Running head: SELINUX INTEGRITY INSTRUMENTATION
1
SELINUX INTEGRITY INSTRUMENTATION (SII): INSTRUMENTING SELINUX FOR CONFIGURATION AUDITING AND INTEGRITY MONITORING.
A Dissertation Presented in Partial Fulfillment of the Requirements for the Degree of
Doctor of Computer Science
By
Mike Libassi
Colorado Technical University
June, 2015
All rights reserved
INFORMATION TO ALL USERS
The quality of this reproduction is dependent upon the quality of the copy submitted.
In the unlikely event that the author did not send a complete manuscript and there are missing pages, these will be noted. Also, if material had to be removed, a note will indicate the deletion.
Microform Edition © ProQuest LLC. All rights reserved. This work is protected against unauthorized copying under Title 17, United States Code.
ProQuest LLC.
789 East Eisenhower Parkway
P.O. Box 1346
Ann Arbor, MI 48106 - 1346
UMI 3717282
Published by ProQuest LLC (2015). Copyright in the Dissertation held by the Author.
UMI Number: 3717282
Committee
Dr. Henry Felch, Faculty Mentor and Chair
Dr. Steven Gosnell, Committee Member
Dr. Richard Livingood, Committee Member
Date Approved
Abstract
SELinux is lacking methods to prove compliance with security policies and detect
change. The SELinux Integrity Instrumentation (SII) parses key parts of SELinux and
the Linux operating system that provide a configuration baseline. SII uses sets of hashing
algorithms that allow snapshots to be taken and compared against the baseline.
Configuration changes to Services, Booleans, and File Context were detected, and
differences displayed. Further, the type (domain) is parsed, and relationships between
services, Booleans, and file context can be viewed based on the domain. SII offers a
foundation that can be explored for use standalone or integrated into existing SELinux
tools. SII can be used by security administrators to ensure configuration integrity and the
ability to audit configurations to security goals. It is critical to measure what needs to be
managed, and SII brings a unique and innovative way to help manage SELinux.
Keywords: SELinux, integrity, configuration
Dedication
For Taylor and Sarah, if Dad can do it so can you.
For Lori, for the support to get it done.
Acknowledgements
I would like to thank Dr. Henry Felch for mentorship through the process. I
would also like to thank my committee: Dr. Maurice Dawson and Dr. Rick Livingood for
the valuable feedback. I would like to thank Dr. Steven Gosnell for tasking me to prove
the relevance of the research. Further thanks to Stephen Smalley for the discussion of the
validity of this research and to Daniel J Walsh, at Red Hat, for specific SELinux guidance
and help. I would like to thank Sinclair Community College CIS Chair Robert Sherman
for the approval of the CIS lab to run the research and Professor Regnar for help getting
the needed hardware. Further, I would like to thank Professor Martha Taylor, at Sinclair
College, for the guidance on getting into a doctorate program.
Table of Contents
Acknowledgements ............................................................................................ iv
Table of Contents ................................................................................................ v
List of Tables ...................................................................................................... x
List of Figures .................................................................................................... xi
Chapter One ............................................................................................................ 1
Topic Overview/Background .......................................................................... 1
Problem Opportunity Statement ..................................................................... 3
Purpose Statement ........................................................................................... 4
Research Question(s) ...................................................................................... 5
Propositions ..................................................................................................... 5
Theoretical Perspectives/Conceptual Framework ........................................... 6
Assumptions/Biases ........................................................................................ 6
Significance of the Study ................................................................................ 6
Delimitations ................................................................................................... 6
Limitations ...................................................................................................... 6
Definition of Terms ......................................................................................... 7
General Overview of the Research Design ..................................................... 7
Summary of Chapter One ............................................................................... 8
Organization of Dissertation ............................................................................... 8
Chapter Two ............................................................................................................ 9
Seminal Works .............................................................................................. 11
Policy Analysis ............................................................................................. 17
Security Metrics ............................................................................................ 22
Measuring SELinux ...................................................................................... 28
Security Visualization ................................................................................... 35
Summary of Literature Review ..................................................................... 42
Chapter Three ........................................................................................................ 45
Research Tradition(s) .................................................................................... 45
Research Questions and Propositions ........................................................... 45
Research Design ............................................................................................ 46
SELinux System Relationships ..................................................................... 47
The SELinux Instrumentation Architecture .................................................. 49
Differential Framework ................................................................................ 51
Population and Sample ................................................................................. 52
Sampling Procedure ...................................................................................... 52
Instrumentation ............................................................................................. 53
Validity ......................................................................................................... 53
Research Context .......................................................................................... 54
Resources Needed ......................................................................................... 54
When and where the research will be conducted. ......................................... 55
Any other participants involved in your research. ........................................ 55
Reliability ...................................................................................................... 55
Instrumentation ............................................................................................. 57
Data Collection ............................................................................................. 57
Tools for collection and analysis .................................................................. 58
Data Analysis ................................................................................................ 59
Summary of Chapter Three ........................................................................... 59
Chapter Four ......................................................................................................... 60
Presentation of the Data ................................................................................ 60
Presentation and Discussion of Findings ...................................................... 61
Algorithm One - Service Collection ............................................................. 64
Algorithm Two - File Context Collection ..................................................... 66
Algorithm Three - Boolean Collection ......................................................... 67
Algorithm Four - Fingerprint Hash ............................................................... 69
Algorithm Five - Results Collection ............................................................. 70
Algorithm Six - Differential .......................................................................... 71
Domain Relationship Testing ....................................................................... 77
Presentation and Discussion of Findings .......................................................... 78
Summary of Chapter ..................................................................................... 79
Chapter Five .......................................................................................................... 80
Findings and Conclusions ............................................................................. 80
Relationship between Configuration Items ................................................... 93
Results ........................................................................................................... 95
Findings ......................................................................................................... 96
Limitations of the Study ................................................................................ 97
Implications for Practice ............................................................................... 97
Implications of Study and Recommendations for Future Research .............. 97
Conclusion .................................................................................................... 98
References ........................................................................................................... 100
Appendix A ......................................................................................................... 110
Appendix B ......................................................................................................... 125
Appendix C ......................................................................................................... 127
Appendix D ......................................................................................................... 137
Appendix E ......................................................................................................... 139
Appendix F .......................................................................................................... 141
Appendix G ......................................................................................................... 151
List of Tables
Table 1 - Test Verification ................................................................................................ 58
Table 2 – Testing Hardware .............................................................................................. 61
Table 3 – Function Performance Summary ...................................................................... 76
Table 4 – Sample cProfile Performance ........................................................................... 77
List of Figures
Figure 1 - Service to Object Relationship ......................................................................... 47
Figure 2 - Architecture ...................................................................................................... 50
Figure 3 - Data Collector Framework ............................................................................... 51
Figure 4 - Differential Analysis Reference Framework ................................................... 52
Figure 5 - Test Design ....................................................................................................... 54
Figure 6 – SII Collection Process ..................................................................................... 63
Figure 7 - Difference Testing ............................................................................................ 64
Figure 8 – Fingerprint Algorithm ..................................................................................... 70
Figure 9 - Diff Function Output ........................................................................................ 74
Figure 10 - Stackdiff function initial test .......................................................................... 74
Figure 11 - Stackdiff function count of items ................................................................... 75
Figure 12 - Stackdiff function Boolean httpd_use_nfs service config test 1 .................... 75
Figure 13 - Stackdiff function Boolean httpd_use_nfs service config test 2 .................... 75
Figure 14 - Test for relationship by domain httpd ............................................................ 78
Figure 15 - Algorithm Performance by SII function ........................................................ 82
Figure 16 - Test 2 system cent1 fingerprint change detections ........................................ 84
Figure 17 - Results from SII detection from domain change to Boolean mount_anyfile . 85
Figure 18 - Results from SII detection from domain change to Boolean httpd_use_nfs .. 86
Figure 19 - Results from SII detection from context change to file context to /usr/sbin/puppetd ..... 87
Figure 20 - Results from SII fingerprints for cent1b ........................................................ 87
Figure 21 - Results from SII fingerprints for fedora2 ....................................................... 88
Figure 22 - Results from SII fingerprints for cent1 test 3 ................................................. 89
Figure 23 - Results from SII test 3 removed service. ....................................................... 89
Figure 24 - Results from test 3a service fingerprint and added service detection ............ 90
Figure 25 - Results from SII context change to File Context item /var/www(/.*)? .......... 91
Figure 26 - Results from SII fingerprints for cent2 test 4 ................................................. 92
Figure 27 - Results from SII for cent1 httpd_use_nfs Boolean state change .................... 92
Figure 28 - Results from SII for cent1 ftp_home_dir Boolean state change .................... 93
Figure 29 - Cent 1 Relationship search based on domain results. .................................... 94
Figure 30 – Domain results for ftpd_t ............................................................................... 95
CHAPTER ONE
Security Enhanced Linux (SELinux) was developed under the GNU General
Public License by the National Security Agency (NSA) and released in 2003 with the
Linux 2.6 kernel. SELinux provides a deeper level of security using a Mandatory Access
Control (MAC) architecture. MAC allows for fine-grained security on services, processes,
ports and files through access rules (called policies).
Example of a policy:
• Potential security issue: A malicious process inherits a user's rights and
accesses sensitive files. For example, Firefox is compromised by a malicious add-on and
reads the user's private ssh keys even though it has no reason to do so.
• SELinux solution: A policy is developed that constrains the programs
authorized to read the user's ssh directory to only the ssh service and the ssh client
app, thus blocking the threat.
SELinux is a form of security reference monitor that provides mandatory access
controls (MAC) (Biba, 1977) and is a key component in upholding the policies that enforce
the security objectives.
Topic Overview/Background
SELinux provides a deeper level of security using a Mandatory Access Control
(MAC) architecture. MAC allows for "fine-grained" security on services, processes,
ports, and files with rules called policies. Many large companies and government
agencies currently use this security monitor.
The United States Department of Defense, National Security Agency,
Amazon.com, New York Stock Exchange and Large Hadron Collider are a few of the
larger Linux installations on a longer list of who is running Linux (“List of Linux adopters
- Wikipedia, the free encyclopedia,” n.d.). OpenStack, an open source cloud
framework that uses Linux and SELinux, is being adopted by the NSA, which is looking to
build a secure cloud for its use (Kerner, 2013).
All these installations have the open source security mechanism SELinux installed
and active by default. However, the complexity of SELinux is an issue that affects its
acceptance. Feedback from Stephen Smalley of the Trusted Systems Research Group,
NSA, in a personal communication email on May 10th, 2013, also supports the value of
this work:
I think that research into tools to aid the configuration and monitoring of SELinux would
be very relevant today. Despite being a default-enabled security feature of Red Hat and
derivative Linux distributions, it remains a challenge for typical Linux admins to go
beyond the stock security policy shipped with Red Hat and customize policy to their
specific environments and security goals.
SELinux is a security reference monitor, and the seminal works call out the need
for reference monitor integrity: a reference monitor "is protected: its function may not be
maliciously or accidentally modified by unauthorized forces" (Biba, 1977, p. 7). Unknown
configuration changes to SELinux are therefore a security risk to systems.
A gap exists in current research: a structure is needed that helps with the
understanding and monitoring of the SELinux configuration for integrity audits. Such a
framework is applicable not only to today's systems running SELinux but also to the future
of SELinux as it finds its way into virtualization solutions like the Xen hypervisor, PaaS
systems like Openshift.com, and the mobile space with SELinux support in Android
(the SE for Android project).
Improper configuration of security systems is one of the top ten security issues
according to OWASP (Open Web Application Security Project (OWASP), 2010), whose fourth
recommendation is to “Consider running scans and doing audits periodically to help detect
future misconfigurations or missing patches.” (Open Web Application Security Project
(OWASP), 2010, p. 12).
A problem with SELinux is the management of the hundreds of SELinux policies.
Past research documents over 1,500,000 flat rules involving 1,780 types (Marouf &
Shehab, 2011). This added complexity makes it difficult to know SELinux's coverage:
whether the services (like HTTP, ssh, and sftp) and the ports and objects they access have
the correct configuration to protect them.
The existing research in SELinux policy analysis produces no measure of which
policies protect which services, nor of the policy state. In addition, there is a need for
identifying services that are not being protected by SELinux.
Problem Opportunity Statement
Based on the problem background the following has been identified:
There is a lack of methods to ensure SELinux configuration compliance.
This problem is outlined by the National Institute of Standards and Technology (NIST)
Special Publication SP 800-55 Revision 1. The NIST SP 800-55 is a guide to help in the
development and implementation of measures for security control effectiveness. Section
six lists a few factors contributing to poor security:
“Configuration management practices—New or upgraded information systems
that are not configured with required information security settings and patches;” (Chew et
al., 2008, p. 46)
And
“Architectures—Poor information system and information security architectures
that render information systems vulnerable.” (Chew et al., 2008, p. 46)
In order to maintain system security, the integrity of the reference monitor is
crucial, and details of its architecture and configuration are needed. One of the rules for a
reference monitor outlined by the seminal works is that it “is protected: its function may not be
maliciously or accidentally modified by unauthorized forces” (Biba, 1977, p. 7). In
addition, recent research also reflects the need for validation: “The Trusted Computing
Base not only includes the reference validation mechanism, but also encompasses all
other functionalities that directly or indirectly affect the correct operation of the reference
validation mechanism.” (Xu, Shehab, & Ahn, 2012, p. 157). Without a measure of
SELinux's state, a system therefore fails to meet these requirements.
Purpose Statement
A 2012 usability study by Schreuders, McGill, and Payne shows that the usability
of SELinux has problems; feedback from the study stated users were “Unclear or
confused about behaviour [sic]” of SELinux (Schreuders, McGill, & Payne, 2012, p. 63).
There is a need to validate the SELinux configuration to allow for concise auditing and
verification of the security settings, ensuring they are aligned with the security policies set
forth by security administration. These problems were researched under the following
propositions.
Research Question(s)
RQ1. Does collecting the relationship of service to policy to object by domain
detect changes to services and indicate related policies and object context?
RQ2. Does collecting the relationship of service to policy to object by domain
detect changes to policies and indicate related services and object context?
RQ3. Does collecting the relationship of service to policy to object by domain
detect changes to object context and indicate related services and policies?
RQ4. Does collecting the relationship of service to policy to object by domain
detect services not covered under any security policies?
Propositions
The research here proposes that:
New SELinux Integrity Instrumentation (SII) can prove compliance to security
policies through detection of change.
Research using a framework that detects changes of SELinux's configuration will
mitigate configuration uncertainties. In addition, the mapping of services, objects and
policies will allow for monitoring, auditing and reporting of the SELinux configuration.
This concurs with the current recommendations “Access control policies on a process or
a daemon should be presented so that users could easily see the entire picture, what the
process or daemon can do or cannot do. Scattered settings cause confusion.” (L. Hu,
Mayo, & Wallace, 2013, p. 291). Along with NIST recommendations:
“Monitor the security controls in the information system on an ongoing basis
including assessing control effectiveness, documenting changes to the system or its
environment of operation, conducting security impact analyses of the associated changes,
and reporting the security state of the system to designated organizational officials”
(National Institute of Standards and Technology & Aroms, 2012, p. 28)
Theoretical Perspectives/Conceptual Framework
Using the design science research perspective, the unique artifacts were verified
to evaluate their functionality. First, the SII artifacts were validated against a series
of test cases, defined in chapter three, each resulting in a pass, fail or partial. Second, the
timing of the artifacts was measured to judge their performance.
Assumptions/Biases
The use of the Multi-Level Security (MLS) functionality in SELinux was
excluded from this research. Not all Linux systems run SELinux; however, a limited
heterogeneous install base was used for testing. The Android OS was excluded as part of
this research.
Significance of the Study
The artifacts developed from this research can be put into the open source
community for further use in SELinux administration and training. Exploration of the SII
algorithms outside of SELinux also is possible.
Delimitations
Open source contributions from the study were only verified against specific Linux
distributions, specifically Red Hat and Fedora based ones.
Limitations
Research will be limited to Red Hat and Fedora-based distributions of Linux.
Definition of Terms
Policy - The SELinux rule that allows or does not allow access to a service, port,
file or asset.
Service - The binary that runs as part of the Linux server. Examples include the
Apache web server (HTTP) and Secure File Transfer Protocol (sftp).
Object - In terms of the Linux operating system, objects are items such as ports, files,
and directories. In SELinux, these are also known as file contexts.
Trusted Computer Base (TCB) - The set of all hardware, firmware, and/or
software components that are critical to the system's security. Parts of a computer system outside
the TCB must not be able to misbehave in a way that would leak any more privileges
than are granted to them in accordance with the security policy.
Integrity - The state of being whole and undivided. In this research the Common
Vulnerability Scoring System (CVSS) definition is used: “Integrity refers to the trustworthiness
and guaranteed veracity of information.” (Mell, Scarfone, & Romanosky, 2007, p. 9)
Evaluation - The process of assembling evidence that a system meets, or fails to
meet, prescribed assurance goals.
Context - In SELinux the context is composed of four parts: the user, role, type,
and level. The type setting is also referred to as the domain.
General Overview of the Research Design
Algorithms were developed that gather configuration data used to prove
compliance of the SELinux configuration with security policies. The algorithms were
implemented in an open-source framework that collects and analyzes the SELinux
configuration for one or more systems under test.
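The collect, fingerprint and compare cycle that the abstract and this overview describe, as an added Python example (not the dissertation's own SII code): it parses constructed sample lines in the row formats of `ps -eZ`, `getsebool -a` and `semanage fcontext -l`, hashes each category into a fingerprint, reports the differences between a baseline and a later snapshot, and groups services, Booleans and file contexts by domain. The sample lines and the name-prefix rule used for the domain grouping are assumptions made for this example.

```python
"""Added example: a minimal SII-style collector, fingerprint and differential."""
import hashlib

# Constructed sample command output (not captured from a real host), in the
# row formats of `ps -eZ`, `getsebool -a` and `semanage fcontext -l`.
BASELINE_RAW = {
    "services": ["system_u:system_r:httpd_t:s0  1201 ?  00:00:01 httpd",
                 "system_u:system_r:ftpd_t:s0   1342 ?  00:00:00 vsftpd",
                 "system_u:system_r:sshd_t:s0    987 ?  00:00:00 sshd"],
    "booleans": ["httpd_use_nfs --> off", "ftp_home_dir --> off",
                 "mount_anyfile --> on"],
    "fcontexts": ["/var/www(/.*)?     all files     system_u:object_r:httpd_sys_content_t:s0",
                  "/usr/sbin/puppetd  regular file  system_u:object_r:puppet_exec_t:s0"],
}
# Same host later: vsftpd stopped, one Boolean flipped, one file context relabelled.
CURRENT_RAW = {
    "services": ["system_u:system_r:httpd_t:s0  1201 ?  00:00:01 httpd",
                 "system_u:system_r:sshd_t:s0    987 ?  00:00:00 sshd"],
    "booleans": ["httpd_use_nfs --> on", "ftp_home_dir --> off",
                 "mount_anyfile --> on"],
    "fcontexts": ["/var/www(/.*)?     all files     system_u:object_r:httpd_sys_rw_content_t:s0",
                  "/usr/sbin/puppetd  regular file  system_u:object_r:puppet_exec_t:s0"],
}


def label_type(label):
    """Third field of a user:role:type:level context; the type is the domain."""
    return label.split(":", 3)[2]


def parse_services(lines):
    """`ps -eZ` rows (label, pid, tty, time, command) -> {command: domain}."""
    services = {}
    for line in lines:
        fields = line.split()
        services[fields[-1]] = label_type(fields[0])
    return services


def parse_booleans(lines):
    """`getsebool -a` rows (`name --> state`) -> {name: state}."""
    booleans = {}
    for line in lines:
        name, _, state = line.partition("-->")
        booleans[name.strip()] = state.strip()
    return booleans


def parse_fcontexts(lines):
    """`semanage fcontext -l` rows (path regex, file type, label) -> {path: label}.
    The file-type column may contain spaces, so only the first and last fields are used."""
    contexts = {}
    for line in lines:
        fields = line.split()
        contexts[fields[0]] = fields[-1]
    return contexts


PARSERS = {"services": parse_services, "booleans": parse_booleans,
           "fcontexts": parse_fcontexts}


def fingerprint(items):
    """SHA-256 over a canonical (sorted key=value) rendering of one category."""
    canonical = "\n".join(f"{k}={v}" for k, v in sorted(items.items()))
    return hashlib.sha256(canonical.encode()).hexdigest()


def snapshot(raw):
    """Parse every category and attach its fingerprint."""
    snap = {}
    for cat, lines in raw.items():
        items = PARSERS[cat](lines)
        snap[cat] = {"items": items, "fingerprint": fingerprint(items)}
    return snap


def differential(baseline, current):
    """Compare fingerprints first; walk items only in categories that changed.
    Returns (category, key, old, new); None marks an added or removed item."""
    changes = []
    for cat in baseline:
        if baseline[cat]["fingerprint"] == current[cat]["fingerprint"]:
            continue
        old, new = baseline[cat]["items"], current[cat]["items"]
        for key in sorted(set(old) | set(new)):
            if old.get(key) != new.get(key):
                changes.append((cat, key, old.get(key), new.get(key)))
    return changes


def related_by_domain(snap, domain):
    """Group services, Booleans and file contexts around one domain (type).
    Assumption for this example (not SII's rule): Booleans and context types that
    share the domain's name prefix (httpd_t -> httpd_) are treated as related."""
    prefix = (domain[:-2] if domain.endswith("_t") else domain) + "_"
    return {
        "services": sorted(s for s, d in snap["services"]["items"].items()
                           if d == domain),
        "booleans": sorted(b for b in snap["booleans"]["items"]
                           if b.startswith(prefix)),
        "fcontexts": sorted(p for p, lbl in snap["fcontexts"]["items"].items()
                            if label_type(lbl).startswith(prefix)),
    }


if __name__ == "__main__":
    base, cur = snapshot(BASELINE_RAW), snapshot(CURRENT_RAW)
    for cat in base:
        print(cat, base[cat]["fingerprint"][:16], cur[cat]["fingerprint"][:16])
    for change in differential(base, cur):
        print("CHANGE", *change)
    print("httpd_t:", related_by_domain(cur, "httpd_t"))
```

On a real host the three `*_RAW` lists would be replaced by the captured output of the corresponding commands; the fingerprint comparison then lets an auditor skip categories whose hash is unchanged and inspect only the ones that differ.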
Summary of Chapter One
It is critical to be able to measure what we manage, and system and security
administrators should know the configuration of their security systems. Security
Misconfiguration is number six on the OWASP top 10 security issues (Wichers, 2013),
and the seminal works also establish the need to maintain the integrity of security
mechanisms. The need to verify that SELinux has not been modified (either by accident or
maliciously) is the opportunity for the new framework that was the basis of the proposed research.
Organization of Dissertation
Chapter Two reviews seminal works in the area of security reference monitors
then reviews the research in policy analysis, security metrics, measuring SELinux and
security visualization with reference monitors.
Chapter Three outlines the research framework and summary of artifact design
and testing.
Chapter Four presents the results of the research; conclusions and
recommendations follow in Chapter Five. The appendix has the artifacts, algorithms, and code,
as well as any additional data collected.
CHAPTER TWO
U.S. Military seminal research set the foundations for security integrity with
concepts of information flow and integrity that led to the development of new
architectures such as Flask and SELinux. With the arrival of new security
mechanisms came the need to maintain their integrity.
Most of the current research has been in the area of security policy analysis. That
work is important in combating the complexity of SELinux at the policy level.
However, a larger perspective of the SELinux system is needed, one that aids
SELinux administration and maintains configuration integrity. The valuable research
into SELinux policy analysis is reviewed in the “Policy Analysis” section of this chapter.
Generating useful measures of SELinux is core to maintaining its integrity.
Security metrics, itself still a new field, offers research that is useful and may
guide the dissertation research on methods of measuring security. Beneficial
research in this area is presented in the “Security Metrics” section.
Metrics that leverage security mechanisms like SELinux are examined separately
from general security metrics. An example is comparing an analysis of SELinux against
current threats to produce a security measure. Current research of this kind yields valuable
methodologies that give different perspectives of the SELinux configuration; the work helpful
to this dissertation is reviewed in the section titled “Measuring SELinux.”
Security Visualization is another area that is examined as a possible component of
this dissertation research. A picture is not just worth a thousand words; it is an essential
piece in aiding SELinux administration. Research that uses visualization of SELinux
is reviewed in the “Security Visualization” section.
The SANS Institute top cyber security risks state that misconfigured systems are a
major security issue and provide guidance on handling this by establishing and ensuring
standard secure configurations in the operating systems (Critical Control 3: Secure
Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations,
and Servers, n.d.). How can an administrator adhere to this without a clear understanding
of the SELinux configuration? Further, the SANS Institute calls for configuration monitoring
that measures the elements of a secure configuration (Critical Control 3: Secure
Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations,
and Servers, n.d.).
The SANS Institute concept of “Control 3 Metric” calls for change monitoring;
“The system must be capable of identifying any changes to an official hardened image
that may include modifications to key files, services, ports, configuration files, or any
software installed on the system.” (Critical Control 3: Secure Configurations for
Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers, n.d.).
The integrity of the reference monitor requires more than an understanding of the
configuration; it also requires identifying changes to it.
This is a gap in current research, and filling it is needed to combat the
complexity of SELinux. The work by Machon Gregory and Angela Reninger supports
this view (Gregory & Reninger, 2009):
SELinux has a reputation for being difficult to use [15]. New security
technologies often face a user acceptance barrier because they are perceived by
users as reducing the functionality of the system in the service of the amorphous
(to users) goal of security. (p. 1)
This dissertation research was intended to address this issue with unique and
relevant concepts in SELinux configuration monitoring. The work here would not be
possible without the previous research in this field.
Seminal Works
Seminal research in security systems outlines the operation of security
mechanisms and the need for their integrity. A majority of the seminal works are
technical reports for the U.S. military, which had a strong need to maintain the security
of information. All the seminal works summarized here call out the need for integrity
monitoring of security mechanisms. Even though the specifics of the works concern
outdated systems, the principles for maintaining their integrity still hold true today.
Information validity and dissemination control are the basis of the 1977 work by
Biba. The result is a protection policy that is used in the security configuration of the
system kernel and a reference monitor. Biba models the two domains on which a security
policy acts: subjects and objects. Interactions between the two have associated modes
(observation, modification and invocation), with integrity levels governing access to the
objects.
The model presented for security policy creation is theoretical and was
developed in the environment of the military security domain. The basis of the model
still applies to the mandatory access control (MAC) and discretionary access control
(DAC) architectures used today.
Biba's (1977) work also sets standards for the security reference monitor:
A reference monitor must satisfy three logical properties:
1. It is complete: all accesses by subjects to objects are monitored and enforced;
2. It is protected: its function may not be maliciously or accidentally modified by
unauthorized forces;
3. It has provably proper behavior: it must faithfully enforce the specified
protection policy. (Biba, 1977, p. 7)
SELinux is a security reference monitor, and the logical property of protection
from malicious or accidental modification sets the basis for the dissertation research.
The Department of Defense (DoD) has called out the need to ensure proper
configuration of security controls. Documented trustworthiness is an important aspect
communicated in DoD 8500.2; section 3, on information assurance implementation,
specifically calls out:
E3.1.3.3. The ability to test and verify.
E3.1.3.5. The ability to manage changes to an established baseline in a secure
manner. (Information Assurance (IA) Implementation, 2003)
These measures of security controls are needed to maintain the robustness of the
system; specific robustness levels are called out to measure the strength of security
controls. SELinux is the default security reference monitor in the Linux systems used by
the DoD and NSA, and the research here will help security administrators follow this
guideline.
In addition, the standard IEC/ISO 27001:2013 sets a framework for security
guidelines and processes. The core of 27001 calls for monitoring and auditing and
thus directly supports the validity of this research. Starting with risk assessments, section
6.1.2, the standard states the need to produce repeatable, consistent and valid results.
Section 7.5.1 calls for documentation of the effectiveness of the security management
system, especially documentation of the complexity of the processes and their
interactions. Section nine covers performance evaluation and internal audits of the
information security management system to ensure it is properly implemented and
maintained. Specifically, section A.9.1.1 on access control policies states “An access
control policy shall be established, documented and reviewed based on business and
information security requirements.” (IEC/ISO, 2013, p. 8). All these areas of the ISO
standard help point out the problem of missing integrity monitoring in SELinux.
The takeaway is the need for documentation and auditing of any security system.
This dissertation is based on the need for configuration documentation and monitoring of
a security mechanism, like SELinux, to ensure it properly enforces security policies. To
achieve this, security systems need to be instrumented for verification. Section A.14.2.3
of 27001 states the need to review platform changes to ensure there are no adverse
impacts on security. Having a baseline configuration is needed to comply with section
A.18.2.3: “Information systems shall be regularly reviewed for compliance with the
organization’s information security policies and standards.” (IEC/ISO, 2013, p. 22).
Currently, there are no baseline state metrics for SELinux configuration and thus no clear
method to detect changes or understand its current configuration.
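As an added illustration of the baseline-and-change-detection gap described above (example code written for this edition of the text, not part of the dissertation's SII tool or of the cited standards), the following Python script takes a canonical, hashed snapshot of two SELinux configuration elements, Boolean values and file-context specifications, and reports every item that differs from the baseline. The inputs are constructed samples in the output formats of getsebool -a and semanage fcontext -l; on a live host those commands would supply the text.

```python
"""Baseline-and-diff check for SELinux configuration state.

Added example (not code from the dissertation or the SII tool). A baseline is
a canonical, hashed snapshot of Boolean values and file-context rows; a later
snapshot is compared to it and every changed, added or removed item is
reported. The sample inputs below are constructed so the script runs offline;
on a live host the same text comes from `getsebool -a` and `semanage fcontext -l`.
"""
import hashlib
import re
from typing import Dict, Tuple

# Constructed sample of `getsebool -a` output ("<name> --> <on|off>").
GETSEBOOL_BASELINE = """\
httpd_can_network_connect --> off
httpd_enable_cgi --> on
ftpd_full_access --> off
"""

GETSEBOOL_CURRENT = """\
httpd_can_network_connect --> on
httpd_enable_cgi --> on
ftpd_anon_write --> on
"""

# Constructed sample of `semanage fcontext -l` rows
# ("<path regex>  <file type>  <context>", columns separated by 2+ spaces).
FCONTEXT_BASELINE = """\
/var/www(/.*)?                 all files   system_u:object_r:httpd_sys_content_t:s0
/var/ftp(/.*)?                 all files   system_u:object_r:public_content_t:s0
"""

FCONTEXT_CURRENT = """\
/var/www(/.*)?                 all files   system_u:object_r:httpd_sys_content_t:s0
/var/ftp(/.*)?                 all files   system_u:object_r:public_content_rw_t:s0
"""

BOOL_RE = re.compile(r"^(\S+)\s+-->\s+(on|off)\s*$")
FCTX_RE = re.compile(r"^(\S+)\s+(.+?)\s{2,}(\S+:\S+:\S+:\S+)\s*$")


def parse_booleans(text: str) -> Dict[str, str]:
    """Map Boolean name -> 'on'/'off'. Lines that do not match are ignored."""
    out = {}
    for line in text.splitlines():
        m = BOOL_RE.match(line)
        if m:
            out[m.group(1)] = m.group(2)
    return out


def parse_fcontexts(text: str) -> Dict[str, str]:
    """Map 'path-spec [file type]' -> security context."""
    out = {}
    for line in text.splitlines():
        m = FCTX_RE.match(line)
        if m:
            path, ftype, ctx = m.group(1), m.group(2).strip(), m.group(3)
            out[f"{path} [{ftype}]"] = ctx
    return out


def digest(items: Dict[str, str]) -> str:
    """SHA-256 over a canonical (sorted, newline-joined) rendering, so the
    hash does not depend on the order in which the tool printed its rows."""
    canon = "\n".join(f"{k}={v}" for k, v in sorted(items.items()))
    return hashlib.sha256(canon.encode()).hexdigest()


def diff(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, Tuple]:
    """Return {key: (old, new)}; old or new is None for removed/added keys."""
    changes = {}
    for k in sorted(set(baseline) | set(current)):
        old, new = baseline.get(k), current.get(k)
        if old != new:
            changes[k] = (old, new)
    return changes


def check(baseline_text: str, current_text: str, parser) -> Tuple[bool, Dict]:
    """Fast path: compare digests; compute the item-level diff only on mismatch."""
    base, cur = parser(baseline_text), parser(current_text)
    if digest(base) == digest(cur):
        return True, {}
    return False, diff(base, cur)


if __name__ == "__main__":
    for label, b, c, p in (
        ("booleans", GETSEBOOL_BASELINE, GETSEBOOL_CURRENT, parse_booleans),
        ("fcontexts", FCONTEXT_BASELINE, FCONTEXT_CURRENT, parse_fcontexts),
    ):
        ok, changes = check(b, c, p)
        print(label, "unchanged" if ok else f"CHANGED: {changes}")
```

The digest is computed over a sorted rendering so that a stored baseline hash stays valid regardless of tool output order; the item-level diff is only needed once the hashes disagree, which is the Control 3 "identify any changes" step the text calls for.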
The seminal work by Saltzer and Schroeder presents design principles for information
protection. One of the principles is economy of mechanism; it outlines how
complexity can cause security problems. Saltzer and Schroeder state the guideline
“Keep the design as simple and small as possible.” (Saltzer & Schroeder, 1974, p. 11).
Importance is placed on how protection mechanisms should adhere to this principle.
Other principles covered are:
• Fail-safe defaults - Base access decisions on explicit permission: any access not
covered by a policy rule is denied.
• Complete mediation - Ensure every access is checked.
• Open design - Security through obscurity is not a good measure of protection; the
mechanism must not depend on the secrecy of its design.
• Separation of privilege - Require more than one key or condition to grant access, so
an attacker must breach multiple components to enter a system without
authorization.
• Least privilege - Ensure subjects operate with the lowest privileges needed. If one is
breached, the potential damage is limited.
• Least common mechanism - Limit the mechanisms and objects shared between
subjects (users).
• Psychological acceptability - Making a system understandable and easy to use
correctly limits the possibility of misuse.
Of these principles, psychological acceptability applies most directly to the research
proposed here. One goal of the dissertation research is making SELinux understandable,
so that configuration changes can be identified easily.
The Bell-LaPadula model (BLP) was developed in the domain of military security
in the mid-seventies. BLP, abstract in nature, was built for the Multics operating system.
The model assigns subjects and objects (e.g., a user and a document) to classes of
clearance and category. A “no-read-up” rule (the simple security property) is enforced
so that a subject cannot read objects above its clearance. The model also describes the
*-property to cover scenarios where a subject has access to objects of different clearance
levels (Bell & La Padula, 1976): information from a higher class may not be written to an
object of a lower classification, the “no-write-down” rule. The work goes on to prove the
basic security theorem: if the system starts in a secure state and each transition abides by
the rules, then the system remains in a secure state.
BLP is an abstract model that could be extended beyond a computer system to
physical controls. The subject and object distinction is also a base in SELinux, and the
theorem on maintaining a secure state further supports the need for understanding and
monitoring the SELinux configuration.
Rushby’s “Design and Verification of Secure Systems” puts forth the need to
verify the system in order to guarantee security, and that guarantee must cover the whole
of the trusted computing base (Rushby, 1981). Though it is not the intent of this research
to place SELinux as part of the TCB, verification of the SELinux configuration ensures its
dependability for security.
Computer Security Technology Planning Study, Volumes one and two, by James P.
Anderson, stresses the importance of verifying the reference monitor, as it must always be
involved in system security (Anderson, 1972a). Anderson further requires that the
reference monitor be tamperproof (Anderson, 1972b). Anderson's work points out the
need to ensure the correct SELinux configuration is implemented, that it is protecting
pertinent services, and that administrators are alerted when it has undergone any
change.
Protection in Operating Systems, by Harrison, Ruzzo, and Ullman (1976), provides
guidelines for protection systems. Their section on safety states that no protection system
is safe in the strongest sense, so a weaker condition must be considered that says, in effect,
that a particular system enables one to keep one's own protection objects under control
(Harrison et al., 1976). In order to maintain integrity, there is an underlying need to
know the system objects and their current state. With SELinux acting as a
protection system, this need is not completely satisfied. The dissertation research here
fills this need.
Lampson's note on the confinement problem states that certification of a program,
distinguishing confined from unconfined programs, is a way to ensure security
(Lampson, 1973). Though the Lampson article focuses on the problems around
information confinement, it also implies that knowledge of the state of a service and its
related security policies is critical to its integrity, especially for new services that may be
running unconfined by any security policy. This specific check is missing in the current
SELinux framework.
SELinux is built upon, or some consider an extension of, the Flask security
architecture. The risk of unknown configuration changes to Flask is stated: “Since policy
changes may be interleaved with the execution of controlled operations, there is the risk
that the system will enforce access rights according to an obsolete policy.” (Lepreau et
al., 1999, p. 3). An unknown change to the policy state is a risk to system security in Flask
and SELinux and needs to be addressed.
Seminal works that set the stage for protection mechanisms like SELinux also
call out some of the issues with their management. The importance of their integrity
is best summarized by paraphrasing Biba (1977) on the three logical properties a
reference monitor must satisfy: it is complete, it is protected, and it demonstrates proper
behavior. Integrity would not be achievable without the previous research; however, it is
not complete without the dissertation work presented here.
Policy Analysis
One of the most common areas of SELinux research is policy analysis. The
SELinux policy is known for its complexity (Jaeger, Sailer, & Zhang, 2003;
Sarna-Starosta & Stoller, 2004; Sasturkar, Yang, Stoller, & Ramakrishnan, 2011), and the
psychological acceptability (Saltzer & Schroeder, 1974) of SELinux is the basis for most
policy research. Other reasons for SELinux policy analysis are to ensure the policies
uphold security goals, have integrity in their current state and can protect the system
against current security threats.
The research by Jaeger et al. (2003) into the integrity of the SELinux type
enforcement (TE) policy introduces the Gokyo tool, which assists security administrators
in creating SELinux policies that meet security goals. Jaeger proposes further research
into the effectiveness of audits in managing security, thus supporting the dissertation
research.
The exploratory research into SELinux policies by Zhai et al. (2009) does
extensive policy analysis to find policy loopholes. This research also supports the need
for other tools to aid security administration. The section on additional research states:
“powerful tool for SELinux policy configuration ought to be build up, which can not only
provide semantic analysis and integrity analysis statically, but also provide such analysis
dynamically in time.” (Zhai et al., 2009, p. 451).
Existing approaches for analyzing integrity protection of the SELinux security
policy are significant to the dissertation research. The security policy is at the core of
SELinux, and existing research in this area is as follows.
Work in policy analysis by Sarna-Starosta and Stoller in 2004 concentrated on
empowering the end user to determine whether SELinux policies meet security goals.
Their Policy Analysis using Logic-Programming (PAL) tool allows queries in the XSB
language (a logic-programming system based on tabled resolution) to be used in SELinux
analysis. The security administrator can ask questions such as: show the information
flows between object X and process Y that do not pass through policy Z. The ability to
verify policy settings does support administration of SELinux. However, it still requires
the administrator to be sure they are asking the correct questions.
The work on policy to object relationships is similar to other research with
SELinux policy analysis. However, it is still relevant to this dissertation as it sets up the
security context using tuples of “security contexts as tuples [T, R,U], where T, R, and U
represent a type, role, and user, respectively.” (Sarna-Starosta & Stoller, 2004, p. 7). The
use of the domain attribute for process classification is applicable to the dissertation
methodology.
The PAL query algorithms and the information flow graphs are a valuable reference
for the dissertation research. However, the process itself can still be expanded to a larger
view of the SELinux configuration.
Hicks, Rueda, Jaeger, and McDaniel researched integrating SELinux with a
security-typed language in 2007; the work combines Jif (a security-typed extension of
Java) with SELinux. The work concerns application integration with SELinux
multi-level security (MLS), whereas this dissertation research is with type enforcement
analysis. The methods of policy extraction and analysis used in the research are relevant
to this dissertation. In addition, the conclusion states a need for compliance between
operating system and application information flow (Hicks, Rueda, Jaeger, & McDaniel,
2007). The dissertation research here moves in that direction to ensure the integrity of the
SELinux configuration with system services.
The research by Blanc and Lalande in 2012 is on implementing SELinux
protection in HPCC clusters, where new risks are encountered due to shared resources.
In implementing SELinux in HPCC, policy contexts are mapped to the objects as part of
the process that addresses confidentiality in the use of shared resources. Though most of
the research does not directly apply to this dissertation, specifically the integration with
HPCC and the analysis of SELinux logs, the policy mapping procedure is worthy of
background study in this dissertation research. Also stated as additional research: “the
administrator needs new tools to perform safe updates and to verify that the new policy
will not introduce security issues.” (Blanc & Lalande, 2012, p. 9). This further supports
the dissertation research here with a new toolset to ensure the integrity of the SELinux
configuration after system updates.
The 2003 research by Jaeger, Sailer and Zhang conveys the complexity of policy
analysis in the SELinux type enforcement (TE) environment. To aid with the inherent
complexity of SELinux, the policy analysis tool Gokyo was introduced. Gokyo is
designed to identify and enable resolution of Biba integrity violations between the trusted
computing base subjects and the rest of the SELinux example policy. The research is at
the policy level; however, the processes used to map the type transition hierarchy are
applicable in this dissertation research. The Gokyo tool output can be further analyzed to
see if it could be leveraged in the research here. As in previous works, Jaeger et al.
(2003) propose further research on the effectiveness of audits in managing security, thus
supporting this dissertation research.
In 2007 LeMay, Fatemieh and Gunter developed the PolicyMorph tool to assist
with policy validation and give suggestions for conflict resolution. The research
demonstrates its use in assisting administrators in the policy analysis process. As with
previous policy analysis research, the work is at the atomic level when compared to this
dissertation research. However, the mathematical descriptions of SELinux policies are
good background and worthy of review. The future work section proposes developing a
graphical interface to assist with access control policy design and maintenance (LeMay,
Fatemieh, & Gunter, 2007). This work influenced the inclusion of visualization as a
possible part of the SII framework in future work.
The exploratory research into SELinux policies by Zhai, Ma, Tian, Yang, Liu and
Yang in 2009 is designed to help security managers with security policy configurations.
A design is proposed for a prototype tool to assist security managers and administrators
in detecting and eliminating security loopholes. The authors note that with this approach
the analysis needs refinement for scale and for complex security policy configurations
(Zhai et al., 2009). The dissertation research here analyzes only the policies that apply to
the currently running services, to narrow the amount of analysis. The overall design
outlined by Zhai is worthy of study, especially the process used in the extraction of policy
information and the construction of the access control space for subjects. Zhai et al.
recommend extracting and analyzing the Boolean values as part of the analysis, which
their research left out; analysis of policy Booleans is planned as part of the dissertation
research. The further research section fully supports the need for additional tools,
especially ones for integrity analysis of SELinux policy configuration that provide not
only semantic analysis but also such analysis dynamically, in time (Zhai et al., 2009).
The 2012 research of Anand, Saniie and Oruklu applies the Six Sigma framework
to SELinux policy management. The analysis identifies areas of improvement to
existing policies and new security threats. Sets of external threat data, policy data, and
system service data are collected and processed in the Six Sigma framework (Anand,
Saniie, & Oruklu, 2012). Six Sigma is not in the scope of this dissertation research.
However, like previous research discussed here, the initial process also pulls service and
policy data, and this is good background for the dissertation research.
To tackle the complexity of SELinux, the 2012 work by Bai and Zhai developed a
descriptive language, using C, for security policy configuration. This is a summary
paper. However, its conclusion gives valuable direction on simplified measures:
“For example, Boolean variables and a few special signs and macro blocks are ignored
during the analysis. All these details ought to be fully considered in the future research.”
(Bai & Zhai, 2012, p. 100). Policy Booleans are part of the dissertation research.
The 2011 research by Sasturkar, Yang, Stoller, and Ramakrishnan is into
problems of Role-Based Access Control (RBAC) policy analysis and delivers algorithms
for measuring their complexity. Results show that even the analysis of uncomplicated
RBAC policy changes is computationally hard. Though this research is not specific to
SELinux, it is current (2011) and references related SELinux analysis works. The work
is theoretical. However, the reachability algorithms and theorems give insight into the
complexity of analyzing an RBAC system. Further, it also states the importance of policy
management and that the analysis of security policies has long been an open problem
needing additional work (Sasturkar et al., 2011). This further justifies future research into
SELinux analysis.
The SELinux policy is one of the most complex, and most researched, areas of
SELinux. The research in policy analysis and information flow has been in aid of
administration and of ensuring SELinux matches security goals. Much of the literature on
SELinux policy analysis uses formal expressions that will be used in the dissertation
research framework. A study of their use in policy analysis models is important to the
research in this dissertation. Though most research processes system subjects and objects
into different forms of mappings, the view is still too atomic, and a larger view of the
SELinux configuration is still needed. These valuable works form an important base on
which to build the dissertation research.
Security Metrics
The call for further research into security metrics is an area acknowledged by the
Department of Homeland Security: “What is the marginal change in our security (for
better or for worse), given the use of a new tool or practice?” (Department of Homeland
Security, 2009, p. 13). To measure any change in security posture, we must be able to
establish a baseline to measure against. In addition, the National Security Agency also
recognizes the need for SELinux improvements with enhanced tools and infrastructure
(SELinux Future Work, 2009). This dissertation research follows the adage that you
cannot manage what you do not measure; SELinux needs tools and measures to help
manage it.
Presented in “Verifying information flow goals in Security-Enhanced Linux” by
Guttman, Herzog, Ramsdell, and Skorupka (2005) is a framework for the monitoring of
information flows. The goal is to provide a systematic way to ensure SELinux meets
security goals. Analysis of SELinux policies is completed with a tuple of type, role,
and user. The relationships between the different tuples are analyzed to verify that access
controls are aligned with security goals. The algorithmic model analyzes the system
configuration and ensures it meets security goals. However, there is no formal
visualization presented in this work. The work is with policy analysis and security goals,
which is not in the realm of this dissertation research. However, a derivative of the
framework presented by Guttman et al. is worth building upon or studying as background
on policy analysis.
The research by Smari, Spalazzi and Zemali is with security in the high-
performance computing (HPC) field. The paper discusses the use of SELinux in run-
time security monitoring, as an executable reference monitor, to block the execution of
code that is not in line with security policies. The work is not parallel to the
dissertation research; however, an important concept is stated: “Configuration flaws: at
installation time/run time, system installation and configuration do not satisfy
specifications (e.g., many software are installed with a standard configuration, simple for
the user, but not secure).” (Smari, Spalazzi, & Zemali, 2013, p. 2). This further supports
the need for configuration monitoring of SELinux. Not knowing the configuration of the
reference monitor is a problem for security integrity.
An increasing need to identify and monitor software on remote systems is
researched in “Design and implementation of a TCG-based integrity measurement
architecture” by Sailer, Zhang, Jaeger, and Van Doorn (2004). The research looks at
extending the Trusted Computing Group (TCG) measurement chain from the BIOS up to
the dynamic executable content in the application layer. The work was specifically aimed
at allowing an external system to verify these measurements in a grid-computing
environment.
Though the measurement is outside the scope of SELinux, the research integrates
the integrity architecture on top of SELinux. Section 2.1 refers to integrity as a binary
property that depends on the verifier's view of a program's ability to protect itself (Sailer
et al., 2004, p. 3). The “verifier’s view” is an important part of this statement, as there is
no complete view of the SELinux configuration to allow for such verification. Along
with that point: “An Integrity Validation Mechanism, validating that the measurement
list is complete, non-tampered, and fresh as well as validating that all individual
measurement entries of runtime components describe trustworthy code or configuration
files.” (Sailer et al., 2004, p. 7). This general statement of integrity further supports the
need for a framework to allow this validation of SELinux.
Adaptive Access Policy for the Linux Kernel, by Horie, Harada, and Tanaka
(2012), presents thoughts and a possible architecture for using SELinux monitoring and
logging as an intrusion detection system (IDS). Methods of building a reference database
used as a kernel-level IDS bear further research for possible use in the dissertation
research framework. The data structure of the proposed “strict” statement may be
leveraged in policy analysis measurements in this dissertation's research.
strict <subject> <object>:<class> <permissions> ;
Ex) strict ftpd_t shell_exec_t:file { execute } ;
... defines detection of shell execution by ftpd. (Horie et al., 2012, p. 84)
The conclusion calls for further work to allow alerts from other security tools,
and the framework in the research here is one such tool. The research adds an
important note that the ability to integrate with other security tools is beneficial and
should be considered in the research here.
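To show how such a “strict” statement can drive detection, here is an added example (not code from Horie et al. or from the dissertation) that parses statements in the form quoted above and matches them against AVC audit records. The audit lines and the rule set are constructed samples; the scontext, tcontext and tclass field names follow the kernel's AVC record format, and the type is taken from the third field of the security context, the T of the [T, R, U] tuple discussed earlier.

```python
"""Matching Horie-style `strict` detection statements against AVC audit records.

Added example (not code from the dissertation or from Horie et al.). It parses
statements of the form
    strict <subject> <object>:<class> <permissions> ;
and checks constructed AVC audit lines against them. A line matches when its
source type, target type, class and at least one permission fall inside a
statement. Both granted and denied events are reported, since a denial still
shows that the domain attempted the flagged access.
"""
import re
from typing import Dict, List, Set, Tuple

STRICT_RE = re.compile(r"^strict\s+(\S+)\s+(\S+):(\S+)\s+\{\s*([^}]*)\}\s*;\s*$")
AVC_RE = re.compile(
    r"avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Constructed rule set (the first statement is the one quoted from the paper).
RULES = """\
strict ftpd_t shell_exec_t:file { execute } ;
strict httpd_t shadow_t:file { read } ;
"""

# Constructed audit lines; the third is a benign event that must not match.
AUDIT_LINES = [
    'type=AVC msg=audit(1433000000.101:201): avc:  granted  { execute } for  pid=2101 comm="ftpd" '
    'name="sh" scontext=system_u:system_r:ftpd_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file',
    'type=AVC msg=audit(1433000000.102:202): avc:  denied  { read } for  pid=2204 comm="httpd" '
    'name="shadow" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file',
    'type=AVC msg=audit(1433000000.103:203): avc:  granted  { read getattr } for  pid=2204 comm="httpd" '
    'name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file',
]


def context_type(ctx: str) -> str:
    """Extract the type from user:role:type[:level] (the T of the [T,R,U] tuple)."""
    parts = ctx.split(":")
    if len(parts) < 3:
        raise ValueError(f"malformed security context: {ctx}")
    return parts[2]


def parse_strict(text: str) -> List[Tuple[str, str, str, Set[str]]]:
    """Yield (subject_type, object_type, class, permissions) per strict statement."""
    out = []
    for line in text.splitlines():
        m = STRICT_RE.match(line.strip())
        if m:
            out.append((m.group(1), m.group(2), m.group(3), set(m.group(4).split())))
    return out


def parse_avc(line: str) -> Dict[str, object]:
    """Reduce one AVC record to the fields the statements are written over."""
    m = AVC_RE.search(line)
    if not m:
        return {}
    return {
        "decision": m.group("decision"),
        "perms": set(m.group("perms").split()),
        "stype": context_type(m.group("scontext")),
        "ttype": context_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
    }


def match(rules, lines) -> List[Tuple[int, str, str]]:
    """Return (line index, decision, 'subject object:class perms') for every hit."""
    hits = []
    for i, line in enumerate(lines):
        ev = parse_avc(line)
        if not ev:
            continue
        for subj, obj, cls, perms in rules:
            common = ev["perms"] & perms
            if ev["stype"] == subj and ev["ttype"] == obj and ev["tclass"] == cls and common:
                hits.append((i, ev["decision"], f"{subj} {obj}:{cls} {sorted(common)}"))
    return hits


if __name__ == "__main__":
    for hit in match(parse_strict(RULES), AUDIT_LINES):
        print(hit)
```

Matching on the type field alone mirrors the statement syntax, which names types rather than full contexts; a deployment that also wanted role or MLS level constraints would extend context_type to return the whole tuple.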
SELinux is mentioned in the work by Cirstea, Moreau, and de Oliveira (2009), which
proposes a methodology that merges declarative and imperative methods to detect
violations in information flow. The work reviews the Bell-LaPadula (BLP) and McLean
models, and the model reviews are a good resource for reference and background on those
subjects. The data structures in section 4.1 may be of value, either as a reference or used
in a derivative manner for the dissertation research. Specifically, the subject, resource, and
access models may be leveraged in some fashion.
BIFI: Architectural Support for Information Flow Integrity Measurement, by H.
Hu and Feng (2008), researches modifications to SELinux for the Biba-invoke based
Information Flow Integrity (BIFI) framework. The architectural changes to SELinux are
beyond the research here. However, sections of the paper cover information flow
concepts that may be useful in some form. An example is the definition from H. Hu and
Feng of how information flows among system subjects (H. Hu & Feng, 2008).
Information flows from subject s1 to subject s2 (s1, s2 ∈ S) if s2 observes an object
(o ∈ O) that s1 can modify:
∀ s1, s2 ∈ S, o ∈ O
flow(s1, s2) := modify(s1, o) ∧ observe(s2, o)
An adaptation of this logic may be useful in the methodology of this dissertation
research. Though information flow analysis is not exactly what is needed here, the
logical relationships between subjects and objects may be leveraged. Specifically useful is
the logic relating subject to object via policy, with the policy state and the subject and
object security contexts.
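As an added worked example (not code from H. Hu and Feng or from the dissertation), the following Python implements the flow relation above over a small constructed set of type-enforcement allow rules and then answers a PAL-style query of the kind described earlier in this chapter: is there a flow path from X to Y that does not pass through Z? The split of permissions into observe and modify sets is a simplifying assumption; the real access vectors are larger.

```python
"""Information-flow relation over SELinux type-enforcement allow rules.

Added example (not from the dissertation or from Hu & Feng). It implements
    flow(s1, s2) := modify(s1, o) ∧ observe(s2, o)
over a constructed allow-rule set, builds the subject-to-subject flow graph,
and answers "is there a flow path from X to Y avoiding Z?" by breadth-first
search. The permission-to-mode mapping is a simplifying assumption.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

# Assumption: a reduced subset of the real access-vector permissions.
OBSERVE = {"read", "getattr", "execute"}
MODIFY = {"write", "append", "create", "setattr"}

# Constructed allow rules in policy-language syntax:
#   allow <source_type> <target_type>:<class> { perms };
RULES = """\
allow ftpd_t public_content_t:file { read getattr };
allow ftpd_t public_content_rw_t:file { read write append };
allow httpd_t public_content_rw_t:file { read getattr };
allow httpd_t httpd_sys_content_t:file { read getattr };
allow sysadm_t httpd_sys_content_t:file { write create };
allow sysadm_t public_content_rw_t:file { write };
allow httpd_t httpd_tmp_t:file { write create };
allow logrotate_t httpd_tmp_t:file { read };
"""

RULE_RE = re.compile(r"^allow\s+(\S+)\s+(\S+):(\S+)\s+\{\s*([^}]*)\}\s*;\s*$")


def parse_rules(text: str) -> List[Tuple[str, str, str, Set[str]]]:
    """Yield (subject_type, object_type, class, permissions) per allow rule."""
    out = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            out.append((m.group(1), m.group(2), m.group(3), set(m.group(4).split())))
    return out


def flow_graph(rules) -> Dict[str, Set[str]]:
    """Edge s1 -> s2 wherever some object o has modify(s1, o) and observe(s2, o)."""
    writers: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    readers: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for subj, obj, cls, perms in rules:
        key = (obj, cls)
        if perms & MODIFY:
            writers[key].add(subj)
        if perms & OBSERVE:
            readers[key].add(subj)
    graph: Dict[str, Set[str]] = defaultdict(set)
    for key, ws in writers.items():
        for s1 in ws:
            for s2 in readers.get(key, ()):
                if s1 != s2:  # a subject's flow to itself is not of interest
                    graph[s1].add(s2)
    return graph


def flow_path(graph, src: str, dst: str, avoid: Set[str] = frozenset()) -> Optional[List[str]]:
    """BFS for a flow path src -> ... -> dst that never enters a domain in `avoid`.
    Returns the path as a list of domains, or None when no such path exists."""
    if src in avoid:
        return None
    prev = {src: None}
    queue = [src]
    while queue:
        cur = queue.pop(0)
        if cur == dst:
            path = []
            while cur is not None:
                path.append(cur)
                cur = prev[cur]
            return path[::-1]
        for nxt in sorted(graph.get(cur, ())):
            if nxt not in prev and nxt not in avoid:
                prev[nxt] = cur
                queue.append(nxt)
    return None


if __name__ == "__main__":
    g = flow_graph(parse_rules(RULES))
    for s1 in sorted(g):
        print(f"{s1} -> {sorted(g[s1])}")
    print("sysadm_t -> logrotate_t:", flow_path(g, "sysadm_t", "logrotate_t"))
    print("sysadm_t -> logrotate_t avoiding httpd_t:",
          flow_path(g, "sysadm_t", "logrotate_t", {"httpd_t"}))
```

On the constructed rules the only route from sysadm_t to logrotate_t runs through httpd_t's temporary files, so the query that excludes httpd_t returns no path; the same machinery answers the "does not pass through Z" question that PAL poses, here over the flow relation rather than over raw policy statements.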
Sankalp Singh’s 2012 doctoral dissertation, University of Illinois at Urbana-
Champaign, proposes a framework for performing security analysis and automatically
obtaining snapshots of access control policies to check for compliance with a
specification of the global access policy. The research uses a compliance checking
algorithm and focuses on firewalls. This work also offers an interesting use of
visualization in the host-layer rule graph that is close to the dissertation research; however,
the work by Singh uses model checking and focuses on network and firewall policies.
The dissertation supports the problem of administration and misconfiguration:
“However, it has been shown in empirical studies that misconfiguration of access control
enforcement points is common.” (Singh, 2012, p. 3).
The future work section proposes the design and implementation of algorithms to
perform compliance checking when the configuration changes (Singh, 2012). The SII
research here is directly in this area.
The importance of power grid security is the driver of the research into auditing,
account management, risk assessment and configuration management with a proposed
Cyber-Physical Topology Language (CPTL). As more computational based devices are
used in the nation's power grid, the North American Electric Reliability Corporation’s
Critical Infrastructure Protection (NERC CIP) audits have become more complex and
labor intensive. Though CPTL is at a much larger level of analysis and visualization, the
configuration management aspect is in line with this dissertation research direction;
SELinux configuration management.
The definitions of the graph attributes are worth study and, though not SELinux-specific,
may be useful background on methods of visualization with the node-leaf algorithm. The
referenced GraphML (http://graphml.graphdrawing.org/index.html) was noted as a
possible implementation language for future work in this area. The importance of audits
and configuration management also echoes the importance of the research proposed in
this dissertation, as configuration management is essential to understanding
configuration (Weaver, Cheh, Rogers, Sanders, & Gammel, 2013). Instrumentation of
SELinux is needed to help with its configuration management and auditing.
Security metrics is an area of current research that is indirectly valuable to the
dissertation research here. Even though security metrics is still a young research area, it
can yield many benefits. One common thread that echoes in the research is the need for
these metrics and new tools in maintaining the integrity of the security infrastructure.
Measuring SELinux
Specific measures were taken of, and with, SELinux is an important area to
review. The dissection of the complex body of SELinux yields in understanding how it
works and how it can be monitored for integrity in this dissertation research.
Applying model checking to SELinux policies is part of a doctoral dissertation
titled “Constraint-based analysis of security properties” by Sarna-Starosta (2005). As
well as supporting statements on the issues with managing SELinux due to its complexity,
Sarna-Starosta uses specific measures, via the Policy Analysis using Logic-Programming
(PAL) language, to see if the policy meets the security goals. The work does seem to miss
the policy state as part of the analysis. Still, the examination of PAL and the
Sarna-Starosta algorithms is essential for the research here. Page 56 of the dissertation
has a good example of an SELinux policy that is useful for reference.
The 2011 dissertation “Methods for specifying and resolving security policy
compliance problems” by Rueda Rodriguez echoes the need for tools to assist
administrators in configuring and deploying distributed MAC systems to mitigate security
vulnerabilities (Rueda Rodriguez, 2011). The work introduces a framework called
Program Integrity Dominates System Integrity (PIDSI). PIDSI builds a snapshot, using
logrotate, of a tamperproof policy, and uses visualization for the information flow. The
policy analysis and graphs are in the realm of the dissertation research here. However,
PIDSI does not look at the policy state and a few other aspects that the research here plans
to analyze and monitor. Still, aspects of the PIDSI work are useful to build upon or use as
a reference. In building the tamperproof policy in PIDSI, an analysis is completed on
parts of the underlying configuration. Further review of this may yield artifacts that can
be built upon; for example, Table 4.2 may be leveraged as a hash table in the methodology
here.
Research into information flow with multi-level security (MLS) policies is the
core of the research by Hicks, Rueda, Clair, Jaeger, and McDaniel (2010). MLS adds
control of information flow by adding confidentiality levels (e.g., secret, company
confidential) to SELinux. The dissertation research here uses SELinux in the default
Type Enforcement (TE) mode and not MLS mode. However, the definition of
information flow offers a generic framework that is valuable for non-MLS analysis:
A policy consists of a set of security levels arranged in a lattice with partial order ⊑ and a
set of statements determining each subject’s read/write permissions for a given object
based on the security levels of the subject and object (and possibly also on other factors
such as the class of the object). (Hicks et al., 2010, p. 7)
As with other SELinux works, the methods of configuration analysis are a good
background for the research done here.
“Work in Progress: RASS Framework for a Cluster-Aware SELinux” (Darivemula,
Leangsuksun, Tikotekar, & Pourzandi, 2006) studies SELinux in a cluster environment.
The research was in Reliability, Availability, Serviceability and
Security (RASS) for cluster-wide security with a distributed security policy. The work on
distributing security policies to all systems in a cluster maps type enforcement
(TE) rules to policies. This mapping bears further study, as a similar process can be
leveraged in the research proposed here.
The research here is to combat the SELinux policy issues that are apparent from
policy expansion by the m4 macro processor. The m4 macro processor is used to
circumvent issues that arise from the sheer complexity and size of the SELinux example
policy (version 1.26 of the monolithic example policy specifies 2,024 types, 66,676
access vector rules, and 2,095 type transitions) by adding an abstraction layer. Policy
analysis is one of the larger areas of SELinux research; the main reason is to ensure the
SELinux policy supports an institution's security goals.
SENG is an experimental method for policy analysis that builds upon the existing
language and offers an abstraction layer that simplifies the policy analysis process.
The SENG language uses class sets and permission sets to abstract away the details
that are otherwise removed by the m4 processor.
Where SENG is intended for policy analysis and creation, it is worth noting that the approach
SENG uses may be mirrored, in some parts, at the level of this dissertation research. The
use of class sets is close to the proposed method of creating tuples of service to object
configurations (and also creating a hash table to allow for verification and monitoring). It is a
short paper, possibly because it was a symposium submission; however, it ends up being a
good reference, and some of its methods can be investigated for use in the research framework.
Model-based safety analysis of SELinux security policies (Amthor,
Kuhnhauser, et al., 2011) focuses on the analysis of access control policies of the
operating system. The research captures each state of a Harrison, Ruzzo, Ullman (HRU)
model. The HRU model is a snapshot of the system's access control matrix (ACM), and
transitions are triggered by application-specific operations that modify the model's
subject set, object set or cells of the ACM. An HRU model defines a protection system
consisting of a set of generic rights R and a set of commands C. A formalized security
policy of an SELinux “allow” policy is described with a 14-tuple defined as follows:
(E,C,U,RO,T,P,ur,am,r_def,r_trans,cf,uf,rf,tf)
The details of the “allow” policy tuple and its monitoring set an important basis for
the dissertation research here. A similar methodology with different variables
may be employed in the dissertation research.
Information flow in operating systems: Eager formal methods (Herzog,
Ramsdell, & Guttman, 2003) develops an abstract model of the SELinux access control
mechanism. It also analyzes the system configuration and labels transitions
representing possible information flows. The proposed temporal logic diagram for stating
security goals is very good; however, it is not the visualization envisioned in
this dissertation. The description of model checking to determine whether goals are
enforced by a particular SELinux configuration is helpful. The framework of the
security context tuple, consisting of three components (type, role, and user), is a good
reference. The work is an excellent background for the research in this dissertation.
Comparing current vulnerabilities to access control mechanisms (ACM) such as
SELinux, AppArmor and Windows 7 DAC is the basis of the research in “Quantitatively
Measure Access Control Mechanisms across Different Operating Systems” (Cheng,
Zhang, & Han, 2013). Using a framework called ACVAL, a quality of protection (QoP)
is derived from analysis of the system's ACM. Attack patterns are inferred, and a
vulnerability coefficient allows the analysis to be cross-platform.
Though the vulnerability assessment is not in line with the dissertation research
here, the initial part of the ACVAL framework is a collection mechanism called “Fact
Collector” that “collects the information about system state related to access control and
security policies, such as uid/gid, files and running processes, and encodes them as
Prolog facts” (Cheng et al., 2013, p. 54). A closer analysis of the fact collector showed
that it used less than 100 lines of bash scripts to collect information (Cheng et al., 2013).
SII may likewise leverage calls to simple bash scripts in data collection.
The research brings up the point of how and when to use internal commands for
SELinux analysis in the implementation of the dissertation research. SELinux output
from commands like semanage offers easy access to configuration state data. However,
relying on commands that could be changed or deprecated could be an issue. The ACVAL
bash scripts, not included in the paper, are worth further investigation. The quantitative
measure of access control mechanisms research likewise describes the “Fact Collector” and
the use of the checkpolicy command for data collection; these commands may find use in the
dissertation research data collection process (Cheng et al., 2014).
The 2011 doctoral dissertation by Thomas explores how Mandatory Access
Control (MAC) mechanisms can be made available to regular users of the operating
system by extending SELinux enforcement. The goal is to close the gap between
discretionary access control (DAC) and mandatory access control (MAC) systems. The
dissertation by Thomas takes an approach similar to the process in this dissertation: a
hypothesis proven with a prototype framework built upon SELinux.
Part of the background also states the need for SELinux integrity: “Third, the
reference validation mechanism must be an assured piece of software; in Anderson's
words, it must be small enough to be subject to analysis and tests, the completeness of
which can be assured.” (Thomas, 2011, p. 19).
An analysis of the relationships of SELinux context, the meta-variables used and
the definitions for the prototype is considered, specifically definition number 3.1.4 on the “Type”
object. The type is used to group objects by resource type while the type is
used to group objects by security domain (Thomas, 2011). Grouping objects by SELinux
domain is valuable background for the research done in this dissertation. Type/domain
may be the binding value used to build the service to policy to object relationships.
System hardening from the host comprises the development of security policies. The
research presented in this article demonstrates the Vulnerability Scanning Tool
(VulSAN). VulSAN allows for security policy validation against possible attack paths.
Though the purpose of VulSAN is not directly in this research topic but in vulnerability
analysis, the policy analysis part of the tool is worthy of review for algorithms that may
be leveraged in this research.
Not only is the quality of protection critical, there is also a need to understand and
compare the quality of protection (QoP) offered by different systems (H. Chen, Li, & Mao, 2009).
Chen observed differences that call for collecting configuration data from all systems:
policies in different distributions offer different levels of protection even
when they use the same protection mechanisms (Chen, 2009). This work supports
the dissertation research on SELinux configuration monitoring and possible
visualization. Not only is it important to know the configuration of a single system, to
ensure it is protecting the expected services and alert to changes; knowing that all systems
running SELinux are configured to an expected baseline is critical, especially in a
heterogeneous environment.
Using software active monitoring (SAM) to predict future system behavior
against security goals is the main focus of the 2011 work by Zhao, C., Dong, W., Leucker,
M., and Qi, Z., “Security Goals Assurance Based on Software Active Monitoring.” The
research supports the common thread on the power and complexity of SELinux.
The complexity makes verification difficult: “It is extremely
difficult to verify the consistency between the security policies and the security goals
desired by applications.” (Zhao et al., 2011, p. 70). The dissertation research is concerned with the
integrity (consistency) of the SELinux configuration, and the work of Zhao et al. parallels it in
many aspects.
Methods for monitoring information flow within SELinux are a valuable
reference for the dissertation research. There is a similarity between the goals of the work there,
“Protecting these resources entails ensuring that information
flowing from one place to another must traverse specific points along its path” (Zhao et al., 2011, p. 74), and
the proposed dissertation research: the paths between services, policies and objects. The
simulation path alludes to the visual modeling that is planned in this dissertation research
with semantic substrates and dendrograms.
The N-step ahead projection is an interesting model to predict system behavior in
the context of the security policy. Linear temporal logic (LTL), in which a model is an infinite
sequence of states where each point in the timeline has a unique successor, is worth review.
Using LTL, a description is given of the applications and objects
used, and an N-step projection is used to predict future behavior of the model.
The use of LTL with predicate sets (observed and controlled) is an interesting
way to cluster the process steps so that an information flow can be written in a visual form
(Zhao et al., 2011). Further, the state diagram visualization is described as follows: “We can view an
information flow graph as an assertion about all sequences of state transitions leading
from a state in σ0 to a state in σn which must encounter the σi in the given order” (Zhao
et al., 2011, p. 74). This work is comparable to the proposed research with visualization
of service to policy to object. Even though Zhao’s work is policy-centric, as most
works have been, it gives a unique view of a measure of SELinux that is valuable to the
dissertation research.
Much of the existing work on SELinux metrics is of value; however, most of it
formally verifies the correctness of SELinux policies or compares the configuration to security
goals or possible attack scenarios. Parts of the processes used in the collection and analysis
of SELinux configuration are valuable for this dissertation research. However, a larger
framework with a broader view of the SELinux configuration is still needed. This missing
view of SELinux is researched here in the dissertation with the SII framework.
Security Visualization
If a picture is worth a thousand words, then it must be worth several thousand log
lines. The field of security visualization offers several aspects that can be employed for
effective visualization of the SELinux configuration. Not the whole field of security
visualization is reviewed here; only research focused on visualization of SELinux is.
Two specific works that focus on SELinux, SEGrapher (Marouf & Shehab, 2011)
and SPTrack (Clemente, Kaba, & Rouzaud-Cornabas, 2012), employ visualization
of parts of SELinux and lend to the dissertation research. As with the previous areas
reviewed in this chapter, the foundation of the research here is important; however, a
new analysis of SELinux that is needed today is still missing.
The SEGrapher work by Marouf and Shehab (2011) is very relevant to the dissertation's
future research. The SEGrapher tool generates cluster analysis and graphs policy
relationships. The result is a visual aid to be used by the security or system administrator.
The policy relationship analysis is valuable for security management, as issues arise with
policy interactions (like overlapping or matching) that cause unintended information
flows. SEGrapher is a Java application that runs in a graphical user interface
(GUI). The problem with requiring a GUI is that most enterprise systems run without the
GUI enabled. The direction of the work with SEGrapher is influential in showing that visual aids in
administration are a needed area of research. Algorithms for policy analysis and
clustering are worthy of further analysis, as is the graphing process used in
SEGrapher. The future work referenced also lends to the direction of this research, with a
further focus on additional methods of visualization (Marouf & Shehab, 2011). One
influence of SEGrapher on this dissertation research is that any visualization and analysis can
be done off the system. An example is a central security workstation, with a GUI, that
interrogates external servers for status. The analysis and display can then be done on the
workstation. A text logging function can also be on or off the servers to allow for
automated alerting of configuration changes.
SPTrack (Clemente et al., 2012) also offers a graphical display of information
flow in regard to the SELinux policy. Visual graphing of actual attacks collected from
a honeypot system is presented, and the live attack data is used in testing. Although
the SPTrack focus is not in the realm of the research here, the tool presents a visualization of
information flows between the SELinux policies; this aspect of SPTrack is worthy of
review for its methodology.
The quote by Xu, Shehab, and Ahn on the importance of visualization supports
the need to see the SELinux configuration (Xu, Shehab, & Ahn, 2008, p. 1):
“Information visualization [8] enables users to explore, analyze, reason, and explain
abstract information by taking advantage of their visual cognition.” Xu et al. explore a
visualization-based policy analysis framework for SELinux using semantic substrates
(Xu et al., 2008, p. 169).
This is a possibility for future research, and though it may not be directly applied
here, the outstanding work done by Xu, Shehab and Ahn will be a big influence. The
dissertation research takes a different view of SELinux, with visualization of
configuration and state monitoring, yet it will supplement tools like the one presented
here.
The Ph.D. dissertation by H. Chen (2009) introduces the Vulnerability Surface
ANalyzer (VuLSAN) tool and the Windows Access Control Configuration Analyzer
(WACCA) tool for analysis of security policies under specific attack scenarios. The
research in this dissertation parallels the doctoral work by Chen in many aspects.
However, the VuLSAN tool takes the direction of analysis of threats to policy
configuration. Aspects of the research are valuable to this dissertation, specifically
the parsing of the SELinux policy configuration and its analysis. For example, the use of the
Lampson access matrix to represent the processes (as rows) and the objects (as columns)
may be built upon in the work here.
Chen also states the issues of complexity of the configurations of access control
mechanisms and its hindrance to security administration. This complexity leads to
misconfigurations with serious security consequences. The tools covered in Chen’s
dissertation are intended to allow the every-day system administrator to understand their
security policy configurations. However, a gap still exists; Chen observes an assumption
of the assurance of access control systems (H. Chen, 2009). Chen further comments on
the need for work in this area (H. Chen, 2009):
In general software, assurance is another open and challenging problem. Particularly in
access control, some systems employ the approach called reference monitor [35] to
improve assurance reference monitor is a module in the system that is responsible to
control all accesses in the system. (p. 20)
The work in this dissertation goes on to address this need for an assurance
framework that aids the every-day system administrator in combating the complexities of
SELinux.
Systematic Policy Analysis for High-assurance Services in SELinux (Ahn,
Xu, & Zhang, 2008) presents a formal SELinux policy analysis framework. The
framework looks at parts both inside and outside the trusted computer base (TCB). A
rule set is established and used to detect possible policy violations. The methods for
policy analysis offer a logical view of the information flow relations between subjects
and objects.
The logic behind the information flow relationships and the utilization of Colored
Petri Nets for graphing are worthy of further examination for visualization research.
Further work is proposed: “Developing a fully automatic and dynamic approach
for policy analysis remains as our future work since manual analysis is still needed to
identify real violations after the CPN-based analysis in our method.” (Ahn et al., 2008, p.
10). The proposed further work points out the need for an automated solution to aid with SELinux
administration. The work influences this dissertation research to ensure it can be used in
an automated fashion.
Security reference monitor policies are difficult to administer due to their
complexity. The 2013 paper by Pan, L., Liu, N., & Zi, X., “Visualization framework for
inter-domain access control policy integration,” outlines a visualization tool and process,
called the Policy Visualization Framework (PVF), which visualizes the reference monitor
policies with the goal of aiding administrators. A role-mapping algorithm is used to bucket
the RBAC policy into the domains of user, role, and permission.
The semantic substrate used in this paper maps the user, role and permission
results from the algorithm used in the role mapping step of the PVF process. The three
groups are spatially arranged in the semantic substrate (top down); then the relationships
between them are indicated with red, green and blue lines that correlate with the role
assignments. The mappings are also clustered in each horizontal region (user, role,
permission) into vertical domains.
After review, the semantic substrate is found to be a great tool to visualize
relationships in a spatial hierarchical view. The research by Pan, Liu and Zi is valuable
for further study on the role mapping algorithm.
The work also states the need for security administration tools: “… currently it is
still lack of useful visualization management tools for the average administrator.” (Pan,
Liu, & Zi, 2013, p. 74). The call for future work also supports this dissertation's problem
statement. The research by Pan et al. in role mapping and use of semantic substrates
for policy visualization offers direction for future SII research.
The security visualization reference by Herman, I., Melançon, G., & Marshall
offers guidelines that help with the dissertation research, starting with (Herman,
Melançon, & Marshall, 2000, p. 1), “Is there an inherent relation among the data
elements to be visualized?” That question helps ensure the visualization methodology in
future research here is headed in the proper direction. In summary, the answer is yes: the
inherent relationships between services, policies and objects can be accurately mapped
and visualized. The section on node metrics for clustering may also
offer further guidance.
The output in the work by Fang, Miller, and Kupsch (2012) using Graphviz and
SVG has concepts that can be leveraged, such as the use of XML to allow
flexibility of the output and the use of an open source visualization tool such as Graphviz. The
diagram construction process and samples generated by SecSTAR offer a vision for
visualization of a complex system.
The paper by Y. Li, Carr, Mayo, Shene, and Wang (2012) describes DTEvisual, a system that leverages Domain Type
Enforcement (DTE) visualization for education. The focus of DTEvisual is system and
security administration education. The DTEvisual tool is useful for classroom
presentations, homework assignments, and self-study. The paper supports the claim of
SELinux complexity: “These modern systems are very complex. A strict access control
policy can contain tens of thousands of rules.” (Y. Li, Carr, Mayo, Shene, & Wang, 2012,
p. 1). The use of ellipses and rectangles gives a good sample of visualization, and the
implementation in Python and Qt is a good example of development. The work also
shows the potential benefits of this dissertation research for education.
The short article by Nimbalkar, Patel, and Meshram (2013) does a good job of summarizing the history and components
of SELinux. The review lays a good path for ways to summarize the complexity of the
system. It also goes further in stating the effects of SELinux complexity, with a
good quote: “The difficulty of configuration has maybe been the reason why most people
have not taken SELinux in use” (Nimbalkar, Patel, & Meshram, 2013, p. 11).
The complexity of SELinux poses many issues, and one is adoption. Though there are no
plans to do any adoption measures or surveys directly, the design of an algorithmic
framework, in this research, to audit and administer SELinux does partially address the
issue raised in the article.
The 2014 research by Qian, Z., and Chen, Y., titled “Fluency of visualizations:
linking spatiotemporal visualizations to improve cybersecurity visual analytics,” is
directed toward spatiotemporal data generated for security analysis. Even though the
article demonstrates a proposed visual analytics system, Semantic Prism, with two use
cases, its preliminary investigation of visualization gives good guidance for the dissertation
research: any visualization should help the administrator gain situational awareness
through identification of a system's components, with visualizations of when, where, and what
for cybersecurity situational awareness (Qian & Chen, 2014). These guidelines are
helpful when creating algorithms for finding relationships in SELinux configuration
components for future work.
Visualization will enable the SELinux administrator to identify new patterns and
recognize current and new relationships within the configuration. The visualization of
the SELinux configuration using semantic substrates is a component of the dissertation
research framework with the same goal stated in (Aris & Shneiderman, 2007):
Successful network visualization tools enable domain experts to carry out key tasks such
as recognizing clusters, identifying interesting nodes, discovering patterns of links, and
detecting unusual relationships. (p. 1)
Aris and Shneiderman’s 2007 paper is based on the use of the Network
Visualization by Semantic Substrates (NVSS) application. Though the NVSS tool is not
available for use in this dissertation's research (the NVSS authors did not want to share
NVSS outside of their organization), the article is a useful reference for semantic
substrate development. The five design guidelines on pages 16 and 17 will be a valuable
reference for the algorithm designs in the dissertation research.
Much of the current visualization work offers methods that can be leveraged in
this dissertation's algorithm development. Visualization is a critical component to aid in
administration and education of the SELinux configuration. Even though a text log is
needed to allow for automation of alerting on configuration changes, the visual
component makes for easy identification of changes. Visualization is important because
it enables users to explore, analyze, reason and explain abstract information by taking
advantage of their visual cognition (Xu et al., 2008).
Summary of Literature Review
A key aspect of information security is integrity. Integrity means that the configuration of security
assets, such as SELinux, can be verified and that unknown
modifications are alerted on. Seminal works have set the basis for integrity monitoring for a trusted
computer base. There has been successful research done with policy analysis and
leveraging SELinux in measuring possible security issues. Also, many of these works
make statements concerning SELinux complexity. The complexity causes low adoption
of SELinux and issues with its configuration. There is a need for security and system
administrators to understand the SELinux configuration and monitor it for change.
The current research supports the issues stated in this dissertation: unknown
configuration changes to SELinux are a risk to system security. Even with the excellent
current research on SELinux policies, there remains a gap, and the proposition, that the new
SELinux Integrity Instrumentation (SII) can prove compliance with security policies
through detection of change, is valid. Quantitative results from algorithms that can be
used in detecting configuration change of SELinux will help fill the research gap.
The importance of usability has been stated in the seminal works with the design
principle of psychological acceptability (Saltzer & Schroeder, 1974) and demonstrated in
the 2011 work by Schreuders, McGill, and Payne in the results of their usability study of
SELinux: “usability has long been acknowledged as an important aspect in the design of
security systems.” (Schreuders, McGill, & Payne, 2011, p. 2). Specifically, the
observation “Some participants forgot to manually set the policy to be enforced, meaning
that these policies were not enforced” shows the need for a visualization of the security
system configuration. Policy analysis is critical; however, the SELinux body of
knowledge has a gap for a larger scale view of the configuration. The study here confirms
that gap, and the proposed dissertation research is to add to that particular area
(Schreuders, McGill, & Payne, 2011, p. 18).
The conclusions of Loscocco and Smalley further support the need for tools to aid
administration: “Complexity can be further managed through policy specification
language enhancements and the development of policy specification and analysis tools.”
(Loscocco & Smalley, 2001, p. 10). Previous works have helped here. However, a
different view of SELinux is needed for administration and monitoring; the dissertation
research supports this effort.
CHAPTER THREE
Algorithmic analysis of specific parts of the Linux system and SELinux allows for
configuration validation. In this section, a formal framework for evaluating the SELinux
configuration is described.
Research Tradition(s)
Most SELinux research has been in an effort to manage its underlying
complexity. The seminal works in security reference monitors point out the need to
maintain their integrity. Algorithms will be employed in the SELinux research as an aid to
understanding the SELinux policy and its protection as compared to security goals. The
SELinux configuration is a living, complex environment, and mathematical models can be
employed to overcome its complexity. Using a Python framework, the new SII methods
will be verified by their ability to parse configuration data into valuable information to
ensure SELinux configuration compliance and detect change.
Research Questions and Propositions
This research was executed via the design science research model, testing the SII
algorithms and framework under the following research questions:
RQ1. Does collecting the relationship of service to policy to object by domain
detect changes to services and indicate related policies and object context?
RQ2. Does collecting the relationship of service to policy to object by domain
detect changes to policies and indicate related services and object context?
RQ3. Does collecting the relationship of service to policy to object by domain
detect changes to object context and indicate related services and policies?
RQ4. Does collecting the relationship of service to policy to object by domain
detect services not covered under any security policies?
The dissertation research proposition is that the new SELinux Integrity Instrumentation (SII) can
prove compliance with security policies through detection of change.
Under design science research, the SII framework was verified to detect
configuration changes and produced a baseline of the SELinux configuration to mitigate
further configuration uncertainties by mapping services, objects and policies. SII
was further tested for its ability to report for SELinux auditing.
Research Design
The design and creation of artifacts that collect the SELinux configuration are the
basis of the research. Quantitative observations on algorithm performance and
precision, taken from testing changes to SELinux configurations, will be used to prove
the SII design.
Testing will use heterogeneous modern Linux operating systems that currently use
SELinux as the default security reference monitor. Tests will entail real-world
configuration changes to a set of test systems. Reference monitor configuration data will
be collected from both test and base systems. A base system will be a matched operating
system with no changes performed.
In addition, algorithm-timing data from test and base will be collected to
determine algorithm performance. The monitoring system will collect timings to gauge
the practicality of the monitoring artifacts.
SELinux System Relationships
All running services on the system have an SELinux security context and possibly
an SELinux policy. Each SELinux policy has a state of “allow on” or “allow off.” Each
service is related to an object, either through the control of the policy (or not), and each
object also has a security context.
Figure 1 - Service to Object Relationship
An important step is to understand the relationships and the components that will
be used in the analysis. Figure 1 shows the service to policy to object relationships with
data about object context and policy state. The security context of SELinux is made up
of (user, role, type, and level). The type is also known as the domain and is a critical data
point in establishing relationships between all the parts.
Proposition 1. All services (S) have a security context (C).
∀S∃C
Where:
S = Service
C = SELinux security context that consists of user, role, type and level. The type
is also referred to as domain and, in type enforcement configuration, the default in
SELinux, it is used to control access and execution on objects by services.
Proposition 2. All policies (p) have an allow state (t).
∀p∃t
Where:
p = SELinux security policy
t = SELinux policy state. The states are: Allow on and Allow off.
Proposition 3. Some services (S) have a policy (p).
∃S∃p
Where:
S = Service
p = SELinux security policy
Proposition 4. Some services (S) have a policy state (t) or no policy.
∃S∃t¬p
Where:
S = Service
t = SELinux policy state. The states are: Allow on and Allow off.
p = SELinux security policy
Proposition 5. All services (S) have objects (O): ∀S ∃O
Where:
S = Service
O = Object
Proposition 6. All objects (O) have a security context (C): ∀O ∃C
Where:
O = Object
C = Security context
The SELinux Instrumentation Architecture
The instrumentation architecture consists of collection, analysis, and output. A
general overview of the process for instrumentation is:
• Collection of data by type; like system, date, version, service, policy, object
mappings
• Establish hash tables
• Clustering relationships by domain type
• Build status and relationships
• Build lists of changes detected
• Output data for verification
Based on the relationship rules, the first step is data collection from the systems under
analysis. The security context is made up of (user, role, type, and level). The domain is
also known as the "type" component of the security context. The level is collected;
however, it is used as part of multi-level security (MLS), and MLS is not in the scope of
this research.
This is outlined in Figure 2:
Figure 2 - Architecture
The output is key to successfully monitoring SELinux and rests on the core processes
of data collection and change detection for the SELinux configuration. These areas of
SELinux are pulled for analysis from each system under analysis: active services,
SELinux policies, and the objects accessed by the services. The data collection
architecture is as follows:
Figure 3 - Data Collector Framework
Differential Framework
With a baseline state recorded, later tests use the same collection framework to pull
new sets of updated configuration data. The new tuples are also hashed and recorded as
a test set that can be compared to the baseline set. An overview of the differential
framework is:
Figure 4 - Differential Analysis Reference Framework
The hash comparisons give a fast analysis, and only the data on the changed items are
read from the tables to add details of the change. The output will be in log format to
allow tracking of test results.
Population and Sample
No analysis of pre-existing data or human surveys is performed in this research.
The work is purely algorithmic analysis of the SELinux system, in the framework of
graph theory, for security configuration integrity. A population of test systems will be
used, and test metadata will be sampled from them.
Sampling Procedure
Algorithm performance and test results will be collected on all test systems during
data collection.
Instrumentation
A running log of the analysis system is also kept so that alerting tools can be
used when configuration changes occur. The results log will be an important part of
testing the instrumentation and can be reused if SII is deployed in a live production
environment.
Validity
The proposed setup will be a lab environment consisting of a monitor control
system (MCS) with a connection to a cloud service to back up all data, code and test
scripts. A series of test systems will be put under specific test scenarios. The MCS will
hold an SSH key authorized on each system so that it can pull data from each system
before and after tests are performed. The MCS will also run a control interface that
allows control of the systems under test.
The following propositions will be proved with test cases:
Proposition 1:
The number of policy state changes detected by SII is equal to the number of policy
state changes made on all test systems.
Proposition 2:
The service changes detected by SII are equal to the services impacted by a policy
state change, where a service is related to the policy by the domain of its security
context.
Proposition 3:
The number of object context changes detected by SII is equal to the number of object
changes made on the test systems.
Proposition 4:
The policy changes detected by SII are equal to the policies impacted by an object
state change, where an object is related to the policy by the domain of its security
context.
Proposition 5:
The number of service changes detected by SII is equal to the number of services
introduced to the test systems without any corresponding policy changes on the test
systems.
Figure 5 - Test Design
Research Context
The research will be conducted in a lab environment. SII testing uses a
framework developed from the algorithms outlined in the methodology section of the
dissertation. The output of the prototype testing is examined to answer the research
questions and prove the propositions.
Resources Needed
Hardware and software consist of one monitoring system with a range of test
and base systems running Linux distributions that enable SELinux by default, such as
Fedora and CentOS, possibly two of each so that one runs as the baseline and one
receives the test changes. One security server will be used for the prototype framework,
with Python and a database framework, and will be used to send commands to the test
systems and collect data.
When and where the research will be conducted.
Use of a CIS lab at Sinclair Community College that has 18 to 20 lab PCs has
been approved. An alternative environment for research is a series of four virtual
machines with a fifth system, to run as the collection and analysis system, in a personal
environment.
Any other participants involved in your research.
No human participation or study is required for this research.
Reliability
Testing of the SII system will be run on live Linux systems. The following tests
will be run to prove SII, using the following Linux services:
• httpd – The Apache web server
• sshd – The secure shell server
• ftpd – The file transfer protocol server
• smbd – The Samba file server
• Plex – A free media server
Test 1: Initial baseline – Tests run to ensure collection and processing of the existing
configuration. Process times and resources are also recorded, and the output is validated
for accuracy.
Subtests include:
1a - Data collection timings and resources used.
1b - Validation of data collected. – Summary of data collected is exported from
the database and summarized into count and size.
1c – Hash tables of the baseline are created and saved.
Test 2: System Change – A collection and analysis is run after a series of system
updates. This includes an update to the SELinux base policy followed by security
updates and later application updates. After each change, an updated data collection and
analysis is run to check for an indication of detected configuration changes.
Subtests include:
2a – Service update test – Using "sudo yum update httpd"
2b – Policy file update test – Using "sudo yum update selinux-policy-targeted"
Test 3: System Change – Changes to system services are made; specifically, the
security context of a service and some of its objects are changed. A new unprotected
service is added, and a service is removed from the system. After each change, an
updated data collection and analysis is run with validation of any configuration changes.
Subtests include:
3a – New unprotected service – Install of the Plex service. Using "sudo yum
install plex-<version>.rpm"
3b – Service removed – Removal of the Samba service. Using "sudo yum erase
samba" (the package providing smbd) after shutting down the server.
3c – Object context change – Change to the httpd document root context from
httpd_sys_content_t to httpd_log_t. Using "sudo semanage fcontext -a -t httpd_log_t
"/var/www(/.*)?"". Note that semanage refuses to add a file-context pattern that the
installed policy already defines, so on a stock system this pattern has to be modified
with -m rather than added with -a, and "restorecon -Rv /var/www" must be run
afterwards for the new label to be applied to the files on disk.
Test 4: Policy Changes – A series of changes to existing SELinux policies is
made. After each change, an updated data collection and analysis is run to test for any
indication of configuration changes.
Subtests include:
4a – Policy state change – Changes to the allow state of an existing policy. Using
"sudo setsebool ftp_home_dir=on" for a temporary (runtime only) change to the allow
state and "sudo setsebool -P httpd_use_nfs=on" for a change to both the allow state and
the default (persistent) state.
4b – Policy alteration – Create a policy module from an AVC denial (typically with
audit2allow).
Instrumentation
For algorithm performance, the Python cProfile module will be used to collect
call counts and measured running times during testing. These are empirical timings for
the test data sets, not asymptotic bounds.
Data Collection
Algorithms will be developed to collect and produce tuples of data from several
areas of the Linux system configuration and SELinux settings, as well as other metadata.
The areas of collection are:
• Service data – Data on the service (status and security context) for the current
system.
• Policy data – Details on the policies for the service (context and state).
• Object data – Security context of the objects related to the service.
From the data, the service-to-policy-to-object relationship is analyzed and may
produce additional output. Test metadata such as system information, date and time,
and algorithmic processing times, used for analysis, will be captured.
The tuples of configuration data, each with a hash of the tuple, are collected and built
into data tables. Relationships between service, policy and object are built and also put
into the tables. The hash table allows indexing, lookup, and differential analysis.
Data about the hash tables, such as table sizes and item counts, will be collected.
The output is structured data describing the configuration of SELinux, with any
differences recorded into a log file.
Results from the test cases will be collected as pass, fail or partial, along with the
algorithm performance data collected from the testing. Further data on processing time
and memory use will also be collected. These results are verified against the validation
propositions as follows.
Table 1 - Test Verification (subtests used to verify each proposition)

          Proposition 1   Proposition 2   Proposition 3   Proposition 4   Proposition 5
Test 1    1a/1b/1c        1a/1b/1c        1a/1b/1c        1a/1b/1c        1a/1b/1c
Test 2    2b              2a/2b           2b              -               -
Test 3    -               3a/3b/3c        3c              3c              3a/3b
Test 4    4a/4b           4a/4b           -               -               -
Tools for collection and analysis
Data collection and analysis will use an open-source language, Python, and/or shell
scripting. Data will be retained in flat files and in the open-source MongoDB database
for storage and querying. Test metadata such as algorithmic processing time or number
of calls will be analyzed using R for the averages recorded from testing.
Data Analysis
Data analysis will be performed on the results of the test cases, and an empirical
evaluation of the algorithms will be performed.
Summary of Chapter Three
A series of algorithms will be developed and tested in a prototype framework with
real system data. The instrumentation will be validated by showing that it can detect
changes to the SELinux configuration. Chapter Four gives full details of all algorithms
designed during the experimentation, and all code is presented in the appendix. Results
of the algorithms are presented along with the output, the algorithm performance and
any additional observations.
CHAPTER FOUR
There are problems with validating SELinux configuration that can lead to
security administration issues. To allow concise auditing and verification of settings, a
series of algorithms, the SELinux Integrity Instrumentation (SII), was created and
implemented in a testing framework. The SII framework was coded in Python (SII.py
in Appendix A) and run in a CIS lab, with testing results consisting of captured data on
algorithm precision and performance. This chapter reviews the testing environment, the
methods and the details of the SII algorithms. Included are samples of the results and
SII framework output from each algorithm.
Presentation of the Data
Evaluation of SII precision and performance was performed in the Computer
Information Systems Lab at Sinclair Community College. The lab hardware consisted of
six HP Compaq workstations with the following specifications:
• CPU: Intel Core 2 E8400 3 GHz
• Memory: 3,713,328 kB (approximately 3.7 GB)
• Disk: 320 GB 2.5 inch SATA drive in a USB 2.0 enclosure
• Disk format: XFS file systems on CentOS, ext4 on Fedora
• Test and base system disk partitioning:
§ /home 250 GB
§ /boot 500 MB
§ / 51 GB
§ swap 3.25 GB
Operating systems used:
Operating Systems used:
• CentOS 7.0 64-bit (kernel 3.10.0-123.el7.x86_64)
• Fedora 20 64-bit (kernel 3.11.10-301.fc20.x86_64)
A total of six workstations were set up for the testing. One system was the main
workstation used to connect via SSH into the test and base systems to run the tests and
collect data. Three CentOS 7.0 and three Fedora 20 systems were configured: for each
distribution, one test system (where configuration changes were made), one base system
(where no changes were made) and one backup in the event of hardware or software
failure during testing.
Table 2 – Testing Hardware

System Name | OS                | Station # | Role
research1   | CentOS 7.0 64-bit | 5043WS25  | Main system to run the research from. Not part of the testing.
cent1       | CentOS 7.0 64-bit | 5043WS10  | Test system. Underwent the configuration changes outlined in the Chapter 3 tests.
cent2       | CentOS 7.0 64-bit | 5043WS04  | Base system. Received no configuration changes. Testing started on cent2; due to errors it was moved to cent1b.
cent1b      | CentOS 7.0 64-bit | 5043WS18  | Base system. Later used for re-testing test cases 3a and 4a.
fedora1     | Fedora 20 64-bit  | 5043WS22  | Test system. Underwent the configuration changes outlined in the Chapter 3 tests.
fedora2     | Fedora 20 64-bit  | 5043WS17  | Base system. Received no configuration changes. Later used for re-testing test cases 3a and 4a.
Presentation and Discussion of Findings
The following SII algorithms were coded in a Python testing framework (SII.py in
Appendix A) using the NoSQL database MongoDB, which stores JavaScript Object
Notation (JSON) records. The SII framework collected data during testing from the
following areas of the Linux operating system with SELinux active:
• Service data – Status and security context of the running services on the test and
base systems.
• Policy data – Configuration details of the SELinux Booleans.
• File Context data – Details of the SELinux file context configuration.
• Also recorded were the system name and the test number for each test; these
were entered manually during SII execution.
Hash values were computed for:
• Each configuration tuple for Service (S), Boolean/Policy (B) and File
Context (C) from the test and base systems.
• A chain hash over the tuple hashes of each area S, B and C. This is called the
fingerprint hash (fp) of the area: fpS, fpB and fpC.
Collection of the configuration data was triggered from SII.py by calling external shell
scripts (Appendix B) that ran systemctl, semanage and sesearch, with the results
stored in text files under a local directory named after the test ID. The SII framework
then opened and parsed these files for configuration data. The SII collection process is
shown in Figure 6.
Figure 6 – SII Collection Process
The results from two tests go through an analysis flow (Figure 7) that first compares
the fingerprints and then, if they differ, the whole array of tuple hash values, called a
hash stack, for each configuration area of Service, Boolean and File Context.
Figure 7 - Difference Testing
The following is a sample of the parsed results generated from the testing of each
SII algorithm, with the algorithm description, a sample of the code and example results.
Algorithm One - Service Collection
For each test and base system, the service configuration data was collected, built
into hashed tuples and stored in a service collection (table) per test.
Algorithm One
Inputs:
  - System Name {N}
  - Test Number {T}
Outputs:
  1. For each service in the service data:
     a. Get service name {S};
     b. Get service security context {C};
     c. Get service domain {D};
     d. Hash <-- {S, D, C};
  2. Tuple of {N, T, S, C, D, Hash, Date/Time}
SII.py code for the algorithm
The hash values were generated in the serviceparse function of the SII framework; the
specific lines performing the hashing and the insert are:

    # Algorithm One: hash the (service, domain, context) tuple and store it
    tohash = service + sdomain + Context
    Hash = md5.new(tohash).hexdigest()
    docinsert = {"Sys": system, "testnum": testnum, "Service": service,
                 "Domain": sdomain, "Context": Context, "Hash": Hash,
                 "date": datetime.datetime.utcnow()}
    db.service.insert(docinsert)
Sample of results
The system service configuration items of name, domain and SELinux context were
parsed, and an MD5 hash was generated for the tuple. The results were stored in a
collection for that test; the sample JSON record below is the entry for system cent1, test
number 1, for the Apache (httpd) web service.

    {
      "_id" : ObjectId("54b167c9350a2b15f1a49f10"),
      "Domain" : "httpd_t",
      "Hash" : "10b2c74a673065f708d93efb72595df2",
      "Service" : "httpd",
      "Sys" : "cent1",
      "Context" : "system_u:system_r:httpd_t:s0",
      "date" : ISODate("2015-01-10T12:56:25.917-05:00"),
      "testnum" : "1"
    }

The sample JSON record shows that the "Domain" httpd_t was parsed from the SELinux
context of the Apache (httpd) service. The hash was an MD5 value computed over the
combined service name, domain and context. Note that the three fields are concatenated
with no separator, so the hash identifies the combined string rather than the three fields
individually, and that MD5 serves here as a change detector, not as a collision-resistant
integrity check. The data elements of the system (Sys) and the test number (testnum)
were saved from the user input. The DB collection contained one record for each active
service on all base and test systems. A total of 43 services, later 42 on the test systems
due to the test cases, were collected; full results are in Appendix D.
Algorithm Two - File Context Collection
From the raw file context output, the path, type and context were extracted to build
the tuple, which was then hashed.
Algorithm Two
Inputs:
  - System Name {N}
  - Test Number {T}
Outputs:
  1. For each context in the file context data:
     a. Get path {P};
     b. Get object type {Ot};
     c. Get object security context {C};
     d. Get object domain {D};
     e. Get object (O) name {On};
  2. Hash <-- {P, Ot, C};
     a. Tuple of {N, T, P, Ot, C, D, Hash, Date/Time}
SII.py code for the algorithm
The SII function "fonctextparse" sets up the text parsing, and the following code in the
function creates the tuple and the MD5 hash:

    # Algorithm Two: hash the (path, type, context) tuple; the domain is
    # stored alongside but not hashed
    tohash = fpath + ftype + fcontext
    Hash = md5.new(tohash).hexdigest()
    docinsert = {"Sys": system, "testnum": testnum, "Path": fpath,
                 "Type": ftype, "Domain": domain, "Context": fcontext,
                 "Hash": Hash, "date": datetime.datetime.utcnow()}
    db.fcontext.insert(docinsert)
Sample of Results
Sample JSON record for system cent1, test 1:

    {
      "_id" : ObjectId("54b167d0350a2b15f1a4b5e6"),
      "Sys" : "cent1",
      "Domain" : "httpd_sys_content_t",
      "Hash" : "13dd68cf3ab5aaa3ae580dd8b2f948c5",
      "Context" : "system_u:object_r:httpd_sys_content_t:s0",
      "date" : ISODate("2015-01-10T12:56:32.512-05:00"),
      "Path" : "/var/www(/.*)?",
      "testnum" : "1",
      "Type" : "allfiles"
    }
From the SELinux file context configuration, the SELinux context (with the domain
parsed out separately), the object type and the path were parsed. The path, type and
context were used in the MD5 hash generation, and the results were stored in a collection
by test number. An average of 5,555 items was parsed, making the file context the
largest collection generated and analyzed during testing. The full results are in
Appendix D.
Algorithm Three - Boolean Collection
From the raw Boolean data, the tuple was generated by extracting the Boolean
configuration items and creating a hash over them.
Algorithm Three
Inputs:
  - System Name {N}
  - Test Number {T}
Outputs:
  1. For each Boolean in the Boolean data:
     a. Get Boolean name {p};
     b. Get Boolean description {Dc};
     c. Get Boolean state {t};
     d. Get Boolean default state {Dt};
     e. Get Boolean domain {D};
     f. Hash <-- {p, Dt, t, D};
  2. Tuple of {N, T, p, Dc, Dt, t, D, Hash, Date/Time}
SII.py code for the algorithm
The booleanparse function of the SII framework built the tuple from the Boolean name,
the default state, the current state and the domain, and generated an MD5 hash over
those values. The tuple and hash code is as follows:

    # Algorithm Three: hash (name, default, state, domain); the description
    # is stored but not hashed
    tohash = Boolean + Default + State + Domain
    Hash = md5.new(tohash).hexdigest()
    docinsert = {"Sys": system, "testnum": testnum, "Boolean": Boolean,
                 "Description": Description, "Default": Default,
                 "State": State, "Hash": Hash, "Domain": Domain,
                 "date": datetime.datetime.utcnow()}
    db.booleans.insert(docinsert)
Sample of Results
Sample Boolean record from system cent1, test number 1:

    {
      "_id" : ObjectId("54b167cc350a2b15f1a49f4a"),
      "Sys" : "cent1",
      "date" : ISODate("2015-01-10T12:56:28.110-05:00"),
      "State" : "on",
      "Boolean" : "httpd_enable_cgi",
      "Hash" : "01e6da02834fbe05909ec54d822c70ec",
      "Description" : "Allow httpd to enable cgi",
      "Default" : "on",
      "testnum" : "1",
      "Domain" : "httpd_suexec_t"
    }

The policy name ("Boolean"), the description, domain, default and current state, along
with the test data (system, test number, date/time and the generated hash), are contained
in a JSON record in a collection per test. An average of 278 Booleans was recorded for
each system. This varied for the test systems as configuration changes were made under
the test cases. Full results are listed in Appendix D.
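As an added example that is not part of SII.py, the following Python 3 code parses constructed samples of the three listings the collection relies on and builds the tuples of Algorithms One to Three. The line layouts for ps -eZ, semanage fcontext -l and semanage boolean -l, and the use of ps for the service context, are assumptions to check against the target distribution; the Boolean domain, which SII took from sesearch, is left out. It also shows why bare concatenation before hashing (service+sdomain+Context) is ambiguous and uses a field separator and SHA-256 instead.

```python
"""Added example, not code from SII.py: parse constructed tool output into the
Service, File Context and Boolean tuples of Algorithms One to Three and hash
them. The column layouts mimic `ps -eZ`, `semanage fcontext -l` and
`semanage boolean -l`; they are assumptions to verify on the target system."""
import hashlib
import re

# Constructed sample output (not captured from a lab system).
PS_EZ = """\
LABEL                                     PID TTY          TIME CMD
system_u:system_r:httpd_t:s0             1201 ?        00:00:01 httpd
system_u:system_r:sshd_t:s0-s0:c0.c1023   905 ?        00:00:00 sshd
"""
FCONTEXT_L = """\
SELinux fcontext                  type       Context
/var/www(/.*)?                    all files  system_u:object_r:httpd_sys_content_t:s0
/var/log/httpd(/.*)?              all files  system_u:object_r:httpd_log_t:s0
"""
BOOLEAN_L = """\
SELinux boolean                State  Default Description
httpd_enable_cgi               (on   ,   on)  Allow httpd to enable cgi
httpd_use_nfs                  (off  ,  off)  Allow httpd to use nfs
"""

FCONTEXT_RE = re.compile(
    r"^(\S+)\s+(all files|regular file|directory|symbolic link|character device|"
    r"block device|socket|named pipe)\s+(\S+)\s*$")
BOOLEAN_RE = re.compile(r"^(\S+)\s+\((\w+)\s*,\s*(\w+)\)\s+(.*?)\s*$")


def naive_hash(*fields):
    """The page's construction: MD5 over the bare concatenation of the fields."""
    return hashlib.md5("".join(fields).encode("utf-8")).hexdigest()


def tuple_hash(*fields):
    """Tuple hash with a field separator. Bare concatenation lets two different
    tuples hash alike, e.g. ('ab', 'c') and ('a', 'bc'); the ASCII unit
    separator cannot occur in a context string, Boolean name or path pattern."""
    return hashlib.sha256("\x1f".join(fields).encode("utf-8")).hexdigest()


def domain_of(context):
    """The type (domain) is the third field of user:role:type:level."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else ""


def parse_services(text):
    """Algorithm One: one record per labelled process line."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0].count(":") < 3:
            continue                      # header or unlabelled line
        context, service = parts[0], parts[-1]
        domain = domain_of(context)
        records.append({"Service": service, "Domain": domain, "Context": context,
                        "Hash": tuple_hash(service, domain, context)})
    return records


def parse_fcontext(text):
    """Algorithm Two: path pattern, object type and context."""
    records = []
    for line in text.splitlines():
        m = FCONTEXT_RE.match(line)
        if not m:
            continue
        path, ftype, context = m.groups()
        records.append({"Path": path, "Type": ftype, "Context": context,
                        "Domain": domain_of(context),
                        "Hash": tuple_hash(path, ftype, context)})
    return records


def parse_booleans(text):
    """Algorithm Three without the domain field. semanage prints the pair
    as (current state, default)."""
    records = []
    for line in text.splitlines():
        m = BOOLEAN_RE.match(line)
        if not m:
            continue
        name, state, default, description = m.groups()
        records.append({"Boolean": name, "State": state, "Default": default,
                        "Description": description,
                        "Hash": tuple_hash(name, default, state)})
    return records
```

The separator matters more than the digest: with naive concatenation a tuple whose fields merely shift a character boundary produces the same string, so the hash stack cannot tell the two apart; with a separator each field boundary is part of the hashed data.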
Algorithm Four - Fingerprint Hash
For each area (Service, Boolean, File Context), generate a unique hash (fingerprint)
by chain-hashing the tuple hash values of that area.
Algorithm Four
Inputs:
  - System Name {N}
  - Test Number {T}
  - Array, sorted by name, of the tuple hashes for one area (S, P, C)
Outputs:
  1. For the first item in the hash array:
     a. Set H1 = "";
     b. Set H2 = item from array;
     c. H1 <-- Hash(H1 || H2)
  2. For each following item in the array:
     a. H2 = H1 (the previous chain value);
     b. H1 = item;
     c. H1 <-- Hash(H1 || H2)
  3. {Fp} <-- final H1
Flow diagram for fingerprint hash generation
Figure 8 – Fingerprint Algorithm
Algorithm Five - Results Collection
Results from the tests were stored in a results MongoDB collection to be used later
when testing for differences.
Algorithm Five
Inputs:
  - System Name {N}
  - Date/Time {DT}
  - Test {T}
  - Service Fingerprint {SFP}
  - Policy Fingerprint {PFP}
  - Context Fingerprint {CFP}
  - Service Count {Sc}
  - Policy Count {Pc}
  - Context Count {Cc}
Outputs:
  - Tuple of {N, DT, T, SFP, PFP, CFP, Sc, Pc, Cc}
Sample of the results
The File Context, Service and Boolean fingerprints were generated and saved to
the results table. The example below was used to detect changes between two tests.
The sample JSON record is from system cent1, test 1. The stored record carries the
three fingerprints; the item counts listed in Algorithm Five are taken from the stack
lengths at comparison time (see Algorithm Six).

    {
      "_id" : ObjectId("54b1683e350a2b15f1a4b622"),
      "contextFP" : "d680d3862526ccab257cf4cba8120a86",
      "Sys" : "cent1",
      "serviceFP" : "3db923b4e92df96202c5647b09c6c920",
      "booleanFP" : "09433755b60e36621246da3bbc20d298",
      "date" : ISODate("2015-01-10T12:58:22.535-05:00"),
      "testnum" : "1"
    }
The JSON results contain the "_id" assigned by MongoDB, the system "Sys", the test
number "testnum", the fingerprints generated by the fingerprint algorithm, and a
date/time stamp. Appendix D has the full output.
Algorithm Six - Differential
Algorithm Six is a two-part algorithm. It first evaluates the fingerprints generated by
Algorithm Five and reports "no diff" or "diff" for each configuration area (Service,
Boolean or File Context) between the two tests indicated. If a difference is found, a
deeper analysis of each item in the affected configuration area gives the details of what
changed between the two tests.
Algorithm Six
  1. Compare the test (T) fingerprint {Tfp} with the baseline (B) fingerprint {Bfp}
     for each area x (x = pfp, sfp, cfp):
     if Bfp(x) == Tfp(x) return (no diff), else:
  2. Compare the hash stacks for base (B) and test (T):
     a. Pull B(x) (pull _id, Hash); baseline hash = Bh
     b. Pull T(x) (pull _id, Hash); test hash = Th
     c. If Bh != Th then diff = 1 else diff = 0
  3. Pull diff data:
     a. For each diff == 1, pull the data tuple by _id
  4. List differences:
     a. By Service, Policy, FContext
SII.py code for the algorithm
Two functions, diffs and stackdiff, run the two parts of the algorithm. The three
configuration areas were pulled from MongoDB for each test. Example code for the
service area is listed:

    t1svcStack = list(db.service.find({}, {"Service": 1, "Sys": 1,
                                           "Context": 1, "Hash": 1}).sort("Service"))

An item count was done to allow for the indication of list length differences
between tests.

    t1svclength = len(t1svcStack)
    t2svclength = len(t2svcStack)

    # Service: map service name -> tuple hash for each of the two tests
    test1svc_dic = {}
    for line1 in t1svcStack:
        svcname = line1.get("Service")
        svchash = line1.get("Hash")
        test1svc_dic[svcname] = svchash
    test2svc_dic = {}
    for line1 in t2svcStack:
        svcname = line1.get("Service")
        svchash = line1.get("Hash")
        test2svc_dic[svcname] = svchash

    # Service Checks: (name, hash) pairs present in only one of the two tests
    svcdiff = test1svc_dic.viewitems() ^ test2svc_dic.viewitems()
    for diffitem in svcdiff:
        dname = diffitem[1]
        for xitem in t1svcStack:
            if xitem["Hash"] == dname:
                print "----------------- Test 1-----------------"
                outitemsx = xitem.items()
                print tabulate(outitemsx, tablefmt="grid")
        for yitem in t2svcStack:
            if yitem["Hash"] == dname:
                print "------------------ Test 2 ------------"
                outitemsy = yitem.items()
                print tabulate(outitemsy, tablefmt="grid")
        print "---------------------------------------------"

    # Count check (the original compared t1svclength with itself, which can
    # never differ; the comparison must be against t2svclength)
    if t1svclength != t2svclength:
        print "Service Count difference"
        print "Set1:", t1svclength, " vs ", t2svclength
        for k, v in test1svc_dic.iteritems():
            if k not in list(test2svc_dic.keys()):
                print "Not in test2 service:"
                print k, v
    else:
        print "Both Service tests have same count of:", t1svclength
        print "-------------------------------------------"
Sample of Results
The SII framework took two test numbers as input, searched for differences and first
performed a fingerprint comparison. The fingerprints were pulled from the database,
compared and output to the screen, as seen in Figure 9. The output labels the service
fingerprint SPF, the Boolean fingerprint BPF and the file context fingerprint CFP, and
prints "NO Diff" or "********** FP DIFF!!" for each (Figure 9 shows a Boolean
fingerprint difference). The actual fingerprint hash values were also displayed for both
tests in the output for test verification.
Figure 9 - Diff Function Output
The testing framework then presented a yes/no prompt for running the full hash stack
analysis. On yes, the "stackdiff" function is called (Figure 10) to determine the
individual items that changed between the two tests. On the base systems, where no
fingerprint differences were found, the "stackdiff" function was still executed to allow
capture of performance data.
Figure 10 - Stackdiff function initial test
Part of "stackdiff" is a comparison of the total number of items in each area for the
two tests. Figure 11 is an example of the Boolean count check. If a count difference is
detected, the items missing from a test are displayed in the output. As coded, the count
check lists only items present in test 1 but absent from test 2; an item present only in
test 2 is still surfaced by the preceding hash comparison, which reports every (name,
hash) pair that is not in both tests.
Figure 11 - Stackdiff function count of items
The configuration tuples from each test are listed wherever a hash difference was
detected. Figures 12 and 13 are the two records of the Boolean httpd_use_nfs (test 1
and test 2) where this occurred, and the full tuple was displayed.
Figure 12 - Stackdiff function Boolean httpd_use_nfs service config test 1
Figure 13 - Stackdiff function Boolean httpd_use_nfs service config test 2
Test 1 shows the settings for the httpd_use_nfs Boolean; in test 2 the Default and
State were set to "on" (subtest 4a, setsebool -P), causing the hash to differ from the
value computed in test 1. The full output from all tests is presented in Appendix C.
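As an added example that is not part of SII.py, the following Python 3 code implements the fingerprint of Algorithm Four and both parts of Algorithm Six over constructed records that model subtest 4a (httpd_use_nfs switched on with setsebool -P) and subtest 3b (smbd removed). The record layout follows the JSON documents above; SHA-256 with a field separator replaces MD5 over bare concatenation, and the stack comparison is keyed by name so that added and removed items are reported explicitly rather than only as unmatched hashes.

```python
"""Added example, not from SII.py: Algorithm Four (fingerprint chain hash) and
Algorithm Six (fingerprint check, then hash-stack differencing)."""
import hashlib


def tuple_hash(*fields):
    """Per-tuple hash with a field separator (see the collection example)."""
    return hashlib.sha256("\x1f".join(fields).encode("utf-8")).hexdigest()


def service_record(name, context):
    domain = context.split(":")[2]
    return {"Service": name, "Domain": domain, "Context": context,
            "Hash": tuple_hash(name, domain, context)}


def boolean_record(name, default, state, domain):
    return {"Boolean": name, "Default": default, "State": state,
            "Domain": domain, "Hash": tuple_hash(name, default, state, domain)}


def fingerprint(records, key):
    """Algorithm Four. The stack is sorted by name first, so collection order
    cannot change the result; each step folds the next tuple hash into the
    running value, so one changed, added or removed tuple changes it."""
    chain = ""
    for rec in sorted(records, key=lambda r: r[key]):
        chain = hashlib.sha256((rec["Hash"] + chain).encode("utf-8")).hexdigest()
    return chain


def stack_diff(base, test, key):
    """Algorithm Six, steps 2-4, keyed by name rather than by hash so that an
    item present in only one test is reported as added or removed."""
    b = {r[key]: r for r in base}
    t = {r[key]: r for r in test}
    return {
        "changed": {k: (b[k], t[k]) for k in b.keys() & t.keys()
                    if b[k]["Hash"] != t[k]["Hash"]},
        "added": {k: t[k] for k in t.keys() - b.keys()},
        "removed": {k: b[k] for k in b.keys() - t.keys()},
    }


def diffs(base, test, key):
    """Algorithm Six, step 1: compare fingerprints and descend to the hash
    stack only when they differ. None stands for 'NO Diff'."""
    if fingerprint(base, key) == fingerprint(test, key):
        return None
    return stack_diff(base, test, key)


def report(base, test, key):
    """Text summary in the spirit of the stackdiff output."""
    result = diffs(base, test, key)
    if result is None:
        return ["%s: NO Diff" % key]
    lines = ["%s: FP DIFF" % key]
    for name, (old, new) in sorted(result["changed"].items()):
        fields = [f for f in old if f != "Hash" and old[f] != new[f]]
        lines.append("changed %s: %s" % (name, ", ".join(
            "%s %s -> %s" % (f, old[f], new[f]) for f in fields)))
    for name in sorted(result["added"]):
        lines.append("added %s" % name)
    for name in sorted(result["removed"]):
        lines.append("removed %s" % name)
    return lines


# Constructed records modelling subtest 4a (httpd_use_nfs set on with -P) and
# subtest 3b (smbd removed); not copied from the lab output.
BOOL_BASE = [boolean_record("httpd_enable_cgi", "on", "on", "httpd_suexec_t"),
             boolean_record("httpd_use_nfs", "off", "off", "httpd_t")]
BOOL_TEST = [boolean_record("httpd_enable_cgi", "on", "on", "httpd_suexec_t"),
             boolean_record("httpd_use_nfs", "on", "on", "httpd_t")]
SVC_BASE = [service_record("httpd", "system_u:system_r:httpd_t:s0"),
            service_record("smbd", "system_u:system_r:smbd_t:s0"),
            service_record("sshd", "system_u:system_r:sshd_t:s0-s0:c0.c1023")]
SVC_TEST = [r for r in SVC_BASE if r["Service"] != "smbd"]

if __name__ == "__main__":
    for line in (report(BOOL_BASE, BOOL_TEST, "Boolean")
                 + report(SVC_BASE, SVC_TEST, "Service")
                 + report(BOOL_BASE, BOOL_BASE, "Boolean")):
        print(line)
```

Running the block prints the changed Boolean with the two fields that moved, the removed smbd service, and "NO Diff" for the unchanged Boolean stack, which is the order of checks the diffs and stackdiff functions perform.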
Performance
Fingerprint diff and hash stack diff performance was measured using cProfile
wrappers in the SII.py code. The two functions are "diffs", which compared the test
fingerprints, and "stackdiff", which did the deep analysis to find the individual items
that changed. For the base systems (where no changes were made) "stackdiff" was
always run to capture its performance. The summary data collected from cProfile shows
the number of function calls and the total time in seconds to complete execution.
Table 3 – Function Performance Summary

Function   | Performance Summary                       | Test Number
diffs      | 189 function calls in 0.001 seconds       | 2
stackdiff  | 235,878 function calls in 1.173 seconds   | 2
diffs      | 194 function calls in 0.001 seconds       | 3
stackdiff  | 157,809 function calls in 0.337 seconds   | 3
diffs      | 199 function calls in 0.001 seconds       | 4
stackdiff  | 158,315 function calls in 0.337 seconds   | 4
Full test results are in Appendix E.
Detailed cProfile data from each system and test was captured and saved in CSV and
binary formats for further analysis. An example for the cent1 test 2 stackdiff function
follows. Most of the 1.173 seconds goes to the 5,866 calls of dict.keys: the membership
test "k not in list(test2svc_dic.keys())" rebuilds the whole key list on every iteration of
the count check, whereas "k not in test2svc_dic" is a single dictionary lookup.
Table 4 – Sample cProfile Performance

ncalls   tottime  percall  cumtime  percall  filename:lineno(function)
47995    0.031    0        0.031    0        {isinstance}
29940    0.023    0        0.023    0        {method 'get' of 'dict' objects}
24523    0.012    0        0.012    0        {len}
11912    0.007    0        0.007    0        collection.py:182(database)
11878    0.045    0        0.31     0        cursor.py:1054(next)
11872    0.017    0        0.083    0        objectid.py:70(__init__)
11872    0.006    0        0.006    0        {method 'popleft' of 'collections.deque' objects}
11872    0.037    0        0.066    0        objectid.py:174(__validate)
11872    0.016    0        0.016    0        database.py:271(_fix_outgoing)
5866     0.685    0        0.685    0        {method 'keys' of 'dict' objects}
4376     0.008    0        0.008    0        {hasattr}
Domain Relationship Testing
Test five checked whether the relationships between service, Boolean and file context
could be obtained. Based on the model in Chapter Three (Figure 1, Service to Object
Relationship), searching on a domain gives output on the Services, Booleans and File
Contexts related to the search string entered. This was coded into SII as a search
function called "searchrel" that gathers and searches across the dictionaries created from
the data pulled from the database.
Figure 14 - Test for relationship by domain httpd
The example in Figure 14 is from system cent1 and was conducted as part of a test
to search the configuration areas of Service, Boolean and File Context by domain. The
full SII output for this testing is located in Appendix F.
Presentation and Discussion of Findings
Six SII algorithms were coded into a Python framework that interacted with
external shell commands and the NoSQL database MongoDB, on four CIS lab systems
running Linux with SELinux active, in paired tests. The test systems underwent a
series of configuration changes while the base systems did not. SII ran the series of tests
on both test and base systems, with data collected in the database, exported to flat files,
and terminal output captured for analysis.
The key algorithmic functions of SII were tested: individual configuration tuples were
hashed, and fingerprints (chain hashes) of the SELinux areas of Service, Boolean and
File Context were generated and recorded.
Summary of Chapter
The SII testing framework was used in a series of configuration changes on the test
systems, with results captured on precision and performance. The results of the tests are
reviewed in Chapter Five along with observations and future work.
CHAPTER FIVE
The SII framework was verified against the research questions with a series of
tests on test systems that underwent various OS and SELinux configuration changes.
Two similar base systems received no changes but still had the SII framework loaded
and run with each test. The findings and conclusions give the results of the test
scenarios against the SII framework, with sample output here and full output in the
appendices.
Findings and Conclusions
Testing was performed under the following conditions on the test systems, with
results collected on both test and base systems.
Test 1: Initial baseline - Tests ran on all systems with verification of the collection
and processing of configuration data. Process times and resources were also validated as
recorded. These were performed in the following sub-tests:
1a - Data collection timings and resources used. The SII.py framework successfully
used the cProfile package to record timings and calls by the algorithms.
1b - Validation of data collected – A summary of the data collected was exported from
the database, and framework output was recorded in Appendix C.
1c - Hash tables of the baseline were created and saved. Appendix D has the SII
export of the data tables.
1b and 1c – The SII framework successfully collected configuration tuples of Services,
Booleans, and File Context on test and base systems. Individual tuples
were generated, and hash values were computed for each configuration item to
monitor for change. The following JSON record is for the SELinux Boolean
httpd_enable_cgi; values such as default state, current state and domain were parsed and
used in the MD5 hash generation.
{ "_id" : ObjectId("54b167cc350a2b15f1a49f4a"), "Sys" : "cent1", "date" : ISODate("2015-01-10T12:56:28.110-05:00"), "State" : "on", "Boolean" : "httpd_enable_cgi", "Hash" : "01e6da02834fbe05909ec54d822c70ec", "Description" : "Allow httpd to enable cgi", "Default" : "on", "testnum" : "1", "Domain" : "httpd_suexec_t" }
Each configuration area (Services, Booleans and File Context) successfully had a
fingerprint hash generated and recorded for each test in the results
collection. The following is an example JSON record:
{ "_id" : ObjectId("54b1683e350a2b15f1a4b622"), "contextFP" : "d680d3862526ccab257cf4cba8120a86", "Sys" : "cent1", "serviceFP" : "3db923b4e92df96202c5647b09c6c920", "booleanFP" : "09433755b60e36621246da3bbc20d298", "date" : ISODate("2015-01-10T12:58:22.535-05:00"), "testnum" : "1" }
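The tuple hash, the per-area fingerprint and the stackdiff comparison described above (and relied on in the Test 2 and Test 3 detections that follow) can be reproduced in a few functions. This is an added example written for this page, not SII.py itself: the field order, the separator and the chain-hash construction are assumptions, the records are constructed, and the digests will not match the dissertation's output.

```python
import hashlib

# Field order hashed for each configuration area. The page says default state,
# current state and domain feed the Boolean hash; this exact order, the
# separator and the chain-hash construction are assumptions of this example.
AREA_FIELDS = {
    "Boolean": ("Boolean", "Default", "State", "Domain"),
    "Service": ("Service", "Domain", "Context"),
}

# Constructed sample tuples modelled on the dissertation's JSON records
# (not the page's data; the digests will not match its output).
BASELINE_BOOLEANS = [
    {"Boolean": "httpd_enable_cgi", "Default": "on", "State": "on", "Domain": "httpd_suexec_t"},
    {"Boolean": "mount_anyfile", "Default": "off", "State": "off", "Domain": "automount_t"},
    {"Boolean": "httpd_use_nfs", "Default": "off", "State": "off", "Domain": "httpd_suexec_t"},
]
# Same Booleans after a targeted-policy update: two domain changes, as in Test 2b.
UPDATED_BOOLEANS = [
    {"Boolean": "httpd_enable_cgi", "Default": "on", "State": "on", "Domain": "httpd_suexec_t"},
    {"Boolean": "mount_anyfile", "Default": "off", "State": "off", "Domain": "mount_t"},
    {"Boolean": "httpd_use_nfs", "Default": "off", "State": "off", "Domain": "httpd_t"},
]
BASELINE_SERVICES = [
    {"Service": "httpd", "Domain": "httpd_t", "Context": "system_u:system_r:httpd_t:s0"},
    {"Service": "smb", "Domain": "smbd_t", "Context": "system_u:system_r:smbd_t:s0"},
]
# After Test 3: Samba removed, Plex added and running with no SELinux context.
UPDATED_SERVICES = [
    {"Service": "httpd", "Domain": "httpd_t", "Context": "system_u:system_r:httpd_t:s0"},
    {"Service": "plexmediaserver", "Domain": "<<none>>", "Context": "<<none>>"},
]


def tuple_hash(area, record, algo="md5"):
    """Digest of one configuration tuple (MD5 to match the page; pass
    algo="sha256" where a collision-resistant fingerprint is wanted)."""
    fields = AREA_FIELDS[area]
    # A separator keeps ("ab", "c") and ("a", "bc") from hashing the same.
    material = "\x1f".join(str(record[f]) for f in fields)
    return hashlib.new(algo, material.encode("utf-8")).hexdigest()


def area_fingerprint(area, records, algo="md5"):
    """Chain-hash of every tuple hash in an area, sorted on the tuple's key
    so that collection order cannot change the fingerprint."""
    key = AREA_FIELDS[area][0]
    chain = hashlib.new(algo)
    for rec in sorted(records, key=lambda r: r[key]):
        chain.update(tuple_hash(area, rec, algo).encode("ascii"))
    return chain.hexdigest()


def stackdiff(area, baseline, current):
    """Per-item differences between two collections of the same area:
    keys added, keys removed, and keys whose tuple hash changed, with the
    fields that differ."""
    key = AREA_FIELDS[area][0]
    base = {r[key]: r for r in baseline}
    cur = {r[key]: r for r in current}
    changed = []
    for k in sorted(base.keys() & cur.keys()):
        if tuple_hash(area, base[k]) != tuple_hash(area, cur[k]):
            fields = {f: (base[k][f], cur[k][f])
                      for f in AREA_FIELDS[area] if base[k][f] != cur[k][f]}
            changed.append((k, fields))
    return {
        "added": sorted(cur.keys() - base.keys()),
        "removed": sorted(base.keys() - cur.keys()),
        "changed": changed,
    }


def check_area(area, baseline, current):
    """Compare the cheap area fingerprints first and only walk the tuples
    when they differ, mirroring the page's fingerprint-then-stackdiff flow."""
    if area_fingerprint(area, baseline) == area_fingerprint(area, current):
        return {"changed": False, "diff": None}
    return {"changed": True, "diff": stackdiff(area, baseline, current)}


if __name__ == "__main__":
    for area, base, cur in (("Boolean", BASELINE_BOOLEANS, UPDATED_BOOLEANS),
                            ("Service", BASELINE_SERVICES, UPDATED_SERVICES)):
        print(area, check_area(area, base, cur))
    # Base system: nothing changed, so the fingerprint alone settles it.
    print("Base", check_area("Boolean", BASELINE_BOOLEANS, BASELINE_BOOLEANS))
```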
Performance data collected by the cProfile package in SII.py was
summarized by function for all systems and tests.
Figure 15 - Algorithm Performance by SII function
The performance summary (Figure 19) is the mean time in milliseconds for each
function over all tests. Functions that processed more items took longer: the File
Context fingerprint averaged 5,555 file context tuples, and the
“stackdiff” function made 628K calls. Even so, the mean time for the larger
File Context fingerprint computation was a reasonable 1.2 seconds or less on
both test and base systems.
Test 2: System Change - A collection and analysis were run after updates to the
Apache service and to the SELinux base policy, in the following sub-tests:
Test 2a - Update the Apache service.
Test 2b - Update to the selinux-policy-targeted package.
Cent1
Test 2a, the Apache update, did not change any of the Apache (httpd) SELinux service
configuration captured. The httpd JSON data indicated no changes to the domain or
context. Thus the hash did not change, as shown in the following tuples:
JSON Cent1 Test 1 httpd:
{ "_id" : ObjectId("54b167c9350a2b15f1a49f10"), "Domain" : "httpd_t", "Hash" : "10b2c74a673065f708d93efb72595df2", "Service" : "httpd", "Sys" : "cent1", "Context" : "system_u:system_r:httpd_t:s0", "date" : ISODate("2015-01-10T12:56:25.917-05:00"), "testnum" : "1" }
JSON Cent1 Test 2 httpd:
{ "_id" : ObjectId("54b16f8c350a2b58f855f769"), "Domain" : "httpd_t", "Hash" : "10b2c74a673065f708d93efb72595df2", "Service" : "httpd", "Sys" : "cent1", "Context" : "system_u:system_r:httpd_t:s0", "date" : ISODate("2015-01-10T13:29:32.035-05:00"), "testnum" : "2" }
Test 2b was an update to the SELinux targeted policy, and the update triggered
fingerprint detections for Boolean and File Context.
Figure 16 - Test 2 system cent1 fingerprint change detections
Many Boolean changes were found after the policy update; the SII stackdiff output is
too long to include here (Appendix G has the full difference, and Appendix C has the full SII output).
A few examples of the differences detected:
The SELinux policy update changed the domain of the Boolean mount_anyfile from
automount_t to mount_t; this was reflected in the hash change and was detected.
Figure 17 - Results from SII detection from domain change to Boolean mount_anyfile
The targeted policy update touched many items. The test scenarios, however,
revolved around the following services and the ability to detect any changes that might occur to them:
• httpd – The Apache web server
• sshd – The secure shell server
• ftpd – The file transfer protocol server
• smbd – The Samba file server
• Plex - A free media server
The Apache web service did see Boolean updates; for example, the Boolean that
allows Apache to use NFS (httpd_use_nfs) experienced a domain change from httpd_suexec_t to httpd_t
(Figure 18).
Figure 18 - Results from SII detection from domain change to Boolean httpd_use_nfs
File Context also underwent many changes from the policy update, with
modifications, additions and removals of file context entries. System cent1 file context
collections for both test 1 and test 2 were exported (via mongoexport to CSV) and run
through a comparison application (Beyond Compare 4.0.5), with the full report in
Appendix G. An example of a configuration change to the security context of the path
/usr/sbin/puppetd was observed in testing:
Figure 19 - Results from SII detection from context change to file context to /usr/sbin/puppetd
Fedora1, a test system that underwent the update, also showed a large number of
SELinux changes from the policy update. The full list of the differences is in Appendix
G.
Cent1b
Cent1b was a base system and did not undergo any configuration changes; the
expected result of no changes detected in the fingerprints was obtained (Figure 20).
Figure 20 - Results from SII fingerprints for cent1b
Fedora 2 was also a base system that achieved the expected results of no fingerprint
differences detected (Figure 21).
Figure 21 - Results from SII fingerprints for fedora2
The large impact of an SELinux policy update led to numerous changes to
Boolean and File Context configurations. Release notes for the update might not reveal
every possible impact; with SII in place, running the update on a
test system provided details of what changed from the current baseline. An important
part of the test was that no changes were detected on the two base systems, demonstrating
the stability of the tuple and fingerprint hashing algorithms.
Test 3: System Change - The following changes to system services were made;
specifically, security contexts were changed for a service and some of its objects, a new
unprotected service was added, and an existing service was removed, in the following sub-
tests:
3a - New unprotected service – Installation of the Plex media service.
3b - Service removed – Removal of the Samba service.
3c - Object context change – The http document root context changed from
httpd_sys_content_t to httpd_log_t.
Differences in the fingerprint hash values indicated service and file context
differences on both test systems, cent1 and fedora1. The sample results from test system
cent1 are as follows (Figure 22):
Figure 22 - Results from SII fingerprints for cent1 test 3
The “stackdiff” results for service indicated Samba (smb) present only in test 1
(baseline) and not in test 2, as a result of the service removal. SII test framework output
(Figure 23) listed Samba (smb) in test 1. Similar output was observed for the other test
system, fedora1, with Samba (smb) shown only in test 1.
Figure 23 - Results from SII test 3 removed service.
Test 3a was the addition of a new service; for this research the Plex media
server was installed on the two test systems.
Figure 24 - Results from test 3a service fingerprint and added service detection
For test 3a, the Plex media service was installed and set to run. The service
fingerprint (Figure 24) and the new service listed in the test 2 results show
“plexmediaserver” running with no SELinux context (<<none>>). An important
observation was that newly installed services that were not active went undetected; the SII
framework only detected running services.
Test 3c encompassed a domain change, from httpd_sys_content_t to httpd_log_t, on
the Apache home (/var/www); it was detected in the File Context on test systems cent1 and
fedora1. The example SII test framework output for system cent1 (Figure 25) shows
the Context from test 1 and test 2. This was detected from the hash difference during SII
analysis.
Figure 25 - Results from SII context change to File Context item /var/www(/.*)?
As with other tests, SII ran on the base systems (where no changes were done),
and no differences were detected.
Test 4: Policy Changes - A series of changes to existing SELinux policies were
made in the following sub-tests:
4a - Policy state changes – A temporary change to on for the httpd_use_nfs
Boolean and a default state change to on for the ftp_home_dir Boolean.
4b - Policy alteration – A policy created from an AVC denial message using
audit2allow.
The Boolean changes were detected in the fingerprint comparisons between the
baseline (test 3) and the update (test 4). Example SII output from system cent2 (note: SII
test numbers and test case numbers may differ):
Figure 26 - Results from SII fingerprints for cent2 test 4
Detailed differences for the two Boolean changes from sub-test 4a were detected.
Figure 27 - Results from SII for cent1 httpd_use_nfs Boolean state change
Figure 27 has the results from the difference for the httpd_use_nfs Boolean. The
state change, from off in test 1 to on in test 2, caused the tuple hash to change that was
then detected in the Boolean fingerprint hash. Figure 28 shows the detected changes to
the ftp_home_dir Boolean for both Boolean state and default to on.
Figure 28 - Results from SII for cent1 ftp_home_dir Boolean state change
audit2allow was only run on cent1, as fedora1 did not have any usable AVC denials
in the audit log file. The audit2allow change was not detected by SII in
any of the areas collected and analyzed. SII did not detect any differences on the two base
systems (fedora2 and cent1b), where no configuration changes occurred.
Relationship between Configuration Items
A feature of the SII algorithm design is to allow searching on a domain to
view all the Services, Booleans and File Context objects associated with it. The SII
framework used a loose Python search (searching with a “like” semantic). Results from
test queries with ftpd (Figure 29) and ftpd_t (Figure 30) allowed viewing of the related
Services, Booleans and File Context for the domain entered.
Figure 29 - Cent 1 Relationship search based on domain results.
Because the results were returned by a loose search in Python (similar to a SQL LIKE), file
context type/domain names differed from the ones seen in Booleans and services. This
may return results, especially from file context, that do not directly apply. A more
exact search (ftpd_t instead of ftpd) produced the same relationships between
Booleans and the vsftp service, but gave no file context results.
Figure 30 – Domain results for ftpd_t
Further work to build a translation table for File Context to the Booleans and
services is a possibility.
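The “searchrel” domain search and the loose-versus-exact behaviour described above (ftpd matching file context types such as ftpd_exec_t, while ftpd_t matches services and Booleans but no file context) can be shown in a few lines. This is an added example, not the SII framework's own code; the records are constructed, and the field names and the choice of the context's type field as the match key are assumptions.

```python
# Constructed relationship data modelled on the page's cent1 vsftpd example
# (not the dissertation's output). File context entries carry the full
# security context; the type is its third colon-separated field.
SERVICES = [
    {"Service": "vsftpd", "Domain": "ftpd_t", "Context": "system_u:system_r:ftpd_t:s0"},
    {"Service": "httpd", "Domain": "httpd_t", "Context": "system_u:system_r:httpd_t:s0"},
    {"Service": "plexmediaserver", "Domain": "<<none>>", "Context": "<<none>>"},
]
BOOLEANS = [
    {"Boolean": "ftp_home_dir", "State": "off", "Domain": "ftpd_t"},
    {"Boolean": "ftpd_use_nfs", "State": "off", "Domain": "ftpd_t"},
    {"Boolean": "httpd_use_nfs", "State": "off", "Domain": "httpd_t"},
]
FILE_CONTEXTS = [
    {"Path": "/usr/sbin/vsftpd", "Context": "system_u:object_r:ftpd_exec_t:s0"},
    {"Path": "/etc/vsftpd(/.*)?", "Context": "system_u:object_r:ftpd_etc_t:s0"},
    {"Path": "/var/ftp(/.*)?", "Context": "system_u:object_r:public_content_t:s0"},
    {"Path": "/var/www(/.*)?", "Context": "system_u:object_r:httpd_sys_content_t:s0"},
]


def context_type(context):
    """Type field of a user:role:type:level context; '<<none>>' stays as-is."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def searchrel(query, services=SERVICES, booleans=BOOLEANS,
              contexts=FILE_CONTEXTS, exact=False):
    """Services, Booleans and File Context entries related to a domain.
    Loose mode is a substring match (the page's 'like' search); exact mode
    requires the whole type/domain name to match, which drops file context
    types such as ftpd_exec_t that only share a prefix with ftpd_t."""
    def hit(name):
        return name == query if exact else query in name
    return {
        "Services": [s["Service"] for s in services if hit(s["Domain"])],
        "Booleans": [b["Boolean"] for b in booleans if hit(b["Domain"])],
        "FileContext": [c["Path"] for c in contexts
                        if hit(context_type(c["Context"]))],
    }


def unprotected_services(services=SERVICES):
    """Running services with no SELinux domain (listed as <<none>> on the page)."""
    return [s["Service"] for s in services if s["Domain"] == "<<none>>"]


if __name__ == "__main__":
    print("loose ftpd  :", searchrel("ftpd"))
    print("exact ftpd_t:", searchrel("ftpd_t", exact=True))
    print("unprotected :", unprotected_services())
```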
Results
In a comparison of the test results to the research questions, the following was
observed. Test 1 passed; verification of the initial baselines was successful.
RQ1. Did collecting the relationship of service to policy to object by domain detect
changes to services and indicate related policies and object context?
Test 2a, an update to an existing service, passed from testing.
Test 3a, a new unprotected service, passed.
Test 3b, removal of an existing service, passed.
RQ2. Did collecting the relationship of service to policy to object by domain detect
changes to policies and indicate related services and object context?
Test 4a, change to two Booleans with a temporary allow and persistent change,
both passed in testing.
Test 4b, policy creation from an AVC denial, failed during testing. The audit2allow
changes made during testing were not detected.
RQ3. Did collecting the relationship of service to policy (Boolean) to object by
domain detect changes to object context and indicate related services and policies?
Test 3c, file object context change, passed. Searching by domain allows viewing of
the relationship between services and Booleans.
RQ4. Did collecting the relationship of service to policy to object by domain detect
services not covered under any security policies?
Test 3a, a new unprotected service, passed. Services with the domain of
<<none>> were listed on the search.
Test 2b, SELinux targeted policy update, incurred a large number of changes to
Booleans and File Context. Searching on domain successfully returned the service to Boolean
to file context relationship.
Findings
SII algorithms successfully parsed configuration data and established a tuple for
each item, with a hash of the tuple to allow identification of change between tests in
realistic processing times. A fingerprint hash was successfully generated for each
configuration area of Service, Boolean, and File Context. All tuple and area hashing
completed in under 500 ms. Change detection was successful for the items
parsed. A change made using audit2allow and the addition of an inactive service did not trigger any
change detection. Possible changes to the service parsing to add inactive services may
allow such additional services to be detected. Within the scope of the test cases,
fingerprint differences were detected in 1.17 ms, and the larger stackdiff, which finds individual
differences between configuration items, completed in an average of 1325 ms.
Limitations of the Study
The base configuration data was initially pulled with a specific set of shell scripts
and parsing in the SII Python framework. Test results suggest that this may have limited the
data collected and therefore later detection.
Implications for Practice
The SII algorithms can be adapted to an automated system to run with other
integrity tools, like Tripwire, to broaden the monitoring. Security and system
administrators of Linux systems using SELinux will find value in the ability to
understand the SELinux configuration and know of any changes to it.
Implications of Study and Recommendations for Future Research
Visualization of the relationships, in aid of configuration auditing, management
and training, is an area for possible work. The possibility exists of exporting the
relationship results to a semantic substrate or cluster dendrogram as part of the
visualization, as suggested by Xu et al.: “Information visualization [8] enables users to
explore, analyze, reason, and explain abstract information by taking advantage of their
visual cognition.” (Xu, Shehab, & Ahn, 2008, p. 1).
Refinements to parsing and detection, together with visualization of the
configuration relationships between services, Booleans and the corresponding file
contexts, are further areas for work.
There is potential to code SII into the semanage (policycoreutils-python)
application or as a standalone binary. In either implementation, the fingerprint output could
be exposed through the /proc file system so that it can be leveraged by external scripts or other
tools. Another possibility is to leave SII in Python and move the database to the sqlite3
library, a lightweight database that doesn’t require a separate server process.
SII opens the door to automating the comparison of a configuration against a baseline value
set, allowing scheduled automated audits with notification triggered by any fingerprint
difference. Further research can be done to extend SII by collecting remote data
into a central security monitoring system and possibly evaluating the configuration against
current threats, for example by pulling in Metasploit information to look for security holes
against current threats.
Areas of improvement to SII that could be examined include: further testing with
audit2allow scenarios to determine whether a new policy can be detected; refining data
collection to cover all installed services, not just running ones; collecting more domain
information from the Booleans (the source and target domain); and collecting deeper SELinux
configuration, such as MLS settings, ports, and users.
Conclusion
The integrity of any security mechanism is vital, and SELinux is lacking facilities
to judge its configuration against current security goals. The algorithmic collection of service,
Boolean and file context settings to establish a baseline, detect changes and search
relationships based on SELinux domain is the core of the SELinux Integrity
Instrumentation (SII). SII algorithms were tested in a Python framework and have the
potential for deeper monitoring and automation that can be folded in with other open-
source SELinux tools like sesearch or setools. SII combats complexity to ensure the
security reference monitor “is protected: its function may not be maliciously or
accidentally modified by unauthorized forces.” (Biba, 1977, p. 7).
REFERENCES
Ahn, G.-J. J., Xu, W., & Zhang, X. (2008). Systematic policy analysis for high-assurance
services in SELinux (pp. 3–10). Presented at the Proceedings of the 2006 IEEE
Workshop on Information Assurance, IEEE.
Amthor, P., Kuhnhauser, W. E., et al. (2011). Model-based safety analysis of SELinux
security policies, 208–215.
Anand, V., Saniie, J., & Oruklu, E. (2012). Security Policy Management Process within
Six Sigma Framework. Journal of Information Security, 3(1), 49–58.
Anderson, J. P. (1972a). Computer Security Technology Planning Study. Volume 1 (No.
ESD-TR-73-51) (Vol. 1). Hanscom AFB, Bedford, MA: DTIC Document.
Anderson, J. P. (1972b). Computer Security Technology Planning Study. Volume 2.
Aris, A., & Shneiderman, B. (2007). Designing semantic substrates for visual network
exploration. Information Visualization, 6(4), 281–300.
doi:10.1057/palgrave.ivs.9500162
Bai, J., & Zhai, G. (2012). Study on analysis for SELinux security policy (pp. 1231–
1235). Presented at the Systems and Informatics (ICSAI), 2012 International
Conference on.
Bell, D. E., & La Padula, L. J. (1976). Secure computer system: Unified exposition and
multics interpretation (No. ESDTR-75-306). Technical Report ESDTR-75-306,
The Mitre Corporation (1st ed.). Bedford, MA: The Mitre Corporation.
Biba, K. J. (1977). Integrity considerations for secure computer systems (Technical
Report ESDTR-76-373) (1st ed.). Bedford, MA, USA: The Mitre Corporation.
Blanc, M., & Lalande, J. F. (2012). Improving Mandatory Access Control for HPC
Clusters. Future Generation Computer Systems.
Chen, H. (2009). Analysis of access control policies in operating systems. ProQuest
Dissertations and Theses. Purdue University, Ann Arbor.
Chen, H., Li, N., & Mao, Z. (2009). Analyzing and comparing the protection quality of
security enhanced operating systems. Presented at the Proceedings of the 16th
Annual Network & Distributed System Security Symposium.
Cheng, L., Zhang, Y., & Han, Z. (2013). Quantitatively Measure Access Control
Mechanisms across Different Operating Systems (pp. 50–59). Presented at the
Software Security and Reliability (SERE), 2013 IEEE 7th International
Conference on, IEEE. doi:10.1109/SERE.2013.12
Cheng, L., Zhang, Y., Han, Z., Deng, Y., Sun, X., & Feng, D. (2014). Evaluating and
comparing the quality of access control in different operating systems. Computers
& Security. doi:10.1016/j.cose.2014.05.001
Chew, E., Swanson, M., Stine, K. M., Bartol, N., Brown, A., & Robinson, W. (2008). SP
800-55 Rev. 1. Performance Measurement Guide for Information Security.
Cirstea, H., Moreau, P.-E., & de Oliveira, A. S. (2009). Rewrite Based Specification of
Access Control Policies. Electronic Notes in Theoretical Computer Science, 234,
37–54. doi:10.1016/j.entcs.2009.02.071
Clemente, P., Kaba, B., & Rouzaud-Cornabas, J. (2012). SPTrack: Visual Analysis of
Information Flows within SELinux Policies and Attack Logs. Active Media
Technology, 7669 2012.
Critical Control 3: Secure Configurations for Hardware and Software on Mobile Devices,
Laptops, Workstations, and Servers. (n.d.). Sans.org. Retrieved October 20, 2013, from
http://www.sans.org/critical-security-controls/control.php?id=3
Darivemula, A., Leangsuksun, C., Tikotekar, A., & Pourzandi, M. (2006). Work in
Progress: RASS Framework for a Cluster-Aware SELinux. (p. 29). Presented at
the Proceedings of the Sixth IEEE International Symposium on Cluster
Computing and the Grid Workshops (CCGRIDW'06).
doi:10.1109/CCGRID.2006.184
Department of Homeland Security. (2009, December 18). A Roadmap for Cybersecurity
Research. Retrieved November 19, 2012, from
Fang, W., Miller, B. P., & Kupsch, J. A. (2012). Automated tracing and visualization of
software security structure and properties (pp. 9–16). Presented at the Proceedings
of the Ninth International Symposium on Visualization for Cyber Security, ACM.
Gregory, M. B., & Reninger, A. S. (2009). Teaching SELinux in Introductory
Information Assurance Classes. (pp. 1–8). Presented at the Proceedings of the
42nd Hawaii International Conference on System Sciences.
doi:10.1109/HICSS.2009.419
Guttman, J. D., Herzog, A. L., Ramsdell, J. D., & Skorupka, C. W. (2005). Verifying
information flow goals in Security‐Enhanced Linux. Journal of Computer
Security, 13(1), 115–134.
Harrison, M. A., Ruzzo, W. L., & Ullman, J. D. (1976). Protection in operating systems.
Communications of the ACM.
Herman, I., Melançon, G., & Marshall, M. S. (2000). Graph visualization and navigation
in information visualization: A survey. Visualization and Computer Graphics,
IEEE Transactions on, 6(1), 24–43.
Herzog, A. L., Ramsdell, J. D., & Guttman, J. D. (2003). Information flow in operating
systems: Eager formal methods. Presented at the Proceedings of the Workshop on
Issues in the Theory of Security (WITS).
Hicks, B., Rueda, S., Clair, L. S., Jaeger, T., & McDaniel, P. (2010). A logical
specification and analysis for SELinux MLS policy (Vol. 13, p. 26). Presented at
the ACM Transactions on Information and System Security (TISSEC).
Hicks, B., Rueda, S., Jaeger, T., & McDaniel, P. (2007). Integrating SELinux with
security-typed languages. Presented at the Proceedings of the 3rd SELinux
Symposium.
Horie, T., Harada, T., & Tanaka, K. (2012). Adaptive access policy for the Linux kernel
(pp. 82–88). Presented at the Applications and the Internet, 2005. Proceedings.
The 2005 Symposium on. doi:10.1109/SAINT.2005.11
Hu, H., & Feng, D. (2008). BIFI: Architectural Support for Information Flow Integrity
Measurement (pp. 605–609). Presented at the 2008 International Conference on
Computer Science and Software Engineering, IEEE. doi:10.1109/CSSE.2008.738
Hu, L., Mayo, J., & Wallace, C. (2013). An empirical study of three access control
systems (pp. 287–291). Presented at the the 6th International Conference, New
York, New York, USA: ACM Press. doi:10.1145/2523514.2523550
IEC/ISO. (2013). ISO/IEC 27001:2013 Information technology — Security techniques
— Information security management systems — Requirements. ISO/IEC.
Information Assurance (IA) Implementation. (2003). Retrieved from
http://www.cac.mil/docs/DoDD-8500.2.pdf
Jaeger, T., Sailer, R., & Zhang, X. (2003). Analyzing integrity protection in the SELinux
example policy (Vol. 6). Presented at the Proceedings of the 12th USENIX
Security Symposium.
Kerner, S. M. (2013, April 17). NSA Building a Secure Version of OpenStack - Open
Source Software Institute. Oss-Institute.org. Retrieved June 17, 2013, from
http://www.oss-institute.org/latest-news/751-nsa-building-a-secure-version-of-
openstack
Lampson, B. W. (1973). A note on the confinement problem. Communications of the
ACM, 16(10), 613–615.
LeMay, M., Fatemieh, O., & Gunter, C. A. (2007). PolicyMorph: interactive policy
transformations for a logical attribute-based access control framework. Presented
at the SACMAT '07: Proceedings of the 12th ACM symposium on Access control
models and technologies, ACM Request Permissions.
doi:10.1145/1266840.1266874
Lepreau, J., Spencer, R., Smalley, S. D., Loscocco, P., Hibler, M., & Andersen, D.
(1999). The Flask Security Architecture: System Support for Diverse Security
Policies (pp. 11–11). Presented at the Proceedings of the 8th USENIX Security
Symposium, SECURE COMPUTING CORP SAINT PAUL MN. Retrieved from
http://dl.acm.org/citation.cfm?id=1251421.1251432
Li, Y., Carr, S., Mayo, J., Shene, C.-K., & Wang, C. (2012). DTEvisual: a visualization
system for teaching access control using Domain Type Enforcement. Journal of
Computing Sciences in Colleges, 28(1), 125–132.
List of Linux adopters. (n.d.). Wikipedia, the free encyclopedia. Retrieved June 17, 2013,
from https://en.wikipedia.org/wiki/List_of_Linux_adopters
Loscocco, P., & Smalley, S. D. (2001). Meeting critical security objectives with Security-
Enhanced Linux. Presented at the Ottawa Linux Symposium 2001.
Marouf, S., & Shehab, M. (2011). SEGrapher: Visualization-based SELinux policy
analysis (pp. 1–8). Presented at the 2011 4th Symposium on Configuration
Analytics and Automation (SAFECONFIG).
doi:10.1109/SafeConfig.2011.6111675
Mell, P., Scarfone, K., & Romanosky, S. (2007). A complete guide to the common
vulnerability scoring system version 2.0, 1–23.
National Institute of Standards and Technology, & Aroms, E. NIST Special Publication
800-53 Revision 3: Recommended Security Controls for Federal Information
Systems and Organizations (3rd ed.). U.S. Department of Commerce.
Nimbalkar, R., Patel, P., & Meshram, B. B. (2013). Advanced Linux Security. American
Journal of Engineering Research (AJER), 02(03), 07–12.
Open Web Application Security Project (OWASP). (2010, October 16). Retrieved
January 13, 2013, from http://www.owasp.org
Pan, L., Liu, N., & Zi, X. (2013). Visualization framework for inter-domain access
control policy integration. Communications, China, 10(3), 67–75.
doi:10.1109/CC.2013.6488831
Qian, Z., & Chen, Y. (2014). Fluency of visualizations: linking spatiotemporal
visualizations to improve cybersecurity visual analytics. Security Informatics,
3(1), 6. doi:10.1002/for.3980070102
Rueda Rodriguez, S. J. (2011). Methods for specifying and resolving security policy
compliance problems. ProQuest Dissertations and Theses. The Pennsylvania
State University, Ann Arbor.
Rushby, J. M. (1981). Design and verification of secure systems. Presented at the SOSP
'81: Proceedings of the eighth ACM symposium on Operating systems
principles, ACM Request Permissions. doi:10.1145/800216.806586
Sailer, R., Zhang, X., Jaeger, T., & Van Doorn, L. (2004). Design and implementation of
a TCG-based integrity measurement architecture. Presented at the Proceedings of
the 13th USENIX Security Symposium.
Saltzer, J. H., & Schroeder, M. D. (1974). The protection of information in computer
systems. Communications of the ACM, 17(7).
Sarna-Starosta, B. (2005). Constraint-based analysis of security properties. ProQuest
Dissertations and Theses. State University of New York at Stony Brook, Ann
Arbor.
Sarna-Starosta, B., & Stoller, S. D. (2004). Policy analysis for security-enhanced linux.
Presented at the Proceedings of the Workshop on Issues in the Theory of Security
(WITS).
Sasturkar, A., Yang, P., Stoller, S. D., & Ramakrishnan, C. R. (2011). Policy analysis for
Administrative Role-Based Access Control. Theoretical Computer Science,
412(44), 6208–6234. doi:10.1016/j.tcs.2011.05.009
Schreuders, Z. C., McGill, T. J., & Payne, C. (2012). Towards usable application-
oriented access controls: qualitative results from a usability study of SELinux,
AppArmor and FBAC-LSM. International Journal of Information Security and
Privacy, 6(1), 57–76.
Schreuders, Z. C., McGill, T., & Payne, C. (2011). Empowering End Users to Confine
Their Own Applications: The Results of a Usability Study Comparing SELinux,
AppArmor, and FBAC-LSM. ACM Transactions on Information and System
Security, 14(2), 1–28. doi:10.1145/2019599.2019604
SELinux Future Work. (2009). The National Security Agency. Retrieved December 8, 2012,
from http://www.nsa.gov/research/selinux/todo.shtml
Singh, S. (2012, November 10). Automatic verification of security policy
implementations. University of Illinois at Urbana-Champaign.
Smari, W. W., Spalazzi, L., & Zemali, Y. (2013). Recent developments in high
performance computing and security: An editorial. Future Generation Computer
Systems, 29(3), 782–787. doi:10.1016/j.future.2012.08.006
Thomas, J. D. (2011). Accommodative mandatory access control. ProQuest Dissertations
and Theses. Purdue University, Ann Arbor.
Weaver, G. A., Cheh, C., Rogers, E. J., Sanders, W. H., & Gammel, D. (2013). Toward a
cyber-physical topology language: applications to NERC CIP audit. Presented at
the SEGS '13: Proceedings of the first ACM workshop on Smart energy grid
security, ACM Request Permissions. doi:10.1145/2516930.2516934
Wichers, D. (2013). The 2013 OWASP Top 10. AppSec USA 2013.
Xu, W., Shehab, M., & Ahn, G.-J. J. (2008). Visualization based policy analysis: case
study in SELinux. Presented at the SACMAT '08: Proceedings of the 13th ACM
symposium on Access control models and technologies.
Xu, W., Shehab, M., & Ahn, G.-J. J. (2012). Visualization-based policy analysis for
SELinux: framework and user study. International Journal of Information
Security, 12(3), 155–171. doi:10.1007/s10207-012-0180-7
Zhai, G., Ma, W., Tian, M., Yang, N., Liu, C., & Yang, H. (2009). Design and
implementation of a tool for analyzing SELinux secure policy (pp. 446–451).
Presented at the Proceedings of the 2nd International Conference on Interaction
Sciences: Information Technology, Culture and Human, ACM.
Zhao, C., Dong, W., Leucker, M., & Qi, Z. (2011). Security Goals Assurance Based on
Software Active Monitoring (pp. 70–79). Presented at the Secure Software
Integration and Reliability Improvement (SSIRI), 2011 Fifth International
Conference on, IEEE. doi:10.1109/SSIRI.2011.34
APPENDIX A
SII.py code

# ################################################################
# SELinux Integrity Instrumentation
# Mike Libassi
# 2015
# Code source: https://github.com/mikejl/research
# Feb2015
# - Fix to tab/space in collect function
# - Fix Boolean parsing for default
# ################################################################
# Python 2 code (md5 module, print statements, raw_input, cmp).
# Each test number gets its own MongoDB database holding the
# booleans, fcontext and service collections; fingerprints go to
# the "results" database and cProfile data to "prefdata".

# ################################################################
# Load environmental items
# ################################################################
import md5
import os, sys
import datetime
import subprocess
from pymongo import MongoClient
import timeit
import cProfile, StringIO, pstats
from tabulate import tabulate
import csv

# ################################################################
# Set Initial Vars
# ################################################################
system = "localhost"
testnum = 0
ip = "local"
client = MongoClient('localhost', 27017)
sfp = 0     # service fingerprint
cfp = 0     # file context fingerprint
pfp = 0     # policy (Boolean) fingerprint

# ################################################################
# Functions
# ################################################################

# ################################################################
# Main menu Print
# ################################################################
def printmm():
    print "##############################################"
    print " SELinux Integrity Instrumentation (SII) "
    print "##############################################"
    print "Current Test#: ", testnum, "Test System: ", system
    print "--------------------------------------------------------------------------"
    print "Main Menu"
    print "1. Enter Test #"
    print "2. Enter System Name"
    print "3. Run Collect Scripts"
    print "4. Run Parsing (boolens, service and context)"
    print "5. Run / View Finger Prints"
    print "6. Search / View Diffs"
    print "7. Search / View Relationships"
    print "8. Tools and Utilities"
    print "9. Exit"
    print "--------------------------------------------------------------------------"
    return

# ################################################################
# Fingerprint sub menu
# ################################################################
def printfbsub():
    print "Fingerprint menu"
    print "1 = Policy Finger Print"
    print "2 = FContext Finger Print"
    print "3 = Service Finger Print"
    print "4 = Save Results to dB"
    print "5 = Return to Main Menu"
    print "-------------------------"
    return

# ################################################################
# Collect Raw Data from shell scripts
# ################################################################
def collect(runanswer):
    if runanswer == "Y":
        print "Running collection scripts for system:", system, " Test#:", testnum
        # Each collect script takes the test number as $1 (see Appendix B)
        # -------------------------------------
        args = ['sudo', '/home/mike/research/boolean_collect.sh', testnum]
        str_args = [str(x) for x in args]
        bstatus = subprocess.call(str_args)
        if bstatus == 0:
            print "Boolean Collection Done"
        else:
            print "Error in shell script"
        # -------------------------------------
        args = ['sudo', '/home/mike/research/fcontext_collect.sh', testnum]
        str_args = [str(x) for x in args]
        cstatus = subprocess.call(str_args)
        if cstatus == 0:
            print "File Context Collection Done"
        else:
            print "Error in shell script"
        # -------------------------------------
        args = ['sudo', '/home/mike/research/service_collect.sh', testnum]
        str_args = [str(x) for x in args]
        sstatus = subprocess.call(str_args)
        if sstatus == 0:
            print "Service Collection Done"
        else:
            print "Error in shell script"
        print "Script Collection Done"
    else:
        print "Test NOT run"
    return

# ################################################################
# Hash Function - not using .. needs extra tuple joins
# ################################################################
#def tohash(*hashstring):
#    htuple = [''.join(x) for x in hashstring]
#    htuple2 = ''.join(htuple)
#    return(md5.new(htuple2).hexdigest())

# ################################################################
# Boolean Parse and Load
# ################################################################
def booleanparse():
    #client = MongoClient('localhost', 27017)
    #db = client.booleans
    client = MongoClient('localhost', 27017)
    dbstr = str(testnum)
    db = client[dbstr]          # one database per test number
    # paths
    path = "/home/mike/" + str(testnum) + "/boolean.txt"
    dir_name = '/home/mike/' + str(testnum) + "/"
    base_filename = 'boolean_file'
    filename_suffix = '.domain'
    for text in open(path, 'r'):
        ## Parse the boolean.txt, one "semanage boolean -ln" line:
        ##   <name>  (<state> , <default>)  <description>
        fields1 = text.split()
        fields2 = text.split(')', 1)
        #fields3 = text.split(',', 1)
        fields4 = text.rsplit('(')
        defaultb = fields4[1].split(',', 1)
        stateb = fields4[1].split(',', 1)
        Boolean = fields1[0].strip()
        Description = fields2[1].strip()
        #Default = defaultb[0].strip()   # Parsing issue: field 0 is the State
        # Added to fix parse issue
        Default2 = defaultb[1].split(',', 2)
        Default3 = Default2[0].split(')')
        Default = Default3[0].strip()
        State = stateb[0].strip()
        # <name>.domain was written by boolean_collect.sh from sesearch output
        base_filename = Boolean
        domain1 = open(os.path.join(dir_name, base_filename + filename_suffix), 'r')
        Domain = domain1.read().strip()
        domain1.close()
        tohash = Boolean + Default + State + Domain
        Hash = md5.new(tohash).hexdigest()
        docinsert = {"Sys": system, "testnum": testnum, "Boolean": Boolean,
                     "Description": Description, "Default": Default, "State": State,
                     "Hash": Hash, "Domain": Domain, "date": datetime.datetime.utcnow()}
        db.booleans.insert(docinsert)
    print "loaded into booleans: ", db.booleans.count()
    return

# ################################################################
## File context parse and load
# ################################################################
def fcontextpase():
    #client = MongoClient('localhost', 27017)
    #db = client.fcontext
    client = MongoClient('localhost', 27017)
    dbstr = str(testnum)
    db = client[dbstr]
    path = "/home/mike/" + str(testnum) + "/fcontext.txt"
    for text in open(path, 'r'):
        # "semanage fcontext -ln" line: <path regex> <file type> <context>
        # The file type may be one word ("directory") or two ("regular file")
        fields1 = text.split()
        textlen = len(fields1)
        if textlen == 3:
            fpath = fields1[0]
            ftype = fields1[1]
            ftype2 = fields1[2]
            if "<<None>>" in fields1[2]:
                fcontext = "<<None>>"
                domain = "<<None>>"
            else:
                fcontext = fields1[2]
                if "<<None>>" in fcontext:
                    domain = "<<None>>"
                else:
                    dfield = fcontext.split(":")
                    domain = dfield[2]
        elif textlen == 4:
            fpath = fields1[0]
            ftype = fields1[1]
            ftype2 = fields1[2]
            if not ":" in ftype2:
                ftype = ftype + ftype2
            if "<<None>>" in fields1[2]:
                fcontext = "<<None>>"
                domain = "<<None>>"
            else:
                fcontext = fields1[3]
                if "<<None>>" in fcontext:
                    domain = "<<None>>"
                else:
                    dfield = fcontext.split(":")
                    domain = dfield[2]
        else:
            # unexpected field count (blank line or path containing spaces): skip
            continue
        tohash = fpath + ftype + fcontext
        Hash = md5.new(tohash).hexdigest()
        docinsert = {"Sys": system, "testnum": testnum, "Path": fpath, "Type": ftype,
                     "Domain": domain, "Context": fcontext, "Hash": Hash,
                     "date": datetime.datetime.utcnow()}
        db.fcontext.insert(docinsert)
    print "loaded into fcontext: ", db.fcontext.count()
    return

# ################################################################
# Service data Parse and Load
# ################################################################
def serviceparse():
    #client = MongoClient('localhost', 27017)
    #db = client.service
    client = MongoClient('localhost', 27017)
    dbstr = str(testnum)
    db = client[dbstr]
    path = "/home/mike/" + str(testnum) + "/service.running"
    for service in open(path, 'r'):
        field1 = service.split()
        dfile1 = field1[0]              # e.g. sshd.service
        dfile2 = dfile1.split('.')
        dfile3 = dfile2[0]              # e.g. sshd
        dfile4 = dfile3 + ".info"       # "ps -ejHZ | grep <name>" output
        fpath = "/home/mike/" + str(testnum) + "/" + dfile4
        if os.path.exists(fpath):
            dfile5 = open(fpath, 'r')
            dfile6 = dfile5.read().strip()
            dfile5.close()
            if not dfile6:
                sdomain = "<<none>>"
                Context = "<<none>>"
            else:
                # first token of the ps -Z output is the process context
                context1 = dfile6.split()[0]
                con = context1.split(":")
                Context = context1
                sdomain = con[2]
                #sdomain = "<<none>>"
            service = dfile2[0]
            tohash = service + sdomain + Context
            Hash = md5.new(tohash).hexdigest()
            docinsert = {"Sys": system, "testnum": testnum, "Service": service,
                         "Domain": sdomain, "Context": Context, "Hash": Hash,
                         "date": datetime.datetime.utcnow()}
            db.service.insert(docinsert)
        else:
            print "Done"
            #sdomain = "<<none>>"
    print "loaded into service: ", db.service.count()
    return

# ################################################################
# Build fingerprints of service, policy and context
#
# Each fingerprint is a hash chain over the per-item hashes in the
# collection: fp = md5(item_hash + previous_fp), starting from "".
# ################################################################

# ################################################################
# MongoDB booleans collection
# ################################################################
def boolsfp():
    #client = MongoClient('localhost', 27017)
    #db = client.booleans
    client = MongoClient('localhost', 27017)
    dbstr = str(testnum)
    db = client[dbstr]
    global pfp
    hash1 = ""
    hash2 = ""
    # perf wrapper start (i)pr where i=function #
    bpr = cProfile.Profile()
    bpr.enable()  #start
    # Finger Print Hash Algorithm
    # sort? db.booleans.find({},{"Hash": 1}).sort(["Boolean"])
    for item in db.booleans.find({}, {"Hash": 1}):
        hash1 = item['Hash']
        tohash = hash1 + hash2
        pfp = md5.new(tohash).hexdigest()
        hash2 = pfp
    bpr.disable()  #stop
    boolcount = db.booleans.find().count()
    s = StringIO.StringIO()
    sortby = 'calls'
    ps = pstats.Stats(bpr, stream=s).sort_stats(sortby).strip_dirs()
    ps.print_stats()
    bfpPerfs = s.getvalue()
    print "***************************************************"
    print "Policy Finger Print: ", pfp
    print "Item Count: ", boolcount
    print "***************************************************"
    # Store results to dB ########
    # note the xxxPerfs is a type <str>
    bfpPerfs1 = bfpPerfs.lstrip()
    perfline = bfpPerfs1.splitlines()
    smry = perfline[0]
    function_name = sys._getframe().f_code.co_name
    outFileName = system + "-" + function_name + "-" + "test" + str(testnum) + ".csv"
    with open(outFileName, "wb") as f:
        writer = csv.writer(f, delimiter=',', quotechar='|')
        for line in perfline:
            linepart = line.split()
            writer.writerow(linepart)
    # raw file
    outProfileName = system + "-" + function_name + "-" + "test" + str(testnum) + ".profile"
    ps.dump_stats(outProfileName)
    # Db
    db = client.prefdata
    print "Store cProfile results to perfdata dB?"
    YN = raw_input("Y/N: ")
    if YN == "Y":
        docinsert = {"Sys": system, "Testnum": testnum, "Function": function_name,
                     "Perfdata": bfpPerfs, "Perfsmry": smry, "Count": boolcount,
                     "Date": datetime.datetime.utcnow()}
        print "Saving..."
        db.prefdata.insert(docinsert)
    # perf wrapper end #
    printfbsub()
    return

# ################################################################
# fContext collection
# ################################################################
def fcontextfp():
    #client = MongoClient('localhost', 27017)
    #db = client.fcontext
    client = MongoClient('localhost', 27017)
    dbstr = str(testnum)
    db = client[dbstr]
    global cfp
    hash1 = ""
    hash2 = ""
    # perf wrapper start (i)pr where i=function #
    fcpr = cProfile.Profile()
    fcpr.enable()  #start
    # Finger Print Hash Algorithm
    for item in db.fcontext.find({}, {"Hash": 1}):
        hash1 = item['Hash']
        tohash = hash1 + hash2
        cfp = md5.new(tohash).hexdigest()
        hash2 = cfp
    fcpr.disable()  #stop
    fcontextcount = db.fcontext.find().count()
    s = StringIO.StringIO()
    sortby = 'calls'
    ps = pstats.Stats(fcpr, stream=s).sort_stats(sortby).strip_dirs()
    ps.print_stats()
    fcfpPerfs = s.getvalue()
    print "***************************************************"
    print "FContext Finger Print: ", cfp
    print "Item Count: ", fcontextcount
    print "***************************************************"
    # Store results to dB ########
    # note the xxxPerfs is a type <str>
    # File Output
    fcfpPerfs1 = fcfpPerfs.lstrip()
    perfline = fcfpPerfs1.splitlines()
    smry = perfline[0]
    function_name = sys._getframe().f_code.co_name
    outFileName = system + "-" + function_name + "-" + "test" + str(testnum) + ".csv"
    with open(outFileName, "wb") as f:
        writer = csv.writer(f, delimiter=',', quotechar='|')
        for line in perfline:
            linepart = line.split()
            writer.writerow(linepart)
    # raw file
    outProfileName = system + "-" + function_name + "-" + "test" + str(testnum) + ".profile"
    ps.dump_stats(outProfileName)
    # DB Input
    db = client.prefdata
    print "Store cProfile results to perfdata dB?"
    YN = raw_input("Y/N: ")
    if YN == "Y":
        docinsert = {"Sys": system, "Testnum": testnum, "Function": function_name,
                     "Count": fcontextcount, "Perfdata": fcfpPerfs, "Perfsmry": smry,
                     "Date": datetime.datetime.utcnow()}
        print "Saving..."
        db.prefdata.insert(docinsert)
    # perf wrapper end #
    printfbsub()
    return

# ################################################################
# service collection
# ################################################################
def servicefp():
    client = MongoClient('localhost', 27017)
    dbstr = str(testnum)
    db = client[dbstr]
    global sfp
    hash1 = ""
    hash2 = ""
    # perf wrapper start (i)pr where i=function #
    spr = cProfile.Profile()
    spr.enable()  #start
    # Finger Print Hash Algorithm
    for item in db.service.find({}, {"Hash": 1}):
        hash1 = item['Hash']
        tohash = hash1 + hash2
        sfp = md5.new(tohash).hexdigest()
        hash2 = sfp
    spr.disable()  #stop
    servicefpcount = db.service.find().count()
    s = StringIO.StringIO()
    sortby = 'calls'
    ps = pstats.Stats(spr, stream=s).sort_stats(sortby).strip_dirs()
    ps.print_stats()
    sfpPerfs = s.getvalue()
    print "***************************************************"
    print "Service Finger Print: ", sfp
    print "Item Count: ", servicefpcount
    print "***************************************************"
    # Store results to dB ########
    # note the xxxPerfs is a type <str>
    sfpPerfs1 = sfpPerfs.lstrip()
    perfline = sfpPerfs1.splitlines()
    smry = perfline[0]
    function_name = sys._getframe().f_code.co_name
    outFileName = system + "-" + function_name + "-" + "test" + str(testnum) + ".csv"
    with open(outFileName, "wb") as f:
        writer = csv.writer(f, delimiter=',', quotechar='|')
        for line in perfline:
            linepart = line.split()
            writer.writerow(linepart)
    # raw file
    outProfileName = system + "-" + function_name + "-" + "test" + str(testnum) + ".profile"
    ps.dump_stats(outProfileName)
    # Db
    db = client.prefdata
    print "Store cProfile results to perfdata dB?"
    YN = raw_input("Y/N: ")
    if YN == "Y":
        docinsert = {"Sys": system, "Testnum": testnum, "Function": function_name,
                     "Count": servicefpcount, "Perfdata": sfpPerfs, "Perfsmry": smry,
                     "Date": datetime.datetime.utcnow()}
        print "Saving..."
        db.prefdata.insert(docinsert)
    # perf wrapper end #
    printfbsub()
    return

# ################################################################
# Save data to results table
# ################################################################
def saveres():
    client = MongoClient('localhost', 27017)
    db = client.results
    print "Enter test results for: ", system, "Test: ", testnum
    print "Current FPs. ServiceFP:", sfp, " PolicyFP:", pfp, " ContextFP:", cfp
    dbYN = raw_input("Y/N: ")
    if dbYN == "Y":
        docinsert = {"Sys": system, "testnum": testnum, "serviceFP": sfp,
                     "booleanFP": pfp, "contextFP": cfp,
                     "date": datetime.datetime.utcnow()}
        print "Saving...", docinsert
        db.results.insert(docinsert)
    printfbsub()
    return

# ################################################################
# Fingerprint submenu
# ################################################################
def fpsub():
    #os.system('clear')
    printfbsub()
    while True:
        is_valid = 0
        while not is_valid:
            try:
                sel = int(raw_input('Enter your choice [1-5] : '))
                is_valid = 1  ## set it to 1 to validate input and to terminate the while..not loop
            except ValueError, e:
                print ("'%s' is not a valid integer." % e.args[0].split(": ")[1])
        if sel == 1:
            boolsfp()
            continue
        if sel == 2:
            fcontextfp()
            continue
        if sel == 3:
            servicefp()
            continue
        if sel == 4:
            saveres()
        elif sel == 5:
            return()
    return()

# ################################################################
# Set Test Number
# ################################################################
def settestnum():
    global testnum
    print "Current test # is: ", testnum
    print "Enter Test Number"
    testnum = raw_input("test: ")
    if not testnum:
        raise ValueError('empty string')
    print "Test Number set at: ", testnum
    return(testnum)

# ################################################################
# Set system name
# ################################################################
def setsysname():
    global system
    print "Current System Name: ", system
    print "Enter New System Name or Q to keep"
    name = raw_input("Name: ")
    if name == "Q":
        print "Keeping current name"
        return
    system = name
    print "Test system name set at: ", system
    return(system)

# ################################################################
# Run collect scripts
# ################################################################
def runscripts():
    print "Run input scripts"
    runanswer = raw_input("Y or N: ")
    if not runanswer:
        raise ValueError('empty string')
    if runanswer == "Y":
        collect(runanswer)
    return

# ################################################################
# Run parsing
# ################################################################
def runsparse():
    print "Select Parse to Run"
    print "1. Service"
    print "2. Boolean"
    print "3. File Context"
    print "4. Back to Main"
    while True:
        sel = raw_input("Selection: ")
        if sel == "1":
            serviceparse()
            continue
        elif sel == "2":
            booleanparse()
            continue
        elif sel == "3":
            fcontextpase()
            continue
        elif sel == "4":
            print "Bye"
            break
    return

# ################################################################
# Search Relationships
# ################################################################
def searchrel():
    #client = MongoClient('localhost', 27017)
    client = MongoClient('localhost', 27017)
    dbstr = str(testnum)
    db = client[dbstr]
    # Service
    #db = client.service
    serviceres = list(db.service.find({}, {"Service": 1, "Domain": 1, "Context": 1, "_id": 0}))
    distinctsvc = list(db.service.distinct('Domain'))
    # Policy
    #db = client.booleans
    boolres = list(db.booleans.find({}, {"Boolean": 1, "Domain": 1, "State": 1,
                                         "Default": 1, "Description": 1, "_id": 0}))
    distinctbols = list(db.booleans.distinct('Domain'))
    # File Context
    #db = client.fcontext
    contextres = list(db.fcontext.find({}, {"Path": 1, "Domain": 1, "Context": 1,
                                            "Type": 1, "_id": 0}))
    distinctfc = list(db.fcontext.distinct('Domain'))
    print "------------------------------------------------------------------------------------"
    print "Current Domains for test: ", testnum
    print "------------------------------------------------------------------------------------"
    print "Services Domains Found:"
    for item in distinctsvc:
        print item
    #print "----------"
    #print "Booleans:"
    #for item in distinctbols:
    #    print item
    #print "----------"
    #print "File Context:"
    #for item in distinctfc:
    #    print item
    print "------------------------------------------------------------------------------------"
    print "Enter domain to search for"
    dsel = raw_input("Domain: ")
    # Print Results (substring match on the Domain field)
    print " "
    print "------------------------------------------------------------------------------------"
    print "Services:"
    print "------------------------------------------------------------------------------------"
    svc_matches = [svc for svc in serviceres if dsel in str(svc['Domain'])]
    print tabulate(svc_matches, headers="keys", tablefmt="pipe")
    print " "
    print "------------------------------------------------------------------------------------"
    print "Booleans:"
    print "------------------------------------------------------------------------------------"
    bol_matches = [bol for bol in boolres if dsel in str(bol['Domain'])]
    print tabulate(bol_matches, headers="keys", tablefmt="pipe")
    print " "
    print "------------------------------------------------------------------------------------"
    print "File Contexts:"
    print "------------------------------------------------------------------------------------"
    fc_matches = [fc for fc in contextres if dsel in str(fc['Domain'])]
    print tabulate(fc_matches, headers="keys", tablefmt="pipe")
    print "------------------------------------------------------------------------------------"
    return

# ################################################################
# Diff Functions
# ################################################################
def stackdiff():
    # test1 and test2 are module globals set by diffs()
    client = MongoClient('localhost', 27017)
    # perf wrapper start (i)pr where i=function #
    stackpr = cProfile.Profile()
    stackpr.enable()  #start
    #test set 1 data
    db = client[str(test1)]
    # Service
    t1svcStack = list(db.service.find({}, {"Service": 1, "Sys": 1, "Context": 1, "Hash": 1}).sort("Service"))
    # Policy
    t1bolStack = list(db.booleans.find({}, {"Boolean": 1, "Domain": 1, "State": 1,
                                            "Default": 1, "Hash": 1}).sort("Boolean"))
    # File Context
    t1fcStack = list(db.fcontext.find({}, {"testnum": 1, "Sys": 1, "Context": 1,
                                           "Path": 1, "Hash": 1}).sort("Path"))
    # Test set 2 data
    db = client[str(test2)]
    # Service
    t2svcStack = list(db.service.find({}, {"Service": 1, "Sys": 1, "Context": 1, "Hash": 1}).sort("Service"))
    # Policy
    t2bolStack = list(db.booleans.find({}, {"Boolean": 1, "Domain": 1, "State": 1,
                                            "Default": 1, "Hash": 1}).sort("Boolean"))
    # File Context
    t2fcStack = list(db.fcontext.find({}, {"testnum": 1, "Sys": 1, "Context": 1,
                                           "Path": 1, "Hash": 1}).sort("Path"))
    #Check for diffs in Service / Policy / File Context
    # Get count for each stack
    t1fclength = len(t1fcStack)
    t2fclength = len(t2fcStack)
    t1svclength = len(t1svcStack)
    t2svclength = len(t2svcStack)
    t1bollength = len(t1bolStack)
    t2bollength = len(t2bolStack)
    # Build dict objects for each test(1 AND 2): name -> item hash
    # Service
    test1svc_dic = {}
    for line1 in t1svcStack:
        svcname = line1.get("Service")
        svchash = line1.get("Hash")
        test1svc_dic[svcname] = svchash
    test2svc_dic = {}
    for line1 in t2svcStack:
        svcname = line1.get("Service")
        svchash = line1.get("Hash")
        test2svc_dic[svcname] = svchash
    # Booleans
    test1bol_dic = {}
    for line1 in t1bolStack:
        bolname = line1.get("Boolean")
        bolhash = line1.get("Hash")
        test1bol_dic[bolname] = bolhash
    test2bol_dic = {}
    for line1 in t2bolStack:
        bolname = line1.get("Boolean")
        bolhash = line1.get("Hash")
        test2bol_dic[bolname] = bolhash
    # fcontext
    test1fc_dic = {}
    for line1 in t1fcStack:
        fcpath = line1.get("Path")
        fchash = line1.get("Hash")
        test1fc_dic[fcpath] = fchash
    test2fc_dic = {}
    for line1 in t2fcStack:
        fcpath = line1.get("Path")
        fchash = line1.get("Hash")
        test2fc_dic[fcpath] = fchash
    # Service Checks
    # symmetric difference of (name, hash) pairs: anything changed, added or removed
    print "########## Service Compare Test 1 to Test 2 ##########"
    svcdiff = test1svc_dic.viewitems() ^ test2svc_dic.viewitems()
    #print tabulate(svcdiff)
    for diffitem in svcdiff:
        dname = diffitem[1]
        for xitem in t1svcStack:
            if xitem["Hash"] == dname:
                print "-------------------------- Test 1--------------------------"
                outitemsx = xitem.items()
                print tabulate(outitemsx, tablefmt="grid")
        for yitem in t2svcStack:
            if yitem["Hash"] == dname:
                print "-------------------------- Test 2 --------------------------"
                outitemsy = yitem.items()
                print tabulate(outitemsy, tablefmt="grid")
        print "---------------------------------------------------------------------"
    if t1svclength != t2svclength:
        print "Service Count difference"
        print "Set1:", t1svclength, " vs ", t2svclength
        for k, v in test1svc_dic.iteritems():
            if k not in list(test2svc_dic.keys()):
                print "Not in test2 service:"
                print k, v
    else:
        print "Both Service tests have same count of:", t1svclength
    print "---------------------------------------------------------------------"
    # Boolean checks
    print "########## Boolean Compare Test 1 to Test 2 ##########"
    boldiff = test1bol_dic.viewitems() ^ test2bol_dic.viewitems()
    #print tabulate(boldiff)
    for diffitem in boldiff:
        dname = diffitem[1]
        for xitem in t1bolStack:
            if xitem["Hash"] == dname:
                print "-------------------------- Test 1--------------------------"
                outitemsx = xitem.items()
                print tabulate(outitemsx, tablefmt="grid")
        for yitem in t2bolStack:
            if yitem["Hash"] == dname:
                print "-------------------------- Test 2 --------------------------"
                outitemsy = yitem.items()
                print tabulate(outitemsy, tablefmt="grid")
        print "---------------------------------------------------------------------"
    if t1bollength != t2bollength:
        print "Boolean Service Count difference"
        print "Set1:", t1bollength, " vs ", t2bollength
        for k, v in test1bol_dic.iteritems():
            if k not in list(test2bol_dic.keys()):
                print "Not in test2 booleans:"
                print k, v
    else:
        print "Both Boolean Sets Same Count of:", t1bollength
    print "---------------------------------------------------------------------"
    # File Context checks
    print "########## File Context Compare Test 1 to Test 2 ##########"
    fcdiff = test1fc_dic.viewitems() ^ test2fc_dic.viewitems()
    #print tabulate(fcdiff)
    for diffitem in fcdiff:
        dname = diffitem[1]
        for xitem in t1fcStack:
            if xitem["Hash"] == dname:
                print "-------------------------- Test 1--------------------------"
                outitemsx = xitem.items()
                print tabulate(outitemsx, tablefmt="grid")
        for yitem in t2fcStack:
            if yitem["Hash"] == dname:
                print "-------------------------- Test 2 --------------------------"
                outitemsy = yitem.items()
                print tabulate(outitemsy, tablefmt="grid")
        print "---------------------------------------------------------------------"
    if t1fclength != t2fclength:
        print "Fcontext Count difference"
        print "Set1:", t1fclength, " vs ", t2fclength
        for k, v in test1fc_dic.iteritems():
            if k not in list(test2fc_dic.keys()):
                print "Not in test2:"
                print k, v
    else:
        print "Both File Context test have same count of", t1fclength
    print "---------------------------------------------------------------------"
    stackpr.disable()  #stop
    s = StringIO.StringIO()
    sortby = 'calls'
    ps = pstats.Stats(stackpr, stream=s).sort_stats(sortby).strip_dirs()
    ps.print_stats()
    stackDiffPerfs = s.getvalue()
    # Store results to dB ########
    stackDiffPerfs1 = stackDiffPerfs.lstrip()
    perfline = stackDiffPerfs1.splitlines()
    smry = perfline[0]
    function_name = sys._getframe().f_code.co_name
    outFileName = system + "-" + function_name + "-" + "test" + str(testnum) + ".csv"
    with open(outFileName, "wb") as f:
        writer = csv.writer(f, delimiter=',', quotechar='|')
        for line in perfline:
            linepart = line.split()
            writer.writerow(linepart)
    # raw file
    outProfileName = system + "-" + function_name + "-" + "test" + str(testnum) + ".profile"
    ps.dump_stats(outProfileName)
    # Db
    db = client.prefdata
    print "Store cProfile results to perfdata dB?"
    YN = raw_input("Y/N: ")
    if YN == "Y":
        docinsert = {"Sys": system, "Testnum": testnum, "Function": function_name,
                     "Count": 0, "Perfdata": stackDiffPerfs, "Perfsmry": smry,
                     "Date": datetime.datetime.utcnow()}
        print "Saving..."
        db.prefdata.insert(docinsert)
    # perf wrapper end #
    return

# ################################################################
# FP Diffs. Test main fingerprints for two tests.
# ################################################################
def diffs():
    global test1
    global test2
    # Get test1 and test 2 from input #
    print "Enter test # for test1"
    test1 = raw_input("Test1:")
    print "Enter test # for test2"
    test2 = raw_input("Test2:")
    print "Running main diffs for finger prints on test:", test1, " vs test:", test2
    # Connect to results
    client = MongoClient('localhost', 27017)
    db = client.results
    # perf wrapper start (i)pr where i=function #
    diffpr = cProfile.Profile()
    diffpr.enable()  #start
    # Pull testresults data
    testres = list(db.results.find({}, {"testnum": 1, "contextFP": 1, "serviceFP": 1,
                                        "booleanFP": 1, "_id": 0}))
    # substring match on the stored test number
    resSet1 = [res for res in testres if test1 in str(res['testnum'])]
    resSet2 = [res for res in testres if test2 in str(res['testnum'])]
    # Main diff between both tests
    maindiff = cmp(resSet1, resSet2)
    #Extract fingerprints
    t1sfp = resSet1[0].get("serviceFP")
    t1bfp = resSet1[0].get("booleanFP")
    t1cfp = resSet1[0].get("contextFP")
    t2sfp = resSet2[0].get("serviceFP")
    t2bfp = resSet2[0].get("booleanFP")
    t2cfp = resSet2[0].get("contextFP")
    if maindiff != 0:
        sfpdiff = cmp(t1sfp, t2sfp)
        if sfpdiff != 0:
            print "************ Service FP DIFF!!"
            print "Run SPF stack diff"
        else:
            print "NO SPF Diff"
        bfpdiff = cmp(t1bfp, t2bfp)
        if bfpdiff != 0:
            print "************ Boolean FP DIFF!!"
            print "Run BPF stack diff"
        else:
            print "NO BFP Diff"
        cfpdiff = cmp(t1cfp, t2cfp)
        if cfpdiff != 0:
            print "************ File Context FP DIFF!!"
            print "Run CFP stack diff?"
        else:
            print "NO CFP Diff"
    else:
        print "NO DIFFs"
    diffpr.disable()  #stop
    s = StringIO.StringIO()
    sortby = 'calls'
    ps = pstats.Stats(diffpr, stream=s).sort_stats(sortby).strip_dirs()
    ps.print_stats()
    DiffPerfs = s.getvalue()
    print "#####################################################"
    print "Finger Prints"
    print "#####################################################"
    print "Test 1"
    print tabulate(resSet1, headers="keys", tablefmt="pipe")
    print "Test 2"
    print tabulate(resSet2, headers="keys", tablefmt="pipe")
    print ""
    print "#####################################################"
    DiffPerfs1 = DiffPerfs.lstrip()
    perfline = DiffPerfs1.splitlines()
    smry = perfline[0]
    function_name = sys._getframe().f_code.co_name
    outFileName = system + "-" + function_name + "-" + "test" + str(testnum) + ".csv"
    with open(outFileName, "wb") as f:
        writer = csv.writer(f, delimiter=',', quotechar='|')
        for line in perfline:
            linepart = line.split()
            writer.writerow(linepart)
    # raw file
    outProfileName = system + "-" + function_name + "-" + "test" + str(testnum) + ".profile"
    ps.dump_stats(outProfileName)
    # Db
    db = client.prefdata
    print "Store cProfile results to perfdata dB?"
    YN = raw_input("Y/N: ")
    if YN == "Y":
        docinsert = {"Sys": system, "Testnum": testnum, "Function": function_name,
                     "Count": 0, "Perfdata": DiffPerfs, "Perfsmry": smry,
                     "Date": datetime.datetime.utcnow()}
        print "Saving..."
        db.prefdata.insert(docinsert)
    print "Run Hash Stack Analysis?"
    runanswer = raw_input("Y or N: ")
    if not runanswer:
        raise ValueError('empty string')
    if runanswer == "Y":
        stackdiff()
    return

# ################################################################
# Tools - sub menu (put in items like clear db, backup results, etc)
# ################################################################
#TODO
def tools():
    print "Tools menu - TODO"
    print "1. Export Results as CSV"
    print "2. Backup full dB"
    print "3. Clear DB!!"
    print "4. Return to Main"
    while True:
        sel = raw_input("Selection: ")
        if sel == "1":
            print "CSV export for test:", testnum
            # The export command lines below are built from the interactive
            # test number and system name and run through the shell
            # (shell=True), so those values must stay plain identifiers.
            #subprocess.call(['mongoexport --host localhost -d service -c service --csv -f "Sys,Service,Domain,Hash,date" > service.csv'], shell=True)
            soutcsvfile = system + "-" + "service" + "-" + "test" + str(testnum) + ".csv"
            svcexprt = ('mongoexport --host localhost -d ' + str(testnum) +
                        ' -c service --csv -f "Service,Domain,Hash,date" > ' + soutcsvfile)
            subprocess.call([svcexprt], shell=True)
            #subprocess.call(['mongoexport --host localhost -d booleans -c booleans --csv -f "Boolean,Description,Default,State,Hash,date" > boolean.csv'], shell=True)
            boutcsvfile = system + "-" + "booleans" + "-" + "test" + str(testnum) + ".csv"
            bolexprt = ('mongoexport --host localhost -d ' + str(testnum) +
                        ' -c booleans --csv -f "Boolean,Description,Default,State,Hash,date" > ' + boutcsvfile)
            subprocess.call([bolexprt], shell=True)
            #subprocess.call(['mongoexport --host localhost -d fcontext -c fcontext --csv -f "Path,Type,Context,Hash,date" > fcontext.csv'], shell=True)
            fcoutcsvfile = system + "-" + "fcontext" + "-" + "test" + str(testnum) + ".csv"
            fcexprt = ('mongoexport --host localhost -d ' + str(testnum) +
                       ' -c fcontext --csv -f "Path,Type,Context,Hash,date" > ' + fcoutcsvfile)
            subprocess.call([fcexprt], shell=True)
            #prefdata
            pdoutcsvfile = system + "-" + "prefdata" + "-" + "test" + str(testnum) + ".csv"
            pdexprt = ('mongoexport --host localhost -d prefdata' +
                       ' -c prefdata --csv -f "Function,Count,Perfsmry,Testnum,Date" > ' + pdoutcsvfile)
            subprocess.call([pdexprt], shell=True)
            #results
            routcsvfile = system + "-" + "results" + "-" + "test" + str(testnum) + ".csv"
            rexprt = ('mongoexport --host localhost -d results' +
                      ' -c results --csv -f "contextFP,serviceFP,booleanFP,testnum,date" > ' + routcsvfile)
            subprocess.call([rexprt], shell=True)
            continue
        elif sel == "2":
            print "run mongodump -o <hostname>"
            args = ['mongodump', '-o', system]
            str_args = [str(x) for x in args]
            dbexprt = subprocess.call(str_args)
            if dbexprt == 0:
                print "Mongodump Done"
            else:
                print "Error"
            continue
        elif sel == "3":
            print "Clear db"
            continue
        elif sel == "4":
            print "..."
            break
    return

# ################################################################
# Main menu
# ################################################################
#1. Enter Test #
#2. Enter System name
#3. Run Collect Scripts
#4. Run parsing (boolens, service and context) sub-menu
#5. Run / view finger prints
#6. Run / View Diffs
#7. Search / View Relationships
#8. Tools
#9. Exit
# ################################################################
def main():
    while True:
        printmm()
        is_valid = 0
        while not is_valid:
            try:
                sel = int(raw_input('Enter your choice [1-9] : '))
                is_valid = 1  ## set it to 1 to validate input and to terminate the while..not loop
            except ValueError, e:
                print ("'%s' is not a valid integer." % e.args[0].split(": ")[1])
        if sel == 1:
            settestnum()
            continue
        elif sel == 2:
            setsysname()
            continue
        elif sel == 3:
            runscripts()
            continue
        elif sel == 4:
            runsparse()
            continue
        elif sel == 5:
            fpsub()
            continue
        elif sel == 6:
            diffs()
            continue
        elif sel == 7:
            searchrel()
            continue
        elif sel == 8:
            tools()
            continue
        elif sel == 9:
            print "Bye"
            break
        else:
            print "bad entry .. try again"
            continue

# ################################################################
# MAIN
# ################################################################
if __name__ == "__main__":
    main()
# ################################################################
# END OF CODE
# ################################################################
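The parse, hash, chain and diff steps that booleanparse, boolsfp and stackdiff implement above, as an added Python 3 example that is not part of the dissertation's code: it runs on constructed semanage boolean -ln lines and a constructed name-to-domain map in place of the MongoDB collections and the sesearch-derived .domain files, and it chains the item hashes in sorted Boolean-name order (the sort SII leaves as a comment) so that the fingerprint does not depend on collection insertion order.

```python
"""Snapshot, fingerprint and diff of SELinux Booleans in the SII style."""
import hashlib
import re

# Constructed sample lines in the format "semanage boolean -ln" prints:
#   <name>  (<state> , <default>)  <description>
HTTPD_OFF = ("httpd_can_network_connect      (off  ,  off)  "
             "Allow HTTPD scripts and modules to connect to the network using TCP.")
HTTPD_ON = HTTPD_OFF.replace("(off  ,", "(on   ,")
BASELINE = "\n".join([
    "abrt_anon_write                (off  ,  off)  Allow ABRT to modify public files.",
    HTTPD_OFF,
    "ssh_sysadm_login               (off  ,  off)  Allow sshd logins as sysadm_r:sysadm_t",
]) + "\n"
# Second constructed snapshot: one Boolean was switched on after the baseline.
SNAPSHOT = BASELINE.replace(HTTPD_OFF, HTTPD_ON)

# Constructed stand-in for the <boolean>.domain files boolean_collect.sh writes.
DOMAINS = {"abrt_anon_write": "abrt_t",
           "httpd_can_network_connect": "httpd_t",
           "ssh_sysadm_login": "sshd_t"}

# name, state, default, description; the regex replaces SII's split() chain
LINE_RE = re.compile(r"^(\S+)\s+\((\w+)\s*,\s*(\w+)\)\s*(.*)$")


def parse_booleans(text):
    """Return {name: (state, default, description)}; malformed lines are skipped."""
    parsed = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        name, state, default, desc = m.groups()
        parsed[name] = (state, default, desc)
    return parsed


def item_hash(name, state, default, domain):
    """Per-item hash over the fields SII concatenates: Boolean+Default+State+Domain.
    md5 is used to mirror SII; any hashlib digest works the same way here."""
    return hashlib.md5((name + default + state + domain).encode()).hexdigest()


def item_hashes(text, domains):
    """Map each Boolean to its item hash; a missing domain is recorded as <<None>>."""
    return {name: item_hash(name, st, df, domains.get(name, "<<None>>"))
            for name, (st, df, _desc) in parse_booleans(text).items()}


def fingerprint(hashes):
    """Chain the item hashes into one fingerprint: fp_i = md5(h_i + fp_{i-1}), fp_0 = "".
    Chaining in sorted name order makes the result independent of input order."""
    fp = ""
    for name in sorted(hashes):
        fp = hashlib.md5((hashes[name] + fp).encode()).hexdigest()
    return fp


def diff_snapshots(base, snap):
    """Symmetric difference of (name, hash) pairs, as SII's stackdiff computes it,
    classified into Booleans that changed, appeared, or disappeared."""
    names = {n for n, _h in set(base.items()) ^ set(snap.items())}
    return {
        "changed": sorted(n for n in names if n in base and n in snap),
        "added": sorted(n for n in names if n not in base),
        "removed": sorted(n for n in names if n not in snap),
    }


if __name__ == "__main__":
    base = item_hashes(BASELINE, DOMAINS)
    snap = item_hashes(SNAPSHOT, DOMAINS)
    print("baseline fingerprint:", fingerprint(base))
    print("snapshot fingerprint:", fingerprint(snap))
    print("differences:", diff_snapshots(base, snap))
```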
APPENDIX B
External Shell Scripts called from SII.py
boolean_collect.sh
#!/bin/bash
#Pass in IPaddr
TARGET=$1
#Working Dir
cd /home/mike
if [ ! -d "$TARGET" ]; then
    mkdir $TARGET
fi
cd $TARGET
#ssh root@$TARGET "semanage boolean -ln" > boolean.txt && ssh root@$TARGET "semanage fcontext -ln" > fcontext.txt
semanage boolean -ln > boolean.txt
semanage fcontext -ln > fcontext.txt
#List of bools for host
cat boolean.txt | awk {'print $1'} > bools.list
for p in $(cat bools.list)
do
    #ssh root@$TARGET "sesearch -b $p -AC" > $p.info
    sesearch -b $p -AC > $p.info
    PD=`cat $p.info | head -2 | tail -1 | awk {'print $3'}`
    echo $PD > $p.domain
    echo $p","$PD >> boolean.dlist
done
# **** END OF CODE ****

service_collect.sh

#!/bin/bash
# look at ps Z -C <service name> or ps Z -p <pid>
TARGET=$1
cd /home/mike
if [ ! -d "$TARGET" ]; then
    mkdir $TARGET
fi
cd $TARGET
#ssh root@$TARGET "systemctl --type=service --no-legend" > service.txt
systemctl --type=service --no-legend > service.txt
# Chkconfig not needed with systemd may need it for SysVinit
#ssh root@$TARGET "chkconfig --list" > chkconfig.txt
#ssh root@$TARGET "ps -efZ" > psZ.txt
ps -efZ > psZ.txt
# this cuts off some of the information. Use psZ and service.txt
#ssh root@$TARGET "ps axo pid,fname,context" > psaxo.txt
cat service.txt | awk {'print $1'} > service.names
cat service.txt | grep "running" | awk {'print $1'} > service.running
cut -d. -f1 service.running > service.psnames
for s in $(cat service.psnames)
do
    #ssh root@$TARGET "ps -ejHZ | grep $s" > $s.info
    ps -ejHZ | grep $s > $s.info
    #ssh root@$TARGET "ps Z -C $s" > $s.info2
    ps Z -C $s > $s.info2
done
# **** END OF CODE ****

fcontext_collect.sh

#!/bin/bash
TARGET=$1
cd /home/mike
if [ ! -d "$TARGET" ]; then
    mkdir $TARGET
fi
cd $TARGET
#ssh root@$TARGET "semanage fcontext -ln" > fcontext.org
semanage fcontext -ln > fcontext.org
cat fcontext.org | grep -v "=" > fcontext.txt
# **** END OF CODE ****
APPENDIX C
SII.py full output from second round of testing on system cent1b.

##############################################
SELinux Integrity Instrumentation (SII)
##############################################
Current Test#: 0 Test System: localhost
--------------------------------------------------------------------------
Main Menu
1. Enter Test #
2. Enter System Name
3. Run Collect Scripts
4. Run Parsing (boolens, service and context)
5. Run / View Finger Prints
6. Search / View Diffs
7. Search / View Relationships
8. Tools and Utilities
9. Exit
--------------------------------------------------------------------------
Enter your choice [1-9] : 1
Current test # is: 0
Enter Test Number test: 2
Test Number set at: 2
##############################################
SELinux Integrity Instrumentation (SII)
##############################################
Current Test#: 2 Test System: localhost
--------------------------------------------------------------------------
Main Menu
1. Enter Test #
2. Enter System Name
3. Run Collect Scripts
4. Run Parsing (boolens, service and context)
5. Run / View Finger Prints
6. Search / View Diffs
7. Search / View Relationships
8. Tools and Utilities
9. Exit
--------------------------------------------------------------------------
Enter your choice [1-9] : 2
Current System Name: localhost
Enter New System Name or Q to keep Name: cent2
Test system name set at: cent2
##############################################
SELinux Integrity Instrumentation (SII)
##############################################
Current Test#: 2 Test System: cent2
--------------------------------------------------------------------------
Main Menu
1. Enter Test #
2. Enter System Name
3. Run Collect Scripts
4. Run Parsing (boolens, service and context)
5. Run / View Finger Prints
6. Search / View Diffs
7. Search / View Relationships
8. Tools and Utilities
9. Exit
--------------------------------------------------------------------------
Enter your choice [1-9] : 3
Run input scripts Y or N: Y
Running collection scripts for system: cent2 Test#: 2
cat: write error: Broken pipe
cat: write error: Broken pipe
cat: write error: Broken pipe
cat: write error: Broken pipe
cat: write error: Broken pipe
Boolean Collection Done
File Context Collection Done
Service Collection Done
##############################################
SELinux Integrity Instrumentation (SII)
##############################################
Current Test#: 2 Test System: cent2
--------------------------------------------------------------------------
Main Menu
1. Enter Test #
2. Enter System Name
3. Run Collect Scripts
4. Run Parsing (boolens, service and context)
5. Run / View Finger Prints
6. Search / View Diffs
7. Search / View Relationships
8. Tools and Utilities
9. Exit
--------------------------------------------------------------------------
Enter your choice [1-9] : 4
Select Parse to Run
1. Service
2. Boolean
3. File Context
4. Back to Main
Selection: 1
Done loaded into service: 42
Selection: 2
loaded into booleans: 285
Selection: 3
loaded into fcontext: 5625
Selection: 4
Bye
##############################################
SELinux Integrity Instrumentation (SII)
##############################################
Current Test#: 2 Test System: cent2
--------------------------------------------------------------------------
Main Menu
1. Enter Test #
2. Enter System Name
3. Run Collect Scripts
4. Run Parsing (boolens, service and context)
5. Run / View Finger Prints
6. Search / View Diffs
7. Search / View Relationships
8. Tools and Utilities
9. Exit
--------------------------------------------------------------------------
Enter your choice [1-9] : 5
Fingerprint menu
1 = Policy Finger Print
2 = FContext Finger Print
3 = Service Finger Print
4 = Save Results to dB
5 = Return to Main Menu
-------------------------
Enter your choice [1-5] : 1
***************************************************
Policy Finger Print: 7068b6ea02cf222f57b64d3e66bd9a37 Item Count: 285
***************************************************
Store cProfile results to perfdata dB? Y/N: Y
Saving...
Fingerprint menu
1 = Policy Finger Print
2 = FContext Finger Print
3 = Service Finger Print
4 = Save Results to dB
5 = Return to Main Menu
-------------------------
Enter your choice [1-5] : 2
***************************************************
FContext Finger Print: 822fe95f4803ad021685cc5741a62a1a Item Count: 5625
***************************************************
Store cProfile results to perfdata dB? Y/N: Y
Saving...
Fingerprint menu
1 = Policy Finger Print
2 = FContext Finger Print
3 = Service Finger Print
4 = Save Results to dB
5 = Return to Main Menu
-------------------------
Enter your choice [1-5] : 3
***************************************************
Service Finger Print: c7a7aeabbb0bff18d8e7313b6669d4b5 Item Count: 42
***************************************************
Store cProfile results to perfdata dB? Y/N: Y
Saving...
Fingerprint menu
1 = Policy Finger Print
2 = FContext Finger Print
3 = Service Finger Print
4 = Save Results to dB
5 = Return to Main Menu
-------------------------
Enter your choice [1-5] : 4
Enter test results for: cent2 Test: 2
Current FPs.
ServiceFP: c7a7aeabbb0bff18d8e7313b6669d4b5
PolicyFP: 7068b6ea02cf222f57b64d3e66bd9a37
ContextFP: 822fe95f4803ad021685cc5741a62a1a
Y/N: Y
Saving...
{'contextFP': '822fe95f4803ad021685cc5741a62a1a', 'Sys': 'cent2', 'serviceFP': 'c7a7aeabbb0bff18d8e7313b6669d4b5', 'booleanFP': '7068b6ea02cf222f57b64d3e66bd9a37', 'date': datetime.datetime(2015, 2, 7, 15, 48, 29, 180670), 'testnum': '2'}
Fingerprint menu
1 = Policy Finger Print
2 = FContext Finger Print
3 = Service Finger Print
4 = Save Results to dB
5 = Return to Main Menu
-------------------------
Enter your choice [1-5] : 5
##############################################
SELinux Integrity Instrumentation (SII)
##############################################
Current Test#: 2 Test System: cent2
--------------------------------------------------------------------------
Main Menu
1. Enter Test #
2. Enter System Name
3. Run Collect Scripts
4. Run Parsing (boolens, service and context)
5. Run / View Finger Prints
6. Search / View Diffs
7. Search / View Relationships
8. Tools and Utilities
9. Exit
--------------------------------------------------------------------------
Enter your choice [1-9] : 9
Bye

…

##############################################
SELinux Integrity Instrumentation (SII)
##############################################
Current Test#: 0 Test System: localhost
--------------------------------------------------------------------------
Main Menu
1. Enter Test #
2. Enter System Name
3. Run Collect Scripts
4. Run Parsing (boolens, service and context)
5. Run / View Finger Prints
6. Search / View Diffs
7. Search / View Relationships
8. Tools and Utilities
9. Exit
--------------------------------------------------------------------------
Enter your choice [1-9] : 1
Current test # is: 0
Enter Test Number test: 3
Test Number set at: 3
##############################################
SELinux Integrity Instrumentation (SII)
##############################################
Current Test#: 3 Test System: localhost
--------------------------------------------------------------------------
Main Menu
1. Enter Test #
2. Enter System Name
3. Run Collect Scripts
4. Run Parsing (boolens, service and context)
5. Run / View Finger Prints
6. Search / View Diffs
7. Search / View Relationships
8. Tools and Utilities
9. Exit
--------------------------------------------------------------------------
Enter your choice [1-9] : 2
Current System Name: localhost
Enter New System Name or Q to keep Name: cent2
Test system name set at: cent2
##############################################
SELinux Integrity Instrumentation (SII)
##############################################
Current Test#: 3 Test System: cent2
--------------------------------------------------------------------------
Main Menu
1. Enter Test #
2. Enter System Name
3. Run Collect Scripts
4. Run Parsing (boolens, service and context)
5. Run / View Finger Prints
6. Search / View Diffs
7. Search / View Relationships
8. Tools and Utilities
9. Exit
--------------------------------------------------------------------------
Enter your choice [1-9] : 3
Run input scripts Y or N: Y
Running collection scripts for system: cent2 Test#: 3
cat: write error: Broken pipe
cat: write error: Broken pipe
cat: write error: Broken pipe
cat: write error: Broken pipe
cat: write error: Broken pipe
Boolean Collection Done
File Context Collection Done
Service Collection Done
##############################################
SELinux Integrity Instrumentation (SII)
##############################################
Current Test#: 3 Test System: cent2
--------------------------------------------------------------------------
Main Menu
1. Enter Test #
2. Enter System Name
3. Run Collect Scripts
4. Run Parsing (boolens, service and context)
5. Run / View Finger Prints
6. Search / View Diffs
7. Search / View Relationships
8. Tools and Utilities
9. Exit
--------------------------------------------------------------------------
Enter your choice [1-9] : 4
Select Parse to Run
1. Service
2. Boolean
3. File Context
4. Back to Main
Selection: 1
Done loaded into service: 43
Selection: 2
loaded into booleans: 285
Selection: 3
loaded into fcontext: 5625
Selection: 4
Bye
##############################################
SELinux Integrity Instrumentation (SII)
##############################################
Current Test#: 3 Test System: cent2
--------------------------------------------------------------------------
Main Menu
1. Enter Test #
2. Enter System Name
3. Run Collect Scripts
4. Run Parsing (boolens, service and context)
5. Run / View Finger Prints
6. Search / View Diffs
7. Search / View Relationships
8. Tools and Utilities
9. Exit
--------------------------------------------------------------------------
Enter your choice [1-9] : 5
Fingerprint menu
1 = Policy Finger Print
2 = FContext Finger Print
3 = Service Finger Print
4 = Save Results to dB
5 = Return to Main Menu
-------------------------
Enter your choice [1-5] : 1
***************************************************
Policy Finger Print: 7653dc4122f79f313551769d41a9f49a Item Count: 285
***************************************************
Store cProfile results to perfdata dB? Y/N: Y
Saving...
Fingerprint menu
1 = Policy Finger Print
2 = FContext Finger Print
3 = Service Finger Print
4 = Save Results to dB
5 = Return to Main Menu
-------------------------
Enter your choice [1-5] : 2
***************************************************
FContext Finger Print: 822fe95f4803ad021685cc5741a62a1a Item Count: 5625
***************************************************
Store cProfile results to perfdata dB? Y/N: Y
Saving...
Fingerprint menu
1 = Policy Finger Print
2 = FContext Finger Print
3 = Service Finger Print
4 = Save Results to dB
5 = Return to Main Menu
-------------------------
Enter your choice [1-5] : 3
***************************************************
Service Finger Print: e47528c7306dfe55e37ba70806187411 Item Count: 43
***************************************************
Store cProfile results to perfdata dB? Y/N: Y
Saving...
Fingerprint menu
1 = Policy Finger Print
2 = FContext Finger Print
3 = Service Finger Print
4 = Save Results to dB
5 = Return to Main Menu
-------------------------
Enter your choice [1-5] : 4
Enter test results for: cent2 Test: 3
Current FPs.
ServiceFP: e47528c7306dfe55e37ba70806187411
PolicyFP: 7653dc4122f79f313551769d41a9f49a
ContextFP: 822fe95f4803ad021685cc5741a62a1a
Y/N: Y
Saving...
{'contextFP': '822fe95f4803ad021685cc5741a62a1a', 'Sys': 'cent2', 'serviceFP': 'e47528c7306dfe55e37ba70806187411', 'booleanFP': '7653dc4122f79f313551769d41a9f49a', 'date': datetime.datetime(2015, 2, 7, 16, 0, 10, 610261), 'testnum': '3'}
Fingerprint menu
1 = Policy Finger Print
2 = FContext Finger Print
3 = Service Finger Print
4 = Save Results to dB
5 = Return to Main Menu
-------------------------
Enter your choice [1-5] : 5
##############################################
SELinux Integrity Instrumentation (SII)
##############################################
Current Test#: 3 Test System: cent2
--------------------------------------------------------------------------
Main Menu
1. Enter Test #
2. Enter System Name
3. Run Collect Scripts
4. Run Parsing (boolens, service and context)
5. Run / View Finger Prints
6. Search / View Diffs
7. Search / View Relationships
8. Tools and Utilities
9. Exit
--------------------------------------------------------------------------
Enter your choice [1-9] : 6
Enter test # for test1 Test1:2
Enter test # for test2 Test2:3
Running main diffs for finger prints on test: 2 vs test: 3
************ Service FP DIFF!! Run SPF stack diff
************ Boolean FP DIFF!! Run BPF stack diff
NO CFP Diff
#####################################################
Finger Prints
#####################################################
Test 1
| testnum | serviceFP | contextFP | booleanFP |
|----------:|:---------------------------------|:---------------------------------|:---------------------------------|
| 2 | c7a7aeabbb0bff18d8e7313b6669d4b5 | 822fe95f4803ad021685cc5741a62a1a | 7068b6ea02cf222f57b64d3e66bd9a37 |
Test 2
| testnum | serviceFP | contextFP | booleanFP |
|----------:|:---------------------------------|:---------------------------------|:---------------------------------|
| 3 | e47528c7306dfe55e37ba70806187411 | 822fe95f4803ad021685cc5741a62a1a | 7653dc4122f79f313551769d41a9f49a |
#####################################################
Store cProfile results to perfdata dB? Y/N: Y
Saving...
Run Hash Stack Analysis? Y or N: Y
########## Service Compare Test 1 to Test 2 ##########
-------------------------- Test 2 --------------------------
+---------+----------------------------------+
| Sys     | cent2                            |
+---------+----------------------------------+
| _id     | 54d6364aaeff00204e22b0bc         |
+---------+----------------------------------+
| Hash    | d944c93efbdb7327fa62e9a88fb84816 |
+---------+----------------------------------+
| Context | <<none>>                         |
+---------+----------------------------------+
| Service | plexmediaserver                  |
+---------+----------------------------------+
---------------------------------------------------------------------
Both Service tests have same count of: 42
---------------------------------------------------------------------
########## Boolean Compare Test 1 to Test 2 ##########
-------------------------- Test 2 --------------------------
+---------+----------------------------------+
| Domain  | httpd_t                          |
+---------+----------------------------------+
| Hash    | be9964d2661ff42a34456a85da168f5f |
+---------+----------------------------------+
| Default | off                              |
+---------+----------------------------------+
| State   | on                               |
+---------+----------------------------------+
| Boolean | httpd_use_nfs                    |
+---------+----------------------------------+
| _id     | 54d6364daeff00204e22b17e         |
+---------+----------------------------------+
-------------------------- Test 1 --------------------------
+---------+----------------------------------+
| Domain  | ftpd_t                           |
+---------+----------------------------------+
| Hash    | 2c06ad6f4e46c31b3e243e3443f24ab8 |
+---------+----------------------------------+
| Default | off                              |
+---------+----------------------------------+
| State   | off                              |
+---------+----------------------------------+
| Boolean | ftp_home_dir                     |
+---------+----------------------------------+
| _id     | 54d633a7aeff00149c8085dd         |
+---------+----------------------------------+
-------------------------- Test 2 --------------------------
+---------+----------------------------------+
| Domain  | ftpd_t                           |
+---------+----------------------------------+
| Hash    | 74fd67e4b4ed34d01c637242f93639d6 |
+---------+----------------------------------+
| Default | on                               |
+---------+----------------------------------+
| State   | on                               |
+---------+----------------------------------+
| Boolean | ftp_home_dir                     |
+---------+----------------------------------+
| _id     | 54d6364caeff00204e22b0cb         |
+---------+----------------------------------+
-------------------------- Test 1 --------------------------
+---------+----------------------------------+
| Domain  | httpd_t                          |
+---------+----------------------------------+
| Hash    | 5ba20c11dc96406cbea97d502bb1902c |
+---------+----------------------------------+
| Default | off                              |
+---------+----------------------------------+
| State   | off                              |
+---------+----------------------------------+
| Boolean | httpd_use_nfs                    |
+---------+----------------------------------+
| _id     | 54d633a7aeff00149c808690         |
+---------+----------------------------------+
---------------------------------------------------------------------
Both Boolean Sets Same Count of: 285
---------------------------------------------------------------------
########## File Context Compare Test 1 to Test 2 ##########
---------------------------------------------------------------------
Both File Context test have same count of 5625
---------------------------------------------------------------------
Store cProfile results to perfdata dB? Y/N: Y
Saving...
##############################################
SELinux Integrity Instrumentation (SII)
##############################################
Current Test#: 3 Test System: cent2
--------------------------------------------------------------------------
Main Menu
1. Enter Test #
2. Enter System Name
3. Run Collect Scripts
4. Run Parsing (boolens, service and context)
5. Run / View Finger Prints
6. Search / View Diffs
7. Search / View Relationships
8. Tools and Utilities
9. Exit
--------------------------------------------------------------------------
Enter your choice [1-9] : 7
------------------------------------------------------------------------------------
Current Domains for test: 3
------------------------------------------------------------------------------------
Services Domains Found:
<<none>> abrt_t accountsd_t crond_t kernel_t avahi_t bluetooth_t chronyd_t
colord_t cupsd_t system_dbusd_t firewalld_t xdm_t httpd_t mdadm_t ksmtuned_t
virtd_t modemmanager_t mongod_t NetworkManager_t policykit_t postfix_master_t
rpcbind_t syslogd_t rtkit_daemon_t fsdaemon_t sshd_t systemd_logind_t udev_t
tuned_t unconfined_t devicekit_power_t ftpd_t
------------------------------------------------------------------------------------
Enter domain to search for Domain: <<none>>
------------------------------------------------------------------------------------
Services:
------------------------------------------------------------------------------------
| Domain   | Context   | Service          |
|:---------|:----------|:-----------------|
| <<none>> | <<none>>  | abrt-oops        |
| <<none>> | <<none>>  | abrt-xorg        |
| <<none>> | <<none>>  | alsa-state       |
| <<none>> | <<none>>  | libstoragemgmt   |
| <<none>> | <<none>>  | lvm2-lvmetad     |
| <<none>> | <<none>>  | nfs-lock         |
| <<none>> | <<none>>  | plexmediaserver  |
| <<none>> | <<none>>  | systemd-journald |
------------------------------------------------------------------------------------
Booleans:
------------------------------------------------------------------------------------
| k | e | y | s | ||
------------------------------------------------------------------------------------
File Contexts:
------------------------------------------------------------------------------------
| k | e | y | s | ||
------------------------------------------------------------------------------------
##############################################
SELinux Integrity Instrumentation (SII)
##############################################
Current Test#: 3 Test System: cent2
--------------------------------------------------------------------------
Main Menu
1. Enter Test #
2. Enter System Name
3. Run Collect Scripts
4. Run Parsing (boolens, service and context)
5. Run / View Finger Prints
6. Search / View Diffs
7. Search / View Relationships
8. Tools and Utilities
9. Exit
--------------------------------------------------------------------------
Enter your choice [1-9] : 7
------------------------------------------------------------------------------------
Current Domains for test: 3
------------------------------------------------------------------------------------
Services Domains Found:
<<none>> abrt_t accountsd_t crond_t kernel_t avahi_t bluetooth_t chronyd_t
colord_t cupsd_t system_dbusd_t firewalld_t xdm_t httpd_t mdadm_t ksmtuned_t
virtd_t modemmanager_t mongod_t NetworkManager_t policykit_t postfix_master_t
rpcbind_t syslogd_t rtkit_daemon_t fsdaemon_t sshd_t systemd_logind_t udev_t
tuned_t unconfined_t devicekit_power_t ftpd_t
------------------------------------------------------------------------------------
Enter domain to search for Domain: httpd_t
------------------------------------------------------------------------------------
Services:
------------------------------------------------------------------------------------
| Domain   | Context                      | Service   |
|:---------|:-----------------------------|:----------|
| httpd_t  | system_u:system_r:httpd_t:s0 | httpd     |
------------------------------------------------------------------------------------
Booleans:
------------------------------------------------------------------------------------
| Default   | Domain   | State   | Boolean                           | Description                                |
|:----------|:---------|:--------|:----------------------------------|:-------------------------------------------|
| off       | httpd_t  | off     | httpd_can_network_relay           | Allow httpd to can network relay           |
| off       | httpd_t  | off     | httpd_use_gpg                     | Allow httpd to use gpg                     |
| off       | httpd_t  | off     | httpd_can_connect_mythtv          | Allow httpd to can connect mythtv          |
| off       | httpd_t  | off     | httpd_can_network_connect_db      | Allow httpd to can network connect db      |
| off       | httpd_t  | off     | httpd_dbus_sssd                   | Allow httpd to dbus sssd                   |
| off       | httpd_t  | off     | httpd_verify_dns                  | Allow httpd to verify dns                  |
| off       | httpd_t  | off     | git_system_use_cifs               | Allow git to system use cifs               |
| off       | httpd_t  | off     | httpd_anon_write                  | Allow httpd to anon write                  |
| off       | httpd_t  | off     | httpd_use_cifs                    | Allow httpd to use cifs                    |
| off       | httpd_t  | off     | httpd_enable_homedirs             | Allow httpd to enable homedirs             |
| off       | httpd_t  | off     | git_system_use_nfs                | Allow git to system use nfs                |
| off       | httpd_t  | off     | httpd_run_stickshift              | Allow httpd to run stickshift              |
| off       | httpd_t  | off     | httpd_use_fusefs                  | Allow httpd to use fusefs                  |
| off       | httpd_t  | off     | httpd_can_connect_ldap            | Allow httpd to can connect ldap            |
| off       | httpd_t  | off     | httpd_use_sasl                    | Allow httpd to use sasl                    |
| on        | httpd_t  | on      | httpd_graceful_shutdown           | Allow httpd to graceful shutdown           |
| off       | httpd_t  | off     | httpd_can_connect_ftp             | Allow httpd to can connect ftp             |
| off       | httpd_t  | off     | httpd_read_user_content           | Allow httpd to read user content           |
| off       | httpd_t  | on      | httpd_use_nfs                     | Allow httpd to use nfs                     |
| off       | httpd_t  | off     | httpd_can_connect_zabbix          | Allow httpd to can connect zabbix          |
| off       | httpd_t  | off     | httpd_manage_ipa                  | Allow httpd to manage ipa                  |
| on        | httpd_t  | on      | httpd_builtin_scripting           | Allow httpd to builtin scripting           |
| off       | httpd_t  | off     | httpd_can_check_spam              | Allow httpd to can check spam              |
| off       | httpd_t  | off     | httpd_can_network_memcache        | Allow httpd to can network memcache        |
| off       | httpd_t  | off     | httpd_can_network_connect_cobbler | Allow httpd to can network connect cobbler |
| off       | httpd_t  | off     | httpd_serve_cobbler_files         | Allow httpd to serve cobbler files         |
| off       | httpd_t  | off     | httpd_execmem                     | Allow httpd to execmem                     |
| off       | httpd_t  | off     | httpd_ssi_exec                    | Allow httpd to ssi exec                    |
| off       | httpd_t  | off     | httpd_enable_ftp_server           | Allow httpd to enable ftp server           |
| off       | httpd_t  | off     | httpd_setrlimit                   | Allow httpd to setrlimit                   |
------------------------------------------------------------------------------------
File Contexts:
------------------------------------------------------------------------------------
| Path                                 | Domain      | Type     | Context                          |
|:-------------------------------------|:------------|:---------|:---------------------------------|
| /var/run/user/apache(/.*)?           | httpd_tmp_t | allfiles | system_u:object_r:httpd_tmp_t:s0 |
| /var/www/openshift/console/tmp(/.*)? | httpd_tmp_t | allfiles | system_u:object_r:httpd_tmp_t:s0 |
------------------------------------------------------------------------------------
##############################################
SELinux Integrity Instrumentation (SII)
##############################################
Current Test#: 3 Test System: cent2
--------------------------------------------------------------------------
Main Menu
1. Enter Test #
2. Enter System Name
3. Run Collect Scripts
4. Run Parsing (boolens, service and context)
5. Run / View Finger Prints
6. Search / View Diffs
7. Search / View Relationships
8. Tools and Utilities
9. Exit
--------------------------------------------------------------------------
Enter your choice [1-9] : 7
------------------------------------------------------------------------------------
Current Domains for test: 3
------------------------------------------------------------------------------------
Services Domains Found:
<<none>> abrt_t accountsd_t crond_t kernel_t avahi_t bluetooth_t chronyd_t
colord_t cupsd_t system_dbusd_t firewalld_t xdm_t httpd_t mdadm_t ksmtuned_t
virtd_t modemmanager_t mongod_t NetworkManager_t policykit_t postfix_master_t
rpcbind_t syslogd_t rtkit_daemon_t fsdaemon_t sshd_t systemd_logind_t udev_t
tuned_t unconfined_t devicekit_power_t ftpd_t
------------------------------------------------------------------------------------
Enter domain to search for Domain: ftpd_t
------------------------------------------------------------------------------------
Services:
------------------------------------------------------------------------------------
| Domain   | Context                                 | Service   |
|:---------|:----------------------------------------|:----------|
| ftpd_t   | system_u:system_r:ftpd_t:s0-s0:c0.c1023 | vsftpd    |
------------------------------------------------------------------------------------
Booleans:
------------------------------------------------------------------------------------
| Default   | Domain       | State   | Boolean                     | Description                          |
|:----------|:-------------|:--------|:----------------------------|:-------------------------------------|
| on        | ftpd_t       | on      | ftp_home_dir                | Allow ftp to home dir                |
| off       | ftpd_t       | off     | ftpd_use_cifs               | Allow ftpd to use cifs               |
| off       | ftpd_t       | off     | ftpd_use_fusefs             | Allow ftpd to use fusefs             |
| off       | ftpd_t       | off     | ftpd_connect_db             | Allow ftpd to connect db             |
| off       | ftpd_t       | off     | ftpd_full_access            | Allow ftpd to full access            |
| off       | tftpd_t      | off     | tftp_home_dir               | Allow tftp to home dir               |
| off       | sftpd_t      | off     | sftpd_enable_homedirs       | Allow sftpd to enable homedirs       |
| off       | ftpd_t       | off     | ftpd_use_passive_mode       | Allow ftpd to use passive mode       |
| off       | sftpd_t      | off     | sftpd_write_ssh_home        | Allow sftpd to write ssh home        |
| off       | ftpd_t       | off     | ftpd_use_nfs                | Allow ftpd to use nfs                |
| off       | ftpd_t       | off     | ftpd_connect_all_unreserved | Allow ftpd to connect all unreserved |
| off       | sftpd_t      | off     | sftpd_full_access           | Allow sftpd to full access           |
| off       | tftpd_t      | off     | tftp_anon_write             | Allow tftp to anon write             |
| off       | ftpd_t       | off     | ftpd_anon_write             | Allow ftpd to anon write             |
| off       | anon_sftpd_t | off     | sftpd_anon_write            | Allow sftpd to anon write            |
------------------------------------------------------------------------------------
File Contexts:
------------------------------------------------------------------------------------
| k | e | y | s | ||
------------------------------------------------------------------------------------
##############################################
SELinux Integrity Instrumentation (SII)
##############################################
Current Test#: 3 Test System: cent2
--------------------------------------------------------------------------
Main Menu
1. Enter Test #
2. Enter System Name
3. Run Collect Scripts
4. Run Parsing (boolens, service and context)
5. Run / View Finger Prints
6. Search / View Diffs
7. Search / View Relationships
8. Tools and Utilities
9. Exit
--------------------------------------------------------------------------
Enter your choice [1-9] : 7
------------------------------------------------------------------------------------
Current Domains for test: 3
------------------------------------------------------------------------------------
Services Domains Found:
<<none>> abrt_t accountsd_t crond_t kernel_t avahi_t bluetooth_t chronyd_t
colord_t cupsd_t system_dbusd_t firewalld_t xdm_t httpd_t mdadm_t ksmtuned_t
virtd_t modemmanager_t mongod_t NetworkManager_t policykit_t postfix_master_t
rpcbind_t syslogd_t rtkit_daemon_t fsdaemon_t sshd_t systemd_logind_t udev_t
tuned_t unconfined_t devicekit_power_t ftpd_t
------------------------------------------------------------------------------------
Enter domain to search for Domain: sshd_t
------------------------------------------------------------------------------------
Services:
------------------------------------------------------------------------------------
| Domain   | Context                                 | Service   |
|:---------|:----------------------------------------|:----------|
| sshd_t   | system_u:system_r:sshd_t:s0-s0:c0.c1023 | sshd      |
------------------------------------------------------------------------------------
Booleans:
------------------------------------------------------------------------------------
| k | e | y | s | ||
------------------------------------------------------------------------------------
File Contexts:
------------------------------------------------------------------------------------
| k | e | y | s | ||
------------------------------------------------------------------------------------
##############################################
SELinux Integrity Instrumentation (SII)
##############################################
Current Test#: 3 Test System: cent2
--------------------------------------------------------------------------
Main Menu
1. Enter Test #
2. Enter System Name
3. Run Collect Scripts
4. Run Parsing (boolens, service and context)
5. Run / View Finger Prints
6. Search / View Diffs
7. Search / View Relationships
8. Tools and Utilities
9. Exit
--------------------------------------------------------------------------
Enter your choice [1-9] : 8
…
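The boolean diff shown above (Boolean FP DIFF, then the hash stack analysis that isolates httpd_use_nfs and ftp_home_dir as the two changed records) follows from three steps that the appendices only show indirectly: boolean_collect.sh extracts each boolean's source domain from the second line of `sesearch -b <bool> -AC` output, SII.py hashes each boolean record, and the per-set fingerprint is a hash over the stack of record hashes. The following Python 3 code is an added example written for this appendix; it is not SII.py or any of its scripts. It assumes the `semanage boolean -ln` line layout shown in its constructed sample (name, then `(state, default)` in parentheses, then description), and the setools 3 `sesearch -b` layout that the collection script's `head -2 | tail -1 | awk '{print $3}'` relies on; both samples are constructed, and the record fields hashed (Domain, Boolean, Default, State) mirror the columns SII prints in its compare tables. It uses SHA-256 rather than a 128-bit digest; the algorithm is a parameter.

```python
"""Added example: hash-stack fingerprinting and diffing of SELinux booleans.

Not part of SII.py. All sample inputs below are constructed for the example.
"""
import hashlib
import re

# Constructed sample in the shape of `semanage boolean -ln` output.
# Assumption: the first value in parentheses is the current state and the
# second is the policy default.
SEMANAGE_BASELINE = """\
ftp_home_dir                   (off  ,  off)  Allow ftp to home dir
httpd_use_nfs                  (off  ,  off)  Allow httpd to use nfs
httpd_builtin_scripting        (on   ,   on)  Allow httpd to builtin scripting
"""
SEMANAGE_CHANGED = """\
ftp_home_dir                   (on   ,   on)  Allow ftp to home dir
httpd_use_nfs                  (on   ,  off)  Allow httpd to use nfs
httpd_builtin_scripting        (on   ,   on)  Allow httpd to builtin scripting
"""

# Constructed `sesearch -b <bool> -AC` output per boolean (setools 3 layout):
# boolean_collect.sh takes the third field of the second line as the domain.
SESEARCH = {
    "ftp_home_dir": "Found 1 semantic av rules:\n"
                    "ET allow ftpd_t user_home_t : dir { read } ; [ ftp_home_dir ]\n",
    "httpd_use_nfs": "Found 1 semantic av rules:\n"
                     "ET allow httpd_t nfs_t : dir { read } ; [ httpd_use_nfs ]\n",
    "httpd_builtin_scripting": "Found 1 semantic av rules:\n"
                               "ET allow httpd_t httpd_sys_content_t : file { read } ; [ httpd_builtin_scripting ]\n",
}

BOOL_RE = re.compile(r"^(\S+)\s+\((\w+)\s*,\s*(\w+)\)\s+(.*)$")


def domain_for(sesearch_output):
    """Source domain from the second line, third field; <<none>> if absent."""
    lines = sesearch_output.splitlines()
    if len(lines) < 2:
        return "<<none>>"
    fields = lines[1].split()
    return fields[2] if len(fields) > 2 else "<<none>>"


def parse_booleans(text, sesearch_by_bool):
    """Turn semanage lines into records with the columns SII stores."""
    records = []
    for line in text.splitlines():
        m = BOOL_RE.match(line)
        if not m:
            continue  # tolerate headers or blank lines
        name, state, default, desc = m.groups()
        records.append({
            "Boolean": name, "State": state, "Default": default,
            "Description": desc.strip(),
            "Domain": domain_for(sesearch_by_bool.get(name, "")),
        })
    return records


def item_hash(rec, algo="sha256"):
    """Hash only the security-relevant fields, so a wording change in the
    description does not register as a policy change."""
    canon = "|".join([rec["Domain"], rec["Boolean"], rec["Default"], rec["State"]])
    return hashlib.new(algo, canon.encode()).hexdigest()


def fingerprint(records, algo="sha256"):
    """Set fingerprint: hash over the sorted stack of item hashes.
    Sorting makes the fingerprint independent of semanage's output order."""
    stack = sorted(item_hash(r, algo) for r in records)
    return hashlib.new(algo, "\n".join(stack).encode()).hexdigest(), len(stack)


def hash_stack_diff(base, snap, algo="sha256"):
    """Records whose hash exists only in the baseline (removed) or only in the
    snapshot (added); a changed boolean shows up once in each list."""
    base_by_hash = {item_hash(r, algo): r for r in base}
    snap_by_hash = {item_hash(r, algo): r for r in snap}
    removed = [r for h, r in base_by_hash.items() if h not in snap_by_hash]
    added = [r for h, r in snap_by_hash.items() if h not in base_by_hash]
    return removed, added


if __name__ == "__main__":
    base = parse_booleans(SEMANAGE_BASELINE, SESEARCH)
    snap = parse_booleans(SEMANAGE_CHANGED, SESEARCH)
    fp1, n1 = fingerprint(base)
    fp2, n2 = fingerprint(snap)
    print("Boolean FP DIFF!!" if fp1 != fp2 else "NO BFP Diff", n1, n2)
    removed, added = hash_stack_diff(base, snap)
    for r in removed:
        print("Test 1:", r["Domain"], r["Boolean"], r["Default"], r["State"])
    for r in added:
        print("Test 2:", r["Domain"], r["Boolean"], r["Default"], r["State"])
```

Run stand-alone, the script reports a boolean fingerprint difference with equal item counts and lists the two changed records from each side, the same shape as the Test 1/Test 2 pairs in the transcript. Because the per-item hash is computed from the parsed fields rather than the raw line, a changed description alone leaves the fingerprint stable, which is a design choice to state explicitly when a baseline is used as compliance evidence.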
APPENDIX D
Sample MongoDB table data exported to csv. Cent2 results table. The fingerprint hash results for each test. contextFP serviceFP booleanFP test
num date
d680d3862526ccab257cf4cba8120a86
3db923b4e92df96202c5647b09c6c920
09433755b60e36621246da3bbc20d298
1 2015-01-10T17:58:57.934Z
822fe95f4803ad021685cc5741a62a1a
c7a7aeabbb0bff18d8e7313b6669d4b5
7068b6ea02cf222f57b64d3e66bd9a37
2 2015-02-07T15:48:29.180Z
822fe95f4803ad021685cc5741a62a1a
e47528c7306dfe55e37ba70806187411
7653dc4122f79f313551769d41a9f49a
3 2015-02-07T16:00:10.610Z
Sample service table.

| Service | Domain | Hash | date |
|:--------|:-------|:-----|:-----|
| abrt-oops | <<none>> | c0f3eba7ca2c3089d41e452c792a5c5b | 2015-02-07T15:59:06.246Z |
| abrt-xorg | <<none>> | 83060677d68bb6773155410c9bb656cc | 2015-02-07T15:59:06.509Z |
| abrtd | abrt_t | a2601acb8e80ec21f9555e7b08a123d7 | 2015-02-07T15:59:06.533Z |
| accounts-daemon | accountsd_t | ed902b24eab3329af763eb21fc7ed8fc | 2015-02-07T15:59:06.534Z |
| alsa-state | <<none>> | 05fe8cce403c8445125d611b94603814 | 2015-02-07T15:59:06.534Z |
| atd | crond_t | fa547e4a43fde1347c5f401d7782b924 | 2015-02-07T15:59:06.535Z |
| auditd | kernel_t | 0e443efc27d06c1f8652801693e617d2 | 2015-02-07T15:59:06.535Z |
| avahi-daemon | avahi_t | c38399f183307798cf531201b7fd246c | 2015-02-07T15:59:06.535Z |
| bluetooth | bluetooth_t | 833118869c9efa390d1bfd8a82967d8a | 2015-02-07T15:59:06.536Z |
| chronyd | chronyd_t | ccd08a6edc254c0f67eb29b8b426e4c4 | 2015-02-07T15:59:06.536Z |
| colord | colord_t | b153ee572a63dccbb7c8486fd1cd604d | 2015-02-07T15:59:06.537Z |
| crond | crond_t | 68a8833df7b4cde967dc693d257b47d0 | 2015-02-07T15:59:06.537Z |
| cups | cupsd_t | e48351516b79759851fe02140a059a35 | 2015-02-07T15:59:06.538Z |
| dbus | system_dbusd_t | e872d7a4bff572613ea9d7335fd764ef | 2015-02-07T15:59:06.538Z |
| firewalld | firewalld_t | 958c9fe04fa7932e05fdb4a4b1e822e7 | 2015-02-07T15:59:06.538Z |
| gdm | xdm_t | 49521359b641730d260017ab6670413a | 2015-02-07T15:59:06.539Z |
| httpd | httpd_t | 10b2c74a673065f708d93efb72595df2 | 2015-02-07T15:59:06.539Z |
…

Sample Booleans table

| Boolean | Description | Default | State | Hash | date |
|:--------|:------------|:--------|:------|:-----|:-----|
| ftp_home_dir | Allow ftp to home dir | on | on | 74fd67e4b4ed34d01c637242f93639d6 | 2015-02-07T15:59:08.963Z |
| smartmon_3ware | Allow smartmon to 3ware | off | off | 5aa39e46316f7349a24005568758857e | 2015-02-07T15:59:08.964Z |
| mpd_enable_homedirs | Allow mpd to enable homedirs | off | off | 8d19c3441ddbff54a363a615a1f6aacc | 2015-02-07T15:59:08.965Z |
| xdm_sysadm_login | Allow xdm to sysadm login | off | off | 87dbb38184a1de87293e47da95e2410d | 2015-02-07T15:59:08.965Z |
| xen_use_nfs | Allow xen to use nfs | off | off | ea11be95861625b64982793b67c3603a | 2015-02-07T15:59:08.966Z |
| mozilla_read_content | Allow mozilla to read content | off | off | ca2fca3ef49d3f71a9abaecd2d0671a3 | 2015-02-07T15:59:08.966Z |
| ssh_chroot_rw_homedirs | Allow ssh to chroot rw homedirs | off | off | 80e199d7f89070f154f20551a4679eef | 2015-02-07T15:59:08.967Z |
| mount_anyfile | Allow mount to anyfile | on | on | 3f5a9c614b54461d785c70a86345b519 | 2015-02-07T15:59:08.967Z |
| icecast_use_any_tcp_ports | Allow icecast to use any tcp ports | off | off | 7f97779733cf1a4d6a68f386a74d2b2a | 2015-02-07T15:59:08.967Z |
| openvpn_can_network_connect | Allow openvpn to can network connect | on | on | 9741d188cdd9a278410f367a3e6796b5 | 2015-02-07T15:59:08.968Z |
| zoneminder_anon_write | Allow zoneminder to anon write | off | off | 23a654335f625e53fac2aa54f49da547 | 2015-02-07T15:59:08.968Z |
| telepathy_connect_all_ports | Allow telepathy to connect all ports | off | off | afeabce2bd6120071d7490f39cb0f119 | 2015-02-07T15:59:08.969Z |
| spamassassin_can_network | Allow spamassassin to can network | off | off | 98e840a8a2fd8bd0f1031e435ece8f57 | 2015-02-07T15:59:08.969Z |
| gluster_anon_write | Allow gluster to anon write | off | off | 546e78de9aa489d16876cc6936e7238c | 2015-02-07T15:59:08.970Z |
| deny_ptrace | Allow deny to ptrace | off | off | 77ecf1f8501acdcd5a350ce947208cfb | 2015-02-07T15:59:08.970Z |
| selinuxuser_execmod | Allow selinuxuser to execmod | on | on | 271cad3b3f7ea71ec88eaf13af1d5691 | 2015-02-07T15:59:08.970Z |
| httpd_can_network_relay | Allow httpd to can network relay | off | off | a119a95d17afb10078dbc4d252e01438 | 2015-02-07T15:59:08.971Z |
| openvpn_enable_homedirs | Allow openvpn to enable homedirs | on | on | a471ee8f490585cc90df36ea87db8213 | 2015-02-07T15:59:08.971Z |
| glance_use_execmem | Allow glance to use execmem | off | off | 54b2e96aa5f4bdb5fc713b3ce5cf2919 | 2015-02-07T15:59:08.972Z |
…

Sample File Context table export

| Path | Type | Context | Hash | date |
|:-----|:-----|:--------|:-----|:-----|
| / | directory | system_u:object_r:root_t:s0 | 78205059f0d2071e0ee9f830bb75792e | 2015-02-07T15:59:10.803Z |
| /.* | allfiles | system_u:object_r:default_t:s0 | e177694205972e449b3ced95ca1a908f | 2015-02-07T15:59:10.804Z |
| /[^/]+ | regularfile | system_u:object_r:etc_runtime_t:s0 | 82a29596e66462a8191852c8532bc7cc | 2015-02-07T15:59:10.805Z |
| /\.autofsck | regularfile | system_u:object_r:etc_runtime_t:s0 | 899c90cc1d328ff31668d6135038d23d | 2015-02-07T15:59:10.805Z |
| /\.autorelabel | regularfile | system_u:object_r:etc_runtime_t:s0 | 3c4ad866a36d966deb8cd88360201639 | 2015-02-07T15:59:10.805Z |
| /\.ismount-test-file | regularfile | system_u:object_r:sosreport_tmp_t:s0 | 83ed14222ed312be535352a6875a78c8 | 2015-02-07T15:59:10.806Z |
| /\.journal | allfiles | <<None>> | e12afb87a8e70230276e7badd6461a96 | 2015-02-07T15:59:10.806Z |
| /\.suspended | regularfile | system_u:object_r:etc_runtime_t:s0 | e105d93ddef4f0140ac730b15c117dc2 | 2015-02-07T15:59:10.806Z |
| /a?quota\.(user|group) | regularfile | system_u:object_r:quota_db_t:s0 | 43828c1c294d281cc220dff2f07a8a00 | 2015-02-07T15:59:10.807Z |
| /afs | directory | system_u:object_r:mnt_t:s0 | 465100e28fee95ac5a4a7bb07ca60603 | 2015-02-07T15:59:10.807Z |
| /bacula(/.*)? | allfiles | system_u:object_r:bacula_store_t:s0 | d768a5f9086eed57b7440959cc923d4c | 2015-02-07T15:59:10.808Z |
| /bin | allfiles | system_u:object_r:bin_t:s0 | 5e87a2443d9c78788b797930d6490b02 | 2015-02-07T15:59:10.808Z |
| /bin/.* | allfiles | system_u:object_r:bin_t:s0 | 3e16636cfa6449cc8596374ad7dc9387 | 2015-02-07T15:59:10.808Z |
| /bin/alsaunmute | regularfile | system_u:object_r:alsa_exec_t:s0 | aa378f13633d0a2471a1bdc90bfb3206 | 2015-02-07T15:59:10.809Z |
| /bin/bash | regularfile | system_u:object_r:shell_exec_t:s0 | 58602325457d9085e4b39d31f681814d | 2015-02-07T15:59:10.809Z |
…
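The mechanism behind these exports, as an added example that is not SII's own code: it hashes constructed sample rows shaped like the service, Booleans and file context tables, rolls the row hashes into the contextFP, serviceFP and booleanFP fingerprints that the results table stores, diffs two snapshots to show which rows moved a fingerprint, and runs the domain relationship lookup of the kind shown in Appendix F. The tab-joined MD5 per row and the sorted-hash fingerprint are assumptions; the page shows only the 32-hex-digit hashes, not how they are computed.

```python
"""Added example, not SII's own code: the per-row hash, per-category
fingerprint and snapshot diff recorded by the exported tables above,
rebuilt on constructed sample rows. Assumptions not stated on the page:
a row hash is the MD5 of the row's tab-joined fields and a category
fingerprint (contextFP, serviceFP, booleanFP) is the MD5 over the sorted
row hashes; only the 32-hex-digit hash width comes from the page."""
import hashlib
from typing import Dict, Iterable, List, Sequence

Record = Sequence[str]

# Constructed rows shaped like the exports: (service, domain),
# (boolean, domain, default, state) and (path, type, context).
SERVICES_T1 = [("sshd", "sshd_t"), ("httpd", "httpd_t"), ("crond", "crond_t")]
BOOLEANS_T1 = [
    ("httpd_can_network_connect", "httpd_t", "off", "off"),
    ("ftp_home_dir", "ftpd_t", "on", "on"),
    ("deny_ptrace", "<<none>>", "off", "off"),
]
FCONTEXT_T1 = [
    ("/var/www(/.*)?", "allfiles", "system_u:object_r:httpd_sys_content_t:s0"),
    ("/bin/bash", "regularfile", "system_u:object_r:shell_exec_t:s0"),
    ("/\\.journal", "allfiles", "<<None>>"),
]
# Later snapshot: same services collected in another order, one Boolean
# switched on, one path relabelled and one path added.
SERVICES_T2 = [("crond", "crond_t"), ("httpd", "httpd_t"), ("sshd", "sshd_t")]
BOOLEANS_T2 = [
    ("httpd_can_network_connect", "httpd_t", "off", "on"),
    ("ftp_home_dir", "ftpd_t", "on", "on"),
    ("deny_ptrace", "<<none>>", "off", "off"),
]
FCONTEXT_T2 = [
    ("/var/www(/.*)?", "allfiles", "system_u:object_r:httpd_sys_rw_content_t:s0"),
    ("/bin/bash", "regularfile", "system_u:object_r:shell_exec_t:s0"),
    ("/\\.journal", "allfiles", "<<None>>"),
    ("/srv/www(/.*)?", "allfiles", "system_u:object_r:httpd_sys_content_t:s0"),
]

def record_hash(record: Record) -> str:
    """Hash one row; the tab separator keeps field boundaries unambiguous."""
    return hashlib.md5("\t".join(record).encode("utf-8")).hexdigest()

def table_hashes(records: Iterable[Record]) -> Dict[str, str]:
    """Map each row's key (service, Boolean name or path) to its row hash."""
    return {rec[0]: record_hash(rec) for rec in records}

def fingerprint(hashes: Dict[str, str]) -> str:
    """One hash over the sorted row hashes, so collection order cannot
    change the fingerprint but any row change does."""
    return hashlib.md5("".join(sorted(hashes.values())).encode("ascii")).hexdigest()

def snapshot_fingerprints(services, booleans, fcontexts) -> Dict[str, str]:
    """The three per-test fingerprints the results table stores."""
    return {
        "serviceFP": fingerprint(table_hashes(services)),
        "booleanFP": fingerprint(table_hashes(booleans)),
        "contextFP": fingerprint(table_hashes(fcontexts)),
    }

def diff_tables(baseline: Dict[str, str], snapshot: Dict[str, str]) -> Dict[str, List[str]]:
    """Keys added, removed or re-hashed between a baseline and a later
    snapshot: the rows a changed fingerprint is traced back to."""
    return {
        "added": sorted(k for k in snapshot if k not in baseline),
        "removed": sorted(k for k in baseline if k not in snapshot),
        "changed": sorted(k for k in baseline
                          if k in snapshot and baseline[k] != snapshot[k]),
    }

def context_type(context: str) -> str:
    """Type field of a user:role:type:level context; '<<None>>' rows have none."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else ""

def related_to_domain(prefix: str, services, booleans, fcontexts) -> Dict[str, List[str]]:
    """Rows whose domain or context type starts with the prefix, as the
    relationship search in Appendix F does for 'httpd'."""
    return {
        "services": sorted(s[0] for s in services if s[1].startswith(prefix)),
        "booleans": sorted(b[0] for b in booleans if b[1].startswith(prefix)),
        "fcontexts": sorted(f[0] for f in fcontexts
                            if context_type(f[2]).startswith(prefix)),
    }

if __name__ == "__main__":
    fp1 = snapshot_fingerprints(SERVICES_T1, BOOLEANS_T1, FCONTEXT_T1)
    fp2 = snapshot_fingerprints(SERVICES_T2, BOOLEANS_T2, FCONTEXT_T2)
    for category in fp1:
        state = "unchanged" if fp1[category] == fp2[category] else "CHANGED"
        print(f"{category}: {fp1[category]} -> {fp2[category]} ({state})")
    print("Boolean diff:", diff_tables(table_hashes(BOOLEANS_T1), table_hashes(BOOLEANS_T2)))
    print("File context diff:", diff_tables(table_hashes(FCONTEXT_T1), table_hashes(FCONTEXT_T2)))
    print("Related to httpd:", related_to_domain("httpd", SERVICES_T2, BOOLEANS_T2, FCONTEXT_T2))
```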
APPENDIX E
Profile output (Python cProfile performance output from the cent1 tests) and summary performance results from the prefdata table.
Sample csv export of cProfile

1079993 function calls (1079975 primitive calls) in 1.849 seconds
Random listing order was used

| ncalls | tottime | percall | cumtime | percall | filename:lineno(function) |
|:-------|:--------|:--------|:--------|:--------|:--------------------------|
| 20 | 0 | 0 | 0 | 0 | {time.time} |
| 30 | 0 | 0 | 0 | 0 | son.py:122(__iter__) |
| 10 | 0 | 0 | 0 | 0 | {method-random-of-_random.Random-objects} |
| 10 | 0 | 0 | 0 | 0 | {method-add-of-set-objects} |
| 8 | 0 | 0 | 0 | 0 | common.py:431(__get_write_concern) |
| 107787 | 0.054 | 0 | 0.054 | 0 | {len} |
| 24089 | 0.019 | 0 | 0.019 | 0 | {method-get-of-dict-objects} |
| 18 | 0 | 0 | 0 | 0 | mongo_client.py:505(__member_property) |
| 11965 | 0.036 | 0 | 0.126 | 0 | __init__.py:213(_get_oid) |
| 34 | 0 | 0 | 0 | 0 | tabulate.py:455(_format) |
| 18 | 0 | 0 | 0 | 0 | son.py:102(__setitem__) |
| 71709 | 0.179 | 0 | 1.475 | 0 | __init__.py:314(_element_to_dict) |
| 20 | 0 | 0 | 0 | 0 | thread_util.py:49(acquire) |
…

Prefdata table from system cent1

| Function | Count | Perfsmry | Testnum | Date |
|:---------|:------|:---------|:--------|:-----|
| boolsfp | 280 | 3900 function calls in 0.009 seconds | 1 | 2015-01-10T17:58:02.896Z |
| fcontextfp | 5596 | 73012 function calls in 0.128 seconds | 1 | 2015-01-10T17:58:09.991Z |
| servicefp | 43 | 728 function calls in 0.002 seconds | 1 | 2015-01-10T17:58:15.567Z |
| boolsfp | 285 | 3965 function calls in 0.009 seconds | 2 | 2015-01-10T18:30:40.647Z |
| fcontextfp | 5625 | 73389 function calls in 0.125 seconds | 2 | 2015-01-10T18:30:45.503Z |
| servicefp | 43 | 728 function calls in 0.002 seconds | 2 | 2015-01-10T18:30:49.391Z |
| diffs | 0 | 189 function calls in 0.001 seconds | 2 | 2015-01-10T18:33:09.407Z |
| stackdiff | 0 | 235878 function calls in 1.173 seconds | 2 | 2015-01-10T18:33:54.238Z |
| boolsfp | 285 | 3965 function calls in 0.009 seconds | 3 | 2015-01-10T18:54:06.618Z |
| fcontextfp | 5625 | 73389 function calls in 0.124 seconds | 3 | 2015-01-10T18:54:11.266Z |
| servicefp | 42 | 715 function calls in 0.002 seconds | 3 | 2015-01-10T18:54:18.218Z |
| diffs | 0 | 194 function calls in 0.001 seconds | 3 | 2015-01-10T18:56:17.825Z |
| stackdiff | 0 | 157809 function calls in 0.337 seconds | 3 | 2015-01-10T18:56:22.633Z |
| boolsfp | 285 | 3965 function calls in 0.009 seconds | 4 | 2015-01-10T19:34:10.568Z |
| fcontextfp | 5625 | 73389 function calls in 0.123 seconds | 4 | 2015-01-10T19:34:14.184Z |
| servicefp | 42 | 715 function calls in 0.002 seconds | 4 | 2015-01-10T19:34:20.368Z |
| diffs | 0 | 199 function calls in 0.001 seconds | 4 | 2015-01-10T19:40:56.486Z |
| stackdiff | 0 | 158315 function calls in 0.337 seconds | 4 | 2015-01-10T19:41:04.870Z |
APPENDIX F
Full Relation Test Output from system cent1 test
##############################################
SELinux Integrity Instrumentation (SII)
##############################################
Current Test#: 0
Test System: localhost
--------------------------------------------------------------------------
Main Menu
1. Enter Test #
2. Enter System Name
3. Run Collect Scripts
4. Run Parsing (boolens, service and context)
5. Run / View Finger Prints
6. Search / View Diffs
7. Search / View Relationships
8. Tools and Utilities
9. Exit
--------------------------------------------------------------------------
Enter your choice [1-9] : 1
Current test # is: 0
Enter Test Number
test: 4
Test Number set at: 4
##############################################
SELinux Integrity Instrumentation (SII)
##############################################
Current Test#: 4
Test System: localhost
--------------------------------------------------------------------------
Main Menu
1. Enter Test #
2. Enter System Name
3. Run Collect Scripts
4. Run Parsing (boolens, service and context)
5. Run / View Finger Prints
6. Search / View Diffs
7. Search / View Relationships
8. Tools and Utilities
9. Exit
--------------------------------------------------------------------------
Enter your choice [1-9] : 2
Current System Name: localhost
Enter New System Name or Q to keep
Name: cent1
Test system name set at: cent1
##############################################
SELinux Integrity Instrumentation (SII)
##############################################
Current Test#: 4
Test System: cent1
--------------------------------------------------------------------------
Main Menu
1. Enter Test #
2. Enter System Name
3. Run Collect Scripts
4. Run Parsing (boolens, service and context)
5. Run / View Finger Prints
6. Search / View Diffs
7. Search / View Relationships
8. Tools and Utilities
9. Exit
--------------------------------------------------------------------------
Enter your choice [1-9] : 7
------------------------------------------------------------------------------------
Current Domains for test: 4
------------------------------------------------------------------------------------
Services Domains Found:
<<none>> abrt_t accountsd_t crond_t kernel_t avahi_t bluetooth_t chronyd_t colord_t cupsd_t system_dbusd_t firewalld_t xdm_t httpd_t mdadm_t ksmtuned_t virtd_t modemmanager_t mongod_t NetworkManager_t policykit_t postfix_master_t rpcbind_t syslogd_t rtkit_daemon_t fsdaemon_t sshd_t systemd_logind_t udev_t tuned_t unconfined_t devicekit_power_t ftpd_t
------------------------------------------------------------------------------------
Enter domain to search for
Domain: httpd
------------------------------------------------------------------------------------
Services:
------------------------------------------------------------------------------------
| Domain   | Context                      | Service   |
|:---------|:-----------------------------|:----------|
| httpd_t  | system_u:system_r:httpd_t:s0 | httpd     |
------------------------------------------------------------------------------------
Booleans:
------------------------------------------------------------------------------------
| Default | Domain | State | Boolean | Description |
|:----------|:--------------------|:--------|:----------------------------------|:-------------------------------------------|
| off | httpd_t | off | httpd_can_network_relay | Allow httpd to can network relay |
| off | httpd_t | off | httpd_use_gpg | Allow httpd to use gpg |
| off | httpd_t | off | httpd_can_connect_mythtv | Allow httpd to can connect mythtv |
| off | httpd_t | off | httpd_can_network_connect_db | Allow httpd to can network connect db |
| off | httpd_t | off | httpd_dbus_sssd | Allow httpd to dbus sssd |
| on | httpd_suexec_t | on | httpd_enable_cgi | Allow httpd to enable cgi |
| off | httpd_t | off | httpd_verify_dns | Allow httpd to verify dns |
| off | httpd_git_script_t | off | git_cgi_enable_homedirs | Allow git to cgi enable homedirs |
| off | httpd_t | off | git_system_use_cifs | Allow git to system use cifs |
| off | httpd_t | off | httpd_anon_write | Allow httpd to anon write |
| off | httpd_t | off | httpd_use_cifs | Allow httpd to use cifs |
| off | httpd_t | off | httpd_enable_homedirs | Allow httpd to enable homedirs |
| off | httpd_t | off | git_system_use_nfs | Allow git to system use nfs |
| off | httpd_user_script_t | off | httpd_unified | Allow httpd to unified |
| off | httpd_t | off | httpd_run_stickshift | Allow httpd to run stickshift |
| off | httpd_t | off | httpd_use_fusefs | Allow httpd to use fusefs |
| off | httpd_t | off | httpd_can_connect_ldap | Allow httpd to can connect ldap |
| off | httpd_suexec_t | off | httpd_can_network_connect | Allow httpd to can network connect |
| off | httpd_t | off | httpd_use_sasl | Allow httpd to use sasl |
| off | httpd_suexec_t | off | httpd_tty_comm | Allow httpd to tty comm |
| off | httpd_sys_script_t | off | httpd_sys_script_anon_write | Allow httpd to sys script anon write |
| off | httpd_git_script_t | off | git_cgi_use_nfs | Allow git to cgi use nfs |
| on | httpd_t | on | httpd_graceful_shutdown | Allow httpd to graceful shutdown |
| off | httpd_t | off | httpd_can_connect_ftp | Allow httpd to can connect ftp |
| off | httpd_t | off | httpd_read_user_content | Allow httpd to read user content |
| on | httpd_t | on | httpd_use_nfs | Allow httpd to use nfs |
| off | httpd_t | off | httpd_can_connect_zabbix | Allow httpd to can connect zabbix |
| off | httpd_sys_script_t | off | httpd_tmp_exec | Allow httpd to tmp exec |
| off | httpd_t | off | httpd_manage_ipa | Allow httpd to manage ipa |
| off | httpd_suexec_t | off | httpd_can_sendmail | Allow httpd to can sendmail |
| on | httpd_t | on | httpd_builtin_scripting | Allow httpd to builtin scripting |
| off | httpd_t | off | httpd_can_check_spam | Allow httpd to can check spam |
| off | httpd_t | off | httpd_can_network_memcache | Allow httpd to can network memcache |
| off | httpd_t | off | httpd_can_network_connect_cobbler | Allow httpd to can network connect cobbler |
| off | httpd_t | off | httpd_serve_cobbler_files | Allow httpd to serve cobbler files |
| off | httpd_git_script_t | off | git_cgi_use_cifs | Allow git to cgi use cifs |
| off | httpd_t | off | httpd_execmem | Allow httpd to execmem |
| off | httpd_t | off | httpd_ssi_exec | Allow httpd to ssi exec |
| off | httpd_sys_script_t | off | httpd_use_openstack | Allow httpd to use openstack |
| off | httpd_t | off | httpd_enable_ftp_server | Allow httpd to enable ftp server |
| off | httpd_t | off | httpd_setrlimit | Allow httpd to setrlimit |
------------------------------------------------------------------------------------
File Contexts:
------------------------------------------------------------------------------------
| Path | Domain | Type | Context |
|:------------------------------------------------|:----------------------------------|:------------|:-------------------------------------------------------|
| /etc/WebCalendar(/.*)? | httpd_sys_rw_content_t | allfiles | system_u:object_r:httpd_sys_rw_content_t:s0 |
| /etc/apache(2)?(/.*)? | httpd_config_t | allfiles | system_u:object_r:httpd_config_t:s0 |
| /etc/apache-ssl(2)?(/.*)? | httpd_config_t | allfiles | system_u:object_r:httpd_config_t:s0 |
| /etc/cherokee(/.*)? | httpd_config_t | allfiles | system_u:object_r:httpd_config_t:s0 |
| /etc/drupal.* | httpd_sys_rw_content_t | allfiles | system_u:object_r:httpd_sys_rw_content_t:s0 |
| /etc/glpi(/.*)? | httpd_sys_rw_content_t | allfiles | system_u:object_r:httpd_sys_rw_content_t:s0 |
| /etc/horde(/.*)? | httpd_sys_rw_content_t | allfiles | system_u:object_r:httpd_sys_rw_content_t:s0 |
| /etc/htdig(/.*)? | httpd_sys_content_t | allfiles | system_u:object_r:httpd_sys_content_t:s0 |
| /etc/httpd(/.*)? | httpd_config_t | allfiles | system_u:object_r:httpd_config_t:s0 |
| /etc/httpd/conf/keytab | httpd_keytab_t | regularfile | system_u:object_r:httpd_keytab_t:s0 |
| /etc/httpd/logs | httpd_log_t | allfiles | system_u:object_r:httpd_log_t:s0 |
| /etc/httpd/modules | httpd_modules_t | allfiles | system_u:object_r:httpd_modules_t:s0 |
| /etc/init\.d/cherokee | httpd_initrc_exec_t | regularfile | system_u:object_r:httpd_initrc_exec_t:s0 |
| /etc/lighttpd(/.*)? | httpd_config_t | allfiles | system_u:object_r:httpd_config_t:s0 |
| /etc/mock/koji(/.*)? | httpd_sys_rw_content_t | allfiles | system_u:object_r:httpd_sys_rw_content_t:s0 |
| /etc/nginx(/.*)? | httpd_config_t | allfiles | system_u:object_r:httpd_config_t:s0 |
| /etc/owncloud(/.*)? | httpd_sys_rw_content_t | allfiles | system_u:object_r:httpd_sys_rw_content_t:s0 |
| /etc/rc\.d/init\.d/httpd | httpd_initrc_exec_t | regularfile | system_u:object_r:httpd_initrc_exec_t:s0 |
| /etc/rc\.d/init\.d/lighttpd | httpd_initrc_exec_t | regularfile | system_u:object_r:httpd_initrc_exec_t:s0 |
| /etc/thttpd\.conf | httpd_config_t | regularfile | system_u:object_r:httpd_config_t:s0 |
| /etc/vhosts | httpd_config_t | regularfile | system_u:object_r:httpd_config_t:s0 |
| /etc/z-push(/.*)? | httpd_sys_rw_content_t | allfiles | system_u:object_r:httpd_sys_rw_content_t:s0 |
| /etc/zabbix/web(/.*)? | httpd_sys_rw_content_t | allfiles | system_u:object_r:httpd_sys_rw_content_t:s0 |
| /opt/.*\.cgi | httpd_sys_script_exec_t | regularfile | system_u:object_r:httpd_sys_script_exec_t:s0 |
| /opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? | httpd_var_run_t | allfiles | system_u:object_r:httpd_var_run_t:s0 |
| /srv/([^/]*/)?www(/.*)? | httpd_sys_content_t | allfiles | system_u:object_r:httpd_sys_content_t:s0 |
| /srv/([^/]*/)?www/logs(/.*)? | httpd_log_t | allfiles | system_u:object_r:httpd_log_t:s0 |
| /srv/gallery2(/.*)? | httpd_sys_content_t | allfiles | system_u:object_r:httpd_sys_content_t:s0 |
| /srv/gallery2/smarty(/.*)? | httpd_sys_rw_content_t | allfiles | system_u:object_r:httpd_sys_rw_content_t:s0 |
| /usr/.*\.cgi | httpd_sys_script_exec_t | regularfile | system_u:object_r:httpd_sys_script_exec_t:s0 |
| /usr/bin/htsslpass | httpd_helper_exec_t | regularfile | system_u:object_r:httpd_helper_exec_t:s0 |
| /usr/bin/mojomojo_fastcgi\.pl | httpd_mojomojo_script_exec_t | regularfile | system_u:object_r:httpd_mojomojo_script_exec_t:s0 |
| /usr/bin/mongrel_rails | httpd_exec_t | regularfile | system_u:object_r:httpd_exec_t:s0 |
| /usr/lib/apache(/.*)? | httpd_modules_t | allfiles | system_u:object_r:httpd_modules_t:s0 |
| /usr/lib/apache(2)?/suexec(2)? | httpd_suexec_exec_t | regularfile | system_u:object_r:httpd_suexec_exec_t:s0 |
| /usr/lib/apache-ssl/.+ | httpd_exec_t | regularfile | system_u:object_r:httpd_exec_t:s0 |
| /usr/lib/apache2/modules(/.*)? | httpd_modules_t | allfiles | system_u:object_r:httpd_modules_t:s0 |
| /usr/lib/cgi-bin(/.*)? | httpd_sys_script_exec_t | allfiles | system_u:object_r:httpd_sys_script_exec_t:s0 |
| /usr/lib/cgi-bin/(nph-)?cgiwrap(d)? | httpd_suexec_exec_t | regularfile | system_u:object_r:httpd_suexec_exec_t:s0 |
| /usr/lib/cgi-bin/check | httpd_w3c_validator_script_exec_t | allfiles | system_u:object_r:httpd_w3c_validator_script_exec_t:s0 |
| /usr/lib/cgi-bin/nagios(/.+)? | httpd_nagios_script_exec_t | allfiles | system_u:object_r:httpd_nagios_script_exec_t:s0 |
| /usr/lib/cgi-bin/netsaint(/.*)? | httpd_nagios_script_exec_t | allfiles | system_u:object_r:httpd_nagios_script_exec_t:s0 |
| /usr/lib/cherokee(/.*)? | httpd_modules_t | allfiles | system_u:object_r:httpd_modules_t:s0 |
| /usr/lib/dirsrv/cgi-bin(/.*)? | httpd_dirsrvadmin_script_exec_t | allfiles | system_u:object_r:httpd_dirsrvadmin_script_exec_t:s0 |
| /usr/lib/dirsrv/dsgw-cgi-bin(/.*)? | httpd_dirsrvadmin_script_exec_t | allfiles | system_u:object_r:httpd_dirsrvadmin_script_exec_t:s0 |
| /usr/lib/httpd(/.*)? | httpd_modules_t | allfiles | system_u:object_r:httpd_modules_t:s0 |
| /usr/lib/icinga/cgi(/.*)? | httpd_nagios_script_exec_t | allfiles | system_u:object_r:httpd_nagios_script_exec_t:s0 |
| /usr/lib/lighttpd(/.*)? | httpd_modules_t | allfiles | system_u:object_r:httpd_modules_t:s0 |
| /usr/lib/man2html/cgi-bin/man/man2html | httpd_man2html_script_exec_t | regularfile | system_u:object_r:httpd_man2html_script_exec_t:s0 |
| /usr/lib/man2html/cgi-bin/man/mansec | httpd_man2html_script_exec_t | regularfile | system_u:object_r:httpd_man2html_script_exec_t:s0 |
| /usr/lib/man2html/cgi-bin/man/manwhatis | httpd_man2html_script_exec_t | regularfile | system_u:object_r:httpd_man2html_script_exec_t:s0 |
| /usr/lib/mediawiki/math/texvc | httpd_mediawiki_script_exec_t | regularfile | system_u:object_r:httpd_mediawiki_script_exec_t:s0 |
| /usr/lib/mediawiki/math/texvc_tes | httpd_mediawiki_script_exec_t | regularfile | system_u:object_r:httpd_mediawiki_script_exec_t:s0 |
| /usr/lib/mediawiki/math/texvc_tex | httpd_mediawiki_script_exec_t | regularfile | system_u:object_r:httpd_mediawiki_script_exec_t:s0 |
| /usr/lib/nagios/cgi(/.*)? | httpd_nagios_script_exec_t | allfiles | system_u:object_r:httpd_nagios_script_exec_t:s0 |
| /usr/lib/nagios/cgi-bin(/.*)? | httpd_nagios_script_exec_t | allfiles | system_u:object_r:httpd_nagios_script_exec_t:s0 |
| /usr/lib/squid/cachemgr\.cgi | httpd_squid_script_exec_t | regularfile | system_u:object_r:httpd_squid_script_exec_t:s0 |
| /usr/lib/systemd/system/httpd.* | httpd_unit_file_t | regularfile | system_u:object_r:httpd_unit_file_t:s0 |
| /usr/lib/systemd/system/jetty.* | httpd_unit_file_t | regularfile | system_u:object_r:httpd_unit_file_t:s0 |
| /usr/lib/systemd/system/nginx.* | httpd_unit_file_t | regularfile | system_u:object_r:httpd_unit_file_t:s0 |
| /usr/lib/systemd/system/php-fpm.* | httpd_unit_file_t | regularfile | system_u:object_r:httpd_unit_file_t:s0 |
| /usr/libexec/httpd-ssl-pass-dialog | httpd_passwd_exec_t | regularfile | system_u:object_r:httpd_passwd_exec_t:s0 |
| /usr/libexec/zoneminder/cgi-bin(/.*)? | httpd_zoneminder_script_exec_t | allfiles | system_u:object_r:httpd_zoneminder_script_exec_t:s0 |
| /usr/s?bin/(oo|rhc)-restorer-wrapper.sh | httpd_openshift_script_exec_t | regularfile | system_u:object_r:httpd_openshift_script_exec_t:s0 |
| /usr/sbin/apache(2)? | httpd_exec_t | regularfile | system_u:object_r:httpd_exec_t:s0 |
| /usr/sbin/apache-ssl(2)? | httpd_exec_t | regularfile | system_u:object_r:httpd_exec_t:s0 |
| /usr/sbin/cherokee | httpd_exec_t | regularfile | system_u:object_r:httpd_exec_t:s0 |
| /usr/sbin/htcacheclean | httpd_exec_t | regularfile | system_u:object_r:httpd_exec_t:s0 |
| /usr/sbin/httpd(\.worker)? | httpd_exec_t | regularfile | system_u:object_r:httpd_exec_t:s0 |
| /usr/sbin/httpd\.event | httpd_exec_t | regularfile | system_u:object_r:httpd_exec_t:s0 |
| /usr/sbin/lighttpd | httpd_exec_t | regularfile | system_u:object_r:httpd_exec_t:s0 |
| /usr/sbin/nginx | httpd_exec_t | regularfile | system_u:object_r:httpd_exec_t:s0 |
| /usr/sbin/php-fpm | httpd_exec_t | regularfile | system_u:object_r:httpd_exec_t:s0 |
| /usr/sbin/rotatelogs | httpd_rotatelogs_exec_t | regularfile | system_u:object_r:httpd_rotatelogs_exec_t:s0 |
| /usr/sbin/suexec | httpd_suexec_exec_t | regularfile | system_u:object_r:httpd_suexec_exec_t:s0 |
| /usr/sbin/thttpd | httpd_exec_t | regularfile | system_u:object_r:httpd_exec_t:s0 |
| /usr/share/awstats/wwwroot(/.*)? | httpd_awstats_content_t | allfiles | system_u:object_r:httpd_awstats_content_t:s0 |
| /usr/share/awstats/wwwroot/cgi-bin(/.*)? | httpd_awstats_script_exec_t | allfiles | system_u:object_r:httpd_awstats_script_exec_t:s0 |
| /usr/share/bugzilla(/.*)? | httpd_bugzilla_content_t | allfiles | system_u:object_r:httpd_bugzilla_content_t:s0 |
| /usr/share/bugzilla/.*\.cgi | httpd_bugzilla_script_exec_t | regularfile | system_u:object_r:httpd_bugzilla_script_exec_t:s0 |
| /usr/share/collectd/collection3/bin/.*\.cgi | httpd_collectd_script_exec_t | regularfile | system_u:object_r:httpd_collectd_script_exec_t:s0 |
| /usr/share/cvsweb/cvsweb\.cgi | httpd_cvs_script_exec_t | regularfile | system_u:object_r:httpd_cvs_script_exec_t:s0 |
| /usr/share/doc/ghc/html(/.*)? | httpd_sys_content_t | allfiles | system_u:object_r:httpd_sys_content_t:s0 |
| /usr/share/drupal.* | httpd_sys_content_t | allfiles | system_u:object_r:httpd_sys_content_t:s0 |
| /usr/share/dspam-web/dspam\.cgi | httpd_dspam_script_exec_t | regularfile | system_u:object_r:httpd_dspam_script_exec_t:s0 |
| /usr/share/glpi(/.*)? | httpd_sys_content_t | allfiles | system_u:object_r:httpd_sys_content_t:s0 |
| /usr/share/htdig(/.*)? | httpd_sys_content_t | allfiles | system_u:object_r:httpd_sys_content_t:s0 |
| /usr/share/icecast(/.*)? | httpd_sys_content_t | allfiles | system_u:object_r:httpd_sys_content_t:s0 |
| /usr/share/jetty/bin/jetty.sh | httpd_exec_t | regularfile | system_u:object_r:httpd_exec_t:s0 |
| /usr/share/joomla(/.*)? | httpd_sys_rw_content_t | allfiles | system_u:object_r:httpd_sys_rw_content_t:s0 |
| /usr/share/lightsquid/cgi(/.*)? | httpd_squid_script_exec_t | allfiles | system_u:object_r:httpd_squid_script_exec_t:s0 |
| /usr/share/mediawiki(/.*)? | httpd_mediawiki_content_t | allfiles | system_u:object_r:httpd_mediawiki_content_t:s0 |
| /usr/share/mojomojo/root(/.*)? | httpd_mojomojo_content_t | allfiles | system_u:object_r:httpd_mojomojo_content_t:s0 |
| /usr/share/mythtv(/.*)? | httpd_mythtv_content_t | allfiles | system_u:object_r:httpd_mythtv_content_t:s0 |
| /usr/share/mythtv/mythweather/scripts(/.*)? | httpd_mythtv_script_exec_t | allfiles | system_u:object_r:httpd_mythtv_script_exec_t:s0 |
| /usr/share/mythweb(/.*)? | httpd_mythtv_content_t | allfiles | system_u:object_r:httpd_mythtv_content_t:s0 |
| /usr/share/mythweb/mythweb\.pl | httpd_mythtv_script_exec_t | regularfile | system_u:object_r:httpd_mythtv_script_exec_t:s0 |
| /usr/share/ntop/html(/.*)? | httpd_sys_content_t | allfiles | system_u:object_r:httpd_sys_content_t:s0 |
| /usr/share/openca/htdocs(/.*)? | httpd_sys_content_t | allfiles | system_u:object_r:httpd_sys_content_t:s0 |
| /usr/share/prewikka/cgi-bin(/.*)? | httpd_prewikka_script_exec_t | allfiles | system_u:object_r:httpd_prewikka_script_exec_t:s0 |
| /usr/share/selinux-policy[^/]*/html(/.*)? | httpd_sys_content_t | allfiles | system_u:object_r:httpd_sys_content_t:s0 |
| /usr/share/smokeping/cgi(/.*)? | httpd_smokeping_cgi_script_exec_t | allfiles | system_u:object_r:httpd_smokeping_cgi_script_exec_t:s0 |
| /usr/share/w3c-markup-validator(/.*)? | httpd_w3c_validator_content_t | allfiles | system_u:object_r:httpd_w3c_validator_content_t:s0 |
| /usr/share/w3c-markup-validator/cgi-bin(/.*)? | httpd_w3c_validator_script_exec_t | allfiles | system_u:object_r:httpd_w3c_validator_script_exec_t:s0 |
| /usr/share/wordpress-mu/wp-config\.php | httpd_sys_script_exec_t | regularfile | system_u:object_r:httpd_sys_script_exec_t:s0 |
| /usr/share/wordpress-mu/wp-content(/.*)? | httpd_sys_rw_content_t | allfiles | system_u:object_r:httpd_sys_rw_content_t:s0 |
| /usr/share/wordpress/.*\.php | httpd_sys_script_exec_t | regularfile | system_u:object_r:httpd_sys_script_exec_t:s0 |
| /usr/share/wordpress/wp-content/upgrade(/.*)? | httpd_sys_rw_content_t | allfiles | system_u:object_r:httpd_sys_rw_content_t:s0 |
| /usr/share/wordpress/wp-content/uploads(/.*)? | httpd_sys_rw_content_t | allfiles | system_u:object_r:httpd_sys_rw_content_t:s0 |
| /usr/share/wordpress/wp-includes/.*\.php | httpd_sys_script_exec_t | regularfile | system_u:object_r:httpd_sys_script_exec_t:s0 |
| /usr/share/z-push(/.*)? | httpd_sys_content_t | allfiles | system_u:object_r:httpd_sys_content_t:s0 |
| /var/cache/cgit(/.*)? | httpd_git_rw_content_t | allfiles | system_u:object_r:httpd_git_rw_content_t:s0 |
| /var/cache/gitweb-caching(/.*)? | httpd_git_rw_content_t | allfiles | system_u:object_r:httpd_git_rw_content_t:s0 |
| /var/cache/httpd(/.*)? | httpd_cache_t | allfiles | system_u:object_r:httpd_cache_t:s0 |
| /var/cache/lighttpd(/.*)? | httpd_cache_t | allfiles | system_u:object_r:httpd_cache_t:s0 |
| /var/cache/man2html(/.*)? | httpd_man2html_script_cache_t | allfiles | system_u:object_r:httpd_man2html_script_cache_t:s0 |
| /var/cache/mason(/.*)? | httpd_cache_t | allfiles | system_u:object_r:httpd_cache_t:s0 |
| /var/cache/mediawiki(/.*)? | httpd_cache_t | allfiles | system_u:object_r:httpd_cache_t:s0 |
| /var/cache/mod_.* | httpd_cache_t | allfiles | system_u:object_r:httpd_cache_t:s0 |
| /var/cache/mod_gnutls(/.*)? | httpd_cache_t | allfiles | system_u:object_r:httpd_cache_t:s0 |
| /var/cache/mod_proxy(/.*)? | httpd_cache_t | allfiles | system_u:object_r:httpd_cache_t:s0 |
| /var/cache/mod_ssl(/.*)? | httpd_cache_t | allfiles | system_u:object_r:httpd_cache_t:s0 |
| /var/cache/php-.* | httpd_cache_t | allfiles | system_u:object_r:httpd_cache_t:s0 |
| /var/cache/php-eaccelerator(/.*)? | httpd_cache_t | allfiles | system_u:object_r:httpd_cache_t:s0 |
| /var/cache/php-mmcache(/.*)? | httpd_cache_t | allfiles | system_u:object_r:httpd_cache_t:s0 |
| /var/cache/rt(3|4)(/.*)? | httpd_cache_t | allfiles | system_u:object_r:httpd_cache_t:s0 |
| /var/cache/ssl.*\.sem | httpd_cache_t | regularfile | system_u:object_r:httpd_cache_t:s0 |
| /var/lib/bugzilla(/.*)? | httpd_bugzilla_rw_content_t | allfiles | system_u:object_r:httpd_bugzilla_rw_content_t:s0 |
| /var/lib/cacti/rra(/.*)? | httpd_sys_content_t | allfiles | system_u:object_r:httpd_sys_content_t:s0 |
| /var/lib/cherokee(/.*)? | httpd_var_lib_t | allfiles | system_u:object_r:httpd_var_lib_t:s0 |
| /var/lib/dav(/.*)? | httpd_var_lib_t | allfiles | system_u:object_r:httpd_var_lib_t:s0 |
| /var/lib/dokuwiki(/.*)? | httpd_sys_rw_content_t | allfiles | system_u:object_r:httpd_sys_rw_content_t:s0 |
| /var/lib/drupal.* | httpd_sys_rw_content_t | allfiles | system_u:object_r:httpd_sys_rw_content_t:s0 |
| /var/lib/dspam/data(/.*)? | httpd_dspam_rw_content_t | allfiles | system_u:object_r:httpd_dspam_rw_content_t:s0 |
| /var/lib/glpi(/.*)? | httpd_var_lib_t | allfiles | system_u:object_r:httpd_var_lib_t:s0 |
| /var/lib/htdig(/.*)? | httpd_sys_content_t | allfiles | system_u:object_r:httpd_sys_content_t:s0 |
| /var/lib/httpd(/.*)? | httpd_var_lib_t | allfiles | system_u:object_r:httpd_var_lib_t:s0 |
| /var/lib/lighttpd(/.*)? | httpd_var_lib_t | allfiles | system_u:object_r:httpd_var_lib_t:s0 |
| /var/lib/mod_security(/.*)? | httpd_var_lib_t | allfiles | system_u:object_r:httpd_var_lib_t:s0 |
| /var/lib/mojomojo(/.*)? | httpd_mojomojo_rw_content_t | allfiles | system_u:object_r:httpd_mojomojo_rw_content_t:s0 |
| /var/lib/moodle(/.*)? | httpd_sys_rw_content_t | allfiles | system_u:object_r:httpd_sys_rw_content_t:s0 |
| /var/lib/nginx(/.*)? | httpd_var_lib_t | allfiles | system_u:object_r:httpd_var_lib_t:s0 |
| /var/lib/openshift/\.httpd\.d(/.*)? | httpd_config_t | allfiles | system_u:object_r:httpd_config_t:s0 |
| /var/lib/openshift/\.log/httpd(/.*)? | httpd_log_t | allfiles | system_u:object_r:httpd_log_t:s0 |
| /var/lib/owncloud(/.*)? | httpd_sys_rw_content_t | allfiles | system_u:object_r:httpd_sys_rw_content_t:s0 |
| /var/lib/php(/.*)? | httpd_var_lib_t | allfiles | system_u:object_r:httpd_var_lib_t:s0 |
| /var/lib/php/session(/.*)? | httpd_var_run_t | allfiles | system_u:object_r:httpd_var_run_t:s0 |
| /var/lib/php/wsdlcache(/.*)? | httpd_var_run_t | allfiles | system_u:object_r:httpd_var_run_t:s0 |
| /var/lib/pootle/po(/.*)? | httpd_sys_rw_content_t | allfiles | system_u:object_r:httpd_sys_rw_content_t:s0 |
| /var/lib/rt(3|4)/data/RT-Shredder(/.*)? | httpd_var_lib_t | allfiles | system_u:object_r:httpd_var_lib_t:s0 |
| /var/lib/squirrelmail/prefs(/.*)? | httpd_squirrelmail_t | allfiles | system_u:object_r:httpd_squirrelmail_t:s0 |
| /var/lib/stickshift/\.httpd\.d(/.*)? | httpd_config_t | allfiles | system_u:object_r:httpd_config_t:s0 |
| /var/lib/svn(/.*)? | httpd_sys_rw_content_t | allfiles | system_u:object_r:httpd_sys_rw_content_t:s0 |
| /var/lib/trac(/.*)? | httpd_sys_content_t | allfiles | system_u:object_r:httpd_sys_content_t:s0 |
| /var/lib/z-push(/.*)? | httpd_var_lib_t | allfiles | system_u:object_r:httpd_var_lib_t:s0 |
| /var/log/apache(2)?(/.*)? | httpd_log_t | allfiles | system_u:object_r:httpd_log_t:s0 |
| /var/log/apache-ssl(2)?(/.*)? | httpd_log_t | allfiles | system_u:object_r:httpd_log_t:s0 |
| /var/log/cacti(/.*)? | httpd_log_t | allfiles | system_u:object_r:httpd_log_t:s0 |
| /var/log/cgiwrap\.log.* | httpd_log_t | regularfile | system_u:object_r:httpd_log_t:s0 |
| /var/log/cherokee(/.*)? | httpd_log_t | allfiles | system_u:object_r:httpd_log_t:s0 |
| /var/log/dirsrv/admin-serv(/.*)? | httpd_log_t | allfiles | system_u:object_r:httpd_log_t:s0 |
| /var/log/glpi(/.*)? | httpd_log_t | allfiles | system_u:object_r:httpd_log_t:s0 |
| /var/log/horizon(/.*)? | httpd_log_t | allfiles | system_u:object_r:httpd_log_t:s0 |
| /var/log/httpd(/.*)? | httpd_log_t | allfiles | system_u:object_r:httpd_log_t:s0 |
| /var/log/lighttpd(/.*)? | httpd_log_t | allfiles | system_u:object_r:httpd_log_t:s0 |
| /var/log/nginx(/.*)? | httpd_log_t | allfiles | system_u:object_r:httpd_log_t:s0 |
| /var/log/php-fpm(/.*)? | httpd_log_t | allfiles | system_u:object_r:httpd_log_t:s0 |
| /var/log/php_errors\.log.* | httpd_log_t | regularfile | system_u:object_r:httpd_log_t:s0 |
| /var/log/roundcubemail(/.*)? | httpd_log_t | allfiles | system_u:object_r:httpd_log_t:s0 |
| /var/log/suphp\.log.* | httpd_log_t | regularfile | system_u:object_r:httpd_log_t:s0 |
| /var/log/thttpd\.log.* | httpd_log_t | regularfile | system_u:object_r:httpd_log_t:s0 |
| /var/log/z-push(/.*)? | httpd_sys_rw_content_t | allfiles | system_u:object_r:httpd_sys_rw_content_t:s0 |
| /var/run/apache.* | httpd_var_run_t | allfiles | system_u:object_r:httpd_var_run_t:s0 |
| /var/run/cherokee\.pid | httpd_var_run_t | regularfile | system_u:object_r:httpd_var_run_t:s0 |
| /var/run/dirsrv/admin-serv.* | httpd_var_run_t | allfiles | system_u:object_r:httpd_var_run_t:s0 |
| /var/run/gcache_port | httpd_var_run_t | socket | system_u:object_r:httpd_var_run_t:s0 |
| /var/run/httpd.* | httpd_var_run_t | allfiles | system_u:object_r:httpd_var_run_t:s0 |
| /var/run/lighttpd(/.*)? | httpd_var_run_t | allfiles | system_u:object_r:httpd_var_run_t:s0 |
| /var/run/mod_.* | httpd_var_run_t | allfiles | system_u:object_r:httpd_var_run_t:s0 |
| /var/run/nginx.* | httpd_var_run_t | allfiles | system_u:object_r:httpd_var_run_t:s0 |
| /var/run/php-fpm(/.*)? | httpd_var_run_t | allfiles | system_u:object_r:httpd_var_run_t:s0 |
| /var/run/thttpd\.pid | httpd_var_run_t | regularfile | system_u:object_r:httpd_var_run_t:s0 |
| /var/run/user/apache(/.*)? | httpd_tmp_t | allfiles | system_u:object_r:httpd_tmp_t:s0 |
| /var/run/wsgi.* | httpd_var_run_t | socket | system_u:object_r:httpd_var_run_t:s0 |
| /var/spool/gosa(/.*)? | httpd_sys_rw_content_t | allfiles | system_u:object_r:httpd_sys_rw_content_t:s0 |
| /var/spool/viewvc(/.*)? | httpd_sys_rw_content_t | allfiles | system_u:object_r:httpd_sys_rw_content_t:s0 |
| /var/www(/.*)? | httpd_log_t | allfiles | system_u:object_r:httpd_log_t:s0 |
| /var/www(/.*)?/logs(/.*)? | httpd_log_t | allfiles | system_u:object_r:httpd_log_t:s0 |
| /var/www/[^/]*/cgi-bin(/.*)? | httpd_sys_script_exec_t | allfiles | system_u:object_r:httpd_sys_script_exec_t:s0 |
| /var/www/apcupsd/multimon\.cgi | httpd_apcupsd_cgi_script_exec_t | regularfile | system_u:object_r:httpd_apcupsd_cgi_script_exec_t:s0 |
| /var/www/apcupsd/upsfstats\.cgi | httpd_apcupsd_cgi_script_exec_t | regularfile | system_u:object_r:httpd_apcupsd_cgi_script_exec_t:s0 |
| /var/www/apcupsd/upsimage\.cgi | httpd_apcupsd_cgi_script_exec_t | regularfile | system_u:object_r:httpd_apcupsd_cgi_script_exec_t:s0 |
| /var/www/apcupsd/upsstats\.cgi | httpd_apcupsd_cgi_script_exec_t | regularfile | system_u:object_r:httpd_apcupsd_cgi_script_exec_t:s0 |
| /var/www/cgi-bin(/.*)? | httpd_sys_script_exec_t | allfiles | system_u:object_r:httpd_sys_script_exec_t:s0 |
| /var/www/cgi-bin/apcgui(/.*)? | httpd_apcupsd_cgi_script_exec_t | allfiles | system_u:object_r:httpd_apcupsd_cgi_script_exec_t:s0 |
| /var/www/cgi-bin/cgit | httpd_git_script_exec_t | regularfile | system_u:object_r:httpd_git_script_exec_t:s0 |
| /var/www/cgi-bin/cvsweb\.cgi | httpd_cvs_script_exec_t | regularfile | system_u:object_r:httpd_cvs_script_exec_t:s0 |
| /var/www/cgi-bin/munin.* | httpd_munin_script_exec_t | allfiles | system_u:object_r:httpd_munin_script_exec_t:s0 |
| /var/www/dspam(/.*?) | httpd_dspam_content_t | allfiles | system_u:object_r:httpd_dspam_content_t:s0 |
| /var/www/dspam/.*\.cgi | httpd_dspam_script_exec_t | regularfile | system_u:object_r:httpd_dspam_script_exec_t:s0 |
| /var/www/gallery/albums(/.*)? | httpd_sys_rw_content_t | allfiles | system_u:object_r:httpd_sys_rw_content_t:s0 |
| /var/www/git(/.*)? | httpd_git_content_t | allfiles | system_u:object_r:httpd_git_content_t:s0 |
| /var/www/git/gitweb\.cgi | httpd_git_script_exec_t | regularfile | system_u:object_r:httpd_git_script_exec_t:s0 |
| /var/www/gitweb-caching/gitweb\.cgi | httpd_git_script_exec_t | regularfile | system_u:object_r:httpd_git_script_exec_t:s0 |
| /var/www/html(/.*)?/sites/default/files(/.*)? | httpd_sys_rw_content_t | allfiles | system_u:object_r:httpd_sys_rw_content_t:s0 |
| /var/www/html(/.*)?/sites/default/settings\.php | httpd_sys_rw_content_t | regularfile | system_u:object_r:httpd_sys_rw_content_t:s0 |
| /var/www/html(/.*)?/uploads(/.*)? | httpd_sys_rw_content_t | allfiles | system_u:object_r:httpd_sys_rw_content_t:s0 |
| /var/www/html(/.*)?/wp-content(/.*)? | httpd_sys_rw_content_t | allfiles | system_u:object_r:httpd_sys_rw_content_t:s0 |
| /var/www/html/[^/]*/cgi-bin(/.*)? | httpd_sys_script_exec_t | allfiles | system_u:object_r:httpd_sys_script_exec_t:s0 |
| /var/www/html/cgi/munin.* | httpd_munin_script_exec_t | allfiles | system_u:object_r:httpd_munin_script_exec_t:s0 |
| /var/www/html/configuration\.php | httpd_sys_rw_content_t | allfiles | system_u:object_r:httpd_sys_rw_content_t:s0 |
| /var/www/html/munin(/.*)? | httpd_munin_content_t | allfiles | system_u:object_r:httpd_munin_content_t:s0 |
| /var/www/html/munin/cgi(/.*)? | httpd_munin_script_exec_t | allfiles | system_u:object_r:httpd_munin_script_exec_t:s0 |
| /var/www/html/owncloud/data(/.*)? | httpd_sys_rw_content_t | allfiles | system_u:object_r:httpd_sys_rw_content_t:s0 |
| /var/www/icons(/.*)? | httpd_sys_content_t | allfiles | system_u:object_r:httpd_sys_content_t:s0 |
| /var/www/miq/vmdb/log(/.*)? | httpd_log_t | allfiles | system_u:object_r:httpd_log_t:s0 |
| /var/www/moodle/data(/.*)? | httpd_sys_rw_content_t | allfiles | system_u:object_r:httpd_sys_rw_content_t:s0 |
| /var/www/moodledata(/.*)? | httpd_sys_rw_content_t | allfiles | system_u:object_r:httpd_sys_rw_content_t:s0 |
| /var/www/nut-cgi-bin/upsimage\.cgi | httpd_nutups_cgi_script_exec_t | regularfile | system_u:object_r:httpd_nutups_cgi_script_exec_t:s0 |
| /var/www/nut-cgi-bin/upsset\.cgi | httpd_nutups_cgi_script_exec_t | regularfile | system_u:object_r:httpd_nutups_cgi_script_exec_t:s0 |
| /var/www/nut-cgi-bin/upsstats\.cgi | httpd_nutups_cgi_script_exec_t | regularfile | system_u:object_r:httpd_nutups_cgi_script_exec_t:s0 |
| /var/www/openshift/broker/httpd/logs(/.*)? | httpd_log_t | allfiles | system_u:object_r:httpd_log_t:s0 |
| /var/www/openshift/broker/httpd/run(/.*)? | httpd_var_run_t | allfiles | system_u:object_r:httpd_var_run_t:s0 |
| /var/www/openshift/console/httpd/logs(/.*)? | httpd_log_t | allfiles | system_u:object_r:httpd_log_t:s0 |
| /var/www/openshift/console/httpd/run(/.*)? | httpd_var_run_t | allfiles | system_u:object_r:httpd_var_run_t:s0 |
| /var/www/openshift/console/log(/.*)? | httpd_log_t | allfiles | system_u:object_r:httpd_log_t:s0 |
| /var/www/openshift/console/tmp(/.*)? | httpd_tmp_t | allfiles | system_u:object_r:httpd_tmp_t:s0 |
| /var/www/perl(/.*)? | httpd_sys_script_exec_t | allfiles | system_u:object_r:httpd_sys_script_exec_t:s0 |
| /var/www/stickshift/[^/]*/log(/.*)? | httpd_log_t | allfiles | system_u:object_r:httpd_log_t:s0 |
| /var/www/svn(/.*)? | httpd_sys_rw_content_t | allfiles | system_u:object_r:httpd_sys_rw_content_t:s0 |
| /var/www/svn/conf(/.*)? | httpd_sys_content_t | allfiles | system_u:object_r:httpd_sys_content_t:s0 |
| /var/www/svn/hooks(/.*)? | httpd_sys_script_exec_t | allfiles | system_u:object_r:httpd_sys_script_exec_t:s0 |
| /var/www/usage(/.*)? | httpd_webalizer_content_t | allfiles | system_u:object_r:httpd_webalizer_content_t:s0 |
| /var/www/wiki(/.*)? | httpd_mediawiki_rw_content_t | allfiles | system_u:object_r:httpd_mediawiki_rw_content_t:s0 |
| /var/www/wiki/.*\.php | httpd_mediawiki_content_t | regularfile | system_u:object_r:httpd_mediawiki_content_t:s0 |
------------------------------------------------------------------------------------

##############################################
SELinux Integrity Instrumentation (SII)
##############################################
Current Test#: 4
Test System: cent1
--------------------------------------------------------------------------
Main Menu
1. Enter Test #
2. Enter System Name
3. Run Collect Scripts
4. Run Parsing (boolens, service and context)
5. Run / View Finger Prints
6. Search / View Diffs
7. Search / View Relationships
8. Tools and Utilities
9. Exit
--------------------------------------------------------------------------
Enter your choice [1-9] : 7
------------------------------------------------------------------------------------
Current Domains for test: 4
------------------------------------------------------------------------------------
Services Domains Found:
<<none>> abrt_t accountsd_t crond_t kernel_t avahi_t bluetooth_t chronyd_t colord_t cupsd_t system_dbusd_t firewalld_t xdm_t httpd_t mdadm_t ksmtuned_t virtd_t modemmanager_t mongod_t NetworkManager_t policykit_t postfix_master_t rpcbind_t syslogd_t rtkit_daemon_t fsdaemon_t sshd_t systemd_logind_t udev_t tuned_t unconfined_t devicekit_power_t ftpd_t
------------------------------------------------------------------------------------
Enter domain to search for
Domain: ftpd
------------------------------------------------------------------------------------
Services:
------------------------------------------------------------------------------------
| Domain | Context | Service |
|:---------|:----------------------------------------|:----------|
| ftpd_t | system_u:system_r:ftpd_t:s0-s0:c0.c1023 | vsftpd |
------------------------------------------------------------------------------------
Booleans:
------------------------------------------------------------------------------------
| Default | Domain | State | Boolean | Description |
|:----------|:-------------|:--------|:----------------------------|:-------------------------------------|
| on | ftpd_t | on | ftp_home_dir | Allow ftp to home dir |
| off | ftpd_t | off | ftpd_use_cifs | Allow ftpd to use cifs |
| off | ftpd_t | off | ftpd_use_fusefs | Allow ftpd to use fusefs |
| off | ftpd_t | off | ftpd_connect_db | Allow ftpd to connect db |
| off | ftpd_t | off | ftpd_full_access | Allow ftpd to full access |
| off | tftpd_t | off | tftp_home_dir | Allow tftp to home dir |
| off | sftpd_t | off | sftpd_enable_homedirs | Allow sftpd to enable homedirs |
| off | ftpd_t | off | ftpd_use_passive_mode | Allow ftpd to use passive mode |
| off | sftpd_t | off | sftpd_write_ssh_home | Allow sftpd to write ssh home |
| off | ftpd_t | off | ftpd_use_nfs | Allow ftpd to use nfs |
| off | ftpd_t | off | ftpd_connect_all_unreserved | Allow ftpd to connect all unreserved |
| off | sftpd_t | off | sftpd_full_access | Allow sftpd to full access |
| off | tftpd_t | off | tftp_anon_write | Allow tftp to anon write |
| off | ftpd_t | off | ftpd_anon_write | Allow ftpd to anon write |
| off | anon_sftpd_t | off | sftpd_anon_write | Allow sftpd to anon write |
------------------------------------------------------------------------------------
File Contexts:
------------------------------------------------------------------------------------
| Path | Domain | Type | Context |
|:---------------------------|:-------------------|:------------|:----------------------------------------|
| /etc/cron\.monthly/proftpd | ftpd_exec_t | regularfile | system_u:object_r:ftpd_exec_t:s0 |
| /etc/proftpd\.conf | ftpd_etc_t | regularfile | system_u:object_r:ftpd_etc_t:s0 |
| /etc/rc\.d/init\.d/proftpd | ftpd_initrc_exec_t | regularfile | system_u:object_r:ftpd_initrc_exec_t:s0 |
| /etc/rc\.d/init\.d/vsftpd | ftpd_initrc_exec_t | regularfile | system_u:object_r:ftpd_initrc_exec_t:s0 |
| /etc/xinetd\.d/tftp | tftpd_etc_t | regularfile | system_u:object_r:tftpd_etc_t:s0 |
| /tftpboot | tftpdir_t | directory | system_u:object_r:tftpdir_t:s0 |
| /tftpboot/.* | tftpdir_t | allfiles | system_u:object_r:tftpdir_t:s0 |
| /usr/bin/ftpdctl | ftpdctl_exec_t | regularfile | system_u:object_r:ftpdctl_exec_t:s0 |
| /usr/kerberos/sbin/ftpd | ftpd_exec_t | regularfile | system_u:object_r:ftpd_exec_t:s0 |
| /usr/sbin/atftpd | tftpd_exec_t | regularfile | system_u:object_r:tftpd_exec_t:s0 |
| /usr/sbin/ftpwho | ftpd_exec_t | regularfile | system_u:object_r:ftpd_exec_t:s0 |
| /usr/sbin/in\.ftpd | ftpd_exec_t | regularfile | system_u:object_r:ftpd_exec_t:s0 |
| /usr/sbin/in\.tftpd | tftpd_exec_t | regularfile | system_u:object_r:tftpd_exec_t:s0 |
| /usr/sbin/muddleftpd | ftpd_exec_t | regularfile | system_u:object_r:ftpd_exec_t:s0 |
| /usr/sbin/proftpd | ftpd_exec_t | regularfile | system_u:object_r:ftpd_exec_t:s0 |
| /usr/sbin/vsftpd | ftpd_exec_t | regularfile | system_u:object_r:ftpd_exec_t:s0 |
| /var/lib/tftpboot(/.*)? | tftpdir_rw_t | allfiles | system_u:object_r:tftpdir_rw_t:s0 |
| /var/lock/subsys/*.ftpd | ftpd_lock_t | regularfile | system_u:object_r:ftpd_lock_t:s0 |
| /var/run/proftpd.* | ftpd_var_run_t | allfiles | system_u:object_r:ftpd_var_run_t:s0 |
------------------------------------------------------------------------------------

##############################################
SELinux Integrity Instrumentation (SII)
##############################################
Current Test#: 4
Test System: cent1
--------------------------------------------------------------------------
Main Menu
1. Enter Test #
2. Enter System Name
3. Run Collect Scripts
4. Run Parsing (boolens, service and context)
5. Run / View Finger Prints
6. Search / View Diffs
7. Search / View Relationships
8. Tools and Utilities
9. Exit
--------------------------------------------------------------------------
Enter your choice [1-9] : 7
------------------------------------------------------------------------------------
Current Domains for test: 4
------------------------------------------------------------------------------------
Services Domains Found:
<<none>> abrt_t accountsd_t crond_t kernel_t avahi_t bluetooth_t chronyd_t colord_t cupsd_t system_dbusd_t firewalld_t xdm_t httpd_t mdadm_t ksmtuned_t virtd_t modemmanager_t mongod_t NetworkManager_t policykit_t postfix_master_t rpcbind_t syslogd_t rtkit_daemon_t fsdaemon_t sshd_t systemd_logind_t udev_t tuned_t unconfined_t devicekit_power_t ftpd_t
------------------------------------------------------------------------------------
Enter domain to search for
Domain: unconfined
------------------------------------------------------------------------------------
Services:
------------------------------------------------------------------------------------
| Domain | Context | Service |
|:-------------|:------------------------------------------------------|:----------|
| unconfined_t | unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 | udisks2 |
------------------------------------------------------------------------------------
Booleans:
------------------------------------------------------------------------------------
| Default | Domain | State | Boolean | Description |
|:----------|:-------------|:--------|:-------------------------------------|:----------------------------------------------|
| on | unconfined_t | on | unconfined_mozilla_plugin_transition | Allow unconfined to mozilla plugin transition |
| off | unconfined_t | off | docker_transition_unconfined | Allow docker to transition unconfined |
| on | unconfined_t | on | unconfined_login | Allow unconfined to login |
| on | unconfined_t | on | unconfined_chrome_sandbox_transition | Allow unconfined to chrome sandbox transition |
------------------------------------------------------------------------------------
File Contexts:
------------------------------------------------------------------------------------
| Path | Domain | Type | Context |
|:-------------------------------------------|:-------------------------------------|:------------|:----------------------------------------------------------|
| /etc/[mg]dm/Init(/.*)? | xdm_unconfined_exec_t | allfiles | system_u:object_r:xdm_unconfined_exec_t:s0 |
| /etc/[mg]dm/PostLogin(/.*)? | xdm_unconfined_exec_t | allfiles | system_u:object_r:xdm_unconfined_exec_t:s0 |
| /etc/[mg]dm/PostSession(/.*)? | xdm_unconfined_exec_t | allfiles | system_u:object_r:xdm_unconfined_exec_t:s0 |
| /etc/[mg]dm/PreSession(/.*)? | xdm_unconfined_exec_t | allfiles | system_u:object_r:xdm_unconfined_exec_t:s0 |
| /etc/openvpn/scripts(/.*)? | openvpn_unconfined_script_exec_t | allfiles | system_u:object_r:openvpn_unconfined_script_exec_t:s0 |
| /etc/qemu-ga/fsfreeze-hook.d(/.*)? | virt_qemu_ga_unconfined_exec_t | allfiles | system_u:object_r:virt_qemu_ga_unconfined_exec_t:s0 |
| /etc/watchdog\.d(/.*)? | watchdog_unconfined_exec_t | allfiles | system_u:object_r:watchdog_unconfined_exec_t:s0 |
| /usr/bin/vncserver | unconfined_exec_t | regularfile | system_u:object_r:unconfined_exec_t:s0 |
| /usr/lib/dirsrv/cgi-bin/ds_create | dirsrvadmin_unconfined_script_exec_t | regularfile | system_u:object_r:dirsrvadmin_unconfined_script_exec_t:s0 |
| /usr/lib/dirsrv/cgi-bin/ds_remove | dirsrvadmin_unconfined_script_exec_t | regularfile | system_u:object_r:dirsrvadmin_unconfined_script_exec_t:s0 |
| /usr/lib/ipa/certmonger(/.*)? | certmonger_unconfined_exec_t | allfiles | system_u:object_r:certmonger_unconfined_exec_t:s0 |
| /usr/lib/nagios/plugins/.* | nagios_unconfined_plugin_exec_t | regularfile | system_u:object_r:nagios_unconfined_plugin_exec_t:s0 |
| /usr/libexec/qemu-ga/fsfreeze-hook.d(/.*)? | virt_qemu_ga_unconfined_exec_t | allfiles | system_u:object_r:virt_qemu_ga_unconfined_exec_t:s0 |
| /usr/libexec/watchdog/scripts(/.*)? | watchdog_unconfined_exec_t | allfiles | system_u:object_r:watchdog_unconfined_exec_t:s0 |
| /usr/sbin/xrdp | unconfined_exec_t | regularfile | system_u:object_r:unconfined_exec_t:s0 |
| /usr/sbin/xrdp-sesman | unconfined_exec_t | regularfile | system_u:object_r:unconfined_exec_t:s0 |
| /usr/share/munin/plugins/.* | unconfined_munin_plugin_exec_t | regularfile | system_u:object_r:unconfined_munin_plugin_exec_t:s0 |
| /var/lib/samba/scripts(/.*)? | samba_unconfined_script_exec_t | allfiles | system_u:object_r:samba_unconfined_script_exec_t:s0 |
| /var/run/qemu-ga/fsfreeze-hook.d(/.*)? | virt_qemu_ga_unconfined_exec_t | allfiles | system_u:object_r:virt_qemu_ga_unconfined_exec_t:s0 |
------------------------------------------------------------------------------------

##############################################
SELinux Integrity Instrumentation (SII)
##############################################
Current Test#: 4
Test System: cent1
--------------------------------------------------------------------------
Main Menu
1. Enter Test #
2. Enter System Name
3. Run Collect Scripts
4. Run Parsing (boolens, service and context)
5. Run / View Finger Prints
6. Search / View Diffs
7. Search / View Relationships
8. Tools and Utilities
9. Exit
--------------------------------------------------------------------------
Enter your choice [1-9] : 7
------------------------------------------------------------------------------------
Current Domains for test: 4
------------------------------------------------------------------------------------
Services Domains Found:
<<none>> abrt_t accountsd_t crond_t kernel_t avahi_t bluetooth_t chronyd_t colord_t cupsd_t system_dbusd_t firewalld_t xdm_t httpd_t mdadm_t ksmtuned_t virtd_t modemmanager_t mongod_t NetworkManager_t policykit_t postfix_master_t rpcbind_t syslogd_t rtkit_daemon_t fsdaemon_t sshd_t systemd_logind_t udev_t tuned_t unconfined_t devicekit_power_t ftpd_t
------------------------------------------------------------------------------------
Enter domain to search for
Domain: sshd
------------------------------------------------------------------------------------
Services:
------------------------------------------------------------------------------------
| Domain | Context | Service |
|:---------|:----------------------------------------|:----------|
| sshd_t | system_u:system_r:sshd_t:s0-s0:c0.c1023 | sshd |
------------------------------------------------------------------------------------
Booleans:
------------------------------------------------------------------------------------
| k | e | y | s | ||
------------------------------------------------------------------------------------
File Contexts:
------------------------------------------------------------------------------------
| Path | Domain | Type | Context |
|:--------------------------------------|:------------------------|:------------|:---------------------------------------------|
| /etc/rc\.d/init\.d/sshd | sshd_initrc_exec_t | regularfile | system_u:object_r:sshd_initrc_exec_t:s0 |
| /etc/ssh/primes | sshd_key_t | regularfile | system_u:object_r:sshd_key_t:s0 |
| /etc/ssh/ssh_host.*_key | sshd_key_t | regularfile | system_u:object_r:sshd_key_t:s0 |
| /etc/ssh/ssh_host.*_key\.pub | sshd_key_t | regularfile | system_u:object_r:sshd_key_t:s0 |
| /usr/lib/systemd/system/sshd-keygen.* | sshd_keygen_unit_file_t | regularfile | system_u:object_r:sshd_keygen_unit_file_t:s0 |
| /usr/lib/systemd/system/sshd.* | sshd_unit_file_t | regularfile | system_u:object_r:sshd_unit_file_t:s0 |
| /usr/sbin/gsisshd | sshd_exec_t | regularfile | system_u:object_r:sshd_exec_t:s0 |
| /usr/sbin/sshd | sshd_exec_t | regularfile | system_u:object_r:sshd_exec_t:s0 |
| /usr/sbin/sshd-keygen | sshd_keygen_exec_t | regularfile | system_u:object_r:sshd_keygen_exec_t:s0 |
| /var/run/sshd\.init\.pid | sshd_var_run_t | regularfile | system_u:object_r:sshd_var_run_t:s0 |
| /var/run/sshd\.pid | sshd_var_run_t | regularfile | system_u:object_r:sshd_var_run_t:s0 |
------------------------------------------------------------------------------------

##############################################
SELinux Integrity Instrumentation (SII)
##############################################
Current Test#: 4
Test System: cent1
--------------------------------------------------------------------------
Main Menu
1. Enter Test #
2. Enter System Name
3. Run Collect Scripts
4. Run Parsing (boolens, service and context)
5. Run / View Finger Prints
6. Search / View Diffs
7. Search / View Relationships
8. Tools and Utilities
9. Exit
--------------------------------------------------------------------------
Enter your choice [1-9] : 7
------------------------------------------------------------------------------------
Current Domains for test: 4
------------------------------------------------------------------------------------
Services Domains Found:
<<none>> abrt_t accountsd_t crond_t kernel_t avahi_t bluetooth_t chronyd_t
colord_t cupsd_t system_dbusd_t firewalld_t xdm_t httpd_t mdadm_t ksmtuned_t virtd_t modemmanager_t mongod_t NetworkManager_t policykit_t postfix_master_t rpcbind_t syslogd_t rtkit_daemon_t fsdaemon_t sshd_t systemd_logind_t udev_t tuned_t unconfined_t devicekit_power_t ftpd_t
------------------------------------------------------------------------------------
Enter domain to search for
Domain: ssh
------------------------------------------------------------------------------------
Services:
------------------------------------------------------------------------------------
| Domain | Context | Service |
|:---------|:----------------------------------------|:----------|
| sshd_t | system_u:system_r:sshd_t:s0-s0:c0.c1023 | sshd |
------------------------------------------------------------------------------------
Booleans:
------------------------------------------------------------------------------------
| Default | Domain | State | Boolean | Description |
|:----------|:--------------|:--------|:------------|:---------------------|
| off | ssh_t | off | ssh_keysign | Allow ssh to keysign |
| off | sge_job_ssh_t | off | sge_use_nfs | Allow sge to use nfs |
------------------------------------------------------------------------------------
File Contexts:
------------------------------------------------------------------------------------
| Path | Domain | Type | Context |
|:------------------------------------------|:--------------------------|:------------|:-----------------------------------------------|
| /etc/rc\.d/init\.d/sshd | sshd_initrc_exec_t | regularfile | system_u:object_r:sshd_initrc_exec_t:s0 |
| /etc/ssh/primes | sshd_key_t | regularfile | system_u:object_r:sshd_key_t:s0 |
| /etc/ssh/ssh_host.*_key | sshd_key_t | regularfile | system_u:object_r:sshd_key_t:s0 |
| /etc/ssh/ssh_host.*_key\.pub | sshd_key_t | regularfile | system_u:object_r:sshd_key_t:s0 |
| /opt/NX/home/nx/\.ssh(/.*)? | nx_server_home_ssh_t | allfiles | system_u:object_r:nx_server_home_ssh_t:s0 |
| /root/\.shosts | ssh_home_t | allfiles | system_u:object_r:ssh_home_t:s0 |
| /root/\.ssh(/.*)? | ssh_home_t | allfiles | system_u:object_r:ssh_home_t:s0 |
| /usr/NX/home/nx/\.ssh(/.*)? | nx_server_home_ssh_t | allfiles | system_u:object_r:nx_server_home_ssh_t:s0 |
| /usr/bin/rssh | rssh_exec_t | regularfile | system_u:object_r:rssh_exec_t:s0 |
| /usr/bin/ssh | ssh_exec_t | regularfile | system_u:object_r:ssh_exec_t:s0 |
| /usr/bin/ssh-agent | ssh_agent_exec_t | regularfile | system_u:object_r:ssh_agent_exec_t:s0 |
| /usr/bin/ssh-keygen | ssh_keygen_exec_t | regularfile | system_u:object_r:ssh_keygen_exec_t:s0 |
| /usr/lib/openssh/ssh-keysign | ssh_keysign_exec_t | regularfile | system_u:object_r:ssh_keysign_exec_t:s0 |
| /usr/lib/systemd/system/sshd-keygen.* | sshd_keygen_unit_file_t | regularfile | system_u:object_r:sshd_keygen_unit_file_t:s0 |
| /usr/lib/systemd/system/sshd.* | sshd_unit_file_t | regularfile | system_u:object_r:sshd_unit_file_t:s0 |
| /usr/libexec/nm-ssh-service | ssh_exec_t | regularfile | system_u:object_r:ssh_exec_t:s0 |
| /usr/libexec/openssh/ssh-keysign | ssh_keysign_exec_t | regularfile | system_u:object_r:ssh_keysign_exec_t:s0 |
| /usr/libexec/rssh_chroot_helper | rssh_chroot_helper_exec_t | regularfile | system_u:object_r:rssh_chroot_helper_exec_t:s0 |
| /usr/sbin/gsisshd | sshd_exec_t | regularfile | system_u:object_r:sshd_exec_t:s0 |
| /usr/sbin/sshd | sshd_exec_t | regularfile | system_u:object_r:sshd_exec_t:s0 |
| /usr/sbin/sshd-keygen | sshd_keygen_exec_t | regularfile | system_u:object_r:sshd_keygen_exec_t:s0 |
| /var/lib/[^/]+/\.ssh(/.*)? | ssh_home_t | allfiles | system_u:object_r:ssh_home_t:s0 |
| /var/lib/amanda/\.ssh(/.*)? | ssh_home_t | allfiles | system_u:object_r:ssh_home_t:s0 |
| /var/lib/gitolite/\.ssh(/.*)? | ssh_home_t | allfiles | system_u:object_r:ssh_home_t:s0 |
| /var/lib/gitolite3/\.ssh(/.*)? | ssh_home_t | allfiles | system_u:object_r:ssh_home_t:s0 |
| /var/lib/nocpulse/\.ssh(/.*)? | ssh_home_t | allfiles | system_u:object_r:ssh_home_t:s0 |
| /var/lib/nxserver/home/.ssh(/.*)? | nx_server_home_ssh_t | allfiles | system_u:object_r:nx_server_home_ssh_t:s0 |
| /var/lib/one/\.ssh(/.*)? | ssh_home_t | allfiles | system_u:object_r:ssh_home_t:s0 |
| /var/lib/openshift/[^/]+/\.ssh(/.*)? | ssh_home_t | allfiles | system_u:object_r:ssh_home_t:s0 |
| /var/lib/openshift/gear/[^/]+/\.ssh(/.*)? | ssh_home_t | allfiles | system_u:object_r:ssh_home_t:s0 |
| /var/lib/pgsql/\.ssh(/.*)? | ssh_home_t | allfiles | system_u:object_r:ssh_home_t:s0 |
| /var/lib/stickshift/[^/]+/\.ssh(/.*)? | ssh_home_t | allfiles | system_u:object_r:ssh_home_t:s0 |
| /var/run/sshd\.init\.pid | sshd_var_run_t | regularfile | system_u:object_r:sshd_var_run_t:s0 |
| /var/run/sshd\.pid | sshd_var_run_t | regularfile | system_u:object_r:sshd_var_run_t:s0 |
------------------------------------------------------------------------------------

##############################################
SELinux Integrity Instrumentation (SII)
##############################################
Current Test#: 4
Test System: cent1
--------------------------------------------------------------------------
Main Menu
1. Enter Test #
2. Enter System Name
3. Run Collect Scripts
4. Run Parsing (boolens, service and context)
5. Run / View Finger Prints
6. Search / View Diffs
7. Search / View Relationships
8. Tools and Utilities
9. Exit
--------------------------------------------------------------------------
Enter your choice [1-9] : 9
Bye
APPENDIX G
SELinux policy update differences: Booleans table analysis output from Beyond Compare 4.0 application.
Cent1 Test 1 vs Test 2 File Context Diff
Produced: 2/20/15 3:34:39 PM
Mode: Differences
Left file: /Users/mike/Dropbox/SII-results/cent1-booleans-test1.csv
Right file: /Users/mike/Dropbox/SII-results/cent1-booleans-test2.csv

mount_anyfile,Allow mount to anyfile,on,on,3a9bbf4882abec1d75cff73096138ae2
<> mount_anyfile,Allow mount to anyfile,on,on,3f5a9c614b54461d785c70a86345b519
telepathy_connect_all_ports,Allow telepathy to connect all ports,off,off,4b9cec82afe240449b7ab476c9763f61
<> telepathy_connect_all_ports,Allow telepathy to connect all ports,off,off,afeabce2bd6120071d7490f39cb0f119
deny_ptrace,Allow deny to ptrace,off,off,50b2b805ca2720a21eede6c3d852f662
<> deny_ptrace,Allow deny to ptrace,off,off,77ecf1f8501acdcd5a350ce947208cfb
selinuxuser_execmod,Allow selinuxuser to execmod,on,on,38b8a18285cba4595c3439f6bae28001
selinuxuser_execmod,Allow selinuxuser to execmod,on,on,271cad3b3f7ea71ec88eaf13af1d5691
gpg_agent_env_file,Allow gpg to agent env file,off,off,bd42004d6f629ef91738a0de5d63c562
<> glance_use_execmem,Allow glance to use execmem,off,off,54b2e96aa5f4bdb5fc713b3ce5cf2919
telepathy_tcp_connect_generic_network_ports,Allow telepathy to tcp connect generic network ports,on,on,18ae66133dd10c8ddab179350d6484c0
telepathy_tcp_connect_generic_network_ports,Allow telepathy to tcp connect generic network ports,on,on,f882650ec774d0402f5daef03bf944d2
httpd_can_network_connect_db,Allow httpd to can network connect db,off,off,a9344e3da9abf314d11aff85b81ca78b
<> httpd_can_network_connect_db,Allow httpd to can network connect db,off,off,7d9eafc8bd6cc88dd59fa4d5c29ef045
use_ecryptfs_home_dirs,Allow use to ecryptfs home dirs,off,off,27a6cd311e3076c0d9412200c46fc3af
use_ecryptfs_home_dirs,Allow use to ecryptfs home dirs,off,off,2037467d374e3c6d0f3922a15e303d4c
xserver_clients_write_xshm,Allow xserver to clients write xshm,off,off,51a1b18744e6ab53e9ef4fe6a356526a
<> xserver_clients_write_xshm,Allow xserver to clients write xshm,off,off,47a016166429f8c6e4e1b095d4bdb062
virt_use_nfs,Allow virt to use nfs,off,off,39a41e011de9f0056677723702ef209b
<> virt_use_nfs,Allow virt to use nfs,off,off,e49c7e72f73e671b608fd46b24202990
irssi_use_full_network,Allow irssi to use full network,off,off,e94922c7972a8d0a956a2f6f7beacd52
<> swift_can_network,Allow swift to can network,off,off,ef3b9c219af25cabeba8ef90066fa587
git_system_use_cifs,Allow git to system use cifs,off,off,5ecf56ce6f5e33720c1c65f6f71636f3
<> git_system_use_cifs,Allow git to system use cifs,off,off,c4a369ef997ffa033ec8095420d9789d
nscd_use_shm,Allow nscd to use shm,on,on,4c52f198d509cbaa2c0f05d451eccf87
<> nscd_use_shm,Allow nscd to use shm,on,on,1148fe3f9a6e1e92d69eb1bac50dd490
httpd_use_cifs,Allow httpd to use cifs,off,off,83b3f3d917b5bf54fd9bf1caf83f4e67
<> httpd_use_cifs,Allow httpd to use cifs,off,off,7c272a2ec2b0bc2fb149e06d538e1739
secure_mode,Allow secure to mode,off,off,cf1e4cbdae8d07686a2541ce839ae7b5
<> secure_mode,Allow secure to mode,off,off,bcacbc1b61f67dbd6e664eebe5ec5026
use_samba_home_dirs,Allow use to samba home dirs,off,off,87024ff36b4cd45ae147e5fc0a8fb3bc
<> use_samba_home_dirs,Allow use to samba home dirs,off,off,340120715cfb16490eb8ed7c4c5ec133
selinuxuser_rw_noexattrfile,Allow selinuxuser to rw noexattrfile,on,on,3998a0b20bfbfd713670bd00f040216f
<> selinuxuser_rw_noexattrfile,Allow selinuxuser to rw noexattrfile,on,on,e1653bc16ce84f3651b9113c5f376b52
authlogin_nsswitch_use_ldap,Allow authlogin to nsswitch use ldap,off,off,eb1fd04d6e8075286374f835248bcbc3
authlogin_nsswitch_use_ldap,Allow authlogin to nsswitch use ldap,off,off,aa884f61038b96c0cd0f4bf7fd579946
zabbix_can_network,Allow zabbix to can network,off,off,7aece7c32a26fd6bf8a2c7a88a18752d
<> zabbix_can_network,Allow zabbix to can network,off,off,e4ca9552d6a207959ee0e0f05ef3e9bc
httpd_enable_homedirs,Allow httpd to enable homedirs,off,off,86abba1237d377c0927905c5b8b0c06d
<> httpd_enable_homedirs,Allow httpd to enable homedirs,off,off,65ca8266c570042a13b69e97f52cbd34
-+ glance_use_fusefs,Allow glance to use fusefs,off,off,bd691cc5b517671d9e49c11d36f2519e
pppd_for_user,Allow pppd to for user,off,off,93cdeb7ba3c996faa98937f28629197e
<> pppd_for_user,Allow pppd to for user,off,off,71bb6b90b0798780a88b5b5e00662850
selinuxuser_use_ssh_chroot,Allow selinuxuser to use ssh chroot,off,off,7b0f3d5fe7113caef098ace0f2112ec6
selinuxuser_use_ssh_chroot,Allow selinuxuser to use ssh chroot,off,off,4aacee0812c0cdbdd1443d9ed2e62aea
fips_mode,Allow fips to mode,on,on,77f1704cd47819ad0540f56a036d9dda
<> fips_mode,Allow fips to mode,on,on,ae18970fe41e27d85ccdfeae04f66a3c
git_system_use_nfs,Allow git to system use nfs,off,off,a9000283f5edf6e3634c85a4349c0a2f
<> git_system_use_nfs,Allow git to system use nfs,off,off,f5c7a2953231bdf2aa78c9b4f49c6e24
httpd_unified,Allow httpd to unified,off,off,e528887c28c32ea0fbc50c0bc7352463
<> httpd_unified,Allow httpd to unified,off,off,599c4d182ba0e1c1e4c5fdca34144b1e
httpd_mod_auth_pam,Allow httpd to mod auth pam,off,off,72e634592fa8f5ec708faf90b0b5f03d
<> httpd_mod_auth_pam,Allow httpd to mod auth pam,off,off,70c359586aeed6d17830aba6d224313e
-+ gpg_agent_env_file,Allow gpg to agent env file,off,off,bd42004d6f629ef91738a0de5d63c562
authlogin_yubikey,Allow authlogin to yubikey,off,off,61a9378dd0bf22a72246efd7580e3efd
<> authlogin_yubikey,Allow authlogin to yubikey,off,off,9f1b1c3bc18f37ad8fe1e9c31ba1a1e3
httpd_use_fusefs,Allow httpd to use fusefs,off,off,41ed8c8e9b3cc60ec94c7624eeecfd3a
<> httpd_use_fusefs,Allow httpd to use fusefs,off,off,eaf43c5d6cd2218a0c58c076153436db
httpd_can_network_connect,Allow httpd to can network connect,off,off,6e0a73f08d434ea87741e607e6f86009
<> httpd_can_network_connect,Allow httpd to can network connect,off,off,c132e0f9cb4ddffcf0dfffa34a3799d4
login_console_enabled,Allow login to console enabled,on,on,770cd3d292a353076a6c9e2c362c52c2
login_console_enabled,Allow login to console enabled,on,on,b2bcd0ca8385140d13da6d96ca17d3f0
selinuxuser_postgresql_connect_enabled,Allow selinuxuser to postgresql connect enabled,off,off,5f0885a97d1b59a87bd9fe4f3f19f557
<> selinuxuser_postgresql_connect_enabled,Allow selinuxuser to postgresql connect enabled,off,off,00a521e2ee74c0b22718294a4f64c81e
mplayer_execstack,Allow mplayer to execstack,off,off,396db8058b18233ab42061211e779ae3
<> mplayer_execstack,Allow mplayer to execstack,off,off,26486eb6048c204545c35b72ec92c009
use_fusefs_home_dirs,Allow use to fusefs home dirs,off,off,df479c1916e9d9c83e998fc9ca52f625
<> use_fusefs_home_dirs,Allow use to fusefs home dirs,off,off,37fec8a1518d61bc1c4107c366d2177d
selinuxuser_execheap,Allow selinuxuser to execheap,off,off,1c8fc0fe6b5c8ac1924c00ab2009f4dc
selinuxuser_execheap,Allow selinuxuser to execheap,off,off,bb89d1fdfd3ae184dcc586640ef4e27a
nis_enabled,Allow nis to enabled,off,off,82696bc74fa8a3cf162701fbebd81c78
<> nis_enabled,Allow nis to enabled,off,off,d6383c9ec1bdad41445e4836963f29fd
unconfined_login,Allow unconfined to login,on,on,72a5aff28835e535da4f51116e526654
unconfined_login,Allow unconfined to login,on,on,d00f1966d0b8288fe371fb2b171c5d66
secure_mode_insmod,Allow secure to mode insmod,off,off,9ee41c0014a1b5057b1db4671b213598
secure_mode_insmod,Allow secure to mode insmod,off,off,bbca0a2e14e3a3c9ab5190de1b893e81
selinuxuser_execstack,Allow selinuxuser to execstack,on,on,e8c34c10844243b4ce726a4f8b6919da
<> selinuxuser_execstack,Allow selinuxuser to execstack,on,on,742d9c909a8eada15cdf25ab8be868f7
samba_domain_controller,Allow samba to domain controller,off,off,9913d50ca70a1d6560a630c92fe1d398
samba_domain_controller,Allow samba to domain controller,off,off,de7544884183d2fdc362bec08caba7c3
pcp_bind_all_unreserved_ports,Allow pcp to bind all unreserved ports,off,off,f478d1a020b16f1bdb36d8fbfac15021
<> puppetagent_manage_all_files,Allow puppetagent to manage all files,off,off,0dbe309e3f4125c0cf7c299bdec5b8bb
httpd_read_user_content,Allow httpd to read user content,off,off,f4b4bf5fe392e40e83b33bcaaa9ab482
httpd_read_user_content,Allow httpd to read user content,off,off,650fcf28b3c64df987798c566ec11cf6
httpd_use_nfs,Allow httpd to use nfs,off,off,2876e5b8f3af4fd51d975d2b6643e82f
httpd_use_nfs,Allow httpd to use nfs,off,off,5ba20c11dc96406cbea97d502bb1902c
unconfined_chrome_sandbox_transition,Allow unconfined to chrome sandbox transition,on,on,b9aca9f962a59f732163c6afede313df
unconfined_chrome_sandbox_transition,Allow unconfined to chrome sandbox transition,on,on,3bbfbd4318b207c23a858497cd468bc3
sge_use_nfs,Allow sge to use nfs,off,off,41cc9bedff9fbd376303a70601f11ad1
<> sge_use_nfs,Allow sge to use nfs,off,off,0c8bafdb2acf5ffbd7fb2046fa46b76d
xguest_use_bluetooth,Allow xguest to use bluetooth,on,on,f72704d690d01ac5b2a368bbdfb01370
xguest_use_bluetooth,Allow xguest to use bluetooth,on,on,1f3c1fa1cd7fff70680f5b638541962c
zarafa_setrlimit,Allow zarafa to setrlimit,off,off,086a860273db7e927dd4340a91cf44dd
<> zarafa_setrlimit,Allow zarafa to setrlimit,off,off,35b1a387e3b4798a20e526771ebfee4e
httpd_can_sendmail,Allow httpd to can sendmail,off,off,272e440c86469f3e081c40f47c7d0ff2
<> httpd_can_sendmail,Allow httpd to can sendmail,off,off,cc1f66a346c741fc63406fdc3e80c778
mmap_low_allowed,Allow mmap to low allowed,off,off,3457855f76f217fe7d2b417ccf4a2d29
<> mmap_low_allowed,Allow mmap to low allowed,off,off,f497f9c15ea4f743ea904e0d309b71ca
httpd_dbus_avahi,Allow httpd to dbus avahi,off,off,47529560281dc3c404987f233c2ea765
<> httpd_dbus_avahi,Allow httpd to dbus avahi,off,off,efe97f4efc548ec3d300bb924b57b6dd
kerberos_enabled,Allow kerberos to enabled,on,on,b3f43272df238d74267636c6ced48cf6
<> kerberos_enabled,Allow kerberos to enabled,on,on,fcccd8277d190a7f22bd5626c48de9d9
git_session_users,Allow git to session users,off,off,918928fdc82abb674ff042db478da8fa
<> git_session_users,Allow git to session users,off,off,4f65bcd99c51b06a3bc55e03e63216ec
deny_execmem,Allow deny to execmem,off,off,1570f8b009f49299a2991c1a1e9960c3
<> deny_execmem,Allow deny to execmem,off,off,1caf42e3e1cc6dcfd4c362e6bb575855
<> neutron_can_network,Allow neutron to can network,off,off,cdd31abf4b22b3270e126ee8ae73c139
use_nfs_home_dirs,Allow use to nfs home dirs,off,off,16ea2dc1effc6e1a07f7281922a5d4fb
use_nfs_home_dirs,Allow use to nfs home dirs,off,off,c3a637d5ad147409722341768f30ff32
-+ glance_api_can_network,Allow glance to api can network,off,off,2b782af7a2de6c516a2aa8b14b7791b9
abrt_handle_event,Allow abrt to handle event,off,off,5a6a245cbd8bf9c63f29855211761a1d
<> abrt_handle_event,Allow abrt to handle event,off,off,b8fbeb4db31a6a444402f7ecfbf510c7
httpd_execmem,Allow httpd to execmem,off,off,fcf0a58fad9864d4683850b037b3e3b4
<> httpd_execmem,Allow httpd to execmem,off,off,b46e478ad1e174c4325e6622c67e29dd
puppet_manage_all_files,Allow puppet to manage all files,off,off,e60b550a1e0abc275fea4ced8ab62720
+-
-+ irssi_use_full_network,Allow irssi to use full network,off,off,e94922c7972a8d0a956a2f6f7beacd52
-+ pcp_bind_all_unreserved_ports,Allow pcp to bind all unreserved ports,off,off,f478d1a020b16f1bdb36d8fbfac15021
ssh_sysadm_login,Allow ssh to sysadm login,off,off,cd0d99826562c95d5319a93cc7b11a11
<> ssh_sysadm_login,Allow ssh to sysadm login,off,off,67e5a30d89c26ad950de79671ecb717d
virt_use_samba,Allow virt to use samba,off,off,0304fe6dbe779d540b4d523c2791007a
<> virt_use_samba,Allow virt to use samba,off,off,ed38e4f5f254b64ef2ea1a9f37e1c5cd
cluster_use_execmem,Allow cluster to use execmem,off,off,539ac2074243be58362dcad041a5853e
cluster_use_execmem,Allow cluster to use execmem,off,off,4d281049346b7501471abef638ed689b
sftpd_anon_write,Allow sftpd to anon write,off,off,3801baff8ee1a921f6cafb6890a84d83
<> sftpd_anon_write,Allow sftpd to anon write,off,off,b96418d8735ae576f3e1461955dd2134
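The listing above shows the five-field Boolean record SII compares (name, description, current state, default state, hash) together with the diff markers the comparison prefixes to a line. Note that many `<>` pairs carry identical visible fields and differ only in the hash, while a Boolean whose state actually flipped is a different kind of finding for an operator. The following is an added example, not code from the dissertation or from SII itself: it parses records in this layout, tolerates the `<>`, `-+` and `+-` markers so an earlier comparison output can be re-read, and classifies each Boolean as added, removed, state-changed, hash-only-changed or unchanged. The sample records and their hash values are constructed for the example; what SII actually feeds into its MD5 is not stated in this section, so `record_digest` hashing only name, current and default is an assumption of this example.

```python
import csv
import hashlib
import io

# Constructed sample input in the SII Boolean record layout. The hash values
# are placeholders made up for this example, not values from the listing.
BASELINE = """\
httpd_can_network_connect,Allow httpd to can network connect,off,off,aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
nscd_use_shm,Allow nscd to use shm,on,on,bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
pcp_bind_all_unreserved_ports,Allow pcp to bind all unreserved ports,off,off,cccccccccccccccccccccccccccccccc
"""
SNAPSHOT = """\
httpd_can_network_connect,Allow httpd to can network connect,on,off,dddddddddddddddddddddddddddddddd
nscd_use_shm,Allow nscd to use shm,on,on,eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee
glance_use_fusefs,Allow glance to use fusefs,off,off,ffffffffffffffffffffffffffffffff
"""

FIELDS = ("name", "description", "current", "default", "digest")
MARKERS = ("<>", "-+", "+-")  # diff markers seen in the SII listing


def parse_records(text):
    """Parse SII-style Boolean lines into a dict keyed by Boolean name.

    A leading diff marker left over from an earlier comparison is stripped;
    a line that is only a marker carries no record and is skipped.
    """
    records = {}
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        head = row[0].split(" ", 1)
        if head[0] in MARKERS:
            if len(head) == 1:
                continue
            row[0] = head[1]
        if len(row) != len(FIELDS):
            raise ValueError("malformed record: %r" % (row,))
        rec = dict(zip(FIELDS, row))
        records[rec["name"]] = rec
    return records


def record_digest(rec):
    """MD5 over the state-carrying fields of one record.

    Assumption of this example: only name, current and default are hashed.
    The page does not specify what SII includes in its hash.
    """
    data = "%s,%s,%s" % (rec["name"], rec["current"], rec["default"])
    return hashlib.md5(data.encode()).hexdigest()


def compare(baseline_text, snapshot_text):
    """Classify every Boolean present in either the baseline or the snapshot."""
    base = parse_records(baseline_text)
    snap = parse_records(snapshot_text)
    result = {"added": [], "removed": [], "state_changed": [],
              "hash_only": [], "unchanged": []}
    for name in sorted(set(base) | set(snap)):
        if name not in base:
            result["added"].append(name)
        elif name not in snap:
            result["removed"].append(name)
        else:
            b, s = base[name], snap[name]
            if (b["current"], b["default"]) != (s["current"], s["default"]):
                # the policy state itself moved: the finding an operator acts on
                result["state_changed"].append((name, b["current"], s["current"]))
            elif b["digest"] != s["digest"]:
                # visible fields agree but the recorded hash does not, as in
                # most '<>' pairs of the listing; worth a separate bucket
                result["hash_only"].append(name)
            else:
                result["unchanged"].append(name)
    return result


if __name__ == "__main__":
    for bucket, items in compare(BASELINE, SNAPSHOT).items():
        print(bucket, items)
```

Running the block prints one line per bucket; the constructed input yields one added, one removed, one state-changed and one hash-only Boolean. Keeping the hash-only bucket separate lets an operator review how the hash is derived before treating such pairs as configuration drift.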