[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: process details: user +selcontext and user: pw and shell

From: Martin Pala
Subject: Re: process details: user +selcontext and user: pw and shell
Date: Mon, 11 Jun 2012 23:13:03 +0200


the process' uid/gid is general test - we have implementation of it already 
(not finished yet on all platforms), i think it makes sense to add it.

The selinux test is however specific to linux only - it is better to use the 
"check program" test with custom script to test the privileges. The other 
platforms (Solaris, FreeBSD, etc.) have their own privilege separation 
frameworks, the selinux configuration won't be portable.

Similarly with the login test - it will be better to use the "check program" 
(custom script) or "check file" (logfiles content test), as intercepting the 
authentication process to track the invalid passwords is out of monit scope.


On Jun 11, 2012, at 4:22 PM, cgzones wrote:

> Hi list,
> hi developers,
> i would like to have a option to observer the rights of processes.
> So can you add a check for the user/uid of a process and the selinux
> context (if selinux is enabled) of it; something like:
> check process apache with pidfile /var/run/
>       if failed uid www-data then ACTION            (like the file check)
>       if failed selcontext system_u:system_r:httpd_t then ACTION
> In addition some services (like apache or mysql) creates and uses users
> for running it's daemons.
> But these users are task is only running these processes, so they should
> not have a valid password or a valid shell.
> Can you add a new check section for system users like:
> check user USERNAME with uid STRING/UID
>        if failed invalidpw then ACTION       (check for ""|"!"|"?"|"*"...)
>        if failed invalidshell then ACTION    (check for
> "/bin/false"|"/bin/nologin"...)
> Best regards,
>          Christian Göttsche
> --
> To unsubscribe:

reply via email to

[Prev in Thread] Current Thread [Next in Thread]