SELinux Policy for Splunk
License: MIT License
method used in policy deprecated in rhel 7.4
First: you are awesome and I love you. I am running the policy on splunk hosts on rhel6 with only minor casualties. I feel if not safe, less naked.
Second: Perhaps your instructions are deliberately obtuse to discourage the ignorant. If not, kindly consider these clarifications:
rhel6 has no "setools-devel" package that I could locate in the base or epel repos
----le snip---
Loaded plugins: aliases, changelog, downloadonly, security, verify
selinux-policy-3.7.19-260.el6_6.5.noarch : SELinux policy configuration
Repo : rhel-repo
Matched from:
Filename : /usr/share/selinux/devel/Makefile
selinux-policy-3.7.19-260.el6_6.5.noarch : SELinux policy configuration
Repo : installed
Matched from:
Other : Provides-match: /usr/share/selinux/devel/Makefile
----el snip----
I would suggest the clarifications below, which take into account the item above:
Build RPM to automate installation of policy.
Need to add interfaces as per best practice.
This is probably related to #12
On RHEL 8 with the latest Splunkforwarder RPM package all files under /opt/splunkforwarder are owned by splunk:splunk (the user and group are created by the RPM).
When running splunk as root with this policy we kept getting dac_read_search denials on various files within the /opt/splunkforwarder directory structure, including configuration files. It did not appear to prevent splunk from working.
type=AVC msg=audit(22/03/22 14:29:37.905:8673) : avc: denied { dac_read_search } for pid=39267 comm=splunkd capability=dac_read_search scontext=system_u:system_r:splunk_t:s0 tcontext=system_u:system_r:splunk_t:s0 tclass=capability permissive=0
I read an ancient blog post from Mr Walsh and realised that the issue could be file permissions, not SELinux labels/policy. So I chowned all of /opt/splunkforwarder to be owned by root, restarted splunk and the denials weren't reported.
Is this something which can be resolved in the policy or must the additional step to chown all files to root be done? If so please add it to your instructions.
Thanks again!
I resolved a PEBKAC in #11 and now have this policy working for Splunkforwarders in RHEL 8!
It seems to be functioning fully despite having dac_read_search denials like these:
type=PROCTITLE msg=audit(17/03/22 16:36:49.862:4019) : proctitle=splunkd --under-systemd -p 8089 _internal_launch_under_systemd
type=PATH msg=audit(17/03/22 16:36:49.862:4019) : item=0 name=/var/log/sssd/sssd_implicit_files.log inode=16863845 dev=08:04 mode=file,600 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sssd_var_log_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(17/03/22 16:36:49.862:4019) : cwd=/
type=SYSCALL msg=audit(17/03/22 16:36:49.862:4019) : arch=x86_64 syscall=lstat success=yes exit=0 a0=0x7f436f24c840 a1=0x7f43691fa150 a2=0x7f43691fa150 a3=0x2e44d8 items=1 ppid=1 pid=8843 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=splunkd exe=/opt/splunkforwarder/bin/splunkd subj=system_u:system_r:splunk_t:s0 key=(null)
type=AVC msg=audit(17/03/22 16:36:49.862:4019) : avc: denied { dac_read_search } for pid=8843 comm=splunkd capability=dac_read_search scontext=system_u:system_r:splunk_t:s0 tcontext=system_u:system_r:splunk_t:s0 tclass=capability permissive=0
and
type=PROCTITLE msg=audit(17/03/22 16:52:44.647:4941) : proctitle=splunkd --under-systemd -p 8089 _internal_launch_under_systemd
type=PATH msg=audit(17/03/22 16:52:44.647:4941) : item=0 name=/var/log/sssd/sssd.log inode=16863838 dev=08:04 mode=file,600 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sssd_var_log_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(17/03/22 16:52:44.647:4941) : cwd=/
type=SYSCALL msg=audit(17/03/22 16:52:44.647:4941) : arch=x86_64 syscall=lstat success=yes exit=0 a0=0x7fdba9c98100 a1=0x7fdba37fa150 a2=0x7fdba37fa150 a3=0x41f27a items=1 ppid=1 pid=20469 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=splunkd exe=/opt/splunkforwarder/bin/splunkd subj=system_u:system_r:splunk_t:s0 key=(null)
type=AVC msg=audit(17/03/22 16:52:44.647:4941) : avc: denied { dac_read_search } for pid=20469 comm=splunkd capability=dac_read_search scontext=system_u:system_r:splunk_t:s0 tcontext=system_u:system_r:splunk_t:s0 tclass=capability permissive=0
I can confirm that events from the sssd log files are being logged. Is this something I should ignore?
Thanks again!
README has now been updated: https://github.com/doksu/selinux_policy_for_splunk/
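Both reports above have the same shape: splunkd runs as root in splunk_t, the kernel asks for CAP_DAC_READ_SEARCH when root would otherwise be blocked by file permissions, and the policy denies it; the first poster's workaround was to make /opt/splunkforwarder root-owned. The following is an added example (not the project's code) that checks for that condition; the audit records in it are constructed samples, and the host-side helper assumes ausearch and a procps-style ps.

```sh
#!/bin/sh
# Added example, not part of the project. Two checks for the failure mode
# reported above: splunkd runs as root in splunk_t, reaches files or
# directories that root could only read/search by bypassing DAC, and the
# kernel asks for CAP_DAC_READ_SEARCH, which the policy does not grant.
# The audit records below are constructed sample data in raw audit.log form.

SAMPLE_AUDIT='type=AVC msg=audit(1647959377.905:8673): avc:  denied  { dac_read_search } for  pid=39267 comm="splunkd" capability=dac_read_search  scontext=system_u:system_r:splunk_t:s0 tcontext=system_u:system_r:splunk_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1647959378.100:8674): avc:  denied  { dac_override } for  pid=39267 comm="splunkd" capability=dac_override  scontext=system_u:system_r:splunk_t:s0 tcontext=system_u:system_r:splunk_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1647959379.200:8675): avc:  denied  { dac_read_search } for  pid=1234 comm="sshd" capability=dac_read_search  scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:system_r:sshd_t:s0 tclass=capability permissive=0'

# count_cap_denials DOMAIN CAPABILITY: read audit records on stdin and
# print how many AVC records deny CAPABILITY to source domain DOMAIN.
count_cap_denials() {
    grep 'type=AVC' | grep "scontext=[^ ]*:$1:" | grep -c "{ $2 }" || true
}

# owner_mismatch DIR USER: print every path under DIR not owned by USER.
# USER should be the account splunkd actually runs as; for the root case
# above that is root, and the poster's fix was chown -R root:root on DIR.
owner_mismatch() {
    find "$1" ! -user "$2"
}

# splunkd_user: the account the running splunkd belongs to, if any
# (assumes a ps that understands -eo user=,comm=).
splunkd_user() {
    ps -eo user=,comm= | awk '$2 == "splunkd" { print $1; exit }'
}

# check_host DIR: run both checks on a live host (needs root to read the
# audit log); ausearch -m AVC -ts boot prints raw records since boot.
check_host() {
    u=$(splunkd_user)
    [ -n "$u" ] || { echo "splunkd is not running"; return 1; }
    echo "splunkd runs as: $u"
    echo "dac_read_search denials for splunk_t since boot:"
    ausearch -m AVC -ts boot 2>/dev/null | count_cap_denials splunk_t dac_read_search
    echo "paths under $1 not owned by $u:"
    owner_mismatch "$1" "$u"
}
# Usage on a forwarder host: check_host /opt/splunkforwarder
```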
Hey @doksu thanks again for your FOSS contributions for those of us using Splunk!
We're keen to explore this policy as a way of avoiding the complication of setting ACLs and default directory ACLs on all of /var/log but then having to exclude specific things and deal with random applications which write specific permissions wiping out the ACLs.
Unfortunately I'm struggling to build this for RHEL 8. I'm a novice having not looked in to custom policies since doing SELinux training over 6 years ago! Could you help please?
splunk.te to reference distro_rhel8 instead of distro_rhel7. But when I try to install the module I get the following error:
# semodule -i splunk.pp
Failed to resolve typeattributeset statement at /var/lib/selinux/targeted/tmp/modules/400/splunk/cil:66
semodule: Failed!
I've looked through the unzipped cil file and lines 64 to 67 contain:
(typeattributeset polymember (splunk_tmp_t splunkadm_sudo_tmp_t ))
(typeattributeset cil_gen_require consoletype_exec_t)
(typeattributeset cil_gen_require bin_t)
Have you used this on RHEL 8? (RHEL 9 isn't far away now!)
Have you used Splunk with the systemd unit files rather than SysV init as this policy covers?
Thanks very much!
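The "cil:66" in that semodule error is a line number in the module's compiled CIL, and a (typeattributeset cil_gen_require X) line there means the module requires type X from the installed base policy; the typeattributeset cannot be resolved when that type does not exist on the target release. Added triage helpers for this (example code, not part of doksu's repo): the sample error and CIL are constructed from the lines quoted above, and the seinfo check assumes setools 4's output format.

```sh
#!/bin/sh
# Added example, not the project's own tooling: triage for
# "Failed to resolve typeattributeset statement at .../cil:NN".
# NN is a line in the module's compiled CIL; a (typeattributeset
# cil_gen_require X) line there means the module requires type X from the
# base policy, and resolution fails when X is not defined there.
# Sample error text and CIL below are constructed for the demo.

SAMPLE_ERROR='Failed to resolve typeattributeset statement at /var/lib/selinux/targeted/tmp/modules/400/splunk/cil:66
semodule: Failed!'

SAMPLE_CIL='(typeattributeset polymember (splunk_tmp_t splunkadm_sudo_tmp_t ))
(typeattributeset cil_gen_require consoletype_exec_t)
(typeattributeset cil_gen_require bin_t)
(type splunk_t)
(roletype system_r splunk_t)'

# cil_error_line ERRTEXT: print the CIL line number named in the error.
cil_error_line() {
    printf '%s\n' "$1" | sed -n 's/.*\/cil:\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# cil_context FILE N: show lines N-2..N+1 of the CIL with numbers, so the
# failing statement can be read next to its neighbours.
cil_context() {
    awk -v n="$2" 'NR >= n-2 && NR <= n+1 { printf "%d: %s\n", NR, $0 }' "$1"
}

# cil_required_types FILE: list every type the module requires from the
# base policy (the cil_gen_require lines).
cil_required_types() {
    sed -n 's/^(typeattributeset cil_gen_require \([^) ]*\))/\1/p' "$1"
}

# check_required_types FILE: on a host with setools installed, report which
# required types the running policy lacks. Assumes seinfo -t prints the
# matching type name on its own line (setools 4 behaviour).
check_required_types() {
    command -v seinfo >/dev/null 2>&1 || { echo "seinfo not found (setools-console)"; return 0; }
    cil_required_types "$1" | while read -r t; do
        if seinfo -t "$t" 2>/dev/null | grep -qx " *$t"; then echo "ok:      $t"
        else echo "MISSING: $t"; fi
    done
}

# Getting FILE on the host: the staged cil at the path quoted in the error
# is bzip2-compressed by default, so bunzip2 -c <that path> > splunk.cil, then
#   cil_context splunk.cil "$(cil_error_line "$(semodule -i splunk.pp 2>&1)")"
#   check_required_types splunk.cil
```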
I've already developed the splunkadm_r role and it works well; just needs to be merged into this policy.
Hi,
I'm getting the message below when I run audit2allow.
#============= splunk_t ==============
#!!!! The file '/run/dbus/system_bus_socket' is mislabeled on your system.
#!!!! Fix with $ restorecon -R -v /run/dbus/system_bus_socket
allow splunk_t system_dbusd_t:unix_stream_socket connectto;
Thank you for sharing your work, it helped me a lot!
On RHEL 6 I get 'Building a policy module, but no module specification found' error. Can this be made to work with RHEL 6?
splunk.if:13: Error: duplicate definition of splunk_domtrans(). Original definition on 13.
splunk.if:32: Error: duplicate definition of splunk_initrc_domtrans(). Original definition on 32.
splunk.if:50: Error: duplicate definition of splunk_search_dir(). Original definition on 50.
splunk.if:73: Error: duplicate definition of splunk_read_files(). Original definition on 73.
splunk.if:101: Error: duplicate definition of splunk_manage_files(). Original definition on 101.
splunk.if:126: Error: duplicate definition of splunk_manage_dirs(). Original definition on 126.
splunk.if:155: Error: duplicate definition of splunk_admin(). Original definition on 155.
Compiling targeted splunk module
/usr/bin/checkmodule: loading policy configuration from tmp/splunk.tmp
/usr/bin/checkmodule: policy configuration loaded
/usr/bin/checkmodule: writing binary representation (version 10) to tmp/splunk.mod
Creating targeted splunk.pp policy package
rm tmp/splunk.mod.fc tmp/splunk.mod
checkmodule: loading policy configuration from splunk.te
splunk.te:1:ERROR 'Building a policy module, but no module specification found.
' at token 'policy_module' on line 1:
checkmodule: error(s) encountered while parsing configuration
Failed to compile splunk.te
Thanks,
-Mark