On 2014-10-12 6:14, Douglas Brown wrote:
semanage is great for general administration but not for compliance;
it's not really designed to compare an expected configuration with the
running configuration and rectify any differences; rather, for the
most part, it applies cumulative changes.
I use a cron job that runs "semanage -o" to dump the current
configuration and compare it, using diff, with the expected
configuration which is just the output of "semanage -o -" manually
generated by an administrator at the last time the configuration was
changed.
The same cron job also checks the output of sestatus and "semodule -l"
against expected values.
This approach is primitive, but it works. You could hash the output, if
you wanted, and compare the hash instead of using diff. I use diff in
order to have the cron job email the administrator the diff output,
showing how the actual configuration is different from the expected
configuration in the alert.
--
Mark Montague
mark(a)catseye.org
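The cron job described above, as an added shell example (not Mark's own script): it assumes a baseline directory /var/lib/selinux-baseline that an administrator has populated with the output of "semanage -o -", sestatus and "semodule -l", and that a mail command is available for the alert.

```shell
#!/bin/sh
# Added example (not from the original post): SELinux configuration drift
# check meant to run from cron. BASELINE_DIR (assumed path) holds the
# administrator-captured dumps; "mail" is assumed to be installed.
BASELINE_DIR="${BASELINE_DIR:-/var/lib/selinux-baseline}"
ALERT_TO="${ALERT_TO:-root}"

# compare_dump NAME CURRENT: unified diff of baseline NAME against CURRENT.
# Returns 0 if identical, 1 on drift (diff printed), 2 if baseline missing.
compare_dump() {
    baseline="$BASELINE_DIR/$1"
    if [ ! -f "$baseline" ]; then
        echo "missing baseline: $baseline" >&2
        return 2
    fi
    diff -u "$baseline" "$2"
}

# capture_current OUTDIR: dump the running configuration exactly the way
# the baseline was produced, so the two are directly comparable.
capture_current() {
    semanage -o - > "$1/semanage.dump"
    sestatus > "$1/sestatus.out"
    semodule -l > "$1/semodule.out"
}

# run_checks CURDIR REPORT: compare each dump in CURDIR with its baseline,
# appending diffs to REPORT. Returns 1 if anything drifted or could not be
# compared, 0 if everything matches.
run_checks() {
    drift=0
    for name in semanage.dump sestatus.out semodule.out; do
        if ! compare_dump "$name" "$1/$name" >> "$2"; then
            drift=1
        fi
    done
    return $drift
}

# Cron entry point: capture, compare, and mail the diff only on drift.
main() {
    work=$(mktemp -d) || exit 2
    : > "$work/report"
    capture_current "$work"
    if ! run_checks "$work" "$work/report"; then
        mail -s "SELinux config drift on $(hostname)" "$ALERT_TO" < "$work/report"
    fi
    rm -rf "$work"
}

# Run only when asked, so the functions can also be sourced for testing.
if [ "${SELINUX_DRIFT_RUN:-0}" = 1 ]; then main; fi
```

Invoke it from cron as `SELINUX_DRIFT_RUN=1 /path/to/script.sh`; after any intended policy change, refresh the three baseline files so the next run is silent.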