selinux_settings: New table that presents effective SELinux settings #6118

alessandrogario (Member) commented Dec 11, 2019

Example output

osquery> SELECT * FROM selinux_settings WHERE key = "enforce";
+-------+---------+-------+
| scope | key     | value |
+-------+---------+-------+
|       | enforce | 1     |
+-------+---------+-------+
osquery> SELECT value AS 'process_permissions' FROM selinux_settings WHERE key = "process/perms";
+---------------------+
| process_permissions |
+---------------------+
| dyntransition       |
| execheap            |
| execmem             |
| execstack           |
| fork                |
| getattr             |
| getcap              |
| getpgid             |
| getrlimit           |
| getsched            |
| getsession          |
| noatsecure          |
| ptrace              |
| rlimitinh           |
| setcap              |
| setcurrent          |
| setexec             |
| setfscreate         |
| setkeycreate        |
| setpgid             |
| setrlimit           |
| setsched            |
| setsockcreate       |
| share               |
| sigchld             |
| siginh              |
| sigkill             |
| signal              |
| signull             |
| sigstop             |
| transition          |
+---------------------+
osquery> SELECT * FROM selinux_settings WHERE scope = "booleans";
+----------+---------------------------------------------+-------+
| scope    | key                                         | value |
+----------+---------------------------------------------+-------+
| booleans | abrt_anon_write                             | off   |
| booleans | abrt_handle_event                           | off   |
| booleans | abrt_upload_watch_anon_write                | on    |
| booleans | antivirus_can_scan_system                   | off   |
| booleans | antivirus_use_jit                           | off   |
| booleans | auditadm_exec_content                       | on    |
| booleans | authlogin_nsswitch_use_ldap                 | off   |
| booleans | authlogin_radius                            | off   |
| booleans | authlogin_yubikey                           | off   |
| booleans | awstats_purge_apache_log_files              | off   |
| booleans | boinc_execmem                               | on    |
| booleans | cdrecord_read_content                       | off   |
| booleans | cluster_can_network_connect                 | off   |
| booleans | cluster_manage_all_files                    | off   |
| booleans | cluster_use_execmem                         | off   |
| booleans | cobbler_anon_write                          | off   |
| booleans | cobbler_can_network_connect                 | off   |
| booleans | cobbler_use_cifs                            | off   |
| booleans | cobbler_use_nfs                             | off   |
| booleans | collectd_tcp_network_connect                | off   |
| booleans | colord_use_nfs                              | off   |
| booleans | condor_tcp_network_connect                  | off   |
| booleans | conman_can_network                          | off   |
| booleans | conman_use_nfs                              | off   |
| booleans | cron_can_relabel                            | off   |
| booleans | cron_system_cronjob_use_shares              | off   |
| booleans | cron_userdomain_transition                  | on    |
| booleans | cups_execmem                                | off   |
| booleans | cvs_read_shadow                             | off   |
| booleans | daemons_dump_core                           | off   |
| booleans | daemons_enable_cluster_mode                 | off   |
| booleans | daemons_use_tcp_wrapper                     | off   |
| booleans | daemons_use_tty                             | off   |
| booleans | dbadm_exec_content                          | on    |
| booleans | dbadm_manage_user_files                     | off   |
| booleans | dbadm_read_user_files                       | off   |
| booleans | deny_execmem                                | off   |
| booleans | deny_ptrace                                 | off   |
| booleans | dhcpc_exec_iptables                         | off   |
| booleans | dhcpd_use_ldap                              | off   |
| booleans | domain_can_mmap_files                       | off   |
| booleans | domain_can_write_kmsg                       | off   |
| booleans | domain_fd_use                               | on    |
| booleans | domain_kernel_load_modules                  | off   |
| booleans | entropyd_use_audio                          | on    |
| booleans | exim_can_connect_db                         | off   |
| booleans | exim_manage_user_files                      | off   |
| booleans | exim_read_user_files                        | off   |
| booleans | fcron_crond                                 | off   |
| booleans | fenced_can_network_connect                  | off   |
| booleans | fenced_can_ssh                              | off   |
| booleans | fips_mode                                   | on    |
| booleans | ftpd_anon_write                             | off   |
| booleans | ftpd_connect_all_unreserved                 | off   |
| booleans | ftpd_connect_db                             | off   |
| booleans | ftpd_full_access                            | off   |
| booleans | ftpd_use_cifs                               | off   |
| booleans | ftpd_use_fusefs                             | off   |
| booleans | ftpd_use_nfs                                | off   |
| booleans | ftpd_use_passive_mode                       | off   |
| booleans | git_cgi_enable_homedirs                     | off   |
| booleans | git_cgi_use_cifs                            | off   |
| booleans | git_cgi_use_nfs                             | off   |
| booleans | git_session_bind_all_unreserved_ports       | off   |
| booleans | git_session_users                           | off   |
| booleans | git_system_enable_homedirs                  | off   |
| booleans | git_system_use_cifs                         | off   |
| booleans | git_system_use_nfs                          | off   |
| booleans | gitosis_can_sendmail                        | off   |
| booleans | glance_api_can_network                      | off   |
| booleans | glance_use_execmem                          | off   |
| booleans | glance_use_fusefs                           | off   |
| booleans | global_ssp                                  | off   |
| booleans | gluster_anon_write                          | off   |
| booleans | gluster_export_all_ro                       | off   |
| booleans | gluster_export_all_rw                       | on    |
| booleans | gluster_use_execmem                         | off   |
| booleans | gpg_web_anon_write                          | off   |
| booleans | gssd_read_tmp                               | on    |
| booleans | guest_exec_content                          | on    |
| booleans | haproxy_connect_any                         | off   |
| booleans | httpd_anon_write                            | off   |
| booleans | httpd_builtin_scripting                     | on    |
| booleans | httpd_can_check_spam                        | off   |
| booleans | httpd_can_connect_ftp                       | off   |
| booleans | httpd_can_connect_ldap                      | off   |
| booleans | httpd_can_connect_mythtv                    | off   |
| booleans | httpd_can_connect_zabbix                    | off   |
| booleans | httpd_can_network_connect                   | off   |
| booleans | httpd_can_network_connect_cobbler           | off   |
| booleans | httpd_can_network_connect_db                | off   |
| booleans | httpd_can_network_memcache                  | off   |
| booleans | httpd_can_network_relay                     | off   |
| booleans | httpd_can_sendmail                          | off   |
| booleans | httpd_dbus_avahi                            | off   |
| booleans | httpd_dbus_sssd                             | off   |
| booleans | httpd_dontaudit_search_dirs                 | off   |
| booleans | httpd_enable_cgi                            | on    |
| booleans | httpd_enable_ftp_server                     | off   |
| booleans | httpd_enable_homedirs                       | off   |
| booleans | httpd_execmem                               | off   |
| booleans | httpd_graceful_shutdown                     | off   |
| booleans | httpd_manage_ipa                            | off   |
| booleans | httpd_mod_auth_ntlm_winbind                 | off   |
| booleans | httpd_mod_auth_pam                          | off   |
| booleans | httpd_read_user_content                     | off   |
| booleans | httpd_run_ipa                               | off   |
| booleans | httpd_run_preupgrade                        | off   |
| booleans | httpd_run_stickshift                        | off   |
| booleans | httpd_serve_cobbler_files                   | off   |
| booleans | httpd_setrlimit                             | off   |
| booleans | httpd_ssi_exec                              | off   |
| booleans | httpd_sys_script_anon_write                 | off   |
| booleans | httpd_tmp_exec                              | off   |
| booleans | httpd_tty_comm                              | off   |
| booleans | httpd_unified                               | off   |
| booleans | httpd_use_cifs                              | off   |
| booleans | httpd_use_fusefs                            | off   |
| booleans | httpd_use_gpg                               | off   |
| booleans | httpd_use_nfs                               | off   |
| booleans | httpd_use_openstack                         | off   |
| booleans | httpd_use_sasl                              | off   |
| booleans | httpd_verify_dns                            | off   |
| booleans | icecast_use_any_tcp_ports                   | off   |
| booleans | irc_use_any_tcp_ports                       | off   |
| booleans | irssi_use_full_network                      | off   |
| booleans | kdumpgui_run_bootloader                     | off   |
| booleans | keepalived_connect_any                      | off   |
| booleans | kerberos_enabled                            | on    |
| booleans | ksmtuned_use_cifs                           | off   |
| booleans | ksmtuned_use_nfs                            | off   |
| booleans | logadm_exec_content                         | on    |
| booleans | logging_syslogd_can_sendmail                | off   |
| booleans | logging_syslogd_run_nagios_plugins          | off   |
| booleans | logging_syslogd_use_tty                     | on    |
| booleans | login_console_enabled                       | on    |
| booleans | logrotate_read_inside_containers            | off   |
| booleans | logrotate_use_nfs                           | off   |
| booleans | logwatch_can_network_connect_mail           | off   |
| booleans | lsmd_plugin_connect_any                     | off   |
| booleans | mailman_use_fusefs                          | off   |
| booleans | mcelog_client                               | off   |
| booleans | mcelog_exec_scripts                         | on    |
| booleans | mcelog_foreground                           | off   |
| booleans | mcelog_server                               | off   |
| booleans | minidlna_read_generic_user_content          | off   |
| booleans | mmap_low_allowed                            | off   |
| booleans | mock_enable_homedirs                        | off   |
| booleans | mount_anyfile                               | on    |
| booleans | mozilla_plugin_bind_unreserved_ports        | off   |
| booleans | mozilla_plugin_can_network_connect          | on    |
| booleans | mozilla_plugin_use_bluejeans                | off   |
| booleans | mozilla_plugin_use_gps                      | off   |
| booleans | mozilla_plugin_use_spice                    | off   |
| booleans | mozilla_read_content                        | off   |
| booleans | mpd_enable_homedirs                         | off   |
| booleans | mpd_use_cifs                                | off   |
| booleans | mpd_use_nfs                                 | off   |
| booleans | mplayer_execstack                           | off   |
| booleans | mysql_connect_any                           | off   |
| booleans | mysql_connect_http                          | off   |
| booleans | nagios_run_pnp4nagios                       | off   |
| booleans | nagios_run_sudo                             | off   |
| booleans | nagios_use_nfs                              | off   |
| booleans | named_tcp_bind_http_port                    | off   |
| booleans | named_write_master_zones                    | on    |
| booleans | neutron_can_network                         | off   |
| booleans | nfs_export_all_ro                           | on    |
| booleans | nfs_export_all_rw                           | on    |
| booleans | nfsd_anon_write                             | off   |
| booleans | nis_enabled                                 | off   |
| booleans | nscd_use_shm                                | on    |
| booleans | openshift_use_nfs                           | off   |
| booleans | openvpn_can_network_connect                 | on    |
| booleans | openvpn_enable_homedirs                     | on    |
| booleans | openvpn_run_unconfined                      | off   |
| booleans | pcp_bind_all_unreserved_ports               | off   |
| booleans | pcp_read_generic_logs                       | off   |
| booleans | pdns_can_network_connect_db                 | off   |
| booleans | piranha_lvs_can_network_connect             | off   |
| booleans | polipo_connect_all_unreserved               | off   |
| booleans | polipo_session_bind_all_unreserved_ports    | off   |
| booleans | polipo_session_users                        | off   |
| booleans | polipo_use_cifs                             | off   |
| booleans | polipo_use_nfs                              | off   |
| booleans | polyinstantiation_enabled                   | off   |
| booleans | postfix_local_write_mail_spool              | on    |
| booleans | postgresql_can_rsync                        | off   |
| booleans | postgresql_selinux_transmit_client_label    | off   |
| booleans | postgresql_selinux_unconfined_dbadm         | on    |
| booleans | postgresql_selinux_users_ddl                | on    |
| booleans | pppd_can_insmod                             | off   |
| booleans | pppd_for_user                               | off   |
| booleans | privoxy_connect_any                         | on    |
| booleans | prosody_bind_http_port                      | off   |
| booleans | puppetagent_manage_all_files                | off   |
| booleans | puppetmaster_use_db                         | off   |
| booleans | racoon_read_shadow                          | off   |
| booleans | radius_use_jit                              | off   |
| booleans | redis_enable_notify                         | off   |
| booleans | rpcd_use_fusefs                             | off   |
| booleans | rsync_anon_write                            | off   |
| booleans | rsync_client                                | off   |
| booleans | rsync_export_all_ro                         | off   |
| booleans | rsync_full_access                           | off   |
| booleans | samba_create_home_dirs                      | off   |
| booleans | samba_domain_controller                     | off   |
| booleans | samba_enable_home_dirs                      | off   |
| booleans | samba_export_all_ro                         | off   |
| booleans | samba_export_all_rw                         | off   |
| booleans | samba_load_libgfapi                         | off   |
| booleans | samba_portmapper                            | off   |
| booleans | samba_run_unconfined                        | off   |
| booleans | samba_share_fusefs                          | off   |
| booleans | samba_share_nfs                             | off   |
| booleans | sanlock_enable_home_dirs                    | off   |
| booleans | sanlock_use_fusefs                          | off   |
| booleans | sanlock_use_nfs                             | off   |
| booleans | sanlock_use_samba                           | off   |
| booleans | saslauthd_read_shadow                       | off   |
| booleans | secadm_exec_content                         | on    |
| booleans | secure_mode                                 | off   |
| booleans | secure_mode_insmod                          | off   |
| booleans | secure_mode_policyload                      | off   |
| booleans | selinuxuser_direct_dri_enabled              | on    |
| booleans | selinuxuser_execheap                        | off   |
| booleans | selinuxuser_execmod                         | on    |
| booleans | selinuxuser_execstack                       | on    |
| booleans | selinuxuser_mysql_connect_enabled           | off   |
| booleans | selinuxuser_ping                            | on    |
| booleans | selinuxuser_postgresql_connect_enabled      | off   |
| booleans | selinuxuser_rw_noexattrfile                 | on    |
| booleans | selinuxuser_share_music                     | off   |
| booleans | selinuxuser_tcp_server                      | off   |
| booleans | selinuxuser_udp_server                      | off   |
| booleans | selinuxuser_use_ssh_chroot                  | off   |
| booleans | sge_domain_can_network_connect              | off   |
| booleans | sge_use_nfs                                 | off   |
| booleans | smartmon_3ware                              | off   |
| booleans | smbd_anon_write                             | off   |
| booleans | spamassassin_can_network                    | off   |
| booleans | spamd_enable_home_dirs                      | on    |
| booleans | spamd_update_can_network                    | off   |
| booleans | squid_connect_any                           | on    |
| booleans | squid_use_tproxy                            | off   |
| booleans | ssh_chroot_rw_homedirs                      | off   |
| booleans | ssh_keysign                                 | off   |
| booleans | ssh_sysadm_login                            | off   |
| booleans | ssh_use_tcpd                                | off   |
| booleans | sslh_can_bind_any_port                      | off   |
| booleans | sslh_can_connect_any_port                   | off   |
| booleans | staff_exec_content                          | on    |
| booleans | staff_use_svirt                             | off   |
| booleans | swift_can_network                           | off   |
| booleans | sysadm_exec_content                         | on    |
| booleans | telepathy_connect_all_ports                 | off   |
| booleans | telepathy_tcp_connect_generic_network_ports | on    |
| booleans | tftp_anon_write                             | off   |
| booleans | tftp_home_dir                               | off   |
| booleans | tmpreaper_use_cifs                          | off   |
| booleans | tmpreaper_use_nfs                           | off   |
| booleans | tmpreaper_use_samba                         | off   |
| booleans | tomcat_can_network_connect_db               | off   |
| booleans | tomcat_read_rpm_db                          | off   |
| booleans | tomcat_use_execmem                          | off   |
| booleans | tor_bind_all_unreserved_ports               | off   |
| booleans | tor_can_network_relay                       | off   |
| booleans | tor_can_onion_services                      | off   |
| booleans | unconfined_chrome_sandbox_transition        | on    |
| booleans | unconfined_login                            | on    |
| booleans | unconfined_mozilla_plugin_transition        | on    |
| booleans | unprivuser_use_svirt                        | off   |
| booleans | use_ecryptfs_home_dirs                      | off   |
| booleans | use_fusefs_home_dirs                        | off   |
| booleans | use_lpd_server                              | off   |
| booleans | use_nfs_home_dirs                           | off   |
| booleans | use_samba_home_dirs                         | off   |
| booleans | use_virtualbox                              | off   |
| booleans | user_exec_content                           | on    |
| booleans | varnishd_connect_any                        | off   |
| booleans | virt_read_qemu_ga_data                      | off   |
| booleans | virt_rw_qemu_ga_data                        | off   |
| booleans | virt_sandbox_share_apache_content           | off   |
| booleans | virt_sandbox_use_all_caps                   | on    |
| booleans | virt_sandbox_use_audit                      | on    |
| booleans | virt_sandbox_use_fusefs                     | off   |
| booleans | virt_sandbox_use_mknod                      | off   |
| booleans | virt_sandbox_use_netlink                    | off   |
| booleans | virt_sandbox_use_sys_admin                  | off   |
| booleans | virt_transition_userdomain                  | off   |
| booleans | virt_use_comm                               | off   |
| booleans | virt_use_execmem                            | off   |
| booleans | virt_use_fusefs                             | off   |
| booleans | virt_use_glusterd                           | off   |
| booleans | virt_use_nfs                                | off   |
| booleans | virt_use_pcscd                              | off   |
| booleans | virt_use_rawip                              | off   |
| booleans | virt_use_samba                              | off   |
| booleans | virt_use_sanlock                            | off   |
| booleans | virt_use_usb                                | on    |
| booleans | virt_use_xserver                            | off   |
| booleans | webadm_manage_user_files                    | off   |
| booleans | webadm_read_user_files                      | off   |
| booleans | wine_mmap_zero_ignore                       | off   |
| booleans | xdm_bind_vnc_tcp_port                       | off   |
| booleans | xdm_exec_bootloader                         | off   |
| booleans | xdm_sysadm_login                            | off   |
| booleans | xdm_write_home                              | off   |
| booleans | xen_use_nfs                                 | off   |
| booleans | xend_run_blktap                             | on    |
| booleans | xend_run_qemu                               | on    |
| booleans | xguest_connect_network                      | on    |
| booleans | xguest_exec_content                         | on    |
| booleans | xguest_mount_media                          | on    |
| booleans | xguest_use_bluetooth                        | on    |
| booleans | xserver_clients_write_xshm                  | off   |
| booleans | xserver_execmem                             | off   |
| booleans | xserver_object_manager                      | off   |
| booleans | zabbix_can_network                          | off   |
| booleans | zabbix_run_sudo                             | off   |
| booleans | zarafa_setrlimit                            | off   |
| booleans | zebra_write_config                          | off   |
| booleans | zoneminder_anon_write                       | off   |
| booleans | zoneminder_run_sudo                         | off   |
+----------+---------------------------------------------+-------+
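The three queries above are the building blocks of a compliance check: one row answers whether SELinux is enforcing, and the `booleans` scope exposes every policy toggle as an on/off value. The following is an added example, not code from osquery or from this pull request. It evaluates `selinux_settings` rows, as `osqueryi --json` would print them, against an illustrative hardening baseline. The baseline values, the assumption that top-level keys such as `enforce` carry an empty scope string (the scope column is blank in the output above), and the sample rows (constructed from the values shown above) are this example's own choices.

```python
"""Baseline check over rows from osquery's selinux_settings table.

This is an added example, not code from osquery or from this pull request.
It reads the JSON that `osqueryi --json "<QUERY>"` prints (a JSON array of
row objects with scope/key/value) and compares selected rows against an
illustrative hardening baseline. The baseline below is this example's own
choice; tune it to the policy actually loaded on your hosts.
"""
import json
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Query to collect exactly the rows the baseline refers to. Top-level settings
# such as `enforce` are assumed to carry an empty scope, as in the example
# output where the scope column is blank.
QUERY = """
SELECT scope, key, value
FROM selinux_settings
WHERE (scope = '' AND key = 'enforce')
   OR (scope = 'booleans' AND key IN (
         'deny_ptrace', 'httpd_can_network_connect', 'samba_run_unconfined',
         'openvpn_run_unconfined', 'virt_sandbox_use_all_caps'))
"""

# (scope, key) -> (expected value, rationale). Illustrative, not an osquery
# default: booleans are 'on'/'off', enforce is '1' (enforcing) or '0'.
BASELINE: Dict[Tuple[str, str], Tuple[str, str]] = {
    ("", "enforce"): ("1", "SELinux must be enforcing, not permissive"),
    ("booleans", "deny_ptrace"): ("on", "forbid ptrace across domains"),
    ("booleans", "httpd_can_network_connect"): ("off", "httpd must not open arbitrary outbound connections"),
    ("booleans", "samba_run_unconfined"): ("off", "keep smbd confined to its domain"),
    ("booleans", "openvpn_run_unconfined"): ("off", "keep openvpn confined to its domain"),
    ("booleans", "virt_sandbox_use_all_caps"): ("off", "sandboxed containers should not hold every capability"),
}

# Constructed sample rows, copied from the values in the example output.
SAMPLE_ROWS_JSON = json.dumps([
    {"scope": "", "key": "enforce", "value": "1"},
    {"scope": "booleans", "key": "deny_ptrace", "value": "off"},
    {"scope": "booleans", "key": "httpd_can_network_connect", "value": "off"},
    {"scope": "booleans", "key": "samba_run_unconfined", "value": "off"},
    {"scope": "booleans", "key": "openvpn_run_unconfined", "value": "off"},
    {"scope": "booleans", "key": "virt_sandbox_use_all_caps", "value": "on"},
])


@dataclass(frozen=True)
class Finding:
    scope: str
    key: str
    expected: str
    actual: Optional[str]  # None when the row was absent from the result set
    why: str


def load_rows(json_text: str) -> List[Dict[str, str]]:
    """Parse `osqueryi --json` output and reject rows missing a column."""
    rows = json.loads(json_text)
    for row in rows:
        for col in ("scope", "key", "value"):
            if col not in row:
                raise ValueError(f"row is missing column {col!r}: {row}")
    return rows


def evaluate(rows: List[Dict[str, str]],
             baseline: Dict[Tuple[str, str], Tuple[str, str]] = BASELINE) -> List[Finding]:
    """Return one Finding per baseline entry whose live value differs.

    An absent row is a finding too: no `enforce` row typically means SELinuxFS
    is not mounted (SELinux disabled), and a missing boolean means the loaded
    policy does not define it, so it cannot be relied on.
    """
    actual = {(r["scope"], r["key"]): r["value"] for r in rows}
    findings = []
    for (scope, key), (expected, why) in baseline.items():
        value = actual.get((scope, key))
        if value != expected:
            findings.append(Finding(scope, key, expected, value, why))
    return findings


if __name__ == "__main__":
    import sys
    # Pipe `osqueryi --json "$QUERY"` in, or run with no input to use the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_ROWS_JSON
    for f in evaluate(load_rows(text)):
        where = f"{f.scope}/{f.key}" if f.scope else f.key
        print(f"{where}: expected {f.expected!r}, got {f.actual!r} ({f.why})")
```

Run against the sample rows, the check reports two deviations from this baseline: `deny_ptrace` is off and `virt_sandbox_use_all_caps` is on. Treating an absent `enforce` row as a finding matters in practice, because a host with SELinux disabled returns no rows at all rather than `enforce = 0`.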

alessandrogario marked this pull request as ready for review on December 11, 2019 19:18
alessandrogario force-pushed the alessandro/feature/implement-selinux_settings-table branch from a7b1276 to 347f8ee on December 11, 2019 20:49
alessandrogario added the "do not merge" label (Do not merge PR as it's pending on some discussion or external factor. Reviewer should have context.) on Dec 12, 2019
alessandrogario force-pushed the alessandro/feature/implement-selinux_settings-table branch 4 times, most recently from b35803a to 92635ee, on December 16, 2019 22:16
alessandrogario removed the "do not merge" label on Dec 16, 2019
alessandrogario force-pushed the alessandro/feature/implement-selinux_settings-table branch 3 times, most recently from ea1ee70 to 90b6d32, on December 18, 2019 22:28
alessandrogario force-pushed the alessandro/feature/implement-selinux_settings-table branch 5 times, most recently from e98fd90 to cf0e49d, on January 13, 2020 15:55
alessandrogario added the "cla signed" label (Automated label: Pull Request author has signed the osquery CLA) on Jan 13, 2020
theopolis (Member) left a comment

Overall this looks good, the only change requested is to add more context to the column descriptions.

table_name("selinux_settings")
description("Track active SELinux settings.")
schema([
Column("scope", TEXT, "Scope", index=True),
theopolis (Member):

Please add more context to the three column descriptions.

alessandrogario (Member, Author):

Thanks for the review! This is mostly a key/value property bag, so I'm not sure what kind of descriptions I could use instead of the current ones. Have you got any suggestion?

theopolis (Member):

Try to describe what the term "scope" means to me, assume I know nothing about SELinux. If there are only 3 types of scopes perhaps you can list them in the description.

description("Track active SELinux settings.")
schema([
Column("scope", TEXT, "Scope", index=True),
Column("key", TEXT, "Key", index=True),
theopolis (Member):

Key is the name of an SELinux setting, where do these come from, are they well-known or will they be different per system, per kernel version, etc. Try to describe what to expect.

schema([
Column("scope", TEXT, "Scope", index=True),
Column("key", TEXT, "Key", index=True),
Column("value", TEXT, "Value"),
theopolis (Member):

Elaborating on what to expect for the value is helpful, for example "boolean values are either on or off"

The code that was originally directly implemented inside the
`mounts` table has been moved outside so that it can be reused
by the selinux_settings table.

This also updates the code to use getmntent_r instead of getmntent.
alessandrogario force-pushed the alessandro/feature/implement-selinux_settings-table branch from cf0e49d to a111090 on January 21, 2020 20:51
alessandrogario merged commit 8d9059f into osquery:master on Jan 27, 2020
alessandrogario deleted the alessandro/feature/implement-selinux_settings-table branch on January 27, 2020 14:03
Labels: cla signed (Automated label: Pull Request author has signed the osquery CLA), Linux
Participants: 2