Custom SNMP scripts
Hi,
Is there a recommended way of setting up custom SNMP (net-snmp) scripts used for monitoring the status of software or hardware RAID, Web site hits, etc.? I created a special directory for them - /usr/local/snmp/bin/, and then let sealert and audit2allow tell me what to do. My snmpScripts.te on a server with software RAID looks like this:

module snmpScripts 1.0;

require {
        type snmpd_t;
        type proc_mdstat_t;
        type usr_t;
        class file { ioctl execute read open getattr execute_no_trans };
}

#============= snmpd_t ==============

Is there a better or more secure way of doing this?

Fred New
Systems administrator
Elion Ettevőtted AS
Tallinn, Estonia

--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
Custom SNMP scripts
On Tue, 2011-12-20 at 10:57 +0200, Frederick William New wrote:
> Hi,
>
> Is there a recommended way of setting up custom SNMP (net-snmp) scripts used for monitoring the status of software or hardware RAID, Web site hits, etc.? I created a special directory for them - /usr/local/snmp/bin/, and then let sealert and audit2allow tell me what to do. My snmpScripts.te on a server with software RAID looks like this:

I would probably label /usr/local/snmp/bin/ and anything below type bin_t. This will at least stop snmpd_t from executing generic usr files.

Example:

semanage fcontext -a -t bin_t "/usr/local/snmp/bin(/.*)?"
restorecon -R -v /usr/local/snmp/bin

Besides that I guess you would need to allow snmpd_t to read /proc/mdstat files but you can use audit2allow for that as you did below.

> module snmpScripts 1.0;
>
> require {
>         type snmpd_t;
>         type proc_mdstat_t;
>         type usr_t;
>         class file { ioctl execute read open getattr execute_no_trans };
> }
>
> #============= snmpd_t ==============
>
> Is there a better or more secure way of doing this?
>
> Fred New
> Systems administrator
> Elion Ettevőtted AS
> Tallinn, Estonia
Custom SNMP scripts
On Tue 2011-12-20 at 11:59 AM, Dominick Grift wrote:
> On Tue, 2011-12-20 at 10:57 +0200, Frederick William New wrote:
> > Hi,
> >
> > Is there a recommended way of setting up custom SNMP (net-snmp) scripts
> > used for monitoring the status of software or hardware RAID, Web site
> > hits, etc.? I created a special directory for them -
> > /usr/local/snmp/bin/, and then let sealert and audit2allow tell me what to
> > do. My snmpScripts.te on a server with software RAID looks like this:
>
> I would probably label /usr/local/snmp/bin/ and anything below type
> bin_t. This will at least stop snmpd_t from executing generic usr files.
>
> Example:
>
> semanage fcontext -a -t bin_t "/usr/local/snmp/bin(/.*)?"
> restorecon -R -v /usr/local/snmp/bin
>
> Besides that I guess you would need to allow snmpd_t to
> read /proc/mdstat files but you can use audit2allow for that as you did
> below.

Thanks, I like it. My snmpScripts.te looks simpler now:

module snmpScripts 1.0;

require {
        type snmpd_t;
        type proc_mdstat_t;
        class file { read ioctl open getattr };
}

#============= snmpd_t ==============
allow snmpd_t proc_mdstat_t:file { read ioctl open getattr };

I notice that I failed to include all of my previous snmpScripts.te. Two allow lines at the bottom were missing - one for usr_t as you mentioned above and the one shown here for proc_mdstat_t.

Fred
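As an added example (not code from the thread or from the net-snmp or SELinux projects), the following script wraps the two steps discussed above into one pre-flight routine: it emits or applies the bin_t labelling Dominick suggests for /usr/local/snmp/bin, it refuses to build a module that still grants snmpd_t execute on generic usr_t files or execute_no_trans (the broad grant audit2allow produces when the scripts are left labelled usr_t), and it builds and loads the narrowed module from Fred's last message with the usual checkmodule/semodule_package/semodule chain when those tools are present. The directory path and module name are the thread's; the lint rule, the function names, and the broad_te counter-example (reconstructed from Fred's require block and his remark that a usr_t allow line was missing) are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Pre-flight wrapper for loading a custom
# snmpd policy module: label the script directory bin_t, lint the .te text,
# then build and load it. Path and module name follow the thread.

SNMP_SCRIPT_DIR="/usr/local/snmp/bin"
MODULE_NAME="snmpScripts"

# The narrowed module from the last message of the thread (read access to
# /proc/mdstat only), used here as the sample input.
narrow_te() {
    cat <<'EOF'
module snmpScripts 1.0;

require {
        type snmpd_t;
        type proc_mdstat_t;
        class file { read ioctl open getattr };
}

#============= snmpd_t ==============
allow snmpd_t proc_mdstat_t:file { read ioctl open getattr };
EOF
}

# Constructed counter-example (assumption): the module audit2allow emits when
# the scripts are still labelled usr_t, including the usr_t allow line Fred
# said was missing from his first paste.
broad_te() {
    cat <<'EOF'
module snmpScripts 1.0;

require {
        type snmpd_t;
        type proc_mdstat_t;
        type usr_t;
        class file { ioctl execute read open getattr execute_no_trans };
}

#============= snmpd_t ==============
allow snmpd_t usr_t:file { ioctl execute read open getattr execute_no_trans };
allow snmpd_t proc_mdstat_t:file { read ioctl open getattr };
EOF
}

# Exit 0 when the module text grants snmpd_t execute on usr_t files, or
# execute_no_trans on anything. Either is a sign the scripts should be
# relabelled bin_t rather than the daemon's policy widened.
te_too_broad() {
    printf '%s\n' "$1" \
        | grep -E '^[[:space:]]*allow[[:space:]]+snmpd_t[[:space:]]+' \
        | grep -E '(usr_t:file.*execute|execute_no_trans)' >/dev/null
}

# The two labelling commands from Dominick's reply, emitted as text so they
# can be reviewed before they are run.
label_commands() {
    printf 'semanage fcontext -a -t bin_t "%s(/.*)?"\n' "$SNMP_SCRIPT_DIR"
    printf 'restorecon -R -v %s\n' "$SNMP_SCRIPT_DIR"
}

# Apply the labels when the tools exist, otherwise just show what would run.
apply_labels() {
    if command -v semanage >/dev/null 2>&1 && command -v restorecon >/dev/null 2>&1; then
        label_commands | sh -e
    else
        echo "semanage/restorecon not found; would run:" >&2
        label_commands >&2
    fi
}

# Build and load the module only after the lint passes.
build_module() {
    te_text="$1"
    if te_too_broad "$te_text"; then
        echo "refusing to load $MODULE_NAME: grants execute on usr_t or execute_no_trans" >&2
        return 1
    fi
    if ! command -v checkmodule >/dev/null 2>&1; then
        echo "checkmodule not found; module text that would be built:" >&2
        printf '%s\n' "$te_text" >&2
        return 0
    fi
    workdir=$(mktemp -d)
    printf '%s\n' "$te_text" > "$workdir/$MODULE_NAME.te"
    checkmodule -M -m -o "$workdir/$MODULE_NAME.mod" "$workdir/$MODULE_NAME.te"
    semodule_package -o "$workdir/$MODULE_NAME.pp" -m "$workdir/$MODULE_NAME.mod"
    semodule -i "$workdir/$MODULE_NAME.pp"
    rm -rf "$workdir"
}

# Usage: sh snmp_module.sh apply   (no argument only defines the functions)
if [ "${1:-}" = "apply" ]; then
    apply_labels
    build_module "$(narrow_te)"
fi
```

Running it with `apply` as root on the target host performs the labelling and loads the module; without arguments it only defines the functions, so the lint can be sourced into other scripts. The lint deliberately keys on usr_t and execute_no_trans rather than on execute alone, since executing bin_t scripts is exactly what snmpd_t is meant to do.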