Forum: Cfengine Help
Subject: Manage suid files
Author: berntjernberg
Link to topic: https://cfengine.com/forum/read.php?3,20867,20867#msg-20867

Hi all,

I thought I'd share my work on this topic with you.

I have been using Solaris Security Toolkit (JASS) with home-written drivers to apply our security baseline, but I'm converting it to Cfengine instead. I use a white list of files I allow.


##########################################
################ Common ##################
##########################################
bundle common g
{
    vars:
        solaris::
            "chmod" string => "/usr/bin/chmod";

            "suid_dir_list" slist => {
                                     "/usr",
                                     "/sbin",
                                     "/opt",
                                     "/var"
                                     };

            "suid_allow_list" slist => {
                                       "/usr/bin/at",
                                       "/usr/bin/atq",
                                       "/usr/bin/atrm",
                                       "/usr/bin/crontab",
                                       "/usr/bin/pfexec",
                                       "/usr/sbin/ping",
                                       "/usr/lib/pt_chmod",
                                       "/usr/bin/su"
                                       };
}

###########################################
################ Library ##################
###########################################
body file_select by_umf(user,mode,files)
{
    search_owners => { "$(user)" };
    search_mode => { "$(mode)" };
    path_name => { @(files) };
    file_types => { "reg" };
    file_result => "!path_name.mode.owner.file_types";
}

###########################################
################ Bundles ##################
###########################################
bundle agent manage_root_suid_files
{
    vars:
        "dir_list"     slist => { @(g.suid_dir_list) };
        "allow_files"  slist => { @(g.suid_allow_list) };

    files:
        "$(dir_list)"
        file_select => by_umf("root","u+s","@(allow_files)"),
        depth_search => recurse("inf"),
        action => policy("fix"),
        comment => "Allow only whitelisted setuid root files",
        transformer => "$(g.chmod) u-s $(this.promiser)";
}

########################################
################ Main ##################
########################################
"Security Management" usebundle => manage_root_suid_files;




Any thoughts about this?
How do you manage suid files?
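
An added example, not part of the original post: a read-only Python audit that applies the same selection as the by_umf body (regular file, given owner, setuid bit set, path not in the allow list) and only reports matches, so the whitelist can be reviewed before the policy strips any bits. The function names, the exact-path matching (CFEngine's path_name takes regular expressions) and the constructed temp-directory demo are assumptions of this example.

```python
import os
import stat
import tempfile


def find_unlisted_suid(dir_list, allow_list, owner_uid=0):
    """Return sorted paths of regular files owned by owner_uid that have the
    setuid bit set and are not in allow_list. Nothing is modified."""
    allowed = {os.path.normpath(p) for p in allow_list}
    hits = set()
    for top in dir_list:
        # os.walk does not descend into symlinked directories by default
        for root, _dirs, files in os.walk(top):
            for name in files:
                path = os.path.join(root, name)
                try:
                    st = os.lstat(path)  # judge the entry itself, not a link target
                except OSError:
                    continue  # vanished or unreadable entry: skip it
                if not stat.S_ISREG(st.st_mode):
                    continue  # mirrors file_types => { "reg" }
                if st.st_uid != owner_uid or not st.st_mode & stat.S_ISUID:
                    continue  # mirrors search_owners and search_mode u+s
                if os.path.normpath(path) not in allowed:
                    hits.add(path)  # mirrors !path_name in file_result
    return sorted(hits)


def demo():
    """Constructed sample tree: 'su' is whitelisted, 'rogue' is setuid but not
    listed, 'ls' has no setuid bit. The current uid stands in for root so the
    demo runs unprivileged."""
    uid = os.getuid()
    with tempfile.TemporaryDirectory() as top:
        paths = {}
        for name, mode in (("su", 0o4755), ("rogue", 0o4755), ("ls", 0o755)):
            paths[name] = os.path.join(top, name)
            with open(paths[name], "w"):
                pass
            os.chmod(paths[name], mode)
        found = find_unlisted_suid([top], [paths["su"]], owner_uid=uid)
        return [os.path.basename(p) for p in found]


if __name__ == "__main__":
    print(demo())
```

On a real host the call would take the post's suid_dir_list and suid_allow_list values with the default owner_uid of 0.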
