2008-12-02 22:53:47

by konrad.azzopardi

Subject: [refpolicy] bin_t

Dear all,

I am now confining the SAMHAIN integrity checker with all features
switched on. The daemon is spawning a "ps" and checking for
hidden/fake/missing processes. The module works by searching the
complete range of possible PIDs for processes, and comparing the list
of processes thus found against the output of ps.
Of course if I do not make a domain transition to bin_t everything
fails, but is bin_t too wide? What would be the best way to go
around this, since ps is bin_t just like all the other binaries?
Sorry, I am still relatively new so this may be trivial, but I guess
bin_t is allowed to do a lot of things.

Many thanks
Konrad


2008-12-03 13:15:07

by cpebenito

Subject: [refpolicy] bin_t

On Tue, 2008-12-02 at 23:53 +0100, Konrad Azzopardi wrote:
> I am now confining the SAMHAIN integrity checker with all features
> switched on. The daemon is spawning a "ps" and checking for
> hidden/fake/missing processes. The module works by searching the
> complete range of possible PIDs for processes, and comparing the list
> of processes thus found against the output of ps.
> Of course if I do not make a domain transition to bin_t everything
> fails, but is bin_t too wide? What would be the best way to go
> around this, since ps is bin_t just like all the other binaries?
> Sorry, I am still relatively new so this may be trivial, but I guess
> bin_t is allowed to do a lot of things.

bin_t isn't a domain (process) type, it is a file type. You can't
transition a process to a file type. It sounds like these two rules
would be sufficient:

corecmd_exec_bin()
domain_read_all_domains_state()

you might also need:

domain_getattr_all_domains()

--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
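To show how the interfaces named in the reply fit into a module, here is an added example of a minimal refpolicy-style policy module for the daemon. It is not code from the thread or from the samhain project; the domain and type names (samhain_t, samhain_exec_t, samhain_etc_t) and the extra interfaces beyond the three in the reply (init_daemon_domain, kernel_read_system_state, logging_send_syslog_msg, the self and config-file rules) are assumptions about what such a daemon typically needs, not anything the thread states.

```selinux
# Hypothetical module; names and the extra interfaces are assumptions.
policy_module(samhain, 1.0.0)

########################################
#
# Declarations
#

type samhain_t;
type samhain_exec_t;
init_daemon_domain(samhain_t, samhain_exec_t)

type samhain_etc_t;
files_config_file(samhain_etc_t)

########################################
#
# Local policy
#

allow samhain_t self:process signal_perms;
# The spawned ps reports back over a pipe.
allow samhain_t self:fifo_file rw_fifo_file_perms;

# Its own configuration under /etc.
allow samhain_t samhain_etc_t:file read_file_perms;
files_search_etc(samhain_t)

# Execute ps (and any other bin_t helper) with NO domain transition:
# the child keeps running as samhain_t, so it is bounded by exactly the
# rules in this module rather than by whatever "bin_t" might suggest.
corecmd_exec_bin(samhain_t)

# /proc/<pid> entries carry the type of the process that owns them, so
# walking the whole PID range and comparing it with ps output needs read
# access to the state of processes in every domain.
domain_read_all_domains_state(samhain_t)
domain_getattr_all_domains(samhain_t)

# The /proc mount itself is kernel state (assumed to be needed for the
# PID scan; not mentioned in the thread).
kernel_read_system_state(samhain_t)

# Report findings via syslog (assumption).
logging_send_syslog_msg(samhain_t)
```

The point of corecmd_exec_bin() is that it answers the "is bin_t too wide?" worry from the other direction: ps inherits the samhain_t domain, so the question is not what bin_t may do but what samhain_t may do. A practical way to confirm the set is complete is to run the domain permissive for a full check cycle and turn the resulting AVC denials into interface calls with `audit2allow -R`, adding only the ones the integrity check genuinely needs.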