I'll second the cron option. If you're like me and have only recently
gotten sign-off for a tool like Puppet or Ansible, scripts and crons will
still work while you transition to the CM tool. For example, I'll run this
in cron.hourly to maintain a consistent state of the booleans available.
It may not be perfect, but it's a nice go-between until we can finish
implementing Puppet.
#!/bin/bash
## Use lists in /etc/selinux to set SELinux booleans to desired state:
## ${PREFIX}/booleanson and ${PREFIX}/booleansoff, one boolean name per line
PREFIX=/etc/selinux
LOGFILE=/var/log/sebooleans
touch "${LOGFILE}"
for state in on off; do
    LIST="${PREFIX}/booleans${state}"
    [[ -r "${LIST}" ]] || continue          ## skip a missing list instead of failing
    while read -r variable; do
        [[ -z "${variable}" ]] && continue  ## ignore blank lines
        ## getsebool is a lot faster than semanage for this task
        ## (output is "name --> state", so field 3 is the current state)
        if [[ "$( getsebool "${variable}" | gawk '{print $3}' )" != "${state}" ]]; then
            ## If we're running the script manually, output info to the screen
            ## (-t 1 tests whether stdout is a terminal; PS1 is not exported to scripts)
            if [[ -t 1 ]]; then
                echo "Setting ${variable} to ${state}..."
            fi
            echo "Setting ${variable} to ${state} at $( date +%c )..." >> "${LOGFILE}"
            setsebool -P "${variable}" "${state}"
        fi
    done < "${LIST}"
done
I like the idea of a hash comparison. After the required action is taken,
hash the relevant file and store it somewhere for reference later. Have
Puppet execute your script, first hashing the relevant file and comparing
it to your known value from last time. So, for your original question, the
files modules/active/users.local and modules/active/seusers.final could
provide you with the information that you'd want.
If that's no good, maybe you grep through these files to confirm the
existence of your customizations, and for every one that is missing, append
it to a temporary file, executing only the required commands with one
semanage.
On Sun, Oct 12, 2014 at 9:49 AM, Mark Montague <mark(a)catseye.org> wrote:
On 2014-10-12 6:14, Douglas Brown wrote:
semanage is great for general administration but not for compliance; it's
not really designed to compare an expected configuration with the running
configuration and rectify any differences. Rather, for the most part, it
applies cumulative changes.
I use a cron job that runs "semanage -o" to dump the current configuration
and compares it, using diff, with the expected configuration, which is just
the output of "semanage -o -" manually generated by an administrator at the
time the configuration was last changed.
The same cronjob also checks the output of sestatus and "semodule -l"
against expected values.
This approach is primitive, but it works. You could hash the output, if
you wanted, and compare the hash instead of using diff. I use diff in
order to have the cron job email the administrator the diff output, showing
how the actual configuration is different from the expected configuration
in the alert.
--
Mark Montague
mark(a)catseye.org
--
selinux mailing list
selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
--
Jeremy Young <jrm16020(a)gmail.com>, M.S., RHCSA
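The cron-based comparison Mark describes, with the hash pre-check from the reply above, as an added example that is not part of the thread. The baseline directory, its file names and the script name are assumptions; the dumps come from the same three commands named in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. An administrator writes the baseline
# once after each intentional change (directory and file names are assumptions):
#   semanage -o - > /etc/selinux/baseline/semanage   # 'semanage export' on newer releases
#   sestatus      > /etc/selinux/baseline/sestatus
#   semodule -l   > /etc/selinux/baseline/semodule
set -u
# Hex SHA-256 of a file: the "hash it and store it" idea from the reply.
file_hash() { sha256sum "$1" | cut -d' ' -f1; }
# Compare one expected dump with its current counterpart. Returns 0 when
# identical; otherwise prints a unified diff (what ends up in the cron alert
# mail) and returns 1. The hash is the cheap pre-check; diff runs only on drift.
compare_dump() {
    local name="$1" expected="$2" actual="$3"
    if [ "$(file_hash "$expected")" = "$(file_hash "$actual")" ]; then
        return 0
    fi
    echo "### $name: running configuration differs from baseline ###"
    diff -u "$expected" "$actual" || true
    return 1
}
# Re-collect the current state into WORKDIR with the same commands used for
# the baseline, so the two dumps are directly comparable.
collect_current() {
    local workdir="$1"
    semanage -o - > "$workdir/semanage"
    sestatus       > "$workdir/sestatus"
    semodule -l    > "$workdir/semodule"
}
# Compare all three dumps; exit status 1 if anything drifted, so cron has
# both output (the diffs) and a failure to report.
check_all() {
    local baseline="$1" current="$2" rc=0
    for name in semanage sestatus semodule; do
        compare_dump "$name" "$baseline/$name" "$current/$name" || rc=1
    done
    return "$rc"
}
# Only touch the live system when explicitly asked, e.g. from cron:
#   selinux-drift.sh --check /etc/selinux/baseline
case "${1:-}" in
    --check)
        work=$(mktemp -d); trap 'rm -rf "$work"' EXIT
        collect_current "$work"
        check_all "${2:-/etc/selinux/baseline}" "$work"
        ;;
esac
```

Because the baseline is a plain text file, it should live somewhere the checked host cannot rewrite it silently (a read-only path or a copy held elsewhere), or the comparison only proves the configuration matches whatever the last attacker or admin left behind.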