[PATCH, v3 1/8] audispd-zos-remote plugin - Configuration and policy files

Klaus Heinrich Kiwi klausk at linux.vnet.ibm.com
Thu Dec 13 15:49:21 UTC 2007


This patch adds the configuration files and policy module sources needed
by the plugin.

The policy does not use the newer interfaces, so that it can be built for
RHEL5 GA.

There is a need for two separate configuration files: one for the audit
dispatcher and another for the plugin itself.
The plugin configuration includes server and authentication information,
so it should not be readable by anyone but root. The default queue
size is chosen to absorb event bursts without dropping events.
The plugin comes disabled by default.

Signed-off-by: Klaus Heinrich Kiwi <klausk at br.ibm.com> 

diff -purN audit-1.6.2/audisp/plugins/zos-remote/audispd-zos-remote.conf audit-1.6.2_zos-remote/audisp/plugins/zos-remote/audispd-zos-remote.conf
--- audit-1.6.2/audisp/plugins/zos-remote/audispd-zos-remote.conf	1969-12-31 21:00:00.000000000 -0300
+++ audit-1.6.2_zos-remote/audisp/plugins/zos-remote/audispd-zos-remote.conf	2007-12-13 13:09:44.000000000 -0200
@@ -0,0 +1,14 @@
+# This is the configuration for the audispd-zos-remote 
+# audit dispatcher plugin - See audispd(8)
+#
+# Note that this specific plugin has a configuration file of
+# its own. The complete path for this file must be entered as
+# the argument for the plugin in the 'args' field below
+# See audispd-zos-remote(8) 
+
+active = no
+direction = out
+path = /sbin/audispd-zos-remote
+type = always 
+args = /etc/audisp/zos-remote.conf
+format = string
diff -purN audit-1.6.2/audisp/plugins/zos-remote/policy/audispd-zos-remote.fc audit-1.6.2_zos-remote/audisp/plugins/zos-remote/policy/audispd-zos-remote.fc
--- audit-1.6.2/audisp/plugins/zos-remote/policy/audispd-zos-remote.fc	1969-12-31 21:00:00.000000000 -0300
+++ audit-1.6.2_zos-remote/audisp/plugins/zos-remote/policy/audispd-zos-remote.fc	2007-12-04 11:43:24.000000000 -0200
@@ -0,0 +1,2 @@
+
+/sbin/audispd-zos-remote	--	gen_context(system_u:object_r:zos_remote_exec_t,s0)
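Review bot: Only the binary gets a label in this file-contexts hunk; `/etc/audisp/zos-remote.conf`, which the patch description says carries authentication data, has no entry. It would presumably fall under the default label for /etc, which the .te reads through `files_read_etc_files` and which many other domains can typically read as well. Consider declaring a dedicated type and adding an entry such as `/etc/audisp/zos-remote.conf -- gen_context(system_u:object_r:zos_remote_etc_t,s0)` (type name illustrative), with a read rule for zos_remote_t only. The credentials would then be protected by policy as well as by file mode.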
diff -purN audit-1.6.2/audisp/plugins/zos-remote/policy/audispd-zos-remote.if audit-1.6.2_zos-remote/audisp/plugins/zos-remote/policy/audispd-zos-remote.if
--- audit-1.6.2/audisp/plugins/zos-remote/policy/audispd-zos-remote.if	1969-12-31 21:00:00.000000000 -0300
+++ audit-1.6.2_zos-remote/audisp/plugins/zos-remote/policy/audispd-zos-remote.if	2007-12-04 11:43:49.000000000 -0200
@@ -0,0 +1,58 @@
+## <summary>policy for z/OS Remote-services Audit dispatcher plugin</summary>
+
+########################################
+## <summary>
+##      Execute a domain transition to run audispd-zos-remote.
+## </summary>
+## <param name="domain">
+## <summary>
+##      Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`zos_remote_domtrans',`
+        gen_require(`
+                type zos_remote_t;
+                type zos_remote_exec_t;
+        ')
+
+        domain_auto_trans($1,zos_remote_exec_t,zos_remote_t);
+
+        allow $1 zos_remote_t:fd use;
+        allow zos_remote_t $1:fd use;
+        allow zos_remote_t $1:fifo_file rw_file_perms;
+        allow zos_remote_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Allow specified type and role to transition and
+##	run in the zos_remote_t domain. Allow specified type
+##	to use zos_remote_t terminal.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the zos_remote domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the role's terminal.
+##	</summary>
+## </param>
+#
+interface(`zos_remote_run',`
+	gen_require(`
+		type zos_remote_t;
+	')
+
+	zos_remote_domtrans($1)
+	role $2 types zos_remote_t;
+	dontaudit zos_remote_t $3:chr_file rw_term_perms;
+')
+
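Review bot: The summary of `zos_remote_run` says the specified type is allowed to use the zos_remote_t terminal, but the only terminal rule in the body is `dontaudit zos_remote_t $3:chr_file rw_term_perms;`. That rule grants nothing and only silences denials when the plugin touches the role's terminal. The doc text should say so, e.g. `## run in the zos_remote_t domain. Access by zos_remote_t to the role's terminal is denied without being audited.` Separately, `zos_remote_domtrans` is indented with spaces and `zos_remote_run` with tabs; one style across the file would read better.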
diff -purN audit-1.6.2/audisp/plugins/zos-remote/policy/audispd-zos-remote.te audit-1.6.2_zos-remote/audisp/plugins/zos-remote/policy/audispd-zos-remote.te
--- audit-1.6.2/audisp/plugins/zos-remote/policy/audispd-zos-remote.te	1969-12-31 21:00:00.000000000 -0300
+++ audit-1.6.2_zos-remote/audisp/plugins/zos-remote/policy/audispd-zos-remote.te	2007-12-04 11:44:07.000000000 -0200
@@ -0,0 +1,54 @@
+policy_module(zos_remote,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type zos_remote_t;
+type zos_remote_exec_t;
+
+## use below if selinux-policy_devel > 3:
+## zos_remote_application_domain(zos_remote_t, zos_remote_exec_t)
+
+## use below for RHEL5 series:
+init_system_domain(zos_remote_t, zos_remote_exec_t)
+
+role system_r types zos_remote_t;
+
+
+########################################
+#
+# zos_remote local policy
+#
+
+## internal communication is often done using fifo and unix sockets.
+allow zos_remote_t self:fifo_file rw_file_perms;
+allow zos_remote_t self:unix_stream_socket create_stream_socket_perms;
+## allow signals to self
+allow zos_remote_t self:process signal;
+
+## audispd is in the auditd_t domain
+gen_require(`
+        type auditd_t;
+')
+
+## Allow auditd_t->zos_remote_t transition
+zos_remote_domtrans(auditd_t);
+
+## audispd execve pipe?
+allow zos_remote_t auditd_t:unix_stream_socket { read write getattr };
+
+## audispd must be able to send signals to audispd-zos-remote
+allow auditd_t zos_remote_t:process signal;
+
+## Allow network access, name resolv
+auth_use_nsswitch(zos_remote_t);
+corenet_tcp_connect_generic_port(zos_remote_t);
+
+## Allow use of misc files and libraries
+files_read_etc_files(zos_remote_t)
+libs_use_ld_so(zos_remote_t)
+libs_use_shared_libs(zos_remote_t)
+miscfiles_read_localization(zos_remote_t)
+logging_send_syslog_msg(zos_remote_t)
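Review bot: `corenet_tcp_connect_generic_port(zos_remote_t)` lets the plugin connect to any port carrying the generic port label, which is wider than one remote audit server needs, while the shipped zos-remote.conf defaults to port 389. If the target policy labels 389 as the LDAP port, the generic rule probably does not cover the default at all, and the connection would succeed only through whatever `auth_use_nsswitch` grants. `corenet_tcp_connect_ldap_port(zos_remote_t)` would state the intent directly. The `## audispd execve pipe?` comment above the unix_stream_socket rule also reads as an open question; it should say which descriptor inherited from audispd needs `{ read write getattr }`.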
diff -purN audit-1.6.2/audisp/plugins/zos-remote/policy/build.sh audit-1.6.2_zos-remote/audisp/plugins/zos-remote/policy/build.sh
--- audit-1.6.2/audisp/plugins/zos-remote/policy/build.sh	1969-12-31 21:00:00.000000000 -0300
+++ audit-1.6.2_zos-remote/audisp/plugins/zos-remote/policy/build.sh	2007-10-10 10:26:18.000000000 -0300
@@ -0,0 +1,3 @@
+
+#!/bin/sh
+make -f /usr/share/selinux/devel/Makefile
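Review bot: The `#!/bin/sh` line is the second line of the new build.sh, after an empty added line, so it is only a comment and the script runs under whatever shell the caller falls back to. Drop the leading blank line so that `#!/bin/sh` is line 1. install.sh in this patch has no interpreter line at all and should get the same first line.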
diff -purN audit-1.6.2/audisp/plugins/zos-remote/policy/install.sh audit-1.6.2_zos-remote/audisp/plugins/zos-remote/policy/install.sh
--- audit-1.6.2/audisp/plugins/zos-remote/policy/install.sh	1969-12-31 21:00:00.000000000 -0300
+++ audit-1.6.2_zos-remote/audisp/plugins/zos-remote/policy/install.sh	2007-12-04 10:31:28.000000000 -0200
@@ -0,0 +1,4 @@
+/usr/sbin/semodule -i audispd-zos-remote.pp
+
+/sbin/restorecon -F -v /sbin/audispd-zos-remote
+
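Review bot: `restorecon` runs even when `semodule -i` fails, because nothing in install.sh checks the exit status. A failed module load then goes unnoticed and the binary is relabelled with whatever the unchanged policy has for that path. Adding `set -e` at the top, or writing `/usr/sbin/semodule -i audispd-zos-remote.pp || exit 1`, would stop at the first failure. The script also assumes it is run from the directory holding the .pp file; a comment saying so would help.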
diff -purN audit-1.6.2/audisp/plugins/zos-remote/zos-remote.conf audit-1.6.2_zos-remote/audisp/plugins/zos-remote/zos-remote.conf
--- audit-1.6.2/audisp/plugins/zos-remote/zos-remote.conf	1969-12-31 21:00:00.000000000 -0300
+++ audit-1.6.2_zos-remote/audisp/plugins/zos-remote/zos-remote.conf	2007-12-04 11:45:21.000000000 -0200
@@ -0,0 +1,10 @@
+## This is the configuration file for the audispd-zos-remote
+## Audit dispatcher plugin.
+## See zos-remote.conf(5) for more information
+
+server = zos_server.localdomain
+port = 389
+user = RACF_ID
+password = racf_password
+timeout = 15
+q_depth = 64
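Review bot: This file ships a clear-text `password` field but carries no comment about its permissions, although the patch description says it must not be readable by anyone but root; no install mode is set anywhere in this patch. Add a header line such as `## Contains credentials: keep owned by root with mode 0600` and make sure the packaging installs it that way. The default `port = 389` is the standard LDAP port, which is cleartext unless the client negotiates TLS. Whether the plugin protects the bind credentials in transit is not visible here and is worth stating in zos-remote.conf(5).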

-- 
Klaus Heinrich Kiwi <klausk at linux.vnet.ibm.com>
IBM STG, Linux Technology Center



