From 16d399e40f7de36ec35528217e9b4f810c105ca5 Mon Sep 17 00:00:00 2001
From: Eric Renfro
Date: Sun, 22 Nov 2015 16:13:53 -0500
Subject: [PATCH] Added support for ossec-analysisd completed
---
 ossec.fc | 21 +++++-
 ossec.te | 217 +++++++++++++++++++++++++++++++++++++++++++++++++++++--
 2 files changed, 228 insertions(+), 10 deletions(-)
diff --git a/ossec.fc b/ossec.fc
index 82bbd0b..1e059a3 100644
--- a/ossec.fc
+++ b/ossec.fc
@@ -10,16 +10,31 @@
 /var/ossec/logs(/.*)? gen_context(system_u:object_r:ossec_log_t,s0)
 /var/ossec/queue(/.*)? gen_context(system_u:object_r:ossec_queue_t,s0)
 /var/ossec/stats(/.*)? gen_context(system_u:object_r:ossec_stats_t,s0)
-/var/ossec/var(/.*)? gen_context(system_u:object_r:ossec_var_t,s0)
 /var/ossec/agentless(/.*)? gen_context(system_u:object_r:ossec_var_t,s0)
+/var/ossec/var/run(/.*)? gen_context(system_u:object_r:ossec_var_run_t,s0)
+/var/ossec/var(/.*)? gen_context(system_u:object_r:ossec_var_t,s0)
+
 /var/ossec/tmp(/.*)? gen_context(system_u:object_r:ossec_tmp_t,s0)
 /var/ossec/etc(/.*)? gen_context(system_u:object_r:ossec_etc_t,s0)
+/var/ossec/etc/shared(/.*)? gen_context(system_u:object_r:ossec_etc_share_t,s0)
 /var/ossec/rules(/.*)? gen_context(system_u:object_r:ossec_rule_t,s0)
-/var/ossec/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
 /var/ossec/active-response(/.*)? gen_context(system_u:object_r:ossec_script_t,s0)
-#/var/ossec/bin/ossec-control -- gen_context(system_u:object_r:ossec_exec_t,s0)
+/etc/init.d/ossec-hids -- gen_context(system_u:object_r:ossec_initrc_exec_t,s0)
+/var/ossec/bin/ossec-control -- gen_context(system_u:object_r:ossec_initrc_exec_t,s0)
+/var/ossec/bin/ossec-server.sh -- gen_context(system_u:object_r:ossec_initrc_exec_t,s0)
+/var/ossec/bin/ossec-maild -- gen_context(system_u:object_r:ossec_maild_exec_t,s0)
+/var/ossec/bin/ossec-execd -- gen_context(system_u:object_r:ossec_execd_exec_t,s0)
+/var/ossec/bin/ossec-analysisd -- gen_context(system_u:object_r:ossec_analysisd_exec_t,s0)
+/var/ossec/bin/ossec-logcollector -- gen_context(system_u:object_r:ossec_logcollector_exec_t,s0)
+/var/ossec/bin/ossec-remoted -- gen_context(system_u:object_r:ossec_remoted_exec_t,s0)
+/var/ossec/bin/ossec-syscheckd -- gen_context(system_u:object_r:ossec_syscheckd_exec_t,s0)
+/var/ossec/bin/ossec-monitord -- gen_context(system_u:object_r:ossec_monitord_exec_t,s0)
+/var/ossec/bin/ossec-dbd -- gen_context(system_u:object_r:ossec_dbd_exec_t,s0)
+/var/ossec/bin/ossec-csyslogd -- gen_context(system_u:object_r:ossec_csyslogd_exec_t,s0)
+/var/ossec/bin/ossec-agentlessd -- gen_context(system_u:object_r:ossec_agentlessd_exec_t,s0)
+/var/ossec/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
diff --git a/ossec.te b/ossec.te
index 0fc8a72..9299145 100644
--- a/ossec.te
+++ b/ossec.te
@@ -1,5 +1,5 @@
-policy_module(ossec,1.0.10)
+policy_module(ossec,1.0.70)
 ########################################
 #
@@ -8,10 +8,49 @@ policy_module(ossec,1.0.10)
 type ossec_t;
 type ossec_bin_t;
-type ossec_exec_t;
-role system_r types ossec_t;
-domain_type(ossec_t)
-domain_entry_file(ossec_t, ossec_exec_t)
+
+type ossec_maild_t;
+type ossec_maild_exec_t;
+init_daemon_domain(ossec_maild_t, ossec_maild_exec_t)
+
+type ossec_execd_t;
+type ossec_execd_exec_t;
+init_daemon_domain(ossec_execd_t, ossec_execd_exec_t)
+
+type ossec_analysisd_t;
+type ossec_analysisd_exec_t;
+init_daemon_domain(ossec_analysisd_t, ossec_analysisd_exec_t)
+
+type ossec_logcollector_t;
+type ossec_logcollector_exec_t;
+init_daemon_domain(ossec_logcollector_t, ossec_logcollector_exec_t)
+
+type ossec_remoted_t;
+type ossec_remoted_exec_t;
+init_daemon_domain(ossec_remoted_t, ossec_remoted_exec_t)
+
+type ossec_syscheckd_t;
+type ossec_syscheckd_exec_t;
+init_daemon_domain(ossec_syscheckd_t, ossec_syscheckd_exec_t)
+
+type ossec_monitord_t;
+type ossec_monitord_exec_t;
+init_daemon_domain(ossec_monitord_t, ossec_monitord_exec_t)
+
+type ossec_dbd_t;
+type ossec_dbd_exec_t;
+init_daemon_domain(ossec_dbd_t, ossec_dbd_exec_t)
+
+type ossec_csyslogd_t;
+type ossec_csyslogd_exec_t;
+init_daemon_domain(ossec_csyslogd_t, ossec_csyslogd_exec_t)
+
+type ossec_agentlessd_t;
+type ossec_agentlessd_exec_t;
+init_daemon_domain(ossec_agentlessd_t, ossec_agentlessd_exec_t)
+
+type ossec_initrc_exec_t;
+init_script_file(ossec_initrc_exec_t)
 optional_policy(`
 ossec_domtrans(httpd_t)
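Review bot: The catch-all `/var/ossec/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)` that closes the hunk means any OSSEC binary not given its own entry above it — ossec-authd, for instance, if this build ships it — still executes in the caller's domain rather than a confined one, and with thirteen explicit entries now preceding it that gap is easy to overlook. A comment directly above the catch-all, `# Binaries not listed above stay bin_t and run unconfined in the caller's domain; add an entry when a new daemon is packaged`, would make the intent explicit for the next person adding a daemon. Moving the catch-all to the end does not change labeling, since the exact-path `--` entries are more specific than the `(/.*)?` regex, so the reordering itself is harmless.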
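Review bot: `type ossec_t;` and `type ossec_bin_t;` survive this hunk while `domain_type(ossec_t)`, `role system_r types ossec_t;` and `domain_entry_file(ossec_t, ossec_exec_t)` are removed, so ossec_t is left as a bare type with no domain attribute and no entry point, yet the retained `optional_policy(\` ossec_domtrans(httpd_t) ')` still asks for a transition into it. If `ossec_domtrans` in ossec.if (not visible here) still names ossec_exec_t the module will no longer build; if it names ossec_t, httpd would be granted a transition into a type that is no longer a domain and cannot reach any of the new per-daemon domains. Either repoint the interface at the exec type httpd actually needs to launch, or drop the optional block together with ossec_exec_t, and delete `type ossec_t;` if nothing else in the module uses it. The declarations section continues past this hunk, so later uses of ossec_t are not visible from here.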
@@ -20,6 +59,9 @@ optional_policy(`
 type ossec_var_t;
 files_type(ossec_var_t)
+type ossec_var_run_t;
+files_pid_file(ossec_var_run_t)
+
 type ossec_tmp_t;
 files_tmp_file(ossec_tmp_t)
@@ -29,6 +71,9 @@ logging_log_file(ossec_log_t)
 type ossec_etc_t;
 files_config_file(ossec_etc_t)
+type ossec_etc_share_t;
+files_config_file(ossec_etc_share_t)
+
 type ossec_rule_t;
 files_config_file(ossec_rule_t)
@@ -44,7 +89,28 @@ files_type(ossec_script_t)
 require {
 type ossec_t;
 type ossec_bin_t;
- type ossec_exec_t;
+
+ type ossec_maild_t;
+ type ossec_maild_exec_t;
+ type ossec_execd_t;
+ type ossec_execd_exec_t;
+ type ossec_analysisd_t;
+ type ossec_analysisd_exec_t;
+ type ossec_logcollector_t;
+ type ossec_logcollector_exec_t;
+ type ossec_remoted_t;
+ type ossec_remoted_exec_t;
+ type ossec_syscheckd_t;
+ type ossec_syscheckd_exec_t;
+ type ossec_monitord_t;
+ type ossec_monitord_exec_t;
+ type ossec_dbd_t;
+ type ossec_dbd_exec_t;
+ type ossec_csyslogd_t;
+ type ossec_csyslogd_exec_t;
+ type ossec_agentlessd_t;
+ type ossec_agentlessd_exec_t;
+
 type ossec_var_t;
 type ossec_tmp_t;
 type ossec_log_t;
@@ -56,6 +122,10 @@ require {
 type httpd_t;
 class file { rename read lock create write getattr unlink open append };
 class dir { write getattr read remove_name create add_name };
+ class capability { dac_override dac_read_search setuid setgid fsetid sys_chroot sys_nice };
+ class tcp_socket { create name_bind name_connect };
+ class udp_socket { create bind name_bind node_bind };
+
 }
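Review bot: The `require { ... }` block in the `-44,7 +89,28` hunk now lists every domain and exec type this same module declares a few lines earlier (`type ossec_maild_t;` through `type ossec_agentlessd_exec_t;`); a require block only needs names that come from other modules, so these twenty entries are redundant and will silently drift from the declarations the next time a daemon type is added or renamed. This reads like audit2allow output carried into the .te; keep `type httpd_t;` and the class lines, and drop the ossec_* type entries. In the following `-56,6 +122,10` hunk, `sys_nice` is added to the required capability permissions but, in the part of the patch visible here, only ever appears inside a commented-out rule, so it can be removed until a rule actually uses it.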
@@ -65,7 +135,140 @@ require {
 #
-#============= ossec_t ==============
+#============= ossec_maild_t ==============
+auth_read_passwd(ossec_maild_t)
+
+# init
+allow ossec_maild_t self:capability { dac_override dac_read_search setuid setgid sys_chroot }; #fsetid sys_nice };
+#allow ossec_t self:process { setsched };
+
+# etc dir
+search_dirs_pattern(ossec_maild_t, ossec_etc_t, ossec_etc_t)
+read_lnk_files_pattern(ossec_maild_t, ossec_etc_t, ossec_etc_t)
+read_files_pattern(ossec_maild_t, ossec_etc_t, ossec_etc_t)
+sysnet_read_config(ossec_maild_t)
+
+# var dir
+search_dirs_pattern(ossec_maild_t, ossec_var_t, ossec_var_t)
+
+# var run dir
+manage_dirs_pattern(ossec_maild_t, ossec_var_run_t, ossec_var_run_t)
+manage_files_pattern(ossec_maild_t, ossec_var_run_t, ossec_var_run_t)
+
+# logs
+search_dirs_pattern(ossec_maild_t, ossec_log_t, ossec_log_t)
+read_files_pattern(ossec_maild_t, ossec_log_t, ossec_log_t)
+allow ossec_maild_t ossec_log_t:file { create_file_perms append_file_perms };
+logging_log_filetrans(ossec_maild_t, ossec_log_t, file)
+
+# Sockets
+allow ossec_t self:udp_socket { create };
+
+
+#============= ossec_execd_t ==============
+
+# init
+auth_read_passwd(ossec_execd_t)
+allow ossec_execd_t self:capability { dac_override dac_read_search setgid };
+
+# var dir
+#search_dirs_pattern(ossec_execd_t, ossec_var_t, ossec_var_t)
+rw_dirs_pattern(ossec_execd_t, ossec_var_t, ossec_var_t)
+#rw_files_pattern(ossec_execd_t, ossec_var_t, ossec_var_t)
+#create_files_pattern(ossec_execd_t, ossec_var_t, ossec_var_t)
+manage_files_pattern(ossec_execd_t, ossec_var_t, ossec_var_t)
+
+# var run dir
+manage_dirs_pattern(ossec_execd_t, ossec_var_run_t, ossec_var_run_t)
+manage_files_pattern(ossec_execd_t, ossec_var_run_t, ossec_var_run_t)
+
+# queue dir
+rw_dirs_pattern(ossec_execd_t, ossec_queue_t, ossec_queue_t)
+manage_sock_files_pattern(ossec_execd_t, ossec_queue_t, ossec_queue_t);
+
+# logs
+search_dirs_pattern(ossec_execd_t, ossec_log_t, ossec_log_t)
+read_files_pattern(ossec_execd_t, ossec_log_t, ossec_log_t)
+allow ossec_execd_t ossec_log_t:file { create_file_perms append_file_perms };
+logging_log_filetrans(ossec_execd_t, ossec_log_t, file)
+
+# etc dir
+search_dirs_pattern(ossec_execd_t, ossec_etc_t, ossec_etc_t)
+read_lnk_files_pattern(ossec_execd_t, ossec_etc_t, ossec_etc_t)
+read_files_pattern(ossec_execd_t, ossec_etc_t, ossec_etc_t)
+#sysnet_read_config(ossec_execd_t)
+
+# dgram socket
+allow ossec_execd_t self:unix_dgram_socket { create bind getopt }; # connect sendto
+
+# Read urandom
+dev_read_urand(ossec_execd_t)
+
+
+#============= ossec_analysisd_t ==============
+
+# init
+auth_read_passwd(ossec_analysisd_t)
+allow ossec_analysisd_t self:capability { dac_override dac_read_search fsetid setuid setgid sys_chroot };
+
+# var dir
+search_dirs_pattern(ossec_analysisd_t, ossec_var_t, ossec_var_t)
+#rw_dirs_pattern(ossec_execd_t, ossec_var_t, ossec_var_t)
+##rw_files_pattern(ossec_execd_t, ossec_var_t, ossec_var_t)
+##create_files_pattern(ossec_execd_t, ossec_var_t, ossec_var_t)
+##manage_files_pattern(ossec_execd_t, ossec_var_t, ossec_var_t)
+
+# var run dir
+manage_dirs_pattern(ossec_analysisd_t, ossec_var_run_t, ossec_var_run_t)
+manage_files_pattern(ossec_analysisd_t, ossec_var_run_t, ossec_var_run_t)
+
+# queue dir
+rw_dirs_pattern(ossec_analysisd_t, ossec_queue_t, ossec_queue_t)
+rw_files_pattern(ossec_analysisd_t, ossec_queue_t, ossec_queue_t)
+manage_sock_files_pattern(ossec_analysisd_t, ossec_queue_t, ossec_queue_t)
+
+# stats dir
+rw_dirs_pattern(ossec_analysisd_t, ossec_stats_t, ossec_stats_t)
+read_files_pattern(ossec_analysisd_t, ossec_stats_t, ossec_stats_t)
+
+# etc dir
+search_dirs_pattern(ossec_analysisd_t, ossec_etc_t, ossec_etc_t)
+read_lnk_files_pattern(ossec_analysisd_t, ossec_etc_t, ossec_etc_t)
+read_files_pattern(ossec_analysisd_t, ossec_etc_t, ossec_etc_t)
+#sysnet_read_config(ossec_maild_t)
+
+# etc share dir
+search_dirs_pattern(ossec_analysisd_t, ossec_etc_share_t, ossec_etc_share_t)
+manage_files_pattern(ossec_analysisd_t, ossec_etc_share_t, ossec_etc_share_t)
+
+# logs
+#search_dirs_pattern(ossec_analysisd_t, ossec_log_t, ossec_log_t)
+add_entry_dirs_pattern(ossec_analysisd_t, ossec_log_t, ossec_log_t)
+manage_files_pattern(ossec_analysisd_t, ossec_log_t, ossec_log_t)
+#read_files_pattern(ossec_analysisd_t, ossec_log_t, ossec_log_t)
+#delete_files_pattern(ossec_analysisd_t, ossec_log_t, ossec_log_t)
+#allow ossec_analysisd_t ossec_log_t:file { create_file_perms append_file_perms };
+logging_log_filetrans(ossec_analysisd_t, ossec_log_t, file)
+
+# rules dir
+search_dirs_pattern(ossec_analysisd_t, ossec_rule_t, ossec_rule_t)
+read_files_pattern(ossec_analysisd_t, ossec_rule_t, ossec_rule_t)
+
+# dgram socket
+allow ossec_analysisd_t self:unix_dgram_socket { create bind getopt connect };
+allow ossec_analysisd_t ossec_execd_t:unix_dgram_socket { sendto };
+
+
+#============= ossec_logcollector_t ==============
+
+# init
+##auth_read_passwd(ossec_execd_t)
+allow ossec_logcollector_t self:capability { dac_override dac_read_search };
+
+# etc dir
+search_dirs_pattern(ossec_logcollector_t, ossec_etc_t, ossec_etc_t)
+read_lnk_files_pattern(ossec_logcollector_t, ossec_etc_t, ossec_etc_t)
+read_files_pattern(ossec_logcollector_t, ossec_etc_t, ossec_etc_t)
 #============= httpd_t ==============
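Review bot: Under `# Sockets` in the ossec_maild_t section the rule is `allow ossec_t self:udp_socket { create };` — it names ossec_t, which this same patch strips of `domain_type`, instead of ossec_maild_t, so maild receives no socket permission and the rule is dead; it should read `allow ossec_maild_t self:udp_socket { create };`. Separately, `manage_files_pattern(ossec_analysisd_t, ossec_log_t, ossec_log_t)` hands the analysis daemon write, rename and unlink over every ossec_log_t file, whereas the maild and execd sections above use the narrower `allow … ossec_log_t:file { create_file_perms append_file_perms };`; for a HIDS the alert log is the audit trail, so unless analysisd is known to truncate or rotate logs (rotation is normally ossec-monitord's job) the commented-out append-only form is the one to keep. `manage_files_pattern(ossec_analysisd_t, ossec_etc_share_t, ossec_etc_share_t)` likewise grants create and delete over /var/ossec/etc/shared, which is configuration pushed to agents; confirm analysisd needs more than read there. The commented rules in the analysisd and logcollector sections still refer to ossec_execd_t and ossec_maild_t from copy-paste and should be corrected or deleted so they do not mislead the next audit2allow pass.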