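policy_module(ossec, 1.0.45)

########################################
#
# Declarations
#

# Daemon domain; init transitions into it when executing ossec_exec_t
# (init_daemon_domain also provides the role and domain_type setup that
# the old commented-out role/domain_type lines did by hand).
type ossec_t;
type ossec_exec_t;
init_daemon_domain(ossec_t, ossec_exec_t)

# NOTE(review): declared with no file attribute and not used by any rule in
# this file; kept for the .fc/.if (not shown) - confirm it is still referenced.
type ossec_bin_t;

type ossec_initrc_exec_t;
init_script_file(ossec_initrc_exec_t)

# Installation tree and its pid files.
type ossec_var_t;
files_type(ossec_var_t)

type ossec_var_run_t;
files_pid_file(ossec_var_run_t)

# NOTE(review): no rule below creates or manages ossec_tmp_t content and there
# is no tmp filetrans; confirm the type is still needed.
type ossec_tmp_t;
files_tmp_file(ossec_tmp_t)

type ossec_log_t;
logging_log_file(ossec_log_t)

# Configuration: read-only main config, writable etc/shared, rule files.
type ossec_etc_t;
files_config_file(ossec_etc_t)

type ossec_etc_share_t;
files_config_file(ossec_etc_share_t)

type ossec_rule_t;
files_config_file(ossec_rule_t)

type ossec_stats_t;
files_type(ossec_stats_t)

type ossec_queue_t;
files_type(ossec_queue_t)

# NOTE(review): not used by any rule in this file; presumably labelled via the .fc.
type ossec_script_t;
files_type(ossec_script_t)

# Port type for the agent/server channel. Only the type is declared here: a
# module cannot call network_port(), so the port number itself (1514 tcp/udp
# in the original commented-out call) must be labelled ossec_port_t outside
# this module (e.g. with semanage port); otherwise a bind is checked against
# the default port type instead and name_bind below never applies.
# TODO(review): confirm the install scripts (not shown) do this.
type ossec_port_t;
corenet_port(ossec_port_t)

########################################
#
# ossec local policy
#

#============= ossec_t ==============

auth_read_passwd(ossec_t)

# Read /proc/meminfo
kernel_read_system_state(ossec_t)

# Read urandom
dev_read_urand(ossec_t)

# Privilege dropping, chroot and scheduling by the daemons.
# NOTE(review): granting both dac_override and dac_read_search usually means
# the DAC ownership of the tree does not match the daemon uids; check whether
# dac_read_search alone suffices before keeping both.
allow ossec_t self:capability { dac_override dac_read_search setuid setgid fsetid sys_chroot sys_nice };
allow ossec_t self:process setsched;

# etc dir
sysnet_read_config(ossec_t)

# var dir
# manage_files_pattern already grants rw_dir_perms on the directory, so the
# former separate rw_dirs_pattern on ossec_var_t added nothing.
manage_files_pattern(ossec_t, ossec_var_t, ossec_var_t)
manage_sock_files_pattern(ossec_t, ossec_var_t, ossec_var_t)

# queue dir (rw_dir_perms on the directory comes from manage_sock_files_pattern)
rw_files_pattern(ossec_t, ossec_queue_t, ossec_queue_t)
manage_sock_files_pattern(ossec_t, ossec_queue_t, ossec_queue_t)

# stats dir
rw_dirs_pattern(ossec_t, ossec_stats_t, ossec_stats_t)
rw_files_pattern(ossec_t, ossec_stats_t, ossec_stats_t)

# rules dir
read_files_pattern(ossec_t, ossec_rule_t, ossec_rule_t)

# logs
manage_files_pattern(ossec_t, ossec_log_t, ossec_log_t)
# ossec_log_filetrans is expected to be defined in this module's .if (not shown).
ossec_log_filetrans(ossec_t, ossec_log_t, file)

# system logs - the HIDS reads other daemons' logs
logging_read_all_logs(ossec_t)

# Allow reading ossec config
allow ossec_t ossec_etc_t:dir list_dir_perms;
read_files_pattern(ossec_t, ossec_etc_t, ossec_etc_t)
read_lnk_files_pattern(ossec_t, ossec_etc_t, ossec_etc_t)

# Allow rw etc/shared (manage_files_pattern covers the directory perms too)
manage_files_pattern(ossec_t, ossec_etc_share_t, ossec_etc_share_t)

# Sockets
# The type a udp_socket permission is checked against depends on the
# permission: create/bind against the process's own type, node_bind against
# the node type, name_bind against the port type. The previous rule granted
# create_socket_perms and create on ossec_port_t (and node_bind on self),
# which are never consulted, so only the effective permissions are kept.
allow ossec_t self:udp_socket { create bind };
corenet_udp_bind_generic_node(ossec_t)
allow ossec_t ossec_port_t:udp_socket name_bind;
# NOTE(review): no read/write is granted on self:udp_socket here; if the
# daemon's sendto/recvfrom on its UDP socket is denied, this is where to look.

allow ossec_t self:unix_dgram_socket { create bind getopt connect sendto };

#============= httpd_t ==============

# The web front-end only needs read access to logs, queue and stats. Kept in
# an optional block with its own require so this module loads even when the
# apache module is absent (the old bare require{} block also pulled in
# initrc_t, which nothing here uses). The old `dir { read }` rules only
# permitted listing; search on the directory is required to reach the files,
# which list_dirs_pattern/read_files_pattern provide in the usual refpolicy form.
# NOTE(review): if the parent tree (e.g. /var/ossec) is labelled ossec_var_t,
# httpd_t also needs search on it, e.g.
# search_dirs_pattern(httpd_t, ossec_var_t, ossec_var_t) - confirm against the .fc.
# Refpolicy convention would place these in ossec.if as ossec_read_*() interfaces
# called from apache.te.
optional_policy(`
	gen_require(`
		type httpd_t;
	')

	ossec_domtrans(httpd_t)

	list_dirs_pattern(httpd_t, ossec_log_t, ossec_log_t)
	read_files_pattern(httpd_t, ossec_log_t, ossec_log_t)

	list_dirs_pattern(httpd_t, ossec_queue_t, ossec_queue_t)
	read_files_pattern(httpd_t, ossec_queue_t, ossec_queue_t)

	list_dirs_pattern(httpd_t, ossec_stats_t, ossec_stats_t)
	read_files_pattern(httpd_t, ossec_stats_t, ossec_stats_t)
')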