Hi Guys,
In terms of monitoring any SELinux config changes on a system (to detect or prevent unauthorised config changes), what's the best way to approach that? I can think of a few triggers that would make sense for creating alerts:
1) Changing from Enforcing to Permissive mode
a. Monitoring changes in the config file /etc/selinux/config
b. Monitoring changes in running config file /selinux/enforce or via the audit logs for type=MAC_STATUS msg=audit(1482328134.582:7281): enforcing=0 old_enforcing=1
c. Monitoring changes in the grub config file for boot parameters /etc/grub.conf for the string enforcing=0
d. Monitoring via /var/log/boot.log & dmesg for boot-level parameters if manually disabled at boot.
e. Monitoring uid=0 activities via /var/log/messages and /var/log/secure for users logged in as root or executing commands as root
2) SELinux Policy Change via audit logs and type=MAC_POLICY_LOAD msg=audit(1482328336.959:7292): policy loaded auid=0 ses=1187
3) Filesystem changes to SELinux-related files like file context definitions, creation of the /.autorelabel flag etc so monitoring of /etc/selinux/targeted for example for RHEL.
Thoughts? Are there other things we can do to monitor 'SELinux services' and flag any changes to the SELinux config?
It is arguable that given root access, the user could disable the logging anyway but there's no real way around that is there?
Thanks.
Best Regards,
Walid Fakim
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://oss.tresys.com/pipermail/refpolicy/attachments/20161221/2dfa4a41/attachment.html
Hi All,
Happy New Year!
Any takers for the below?
Thanks.
Best Regards,
Walid Fakim
From: [email protected] [mailto:refpolicy-bounces at oss.tresys.com] On Behalf Of Fakim, Walid via refpolicy
Sent: 21 December 2016 14:22
To: refpolicy at oss.tresys.com
Subject: [refpolicy] SELinux Monitoring
Hi Guys,
In terms of monitoring any SELinux config changes on a system (to detect or prevent unauthorised config changes), what's the best way to approach that? I can think of a few triggers that would make sense for creating alerts:
1) Changing from Enforcing to Permissive mode
a. Monitoring changes in the config file /etc/selinux/config
b. Monitoring changes in running config file /selinux/enforce or via the audit logs for type=MAC_STATUS msg=audit(1482328134.582:7281): enforcing=0 old_enforcing=1
c. Monitoring changes in the grub config file for boot parameters /etc/grub.conf for the string enforcing=0
d. Monitoring via /var/log/boot.log & dmesg for boot-level parameters if manually disabled at boot.
e. Monitoring uid=0 activities via /var/log/messages and /var/log/secure for users logged in as root or executing commands as root
2) SELinux Policy Change via audit logs and type=MAC_POLICY_LOAD msg=audit(1482328336.959:7292): policy loaded auid=0 ses=1187
3) Filesystem changes to SELinux-related files like file context definitions, creation of the /.autorelabel flag etc so monitoring of /etc/selinux/targeted for example for RHEL.
Thoughts? Are there other things we can do to monitor 'SELinux services' and flag any changes to the SELinux config?
It is arguable that given root access, the user could disable the logging anyway but there's no real way around that is there?
Thanks.
Best Regards,
Walid Fakim
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://oss.tresys.com/pipermail/refpolicy/attachments/20170109/3d172464/attachment.html
On 12/21/16 09:22, Fakim, Walid via refpolicy wrote:
> In terms of monitoring any SELinux config changes on a system (to
> detect or prevent unauthorised config changes), what?s the best way to
> approach that? I can think of a few triggers that would make sense for
> creating alerts:
Ideally, your SELinux policy should be preventing unauthorized changes,
but since you're including other things from before SELinux starts...
> 1) Changing from Enforcing to Permissive mode
>
> a. Monitoring changes in the config file /etc/selinux/config
>
> b. Monitoring changes in running config file /selinux/enforceor via
> the audit logs for type=MAC_STATUS msg=audit(1482328134.582:7281):
> enforcing=0 old_enforcing=1
>
> c. Monitoring changes in the grub config file for boot parameters
> /etc/grub.conffor the string enforcing=0
>
> d. Monitoring via /var/log/boot.log & dmesg for boot-level
> parameters if manually disabled at boot.
>
> e. Monitoring uid=0activities via /var/log/messagesand
> /var/log/securefor users logged in as rootor executing commands as root
You can use the audit subsystem to audit execs on commands of interest.
From the SELinux perspective, it's less interesting knowing when
something runs as root vs. when it's running as unconfined_t, sysadm_t,
load_policy_t, etc.
> 2) SELinux Policy Change via audit logs and type=MAC_POLICY_LOAD
> msg=audit(1482328336.959:7292): policy loaded auid=0 ses=1187
>
> 3) Filesystem changes to SELinux-related files like file context
> definitions, creation of the /.autorelabel flag etc so monitoring of
> /etc/selinux/targeted for example for RHEL.
> Thoughts? Are there other things we can do to monitor ?SELinux services?
> and flag any changes to the SELinux config?
* SELinux Boolean changes
* Kernel image
* Kernel modules
* Executables like load_policy, semanage, semodule, etc.
* Shared libraries (libc, libselinux, etc)
I would suggest using something like AIDE to measure your filesystem
integrity (or if you want to go full tilt, IMA). Anything that goes
into the proper functioning of SELinux needs to be kept at high a integrity.
--
Chris PeBenito