[Clip] DISA STIG SRR Scripts
Aaron Lippold
lippold at gmail.com
Wed Sep 9 14:04:19 CDT 2009
Hi,
I am sure there is a way that we could automate the check for the list
of pseudo filesystems using mount. Perhaps we can submit a patch to
FSO?
I will look into it but if someone knows the right bash (or ksh in
the case of the SRRs) that would be cool.
Aaron
On Wed, Sep 9, 2009 at 12:58 PM, Eric Gearhart <eric at nixwizard.net> wrote:
> On Wed, Sep 9, 2009 at 5:42 AM, Stephen Smalley <sds at tycho.nsa.gov> wrote:
>>
>> On Wed, 2009-09-09 at 08:16 -0400, Joe_Wulf wrote:
>> > Stephen,
>> >
>> > Going one step further... for any particular instance of SELinux out
>> > there, would you say the permissions are already 'correct'? From an
>> > auditor's perspective, how can/should I, during a Host Based Assessment,
>> > know that what is there is in fact correct?
>>
>> The initial file modes for the selinuxfs (/selinux) files are compiled
>> into the kernel and set correctly at boot each time. So you can either
>> read the selinuxfs code in the kernel to see the expected values or you
>> can sample them at boot on a known-good system.
>>
>> And even if the file modes were completely opened up, SELinux applies
>> its own permission checks when operating on those files.
>>
>> The files that are likely of greatest interest are:
>> /selinux/load - used to reload policy
>> /selinux/enforce - used to read or modify the enforcing status
>> /selinux/booleans/* - used to read or modify the policy booleans
>> /selinux/commit_pending_bools - used to commit changes to the booleans
>>
>> These files are also subjected to SELinux permission checks, so the only
>> case where the DAC file mode is relevant is if you are using targeted
>> policy and have unconfined_t processes. In that situation, those files
>> are prevented from being modified by non-root unconfined_t processes via
>> the DAC controls.
>>
>
> Thanks Stephen, I wasn't aware that /selinux was a pseudo filesystem (along
> the same lines as /proc I'd assume) - I'd just noticed that the perms were
> more permissive than 640 on /selinux. That's easily explained to the
> auditors evaluating us for DIACAP compliance.
>
> --
> Eric
>
>
> _______________________________________________
> Clip mailing list
> Clip at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/clip
>
>
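As an added example, not code from the thread or from the SRR scripts: a POSIX sh script that parses `mount` output and tells an SRR-style permission check whether a path flagged for a permissive DAC mode lives on a kernel pseudo filesystem such as selinuxfs, where (as Stephen notes above) the modes are compiled into the kernel and set at boot. The pseudo filesystem type list and the sample mount table are constructed here, not taken from any real host.

```shell
# Added example (not from the Clip thread): classify a flagged path as living on a
# kernel pseudo filesystem or on persistent storage, using `mount` output.
# Assumed list of pseudo filesystem types; extend it for the platform under review.
PSEUDO_FS_TYPES="selinuxfs proc sysfs devpts tmpfs debugfs securityfs binfmt_misc rpc_pipefs"
# Constructed sample of `mount` output in the Linux "DEV on MNT type FSTYPE (OPTS)" form.
SAMPLE_MOUNT_OUTPUT='/dev/sda1 on / type ext3 (rw)
proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw)
none on /selinux type selinuxfs (rw)
devpts on /dev/pts type devpts (rw,gid=5,mode=620)
/dev/sda2 on /home type ext3 (rw)'
# pseudo_mounts: read `mount` output on stdin, print "MNT FSTYPE" for each
# mount whose filesystem type is in PSEUDO_FS_TYPES.
pseudo_mounts() {
    while read -r _dev _on mnt _type fstype _rest; do
        for t in $PSEUDO_FS_TYPES; do
            if [ "$fstype" = "$t" ]; then
                printf '%s %s\n' "$mnt" "$fstype"
                break
            fi
        done
    done
}
# on_pseudo_fs PATH: exit 0 if PATH is a pseudo mount point or lies below one
# (mount table read from stdin), 1 otherwise. The subshell carries the verdict
# out of the pipeline, which a plain while loop in a pipe cannot do portably.
on_pseudo_fs() {
    pseudo_mounts | (
        while read -r mnt _fstype; do
            case "$1" in "$mnt"|"$mnt"/*) exit 0 ;; esac
        done
        exit 1
    )
}
# explain_mode PATH: one line an assessor can attach to the SRR finding.
explain_mode() {
    if on_pseudo_fs "$1"; then
        printf '%s: pseudo filesystem, mode set by the kernel at boot\n' "$1"
    else
        printf '%s: persistent storage, verify mode against the SRR\n' "$1"
    fi
}
# Stand-alone demo on the constructed table; on a live host use `mount | explain_mode PATH`.
for p in /selinux/enforce /selinux/load /etc/selinux/config; do
    printf '%s\n' "$SAMPLE_MOUNT_OUTPUT" | explain_mode "$p"
done
```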