fedora-selinux January 2011 archive

Re: HOWTO Logging tcp binding on permissive mode

From: François Chenais <francois.chenais_at_nospam>
Date: Mon Jan 24 2011 - 13:19:47 GMT
To: Dominick Grift <domg472@gmail.com>

2011/1/24 Dominick Grift <domg472@gmail.com>

> On Mon, Jan 24, 2011 at 09:49:01AM +0100, François Chenais wrote:
> > Hello,
> >
> >
> > I would like to log process binding on tcp ports > 1023.
>
> something like this may work:
>
> mkdir mytest; cd mytest; echo "policy_module(mytest, 1.0.0) gen_require(\`
> attribute domain, userdomain, port_type; ') auditallow { userdomain domain }
> port_type:tcp_socket name_bind;" > mytest.te; make -f
> /usr/share/selinux/devel/Makefile mytest.pp; sudo semodule -i mytest.pp
>
> Then any attempts to bind tcp_sockets to port_type ports by domain as well
> as userdomain will be logged in /var/log/audit/audit.log.
>
> Coool ! Thanks a lot, I'm trying it now ...

> You may, or may not, be able to do similar things by using the audit suite
> instead (man auditctl)
>
>
Yes but I can't find how to restrict the audit on a specific port number :/

   auditctl -d exit,always -S bind -k BIND

--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
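The two approaches in the thread leave their evidence in different places in /var/log/audit/audit.log. The auditallow module produces an "avc: granted { name_bind }" record whose src= field already carries the port, while an auditctl rule on the bind syscall produces a SYSCALL record (with the -k key) followed by a SOCKADDR record holding the raw struct sockaddr as hex; auditctl's -F a0..a3 filters compare syscall arguments as integers, and bind's address argument is a pointer, so the port restriction François asks about has to be applied after the fact by decoding that hex. The script below is an added example, not code from the thread: it parses both record kinds, decodes the port from the saddr= dump (sin_family in host byte order, assumed little-endian as on x86; sin_port in network order), and keeps only binds to ports above 1023. The log lines are constructed samples in the kernel's record format, not captures from the list.

```python
import re
from typing import Dict, Iterable, Iterator, List, NamedTuple, Optional

# Constructed sample records (not taken from the thread): two "granted" AVC
# records as produced by an auditallow rule on tcp_socket name_bind, and two
# SYSCALL/SOCKADDR pairs as produced by an auditctl rule with -S bind -k BIND.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1295875187.123:4567): avc:  granted  { name_bind } for  pid=2345 comm="python" src=8080 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1295875190.456:4570): avc:  granted  { name_bind } for  pid=2346 comm="httpd" src=80 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1295875200.789:4580): arch=c000003e syscall=49 success=yes exit=0 a0=3 a1=7fffd5a8 a2=10 a3=0 items=0 ppid=1 pid=2350 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts1 ses=3 comm="nc" exe="/usr/bin/nc" subj=unconfined_u:unconfined_r:unconfined_t:s0 key="BIND"
type=SOCKADDR msg=audit(1295875200.789:4580): saddr=02001F90000000000000000000000000
type=SYSCALL msg=audit(1295875201.000:4581): arch=c000003e syscall=49 success=yes exit=0 a0=3 a1=7fffd5a8 a2=1c a3=0 items=0 ppid=1 pid=2351 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=4 comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0 key="BIND"
type=SOCKADDR msg=audit(1295875201.000:4581): saddr=0A000016000000000000000000000000000000000000000000000000
"""

AF_INET, AF_INET6 = 2, 10  # Linux address family numbers


class BindEvent(NamedTuple):
    event_id: str  # the audit(...) serial that ties SYSCALL and SOCKADDR together
    source: str    # "selinux" (auditallow AVC record) or "auditd" (syscall rule)
    comm: str
    port: int


# Record produced by the auditallow rule: the port is given directly as src=.
AVC_GRANTED_RE = re.compile(
    r'type=AVC msg=audit\((?P<id>[\d.]+:\d+)\): avc:\s+granted\s+\{ name_bind \}'
    r'.*?comm="(?P<comm>[^"]*)" src=(?P<port>\d+).*?tclass=tcp_socket')
# Records produced by the auditctl rule (key "BIND", as in the thread).
SYSCALL_RE = re.compile(
    r'type=SYSCALL msg=audit\((?P<id>[\d.]+:\d+)\):.*? comm="(?P<comm>[^"]*)".*? key="BIND"')
SOCKADDR_RE = re.compile(
    r'type=SOCKADDR msg=audit\((?P<id>[\d.]+:\d+)\): saddr=(?P<saddr>[0-9A-Fa-f]+)')


def port_from_saddr(saddr_hex: str) -> Optional[int]:
    """Decode the port from auditd's saddr= hex dump of a struct sockaddr.

    Returns None for non-IP families (AF_UNIX and so on).  The family field is in
    host byte order (assumed little-endian, x86); the port is in network order and
    sits at offset 2 for both sockaddr_in and sockaddr_in6."""
    raw = bytes.fromhex(saddr_hex)
    if len(raw) < 4:
        return None
    family = int.from_bytes(raw[0:2], "little")
    if family not in (AF_INET, AF_INET6):
        return None
    return int.from_bytes(raw[2:4], "big")


def parse_bind_events(lines: Iterable[str]) -> Iterator[BindEvent]:
    """Yield one BindEvent per bind seen, from either logging approach."""
    pending: Dict[str, str] = {}  # event id -> comm, waiting for its SOCKADDR record
    for line in lines:
        m = AVC_GRANTED_RE.search(line)
        if m:
            yield BindEvent(m["id"], "selinux", m["comm"], int(m["port"]))
            continue
        m = SYSCALL_RE.search(line)
        if m:
            pending[m["id"]] = m["comm"]
            continue
        m = SOCKADDR_RE.search(line)
        if m and m["id"] in pending:
            port = port_from_saddr(m["saddr"])
            if port is not None:
                yield BindEvent(m["id"], "auditd", pending.pop(m["id"]), port)


def unprivileged_binds(lines: Iterable[str], min_port: int = 1024) -> List[BindEvent]:
    """Apply the thread's filter: binds to ports > 1023 only."""
    return [ev for ev in parse_bind_events(lines) if ev.port >= min_port]


if __name__ == "__main__":
    for ev in unprivileged_binds(SAMPLE_AUDIT_LOG.splitlines()):
        print(f"{ev.event_id} {ev.source:8} {ev.comm:10} port={ev.port}")
```

Run against the real file with `sudo python3 bindlog.py < /var/log/audit/audit.log` after replacing the sample with `sys.stdin`; the SYSCALL and SOCKADDR records are correlated by the audit serial rather than by adjacency, since auditd may interleave records of other events between them.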