diff --git a/ossec.fc b/ossec.fc
index f864027..6583a23 100644
--- a/ossec.fc
+++ b/ossec.fc
@@ -1,15 +1,29 @@
-# ossec executable will have:
-# label: system_u:object_r:ossec_exec_t
-# MLS sensitivity: s0
-# MCS categories:
+/etc/init\.d/ossec-hids -- gen_context(system_u:object_r:ossec_initrc_exec_t,s0)
-#/usr/bin/mlogc -- gen_context(system_u:object_r:mlogc_exec_t,s0)
-#/var/log/mlogc(/.*)? gen_context(system_u:object_r:mlogc_log_t,s0)
-#/var/log/mlogc/data(/.*)? gen_context(system_u:object_r:mlogc_log_t,s0)
+/var/ossec/agentless(/.*)? gen_context(system_u:object_r:ossec_var_t,s0)
+
+/var/ossec/active-response/bin(/.*)? -- gen_context(system_u:object_r:ossec_ar_exec_t,s0)
+/var/ossec/active-response(/.*)? gen_context(system_u:object_r:ossec_ar_bin_t,s0)
+
+/var/ossec/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/var/ossec/bin/ossec-agentlessd -- gen_context(system_u:object_r:ossec_agentlessd_exec_t,s0)
+/var/ossec/bin/ossec-analysisd -- gen_context(system_u:object_r:ossec_analysisd_exec_t,s0)
+/var/ossec/bin/ossec-control -- gen_context(system_u:object_r:ossec_initrc_exec_t,s0)
+/var/ossec/bin/ossec-csyslogd -- gen_context(system_u:object_r:ossec_csyslogd_exec_t,s0)
+/var/ossec/bin/ossec-dbd -- gen_context(system_u:object_r:ossec_dbd_exec_t,s0)
+/var/ossec/bin/ossec-execd -- gen_context(system_u:object_r:ossec_execd_exec_t,s0)
+/var/ossec/bin/ossec-logcollector -- gen_context(system_u:object_r:ossec_logcollector_exec_t,s0)
+/var/ossec/bin/ossec-maild -- gen_context(system_u:object_r:ossec_maild_exec_t,s0)
+/var/ossec/bin/ossec-monitord -- gen_context(system_u:object_r:ossec_monitord_exec_t,s0)
+/var/ossec/bin/ossec-remoted -- gen_context(system_u:object_r:ossec_remoted_exec_t,s0)
+/var/ossec/bin/ossec-server.sh -- gen_context(system_u:object_r:ossec_initrc_exec_t,s0)
+/var/ossec/bin/ossec-syscheckd -- gen_context(system_u:object_r:ossec_syscheckd_exec_t,s0)
+
+/var/ossec/etc(/.*)? gen_context(system_u:object_r:ossec_etc_t,s0)
+/var/ossec/etc/shared/ar\.conf -- gen_context(system_u:object_r:ossec_analysisd_configfile_t,s0)
+/var/ossec/etc/shared/merged\.mg -- gen_context(system_u:object_r:ossec_remoted_configfile_t,s0)
 /var/ossec/logs(/.*)? gen_context(system_u:object_r:ossec_log_t,s0)
-/var/ossec/stats(/.*)? gen_context(system_u:object_r:ossec_stats_t,s0)
-/var/ossec/agentless(/.*)? gen_context(system_u:object_r:ossec_var_t,s0)
 /var/ossec/queue(/.*)? gen_context(system_u:object_r:ossec_queue_t,s0)
 /var/ossec/queue/rids(/.*)? gen_context(system_u:object_r:ossec_remoted_file_t,s0)
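Review bot: The catch-all `/var/ossec/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)` labels everything in OSSEC's private bin directory, including subdirectories and any file later dropped there, as generic bin_t, which every domain holding corecmd_exec_bin may execute; in this same series that includes ossec_ar_t once the ossec_ar_can_exec_system_bin tunable is enabled in ossec.te. If the only binaries that should run from that directory are the daemons and init scripts listed above it, a private type for the directory would keep the per-daemon `*_exec_t` labels authoritative, while if the remaining admin utilities must stay runnable from ordinary shells the bin_t default is probably intentional and deserves a one-line comment saying so, e.g. `# remaining utilities in /var/ossec/bin are admin tools and stay bin_t`.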
@@ -20,41 +34,19 @@
 /var/ossec/queue/alerts/execq -s gen_context(system_u:object_r:ossec_execd_sock_t,s0)
 /var/ossec/queue/alerts/ar -s gen_context(system_u:object_r:ossec_remoted_sock_t,s0)
 /var/ossec/queue/ossec/queue -s gen_context(system_u:object_r:ossec_analysisd_sock_t,s0)
-#/var/ossec/queue/fts/hostinfo -- gen_context(system_u:object_r:ossec_analysisd_file_t,s0)
-#/var/ossec/queue/fts/fts-queue -- gen_context(system_u:object_r:ossec_analysisd_file_t,s0)
-#/var/ossec/queue/fts/ig-queue -- gen_context(system_u:object_r:ossec_analysisd_file_t,s0)
+
+/var/ossec/rules(/.*)? gen_context(system_u:object_r:ossec_rule_t,s0)
+
+/var/ossec/stats(/.*)? gen_context(system_u:object_r:ossec_stats_t,s0)
+
+/var/ossec/tmp(/.*)? gen_context(system_u:object_r:ossec_tmp_t,s0)
 /var/ossec/var/run(/.*)? gen_context(system_u:object_r:ossec_var_run_t,s0)
 /var/ossec/var/execd\.sqlite -- gen_context(system_u:object_r:ossec_execd_file_t,s0)
 /var/ossec/var/execd\.sqlite-journal -- gen_context(system_u:object_r:ossec_execd_journal_t,s0)
-#/var/ossec/var/execd\.sqlite(-.*)? -- gen_context(system_u:object_r:ossec_execd_file_t,s0)
 /var/ossec/var(/.*)? gen_context(system_u:object_r:ossec_var_t,s0)
-/var/ossec/tmp(/.*)? gen_context(system_u:object_r:ossec_tmp_t,s0)
-/var/ossec/etc(/.*)? gen_context(system_u:object_r:ossec_etc_t,s0)
-/var/ossec/etc/shared/ar\.conf -- gen_context(system_u:object_r:ossec_analysisd_configfile_t,s0)
-/var/ossec/etc/shared/merged\.mg -- gen_context(system_u:object_r:ossec_remoted_configfile_t,s0)
-#/var/ossec/etc/shared(/.*)? gen_context(system_u:object_r:ossec_etc_share_t,s0)
-/var/ossec/rules(/.*)? gen_context(system_u:object_r:ossec_rule_t,s0)
-#/var/ossec/active-response/bin(/.*)? -- gen_context(system_u:object_r:ossec_script_exec_t,s0)
-#/var/ossec/active-response(/.*)? gen_context(system_u:object_r:ossec_script_t,s0)
-/var/ossec/active-response/bin(/.*)? -- gen_context(system_u:object_r:ossec_ar_exec_t,s0)
-/var/ossec/active-response(/.*)? gen_context(system_u:object_r:ossec_ar_bin_t,s0)
-/etc/init.d/ossec-hids -- gen_context(system_u:object_r:ossec_initrc_exec_t,s0)
-/var/ossec/bin/ossec-control -- gen_context(system_u:object_r:ossec_initrc_exec_t,s0)
-/var/ossec/bin/ossec-server.sh -- gen_context(system_u:object_r:ossec_initrc_exec_t,s0)
-/var/ossec/bin/ossec-maild -- gen_context(system_u:object_r:ossec_maild_exec_t,s0)
-/var/ossec/bin/ossec-execd -- gen_context(system_u:object_r:ossec_execd_exec_t,s0)
-/var/ossec/bin/ossec-analysisd -- gen_context(system_u:object_r:ossec_analysisd_exec_t,s0)
-/var/ossec/bin/ossec-logcollector -- gen_context(system_u:object_r:ossec_logcollector_exec_t,s0)
-/var/ossec/bin/ossec-remoted -- gen_context(system_u:object_r:ossec_remoted_exec_t,s0)
-/var/ossec/bin/ossec-syscheckd -- gen_context(system_u:object_r:ossec_syscheckd_exec_t,s0)
-/var/ossec/bin/ossec-monitord -- gen_context(system_u:object_r:ossec_monitord_exec_t,s0)
-/var/ossec/bin/ossec-dbd -- gen_context(system_u:object_r:ossec_dbd_exec_t,s0)
-/var/ossec/bin/ossec-csyslogd -- gen_context(system_u:object_r:ossec_csyslogd_exec_t,s0)
-/var/ossec/bin/ossec-agentlessd -- gen_context(system_u:object_r:ossec_agentlessd_exec_t,s0)
-/var/ossec/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
diff --git a/ossec.if b/ossec.if
index 14fc3d0..ddd82f5 100644
--- a/ossec.if
+++ b/ossec.if
@@ -1,21 +1,3 @@
-## ossec policy
-##
-##

-## More descriptive text about ossec. The desc -## tag can also use p, ul, and ol -## html tags for formatting. -##

-##

-## This policy supports the following ossec features: -##

-##

-##
-# - ######################################## ## ## Execute a domain transition to run ossec. 
@@ -39,7 +21,112 @@ interface(`ossec_domtrans',` role system_r types ossec_t; domtrans_pattern($1, ossec_exec_t, ossec_t) - #domtrans_pattern($1,ossec_exec_t,ossec_t) +') + +######################################## +## +## Read ossec log files. +## +## +## +## Domain allowed to read log files. +## +## +# +interface(`ossec_log_filetrans',` + gen_require(` + type var_t; + type ossec_var_t, ossec_log_t; + ') + + allow $1 var_t:dir search_dir_perms; + allow $1 ossec_log_t:dir { search_dir_perms create_dir_perms }; + filetrans_pattern($1, ossec_log_t, $2, $3, $4) +') + +######################################## +## +## Write ossec stat files. +## +## +## +## Allow appending to the existing stats file +## +## +# +interface(`ossec_manage_stats',` + gen_require(` + type var_t; + type ossec_stats_t; + ') + + allow $1 var_t:dir search_dir_perms; + append_files_pattern($1, ossec_stats_t, ossec_stats_t) +') + +######################################## +## +## Read ossec pid files. +## +## +## +## Domain allowed to read pid files. +## +## +# +interface(`ossec_pid_filetrans',` + gen_require(` + type var_t; + type ossec_var_t, ossec_var_run_t; + ') + + allow $1 var_t:dir search_dir_perms; + allow $1 ossec_var_t:dir search_dir_perms; + allow $1 ossec_var_run_t:lnk_file read_lnk_file_perms; + filetrans_pattern($1, ossec_var_run_t, $2, $3, $4) +') + +######################################## +## +## Allow trans to ossec queue. +## +## +## +## Domain allowed access +## +## +# +interface(`ossec_queue_filetrans',` + gen_require(` + type var_t; + type ossec_queue_t; + ') + + allow $1 var_t:dir search_dir_perms; + allow $1 ossec_queue_t:dir search_dir_perms; + filetrans_pattern($1, ossec_queue_t, $2, $3, $4) +') + +######################################## +## +## Read ossec config files. +## +## +## +## Domain allowed to read the config files. 
+## +## +# +interface(`ossec_read_config',` + gen_require(` + type var_t; + type ossec_etc_t; + ') + + allow $1 var_t:dir search_dir_perms; + #allow $1 ossec_etc_t:dir search_dir_perms; + read_lnk_files_pattern($1, ossec_etc_t, configfile) + files_read_config_files($1, ossec_etc_t) ') ######################################## @@ -84,17 +171,24 @@ interface(`ossec_read_logs',` # allow $1 ossec_log_t:file write; #') +######################################## +## +## Read ossec stat files. +## +## +## +## Allow reading of ossec repsonse stats +## +## +# +interface(`ossec_read_stats',` + gen_require(` + type var_t; + type ossec_stats_t; + ') -interface(`ossec_read_config',` - gen_require(` - type var_t; - type ossec_etc_t; - ') - - allow $1 var_t:dir search_dir_perms; - #allow $1 ossec_etc_t:dir search_dir_perms; - read_lnk_files_pattern($1, ossec_etc_t, configfile) - files_read_config_files($1, ossec_etc_t) + allow $1 var_t:dir search_dir_perms; + read_files_pattern($1, ossec_stats_t, ossec_stats_t) ') #interface(`ossec_read_shared_config',` 
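Review bot: `allow $1 ossec_log_t:dir { search_dir_perms create_dir_perms };` in the new `ossec_log_filetrans` hands directory creation in ossec_log_t to every caller, and in this series that is all seven daemons plus ossec_ar_t, while the only caller that appears to need it is analysisd's monthly directory creation in ossec.te; filetrans_pattern already grants the parent-directory write permissions a file transition needs, so `allow $1 ossec_log_t:dir search_dir_perms;` here with the create_dir_perms grant moved to analysisd's own rules would be tighter. The same interface requires `type ossec_var_t` without using it. The headers of `ossec_log_filetrans`, `ossec_pid_filetrans` and `ossec_queue_filetrans` read "Read ossec log files" / "Read ossec pid files" / "Allow trans to ossec queue" although each performs a type transition and takes three further parameters ($2 new type, $3 object class, $4 optional name) that are not documented; the removed ossec_queue_filetrans header later in this diff had the full parameter list and could be reused for all three.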
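Review bot: The parameter description of the new `ossec_read_stats` interface misspells "response" as "repsonse"; it should read `Allow reading of ossec response stats`. The interface body is otherwise a straight move of the previous definition.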
@@ -105,158 +199,74 @@ interface(`ossec_read_config',` # ') # # allow $1 var_t:dir search_dir_perms; -# allow $1 ossec_etc_t:dir search_dir_perms; -# #allow $1 ossec_etc_share_t:dir search_dir_perms; -# allow $1 ossec_etc_share_t:file read_file_perms; -# #allow $1 ossec_analysisd_file_t:file read_file_perms; +# allow $1 ossec_etc_t:dir search_dir_perms; +# #allow $1 ossec_etc_share_t:dir search_dir_perms; +# allow $1 ossec_etc_share_t:file read_file_perms; +# #allow $1 ossec_analysisd_file_t:file read_file_perms; # #search_dirs_pattern($1, ossec_etc_t, ossec_etc_t) # #search_dirs_pattern($1, ossec_etc_share_t, ossec_etc_share_t) # #read_files_pattern($1, ossec_etc_share_t, ossec_etc_share_t) #') -#interface(`ossec_manage_shared_config',` -# gen_require(` -# type ossec_etc_t; -# type ossec_etc_share_t; -# ') -# -# search_dirs_pattern($1, ossec_etc_t, ossec_etc_t) -# search_dirs_pattern($1, ossec_etc_share_t, ossec_etc_share_t) -# manage_files_pattern($1, ossec_etc_share_t, ossec_etc_share_t) -#') - -interface(`ossec_pid_filetrans',` - gen_require(` - type var_t; - type ossec_var_t, ossec_var_run_t; - ') - - allow $1 var_t:dir search_dir_perms; - allow $1 ossec_var_t:dir search_dir_perms; - allow $1 ossec_var_run_t:lnk_file read_lnk_file_perms; - filetrans_pattern($1, ossec_var_run_t, $2, $3, $4) -') - -interface(`ossec_log_filetrans',` - gen_require(` - type var_t; - type ossec_var_t, ossec_log_t; - ') - - allow $1 var_t:dir search_dir_perms; - allow $1 ossec_log_t:dir search_dir_perms; - filetrans_pattern($1, ossec_log_t, $2, $3, $4) -') - -interface(`ossec_read_stats',` - gen_require(` - type var_t; - type ossec_stats_t; - ') - - allow $1 var_t:dir search_dir_perms; - read_files_pattern($1, ossec_stats_t, ossec_stats_t) -') - -interface(`ossec_manage_stats',` - gen_require(` - type var_t; - type ossec_stats_t; - ') - - allow $1 var_t:dir search_dir_perms; - append_files_pattern($1, ossec_stats_t, ossec_stats_t) -') - -interface(`ossec_read_queue',` - gen_require(` 
- type var_t; - type ossec_queue_t; - ') - - allow $1 var_t:dir search_dir_perms; - allow $1 ossec_queue_t:dir list_dir_perms; - allow $1 ossec_queue_t:file read_file_perms; - allow $1 ossec_remoted_file_t:dir list_dir_perms; - allow $1 ossec_remoted_file_t:file read_file_perms; - allow $1 ossec_analysisd_file_t:dir list_dir_perms; - allow $1 ossec_analysisd_file_t:file read_file_perms; - #read_files_pattern($1, ossec_queue_t, ossec_queue_t) -') - ######################################## ## -## Create objects in the spool directory -## with a private type with a type transition. +## Read ossec queue files. ## ## ## -## Domain allowed access. -## -## -## -## -## Type to which the created node will be transitioned. -## -## -## -## -## Object class(es) (single or set including {}) for which this -## the transition will occur. -## -## -## -## -## The name of the object being created. +## Allow reading queue files that are next to be scanned ## ## # -interface(`ossec_queue_filetrans',` - gen_require(` - type var_t; - type ossec_queue_t; - ') +interface(`ossec_read_queue',` + gen_require(` + type var_t; + type ossec_queue_t; + ') - allow $1 var_t:dir search_dir_perms; - allow $1 ossec_queue_t:dir search_dir_perms; - filetrans_pattern($1, ossec_queue_t, $2, $3, $4) + allow $1 var_t:dir search_dir_perms; + allow $1 ossec_queue_t:dir list_dir_perms; + allow $1 ossec_queue_t:file read_file_perms; + allow $1 ossec_remoted_file_t:dir list_dir_perms; + allow $1 ossec_remoted_file_t:file read_file_perms; + allow $1 ossec_analysisd_file_t:dir list_dir_perms; + allow $1 ossec_analysisd_file_t:file read_file_perms; + #read_files_pattern($1, ossec_queue_t, ossec_queue_t) ') ######################################## ## -## Create objects in the tmp directory -## with a private type with a type transition. +## Allow trans to ossec tmp. ## ## ## -## Domain allowed access. -## -## -## -## -## Type to which the created node will be transitioned. 
-## -## -## -## -## Object class(es) (single or set including {}) for which this -## the transition will occur. -## -## -## -## -## The name of the object being created. +## Domain allowed access ## ## # interface(`ossec_tmp_filetrans',` - gen_require(` - type var_t; - type ossec_tmp_t; - ') + gen_require(` + type var_t; + type ossec_tmp_t; + ') - allow $1 var_t:dir search_dir_perms; - allow $1 ossec_tmp_t:dir search_dir_perms; - filetrans_pattern($1, ossec_tmp_t, $2, $3, $4) + allow $1 var_t:dir search_dir_perms; + allow $1 ossec_tmp_t:dir search_dir_perms; + filetrans_pattern($1, ossec_tmp_t, $2, $3, $4) ') +#interface(`ossec_manage_shared_config',` +# gen_require(` +# type ossec_etc_t; +# type ossec_etc_share_t; +# ') +# +# search_dirs_pattern($1, ossec_etc_t, ossec_etc_t) +# search_dirs_pattern($1, ossec_etc_share_t, ossec_etc_share_t) +# manage_files_pattern($1, ossec_etc_share_t, ossec_etc_share_t) +#') + + + + + diff --git a/ossec.te b/ossec.te index 63f2170..5bf7bfa 100644 --- a/ossec.te +++ b/ossec.te @@ -1,12 +1,32 @@ - -policy_module(ossec,1.1.0) +policy_module(ossec,1.2.0) ######################################## # # Declarations # -### +## +##
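Review bot: The rewritten `ossec_read_queue` still lists only `type var_t;` and `type ossec_queue_t;` in its gen_require while its body grants access on `ossec_remoted_file_t` and `ossec_analysisd_file_t`, so the interface only resolves when expanded inside ossec.te itself and fails for any other module that calls it; the require block should be `type ossec_queue_t, ossec_remoted_file_t, ossec_analysisd_file_t;`. The new `ossec_tmp_filetrans` header replaces the previous documentation of $2, $3 and $4 with the single line "Domain allowed access" and the summary "Allow trans to ossec tmp", so the parameters a caller must supply are no longer described anywhere; the removed text above is accurate and could simply be kept. The trailing run of added blank lines after the commented-out `ossec_manage_shared_config` block is whitespace only and can be dropped.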

+## Allow OSSEC Active Response to add and remove IP addresses to iptables +##

+##
+gen_tunable(ossec_ar_can_edit_iptables, false) + +## +##

+## Allow OSSEC Active Response to execute system bin files +##

+##
+gen_tunable(ossec_ar_can_exec_system_bin, false) + +## +##

+## Allow OSSEC remoted to connect to external agents via network +##

+##
+gen_tunable(ossec_remoted_can_network_connect, false)
+
+
 # Active-Response Domain and File Types
 type ossec_ar_t;
 type ossec_ar_exec_t;
@@ -19,9 +39,6 @@ files_type(ossec_ar_exec_t);
 type ossec_ar_bin_t;
 files_type(ossec_ar_bin_t);
-unconfined_domain(ossec_ar_t)
-###
-
 # ossec-agentlessd daemon
 type ossec_agentlessd_t;
 type ossec_agentlessd_exec_t;
@@ -96,6 +113,8 @@ init_daemon_domain(ossec_monitord_t, ossec_monitord_exec_t)
 type ossec_remoted_t;
 type ossec_remoted_exec_t;
 init_daemon_domain(ossec_remoted_t, ossec_remoted_exec_t)
+type ossec_remoted_port_t;
+corenet_port(ossec_remoted_port_t)
 type ossec_remoted_configfile_t;
 files_config_file(ossec_remoted_configfile_t);
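Review bot: The description of `ossec_remoted_can_network_connect` says "connect to external agents via network", but the tunable_policy body later in this diff grants `corenet_udp_bind_all_unreserved_ports` and `corenet_udp_bind_generic_node`, i.e. the daemon listens for agents rather than connecting out; the boolean text is what administrators see in `semanage boolean -l`, so it should describe the actual grant, e.g. `Allow OSSEC remoted to bind UDP ports and receive agent traffic from the network`. The tunable name itself could be aligned with that wording if the policy is still at a stage where renaming is cheap.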
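Review bot: `type ossec_remoted_port_t;` with `corenet_port(ossec_remoted_port_t)` declares a port type that no rule in this diff uses; the remoted network tunable binds all unreserved UDP ports instead. If a dedicated port is the intent, a rule such as `allow ossec_remoted_t ossec_remoted_port_t:udp_socket name_bind;` under the tunable would replace the all-ports grant, with the port number mapped to the type at install time since a loadable module cannot carry portcon statements; if the type is used in a part of ossec.te outside these hunks a short comment pointing there would help, and otherwise the declaration is dead and can go.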
@@ -140,183 +159,325 @@ type ossec_var_run_t; files_pid_file(ossec_var_run_t) + + +######################################## +# +# ossec local policy +# + require { - type httpd_t; type hi_reserved_port_t; + type iptables_var_run_t; - class file { rename read lock create write getattr unlink open append entrypoint }; +# class file { rename read lock create write getattr unlink open append entrypoint }; + class file { read lock open unlock }; #class dir { write getattr read remove_name create add_name }; - class process { setsched transition rlimitinh siginh noatsecure }; - class capability { dac_override dac_read_search setuid setgid fsetid sys_chroot sys_nice }; +# class process { setsched transition rlimitinh siginh noatsecure }; +# class capability { dac_override dac_read_search setuid setgid fsetid sys_chroot sys_nice }; class tcp_socket { create name_bind name_connect }; class udp_socket { create bind name_bind node_bind }; } +######################################## +# +# ossec active response policy +# ######################################## # -# ossec local policy +# ossec analysisd policy # +allow ossec_analysisd_t self:capability { dac_override dac_read_search fsetid setuid setgid sys_chroot }; +allow ossec_analysisd_t self:unix_dgram_socket create_stream_socket_perms; allow ossec_analysisd_t ossec_log_t:file { create_file_perms append_file_perms read link unlink }; +ossec_log_filetrans(ossec_analysisd_t, ossec_log_t, file) + allow ossec_analysisd_t ossec_var_run_t:file manage_file_perms; -allow ossec_analysisd_t self:capability { dac_override dac_read_search fsetid setuid setgid sys_chroot }; -allow ossec_analysisd_t self:unix_dgram_socket create_stream_socket_perms; +ossec_pid_filetrans(ossec_analysisd_t, ossec_var_run_t, file) + +ossec_queue_filetrans(ossec_analysisd_t, ossec_analysisd_file_t, file) +ossec_queue_filetrans(ossec_analysisd_t, ossec_analysisd_sock_t, sock_file) + +manage_files_pattern(ossec_analysisd_t, ossec_analysisd_file_t, 
ossec_analysisd_file_t) +manage_files_pattern(ossec_analysisd_t, ossec_etc_t, ossec_analysisd_configfile_t) +manage_files_pattern(ossec_analysisd_t, ossec_stats_t, ossec_stats_t) + +manage_sock_files_pattern(ossec_analysisd_t, ossec_queue_t, ossec_analysisd_sock_t) + +dgram_send_pattern(ossec_analysisd_t, ossec_queue_t, ossec_execd_sock_t, ossec_execd_t) +dgram_send_pattern(ossec_analysisd_t, ossec_queue_t, ossec_remoted_sock_t, ossec_remoted_t) + +read_files_pattern(ossec_analysisd_t, ossec_rule_t, ossec_rule_t) + +search_dirs_pattern(ossec_analysisd_t, ossec_rule_t, ossec_rule_t) + +auth_read_passwd(ossec_analysisd_t) + +ossec_read_config(ossec_analysisd_t) + +sysnet_read_config(ossec_analysisd_t) + +miscfiles_read_generic_certs(ossec_analysisd_t) +######################################## +# +# ossec execd policy +# + +allow ossec_execd_t self:capability { dac_override dac_read_search setgid }; +allow ossec_execd_t self:unix_dgram_socket create_stream_socket_perms; +#allow ossec_execd_t ossec_ar_t:process { rlimitinh siginh noatsecure }; -allow ossec_execd_t ossec_ar_t:process { rlimitinh siginh noatsecure }; allow ossec_execd_t ossec_execd_file_t:file { create_file_perms rw_file_perms }; + allow ossec_execd_t ossec_execd_journal_t:file manage_file_perms; + allow ossec_execd_t ossec_log_t:file { create_file_perms append_file_perms read }; +ossec_log_filetrans(ossec_execd_t, ossec_log_t, file) + allow ossec_execd_t ossec_var_run_t:file manage_file_perms; -allow ossec_execd_t self:capability { dac_override dac_read_search setgid }; -allow ossec_execd_t self:unix_dgram_socket create_stream_socket_perms; +ossec_pid_filetrans(ossec_execd_t, ossec_var_run_t, file) +filetrans_pattern(ossec_execd_t, ossec_var_t, ossec_execd_journal_t, file, "execd.sqlite-journal"); + +ossec_queue_filetrans(ossec_execd_t, ossec_execd_sock_t, sock_file) + +manage_sock_files_pattern(ossec_execd_t, ossec_queue_t, ossec_execd_sock_t) + +search_dirs_pattern(ossec_execd_t, ossec_ar_bin_t, 
ossec_ar_bin_t) + +auth_read_passwd(ossec_execd_t) + +corecmd_exec_shell(ossec_execd_t) + +dev_read_urand(ossec_execd_t) + +ossec_read_config(ossec_execd_t) + +sysnet_read_config(ossec_execd_t) + +miscfiles_read_generic_certs(ossec_execd_t) +######################################## +# +# ossec logcollector policy +# -allow ossec_logcollector_t ossec_log_t:file { create_file_perms append_file_perms read }; -allow ossec_logcollector_t ossec_var_run_t:file manage_file_perms; allow ossec_logcollector_t self:capability { dac_override dac_read_search }; allow ossec_logcollector_t self:unix_dgram_socket create_socket_perms; -allow ossec_maild_t ossec_log_t:file { create_file_perms append_file_perms read }; -allow ossec_maild_t ossec_var_run_t:file manage_file_perms; +allow ossec_logcollector_t ossec_log_t:file { create_file_perms append_file_perms read }; +ossec_log_filetrans(ossec_logcollector_t, ossec_log_t, file) + +allow ossec_logcollector_t ossec_var_run_t:file manage_file_perms; +ossec_pid_filetrans(ossec_logcollector_t, ossec_var_run_t, file) + +dgram_send_pattern(ossec_logcollector_t, ossec_queue_t, ossec_analysisd_sock_t, ossec_analysisd_t) + +#logging_read_all_logs(ossec_logcollector_t) +apache_read_log(ossec_logcollector_t) +logging_read_audit_log(ossec_logcollector_t) +logging_read_generic_logs(ossec_logcollector_t) + +ossec_read_config(ossec_logcollector_t) + +sysnet_read_config(ossec_logcollector_t) + +miscfiles_read_generic_certs(ossec_logcollector_t) +######################################## +# +# ossec maild policy +# + allow ossec_maild_t self:capability { dac_override dac_read_search setuid setgid sys_chroot }; allow ossec_maild_t self:tcp_socket create_socket_perms; -allow ossec_monitord_t ossec_log_t:file { create_file_perms append_file_perms write read }; -allow ossec_monitord_t ossec_remoted_file_t:file getattr_file_perms; -allow ossec_monitord_t ossec_var_run_t:file manage_file_perms; +allow ossec_maild_t ossec_log_t:file { create_file_perms 
append_file_perms read }; +ossec_log_filetrans(ossec_maild_t, ossec_log_t, file) + +allow ossec_maild_t ossec_var_run_t:file manage_file_perms; +ossec_pid_filetrans(ossec_maild_t, ossec_var_run_t, file) + +auth_read_passwd(ossec_maild_t) + +corenet_tcp_connect_smtp_port(ossec_maild_t) + +ossec_read_config(ossec_maild_t) + +sysnet_read_config(ossec_maild_t) + +miscfiles_read_generic_certs(ossec_maild_t) +######################################## +# +# ossec monitord policy +# + allow ossec_monitord_t self:capability { dac_override dac_read_search setuid setgid sys_chroot }; allow ossec_monitord_t self:unix_dgram_socket create_socket_perms; +allow ossec_monitord_t ossec_log_t:file { create_file_perms append_file_perms write read unlink }; +ossec_log_filetrans(ossec_monitord_t, ossec_log_t, file) + +allow ossec_monitord_t ossec_remoted_file_t:file getattr_file_perms; + +allow ossec_monitord_t ossec_var_run_t:file manage_file_perms; +ossec_pid_filetrans(ossec_monitord_t, ossec_var_run_t, file) + +dgram_send_pattern(ossec_monitord_t, ossec_queue_t, ossec_analysisd_sock_t, ossec_analysisd_t) + +list_dirs_pattern(ossec_monitord_t, ossec_queue_t, ossec_remoted_file_t) + +auth_read_passwd(ossec_monitord_t) + +ossec_read_config(ossec_monitord_t) + +sysnet_read_config(ossec_monitord_t) + +miscfiles_read_generic_certs(ossec_monitord_t) + +######################################## +# +# ossec remoted policy +# +allow ossec_remoted_t self:capability { dac_override dac_read_search setuid setgid sys_chroot }; + allow ossec_remoted_t ossec_log_t:file { create_file_perms append_file_perms read }; +ossec_log_filetrans(ossec_remoted_t, ossec_log_t, file) + allow ossec_remoted_t ossec_var_run_t:file manage_file_perms; -allow ossec_remoted_t self:capability { dac_override dac_read_search setuid setgid sys_chroot }; -allow ossec_remoted_t self:udp_socket create_stream_socket_perms; -allow ossec_remoted_t self:unix_dgram_socket create_stream_socket_perms; 
+ossec_pid_filetrans(ossec_remoted_t, ossec_var_run_t, file) + +ossec_queue_filetrans(ossec_remoted_t, ossec_remoted_sock_t, sock_file) + +manage_files_pattern(ossec_remoted_t, ossec_etc_t, ossec_remoted_configfile_t) + +manage_sock_files_pattern(ossec_remoted_t, ossec_queue_t, ossec_remoted_sock_t) + +rw_files_pattern(ossec_remoted_t, ossec_remoted_file_t, ossec_remoted_file_t) + +auth_read_passwd(ossec_remoted_t) +ossec_read_config(ossec_remoted_t) + +sysnet_read_config(ossec_remoted_t) + +miscfiles_read_generic_certs(ossec_remoted_t) + +dgram_send_pattern(ossec_remoted_t, ossec_queue_t, ossec_analysisd_sock_t, ossec_analysisd_t) + +tunable_policy(`ossec_remoted_can_network_connect',` + allow ossec_remoted_t self:udp_socket create_stream_socket_perms; + allow ossec_remoted_t self:unix_dgram_socket create_stream_socket_perms; + allow ossec_remoted_t self:netlink_route_socket { r_netlink_socket_perms }; + corenet_udp_bind_all_unreserved_ports(ossec_remoted_t) + corenet_udp_bind_generic_node(ossec_remoted_t) +') +######################################## +# +# ossec syscheckd policy +# + +allow ossec_syscheckd_t self:capability { dac_override dac_read_search kill setuid setgid sys_chroot sys_nice }; +allow ossec_syscheckd_t self:process { setsched }; +allow ossec_syscheckd_t self:tcp_socket create_socket_perms; +allow ossec_syscheckd_t self:udp_socket create_socket_perms; +allow ossec_syscheckd_t self:unix_dgram_socket create_socket_perms; allow ossec_syscheckd_t hi_reserved_port_t:tcp_socket name_bind; allow ossec_syscheckd_t hi_reserved_port_t:udp_socket name_bind; + allow ossec_syscheckd_t ossec_log_t:file { create_file_perms append_file_perms read }; +ossec_log_filetrans(ossec_syscheckd_t, ossec_log_t, file) + allow ossec_syscheckd_t ossec_queue_t:dir { create_dir_perms rw_dir_perms }; allow ossec_syscheckd_t ossec_queue_t:file { create_file_perms rename_file_perms write_file_perms }; +ossec_queue_filetrans(ossec_syscheckd_t, ossec_queue_t, file) + allow 
ossec_syscheckd_t ossec_var_run_t:file manage_file_perms; -allow ossec_syscheckd_t self:capability { dac_override dac_read_search kill setuid setgid sys_chroot sys_nice }; -allow ossec_syscheckd_t self:process { setsched }; -allow ossec_syscheckd_t self:tcp_socket create_socket_perms; -allow ossec_syscheckd_t self:udp_socket create_socket_perms; -allow ossec_syscheckd_t self:unix_dgram_socket create_socket_perms; +ossec_pid_filetrans(ossec_syscheckd_t, ossec_var_run_t, file) +ossec_tmp_filetrans(ossec_syscheckd_t, ossec_tmp_t, lnk_file) -auth_read_passwd(ossec_analysisd_t) -auth_read_passwd(ossec_execd_t) -auth_read_passwd(ossec_maild_t) -auth_read_passwd(ossec_monitord_t) -auth_read_passwd(ossec_remoted_t) +dgram_send_pattern(ossec_syscheckd_t, ossec_queue_t, ossec_analysisd_sock_t, ossec_analysisd_t) + +manage_lnk_files_pattern(ossec_syscheckd_t, ossec_tmp_t, ossec_tmp_t) corecmd_exec_bin(ossec_syscheckd_t) -corecmd_exec_shell(ossec_execd_t) corecmd_exec_shell(ossec_syscheckd_t) corenet_tcp_bind_generic_node(ossec_syscheckd_t) -corenet_tcp_bind_generic_port(ossec_syscheckd_t) +corenet_tcp_bind_all_ports(ossec_syscheckd_t) # Needed for rootcheck to bind all ports corenet_tcp_bind_reserved_port(ossec_syscheckd_t) -corenet_tcp_connect_smtp_port(ossec_maild_t) - -corenet_udp_bind_all_unreserved_ports(ossec_remoted_t) -corenet_udp_bind_generic_node(ossec_remoted_t) corenet_udp_bind_generic_node(ossec_syscheckd_t) -corenet_udp_bind_generic_port(ossec_syscheckd_t) +corenet_udp_bind_all_ports(ossec_syscheckd_t) # Needed for rootcheck to bind all ports corenet_udp_bind_reserved_port(ossec_syscheckd_t) dev_getattr_all(ossec_syscheckd_t) -dev_read_urand(ossec_execd_t) -dgram_send_pattern(ossec_analysisd_t, ossec_queue_t, ossec_execd_sock_t, ossec_execd_t) -dgram_send_pattern(ossec_analysisd_t, ossec_queue_t, ossec_remoted_sock_t, ossec_remoted_t) -dgram_send_pattern(ossec_logcollector_t, ossec_queue_t, ossec_analysisd_sock_t, ossec_analysisd_t) 
-dgram_send_pattern(ossec_monitord_t, ossec_queue_t, ossec_analysisd_sock_t, ossec_analysisd_t) -dgram_send_pattern(ossec_remoted_t, ossec_queue_t, ossec_analysisd_sock_t, ossec_analysisd_t) -dgram_send_pattern(ossec_syscheckd_t, ossec_queue_t, ossec_analysisd_sock_t, ossec_analysisd_t) - -domain_read_all_domains_state(ossec_syscheckd_t) domain_dontaudit_getsession_all_domains(ossec_syscheckd_t) +domain_dontaudit_signull_all_domains(ossec_syscheckd_t) domain_getsession_all_domains(ossec_syscheckd_t) domain_getpgid_all_domains(ossec_syscheckd_t) -domain_dontaudit_signull_all_domains(ossec_syscheckd_t) +domain_read_all_domains_state(ossec_syscheckd_t) files_dontaudit_getattr_all_sockets(ossec_syscheckd_t) files_read_all_files(ossec_syscheckd_t) files_read_all_symlinks(ossec_syscheckd_t) -filetrans_pattern(ossec_execd_t, ossec_var_t, ossec_execd_journal_t, file, "execd.sqlite-journal"); +ossec_read_config(ossec_syscheckd_t) -list_dirs_pattern(ossec_monitord_t, ossec_queue_t, ossec_remoted_file_t) +sysnet_read_config(ossec_syscheckd_t) -logging_read_all_logs(ossec_logcollector_t) +userdom_search_user_tmp_dirs(ossec_syscheckd_t) -manage_files_pattern(ossec_analysisd_t, ossec_analysisd_file_t, ossec_analysisd_file_t) -manage_files_pattern(ossec_analysisd_t, ossec_etc_t, ossec_analysisd_configfile_t) -manage_files_pattern(ossec_analysisd_t, ossec_stats_t, ossec_stats_t) -manage_files_pattern(ossec_remoted_t, ossec_etc_t, ossec_remoted_configfile_t) -manage_lnk_files_pattern(ossec_syscheckd_t, ossec_tmp_t, ossec_tmp_t) -manage_sock_files_pattern(ossec_analysisd_t, ossec_queue_t, ossec_analysisd_sock_t) -manage_sock_files_pattern(ossec_execd_t, ossec_queue_t, ossec_execd_sock_t) -manage_sock_files_pattern(ossec_remoted_t, ossec_queue_t, ossec_remoted_sock_t) -ossec_log_filetrans(ossec_analysisd_t, ossec_log_t, file) -ossec_log_filetrans(ossec_execd_t, ossec_log_t, file) -ossec_log_filetrans(ossec_logcollector_t, ossec_log_t, file) -ossec_log_filetrans(ossec_maild_t, 
ossec_log_t, file) -ossec_log_filetrans(ossec_monitord_t, ossec_log_t, file) -ossec_log_filetrans(ossec_remoted_t, ossec_log_t, file) -ossec_log_filetrans(ossec_syscheckd_t, ossec_log_t, file) -ossec_pid_filetrans(ossec_analysisd_t, ossec_var_run_t, file) -ossec_pid_filetrans(ossec_execd_t, ossec_var_run_t, file) -ossec_pid_filetrans(ossec_logcollector_t, ossec_var_run_t, file) -ossec_pid_filetrans(ossec_maild_t, ossec_var_run_t, file) -ossec_pid_filetrans(ossec_monitord_t, ossec_var_run_t, file) -ossec_pid_filetrans(ossec_remoted_t, ossec_var_run_t, file) -ossec_pid_filetrans(ossec_syscheckd_t, ossec_var_run_t, file) +################# -ossec_queue_filetrans(ossec_analysisd_t, ossec_analysisd_file_t, file) -ossec_queue_filetrans(ossec_analysisd_t, ossec_analysisd_sock_t, sock_file) -ossec_queue_filetrans(ossec_execd_t, ossec_execd_sock_t, sock_file) -ossec_queue_filetrans(ossec_remoted_t, ossec_remoted_sock_t, sock_file) -ossec_queue_filetrans(ossec_syscheckd_t, ossec_queue_t, file) -ossec_read_config(ossec_analysisd_t) -ossec_read_config(ossec_execd_t) -ossec_read_config(ossec_logcollector_t) -ossec_read_config(ossec_maild_t) -ossec_read_config(ossec_monitord_t) -ossec_read_config(ossec_remoted_t) -ossec_read_config(ossec_syscheckd_t) -ossec_read_logs(httpd_t) -ossec_read_queue(httpd_t) -ossec_read_stats(httpd_t) +# Questionable: +#seutil_read_bin_policy(ossec_syscheckd_t) -ossec_tmp_filetrans(ossec_syscheckd_t, ossec_tmp_t, lnk_file) +# Double check: -read_files_pattern(ossec_analysisd_t, ossec_rule_t, ossec_rule_t) +allow ossec_maild_t self:netlink_route_socket { r_netlink_socket_perms }; -rw_files_pattern(ossec_remoted_t, ossec_remoted_file_t, ossec_remoted_file_t) +###### Working: +allow ossec_ar_t self:capability { net_admin net_raw }; +allow ossec_ar_t self:rawip_socket { create getopt setopt }; +allow ossec_ar_t ossec_execd_t:unix_dgram_socket { read write }; -search_dirs_pattern(ossec_analysisd_t, ossec_rule_t, ossec_rule_t) 
-search_dirs_pattern(ossec_execd_t, ossec_ar_bin_t, ossec_ar_bin_t) +allow ossec_ar_t ossec_log_t:file { create_file_perms append_file_perms read }; +search_dirs_pattern(ossec_ar_t, ossec_log_t, ossec_log_t) +search_dirs_pattern(ossec_ar_t, ossec_ar_bin_t, ossec_ar_bin_t) +ossec_log_filetrans(ossec_ar_t, ossec_log_t, file) -seutil_read_bin_policy(ossec_syscheckd_t) +allow ossec_ar_t ossec_var_run_t:dir { manage_dir_perms }; +allow ossec_ar_t ossec_var_run_t:file { manage_file_perms }; +ossec_pid_filetrans(ossec_ar_t, ossec_var_run_t, file) -sysnet_read_config(ossec_analysisd_t) -sysnet_read_config(ossec_execd_t) -sysnet_read_config(ossec_logcollector_t) -sysnet_read_config(ossec_maild_t) -sysnet_read_config(ossec_monitord_t) -sysnet_read_config(ossec_remoted_t) -sysnet_read_config(ossec_syscheckd_t) +kernel_getattr_proc(ossec_ar_t) +kernel_read_all_proc(ossec_ar_t) -userdom_search_user_tmp_dirs(ossec_syscheckd_t) +auth_read_passwd(ossec_ar_t) + + +kernel_read_network_state(ossec_syscheckd_t) +# New month dir creation +allow ossec_analysisd_t ossec_stats_t:dir { create_dir_perms write }; +ossec_log_filetrans(ossec_analysisd_t, ossec_log_t, dir) +filetrans_pattern(ossec_analysisd_t, ossec_stats_t, ossec_stats_t, dir); + + +tunable_policy(`ossec_ar_can_edit_iptables',` + # Allow ar to add and remove ip from chain + iptables_exec(ossec_ar_t) + allow ossec_ar_t iptables_var_run_t:file { lock open read unlock }; +') +tunable_policy(`ossec_ar_can_exec_system_bin',` + # Exec allow to use basename and other bin utils + corecmd_exec_bin(ossec_ar_t) +')
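Review bot: Moving `allow ossec_remoted_t self:unix_dgram_socket create_stream_socket_perms;` inside `tunable_policy(`ossec_remoted_can_network_connect',`...')` means that with the boolean at its default of false remoted can no longer create the local datagram socket, yet `dgram_send_pattern(ossec_remoted_t, ossec_queue_t, ossec_analysisd_sock_t, ossec_analysisd_t)` and `manage_sock_files_pattern(ossec_remoted_t, ossec_queue_t, ossec_remoted_sock_t)` remain unconditional and depend on it; that allow (and probably the netlink_route_socket one) should sit outside the tunable, leaving only the UDP socket and bind rules gated. `allow ossec_ar_t self:capability { net_admin net_raw };` and the rawip_socket rule under "Working:" are unconditional although the iptables editing they appear to support is behind `ossec_ar_can_edit_iptables`; if they serve only that response, moving them into that tunable keeps the default ossec_ar_t domain without net_admin. `apache_read_log(ossec_logcollector_t)`, `iptables_exec(ossec_ar_t)` and the `type iptables_var_run_t;` require reference other modules without an `optional_policy()` wrapper, so the module will fail to link on a system where apache or iptables policy is not installed. The "Questionable:" and "Double check:" markers and the `#################` separator read as work-in-progress notes and should be resolved or turned into proper comments before this ships.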