0

For purposes of setting up AppArmor or SE Linux, I'm looking to audit what files a program could possibly need access to.

My understanding is that the end of AppArmor or SE Linux, is to constrain processes to a set of files they are allowed to read, create or modify to make sure a process isn't going outside of its set boundaries; which from a security standpoint would seem to indicate that a server has been compromised.

I found a tutorial which uses strace to determine which files are being used by a process.

It seems as though this could become a difficult thing to determine when you consider things like:

  • temp file names
  • Process Hierarchy
  • Database temp tables
  • Program plugins

Is there anything else I need to take into account when trying to determine which files a program accesses?

Also, are there any pre created repositories that might include settings for setting up the security of such things?

leeand00
  • 1,297
  • 1
  • 13
  • 21
  • 2
    Do you really need to? You can run SELinux in permissive mode and then normally convert the audit log to the policy. `strace` can indeed trace kernel syscalls but it's not really meant to be done this way. Apart from files there are also SELinux booleans, but mostly everything goes around the files, as Linux is orientated around them. There's network for example, you can mark packets inside linux and police them with Linux. – Aria Jul 13 '16 at 17:56
  • 1
    https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Fixing_Problems-Allowing_Access_audit2allow.html – Aria Jul 13 '16 at 17:56
  • 1
    You need to run SELinux is "permissive" mode to trace the application for some time while it's running. A week or month is good so it rotates the logs, clears the cache etc. – Aria Jul 13 '16 at 17:58

0 Answers0