Sunday 5 February 2012

SELinux policy to run check_yum with sudo

A small update on the previous post. If you want to run check_yum with sudo you'll need the following policy file instead of the one in that post. The extra rules let nrpe_t execute sudo (sudo_exec_t), let sudo write its audit record over a netlink audit socket (audit_write), and let yum, now running as root, write to its cache under /var/cache/yum (rpm_var_cache_t) and to /var/lib/rpm and /var/lib/yum (rpm_var_lib_t):


#-- Start nagios_plugin_checkyum.te --
module nagios_plugin_checkyum 1.0.4;

require {
        type usr_t;
        type boot_t;
        type admin_home_t;
        type rpm_var_lib_t;
        type tmp_t;
        type rpm_var_cache_t;
        type nrpe_t;
        type sudo_exec_t;
        type http_port_t;
        type rpm_exec_t;
        class capability { sys_nice audit_write };
        class tcp_socket name_connect;
        class file { rename execute setattr read lock create ioctl execute_no_trans write getattr unlink open };
        class netlink_audit_socket { write nlmsg_relay create read };
        class lnk_file read;
        class dir { search read write getattr remove_name open add_name };
}

#============= nrpe_t ==============
allow nrpe_t admin_home_t:dir search;
allow nrpe_t boot_t:dir { read getattr open };
allow nrpe_t http_port_t:tcp_socket name_connect;
allow nrpe_t rpm_exec_t:file { execute getattr read open ioctl execute_no_trans };
allow nrpe_t rpm_var_cache_t:dir { search getattr };
allow nrpe_t rpm_var_cache_t:dir { write read open add_name remove_name };
allow nrpe_t rpm_var_cache_t:file { rename create unlink setattr };
allow nrpe_t rpm_var_cache_t:file { write read getattr open lock };
allow nrpe_t rpm_var_lib_t:dir add_name;
allow nrpe_t rpm_var_lib_t:dir write;
allow nrpe_t rpm_var_lib_t:dir { getattr search };
allow nrpe_t rpm_var_lib_t:file create;
allow nrpe_t rpm_var_lib_t:file write;
allow nrpe_t rpm_var_lib_t:file { read lock getattr open };
allow nrpe_t self:capability { sys_nice audit_write };
allow nrpe_t self:netlink_audit_socket { write nlmsg_relay create read };
allow nrpe_t sudo_exec_t:file { read execute open execute_no_trans };
allow nrpe_t tmp_t:dir { read write add_name remove_name };
allow nrpe_t tmp_t:file { rename setattr read lock create write getattr unlink open };
allow nrpe_t usr_t:file { read getattr open };
allow nrpe_t usr_t:lnk_file read;
#-- End nagios_plugin_checkyum.te --

And you'll need to add something like the following to your /etc/sudoers file (the approach comes from [1]):
nagios  ALL=(ALL) NOPASSWD: /usr/lib64/nagios/plugins/check_yum

Because this runs the plugin as root without a password, make sure /usr/lib64/nagios/plugins/check_yum is owned by root and writable only by root. If the nagios user can edit that file, the sudoers line turns into a root shell for anyone who can run plugins as nagios, including through NRPE. (ALL) also lets the command be run as any user; (root) is all it needs.

You also need to comment out the following line in the sudoers file. NRPE runs plugins without a terminal, so with requiretty in force sudo refuses to run ("sorry, you must have a tty to run sudo") and the plugin returns that message instead of a status line NRPE can parse:
#Defaults    requiretty

A narrower alternative is to relax the setting only for the nagios user with Defaults:nagios !requiretty instead of disabling it for everybody.



References
  1. http://blog.gnucom.cc/2009/configuring-nagios-to-run-privileged-or-root-commands-with-nrpe/

SELinux policy to run check_yum

The EPEL repo has lots of good (and SELinux-friendly) plugins to run on remote hosts with NRPE. One that is missing is check_yum, which checks that the OS has the latest security patches.
To make that plugin work on CentOS 6, download the script from Nagios Exchange and apply the small change described in this comment.

When we try to run this script through NRPE on a SELinux-enabled host it explodes into a million colour pieces, because yum needs resources the nrpe_t domain is not allowed to touch. Here's the output when we try to run it. The message is misleading: yum is installed, but nrpe_t cannot even stat /usr/bin/yum (labelled rpm_exec_t), so the plugin's check for the binary fails.

[root@host plugins]# ./check_nrpe -H nrpehost.com -c check_yum
UNKNOWN: /usr/bin/yum cannot be found

To make it work, we need to create a SELinux policy module that allows nrpe to run yum.

Copy the following into a file called ~/nagios_plugin_checkyum.te (name the file after the module declared on its first line, so the .pp that gets built has the same name):

#-- Start ~/nagios_plugin_checkyum.te --
module nagios_plugin_checkyum 1.0.3;
 
require {
        type tmp_t;
        type usr_t;
        type boot_t;
        type http_port_t;
        type nrpe_t;
        type rpm_exec_t;
        type rpm_var_lib_t;
        class tcp_socket name_connect;
        class lnk_file read;
        class dir { search read write getattr remove_name open add_name };
        class file { rename execute setattr read lock create ioctl execute_no_trans write getattr unlink open };
}

#============= nrpe_t ==============
allow nrpe_t boot_t:dir { read getattr open };
allow nrpe_t http_port_t:tcp_socket name_connect;
allow nrpe_t rpm_exec_t:file { execute getattr read open ioctl execute_no_trans };
allow nrpe_t rpm_var_lib_t:dir add_name;
allow nrpe_t rpm_var_lib_t:dir { getattr search };
allow nrpe_t rpm_var_lib_t:file create;
allow nrpe_t rpm_var_lib_t:file { read lock getattr open };
allow nrpe_t tmp_t:dir { read write add_name remove_name };
allow nrpe_t tmp_t:file { rename setattr read lock create write getattr unlink open };
allow nrpe_t usr_t:file { read getattr open };
allow nrpe_t usr_t:lnk_file read;

#-- End of ~/nagios_plugin_checkyum.te --

Some of the rules make sense: for example, nrpe needs to connect to an HTTP port (yum fetching repository metadata) and to execute rpm and yum (rpm_exec_t). Since I'm not a SELinux expert I'm not sure all the other permissions are needed, but at least we're granting them only to the nrpe_t domain, so the rest of the system is unaffected. Be clear about what the module does hand to a compromised NRPE, though: the rpm_var_lib_t rules let nrpe_t create files under /var/lib/rpm and /var/lib/yum, and the tmp_t rules let it create, write, rename and delete files in /tmp. If you only need the check to work, that is the price; if you want to tighten it, run the plugin through sudo as in the follow-up post and keep the write rules out of nrpe_t.

Now we need to build the policy, since SELinux loads modules in compiled (binary) form. Run the following command in the directory where you saved the .te file; it needs the selinux-policy-devel package installed.

make -f /usr/share/selinux/devel/Makefile

This creates a few files, but the one we're interested in is nagios_plugin_checkyum.pp, the compiled SELinux module. To install it run

semodule -i nagios_plugin_checkyum.pp

After doing this, when we run the check we get a proper response:

[root@host plugins]# ./check_nrpe -H nrpehost.com -c check_yum
YUM OK: 0 Security Updates Available. 5 Non-Security Updates Available

It is tricky to get the right policy for this plugin, because some of the relevant denials are covered by dontaudit rules and never reach the audit log, even in permissive mode. To see them, disable the dontaudit rules with semodule -DB, run the check a few times, capture the denials with ausearch -m AVC -c nrpe (or audit2allow -M nagios_plugin_checkyum, which builds a module like the one above from them), and then re-enable the dontaudit rules with semodule -B. Review what audit2allow produces before installing it; it grants everything it saw denied, so it will happily include permissions triggered by something other than the plugin.
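As an added example (not code from this post, and not audit2allow itself), here is a small Python stand-in for the audit2allow step that turns AVC denials into the require and allow lines a module like the ones above is made of. The audit lines are constructed to mirror rules in the module; on a real host you would feed it the output of ausearch -m AVC -c nrpe. It filters on the nrpe_t source domain so that denials from other domains, which also show up once dontaudit is disabled, are not folded into the module.

```python
"""Derive SELinux allow rules from AVC denials (a tiny audit2allow stand-in).

Added example for this post, not code from it and not audit2allow.
The sample audit lines are constructed to mirror rules in the module above.
"""
import re
from collections import defaultdict

# Constructed sample of what ausearch -m AVC -c nrpe prints once dontaudit
# rules are off.  The last line comes from another domain and must be ignored.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1328450000.123:456): avc:  denied  { execute } for  pid=1234 comm="nrpe" name="yum" dev=sda1 ino=789 scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:rpm_exec_t:s0 tclass=file
type=AVC msg=audit(1328450000.124:457): avc:  denied  { read open } for  pid=1234 comm="yum" path="/usr/bin/yum" dev=sda1 ino=789 scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:rpm_exec_t:s0 tclass=file
type=AVC msg=audit(1328450000.125:458): avc:  denied  { name_connect } for  pid=1235 comm="yum" dest=80 scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1328450000.126:459): avc:  denied  { sys_nice } for  pid=1235 comm="yum" capability=23 scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:system_r:nrpe_t:s0 tclass=capability
type=AVC msg=audit(1328450000.127:460): avc:  denied  { search } for  pid=1300 comm="bash" name="root" dev=sda1 ino=2 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?\bscontext=(?P<scontext>\S+)"
    r".*?\btcontext=(?P<tcontext>\S+)"
    r".*?\btclass=(?P<tclass>\w+)"
)


def _type_of(context):
    """user:role:type[:level] -> type."""
    return context.split(":")[2]


def parse_denials(text, source_type=None):
    """Return {(source type, target type, class): set(permissions)} for every AVC.

    With source_type set, denials from other domains are dropped; that is how
    a module stays scoped to one domain (here nrpe_t).  A target equal to the
    source is written as 'self', as in the module above.
    """
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        stype = _type_of(m.group("scontext"))
        if source_type and stype != source_type:
            continue
        ttype = _type_of(m.group("tcontext"))
        if ttype == stype:
            ttype = "self"
        rules[(stype, ttype, m.group("tclass"))].update(m.group("perms").split())
    return dict(rules)


def render_te(rules, module="nagios_plugin_checkyum", version="1.0.0"):
    """Emit a .te module: a require block plus one allow line per (domain, type, class)."""
    types, classes = set(), defaultdict(set)
    for (stype, ttype, tclass), perms in rules.items():
        types.add(stype)
        if ttype != "self":
            types.add(ttype)
        classes[tclass].update(perms)
    out = [f"module {module} {version};", "", "require {"]
    out += [f"        type {t};" for t in sorted(types)]
    for tclass, perms in sorted(classes.items()):
        out.append(f"        class {tclass} {{ {' '.join(sorted(perms))} }};")
    out += ["}", ""]
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        out.append(f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(render_te(parse_denials(SAMPLE_AUDIT, source_type="nrpe_t")))
```

Real audit2allow also knows about booleans and policy interfaces and will suggest a setsebool where one covers a denial; this version only shows the mechanical part, which is exactly why a generated module carries every permission yum ever tripped over and why the result deserves a read before semodule -i.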

Please share your experience whether this has worked for you.

Saturday 4 February 2012

Yum update - Metadata file does not match checksum

Today I was testing some Nagios plugins that report missing security updates on CentOS 6, and on one of the boxes I started to get an error when I ran "yum check-update". Yum compares each metadata file it downloads against the checksum listed in the repository's repomd.xml index, and here the two did not match. The usual cause is that the cached repomd.xml is stale relative to what the mirrors are serving, for example because EPEL had just regenerated its metadata and the mirrors were still syncing.

This is the error I saw from yum:

Limiting package lists to security relevant ones
epel/updateinfo                                               | 308 kB     00:01
http://mirror.bytemark.co.uk/fedora/epel/6/x86_64/repodata/updateinfo.xml.gz: [Errno -1] Metadata file does not match checksum
Trying other mirror.
epel/updateinfo                                               | 308 kB     00:01
http://ftp.ntua.gr/pub/linux/fedora-epel/6/x86_64/repodata/updateinfo.xml.gz: [Errno -1] Metadata file does not match checksum
[...]

Retrying gave the same error, so I cleared the cached metadata with the following command:

yum clean metadata dbcache expire-cache

After running that command yum was happy again. Note that the checksum check is what protects you from a tampered or half-synced mirror; clearing the cache forces yum to fetch a fresh repomd.xml and re-download the metadata, rather than skipping the check.
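To show what yum is actually checking when it prints that error, here is an added Python example (not the post's own code, and not yum's): it parses a repomd.xml index, recomputes the checksum of a metadata file as served, and compares the two, which is the check that failed above. The repomd.xml documents and the updateinfo.xml.gz blob are constructed; the second index stands in for a stale cached repomd.xml that still lists the checksum of an older updateinfo file.

```python
"""Reproduce yum's repodata integrity check.

Added example, not code from the original post or from yum.  repomd.xml
lists a checksum for every metadata file; after downloading a file yum
recomputes the checksum and rejects the file on mismatch.  Everything
below (the index and the compressed file) is constructed inline.
"""
import gzip
import hashlib
import hmac
import xml.etree.ElementTree as ET

REPO_NS = "http://linux.duke.edu/metadata/repo"  # namespace used by real repomd.xml
NS = {"repo": REPO_NS}

# Constructed stand-ins for the updateinfo.xml.gz a mirror serves (mtime=0
# keeps the gzip header, and therefore the checksum, reproducible).
UPDATEINFO_GZ = gzip.compress(
    b"<updates><update id='EXAMPLE-2012-0001' type='security'/></updates>", mtime=0)
OLDER_UPDATEINFO_GZ = gzip.compress(b"<updates/>", mtime=0)


def make_repomd(data_type, blob, algorithm="sha256"):
    """Build a one-entry repomd.xml for blob, the way createrepo would (constructed)."""
    digest = hashlib.new(algorithm, blob).hexdigest()
    return (
        f'<repomd xmlns="{REPO_NS}">'
        f'<data type="{data_type}">'
        f'<checksum type="{algorithm}">{digest}</checksum>'
        f'<location href="repodata/{data_type}.xml.gz"/>'
        f"</data></repomd>"
    )


def checksums_from_repomd(repomd_xml):
    """Return {data type: (algorithm, hexdigest)} from a repomd.xml document."""
    root = ET.fromstring(repomd_xml)
    entries = {}
    for data in root.findall("repo:data", NS):
        cs = data.find("repo:checksum", NS)
        entries[data.get("type")] = (cs.get("type"), cs.text.strip().lower())
    return entries


def verify_blob(blob, algorithm, expected_hex):
    """True iff blob hashes, with the algorithm repomd names, to expected_hex."""
    actual = hashlib.new(algorithm, blob).hexdigest()
    return hmac.compare_digest(actual, expected_hex)


def check_repo_file(repomd_xml, data_type, blob):
    """Mimic yum: look up data_type in the index and verify blob against it.

    Returns (ok, message); the failure text is the one yum prints.
    """
    entry = checksums_from_repomd(repomd_xml).get(data_type)
    if entry is None:
        return False, f"{data_type}: not listed in repomd.xml"
    algorithm, expected = entry
    if verify_blob(blob, algorithm, expected):
        return True, f"{data_type}: {algorithm} checksum matches"
    return False, f"{data_type}: [Errno -1] Metadata file does not match checksum"


if __name__ == "__main__":
    fresh_index = make_repomd("updateinfo", UPDATEINFO_GZ)
    stale_index = make_repomd("updateinfo", OLDER_UPDATEINFO_GZ)
    # Fresh index, current file from the mirror: passes.
    print(check_repo_file(fresh_index, "updateinfo", UPDATEINFO_GZ))
    # Cached index from before the repo was regenerated, current file from
    # the mirror: the error from the post.  'yum clean metadata' discards the
    # cached index so the next run fetches one that matches.
    print(check_repo_file(stale_index, "updateinfo", UPDATEINFO_GZ))
```

The compare is constant-time out of habit rather than necessity here, since the expected digest is public; what matters is that the check is against the index, so a mirror that serves a modified updateinfo.xml.gz without also serving a matching repomd.xml is rejected the same way a stale cache is.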

Wednesday 1 February 2012

Changing PuTTY default configuration

Today I found a simple way to change the default values in PuTTY that doesn't involve fiddling with the registry.

To change the defaults:
  1. Open PuTTY and change any parameter you want as the new default.
  2. Go back to Session in the Category list.
  3. Enter Default Settings in Saved Sessions.
  4. Click Save.


Enjoy!