From 2b0fe9759501818b10e0654e7f83383bb4b8e8a4 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Fri, 2 Oct 2020 12:43:56 -0400 Subject: profstats - add count for whitelisted home dir, dbus-user none --- README.md | 38 ++++++++++++++++++++------------------ src/profstats/main.c | 22 ++++++++++++++++++++++ 2 files changed, 42 insertions(+), 18 deletions(-) diff --git a/README.md b/README.md index 19024eea6..7213225fb 100644 --- a/README.md +++ b/README.md @@ -166,25 +166,27 @@ $ ./profstats *.profile Warning: multiple caps in transmission-daemon.profile Stats: - profiles 1025 - include local profile 1025 (include profile-name.local) - include globals 1025 (include globals.local) - blacklist ~/.ssh 1001 (include disable-common.inc) - seccomp 971 - capabilities 1024 - noexec 895 (include disable-exec.inc) - memory-deny-write-execute 217 - apparmor 546 - private-bin 537 - private-dev 893 - private-etc 426 - private-tmp 780 - whitelist var 691 (include whitelist-var-common.inc) - whitelist run/user 329 (include whitelist-runuser-common.inc + profiles 1029 + include local profile 1029 (include profile-name.local) + include globals 1029 (include globals.local) + blacklist ~/.ssh 1005 (include disable-common.inc) + seccomp 975 + capabilities 1028 + noexec 899 (include disable-exec.inc) + memory-deny-write-execute 220 + apparmor 549 + private-bin 542 + private-dev 897 + private-etc 431 + private-tmp 784 + whitelist home directory 469 + whitelist var 695 (include whitelist-var-common.inc) + whitelist run/user 334 (include whitelist-runuser-common.inc or blacklist ${RUNUSER}) - whitelist usr/share 349 (include whitelist-usr-share-common.inc - net none 329 - dbus-system none 624 + whitelist usr/share 354 (include whitelist-usr-share-common.inc + net none 332 + dbus-user none 523 + dbus-system none 627 ````` ### New profiles: diff --git a/src/profstats/main.c b/src/profstats/main.c index 194cb210a..4c1221464 100644 --- a/src/profstats/main.c +++ b/src/profstats/main.c 
@@ -29,6 +29,7 @@ static int cnt_apparmor = 0;
 static int cnt_seccomp = 0;
 static int cnt_caps = 0;
 static int cnt_dbus_system_none = 0;
+static int cnt_dbus_user_none = 0;
 static int cnt_dotlocal = 0;
 static int cnt_globalsdotlocal = 0;
 static int cnt_netnone = 0;
@@ -42,6 +43,7 @@ static int cnt_whitelistrunuser = 0; // include whitelist-runuser-common.inc
 static int cnt_whitelistusrshare = 0; // include whitelist-usr-share-common.inc
 static int cnt_ssh = 0;
 static int cnt_mdwx = 0;
+static int cnt_whitelisthome = 0;
 static int level = 0;
 static int arg_debug = 0;
@@ -59,6 +61,8 @@ static int arg_whitelistusrshare = 0;
 static int arg_ssh = 0;
 static int arg_mdwx = 0;
 static int arg_dbus_system_none = 0;
+static int arg_dbus_user_none = 0;
+static int arg_whitelisthome = 0;
 static char *profile = NULL;
@@ -71,6 +75,7 @@ static void usage(void) {
 printf(" --apparmor - print profiles without apparmor\n");
 printf(" --caps - print profiles without caps\n");
 printf(" --dbus-system-none - profiles without \"dbus-system none\"\n");
+ printf(" --dbus-user-none - profiles without \"dbus-user none\"\n");
 printf(" --ssh - print profiles without \"include disable-common.inc\"\n");
 printf(" --noexec - print profiles without \"include disable-exec.inc\"\n");
 printf(" --private-bin - print profiles without private-bin\n");
@@ -79,6 +84,7 @@ static void usage(void) {
 printf(" --private-tmp - print profiles without private-tmp\n");
 printf(" --seccomp - print profiles without seccomp\n");
 printf(" --memory-deny-write-execute - profile without \"memory-deny-write-execute\"\n");
+ printf(" --whitelist-home - print profiles whitelisting home directory\n");
 printf(" --whitelist-var - print profiles without \"include whitelist-var-common.inc\"\n");
 printf(" --whitelist-runuser - print profiles without \"include whitelist-runuser-common.inc\" or \"blacklist ${RUNUSER}\"\n");
 printf(" --whitelist-usrshare - print profiles without \"include whitelist-usr-share-common.inc\"\n");
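Review bot: The help text added to usage() for `--whitelist-home` says the option prints profiles *whitelisting* the home directory, but every other entry in this list describes printing the profiles *without* the feature, and the report condition this commit adds in main() (`whitelisthome == cnt_whitelisthome`, i.e. the counter did not move while the file was processed) fires for profiles that lack `include whitelist-common.inc`. As written the option does the opposite of what its help says. The line should read `printf(" --whitelist-home - print profiles without \"include whitelist-common.inc\"\n");`, naming the directive actually matched, as the `--whitelist-var` and `--ssh` entries do. usage() begins and ends outside these hunks.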
@@ -124,6 +130,8 @@ void process_file(const char *fname) {
 else if (strncmp(ptr, "include whitelist-runuser-common.inc", 36) == 0 ||
 strncmp(ptr, "blacklist ${RUNUSER}", 20) == 0)
 cnt_whitelistrunuser++;
+ else if (strncmp(ptr, "include whitelist-common.inc", 28) == 0)
+ cnt_whitelisthome++;
 else if (strncmp(ptr, "include whitelist-usr-share-common.inc", 38) == 0)
 cnt_whitelistusrshare++;
 else if (strncmp(ptr, "include disable-common.inc", 26) == 0)
@@ -144,6 +152,8 @@ void process_file(const char *fname) {
 cnt_privateetc++;
 else if (strncmp(ptr, "dbus-system none", 16) == 0)
 cnt_dbus_system_none++;
+ else if (strncmp(ptr, "dbus-user none", 14) == 0)
+ cnt_dbus_user_none++;
 else if (strncmp(ptr, "include ", 8) == 0) {
 // not processing .local files
 if (strstr(ptr, ".local")) {
@@ -200,6 +210,8 @@ int main(int argc, char **argv) {
 arg_privatetmp = 1;
 else if (strcmp(argv[i], "--private-etc") == 0)
 arg_privateetc = 1;
+ else if (strcmp(argv[i], "--whitelist-home") == 0)
+ arg_whitelisthome = 1;
 else if (strcmp(argv[i], "--whitelist-var") == 0)
 arg_whitelistvar = 1;
 else if (strcmp(argv[i], "--whitelist-runuser") == 0)
@@ -210,6 +222,8 @@ int main(int argc, char **argv) {
 arg_ssh = 1;
 else if (strcmp(argv[i], "--dbus-system-none") == 0)
 arg_dbus_system_none = 1;
+ else if (strcmp(argv[i], "--dbus-user-none") == 0)
+ arg_dbus_user_none = 1;
 else if (*argv[i] == '-') {
 fprintf(stderr, "Error: invalid option %s\n", argv[i]);
 return 1;
@@ -238,10 +252,12 @@ int main(int argc, char **argv) {
 int privateetc = cnt_privateetc;
 int dotlocal = cnt_dotlocal;
 int globalsdotlocal = cnt_globalsdotlocal;
+ int whitelisthome = cnt_whitelisthome;
 int whitelistvar = cnt_whitelistvar;
 int whitelistrunuser = cnt_whitelistrunuser;
 int whitelistusrshare = cnt_whitelistusrshare;
 int dbussystemnone = cnt_dbus_system_none;
+ int dbususernone = cnt_dbus_user_none;
 int ssh = cnt_ssh;
 int mdwx = cnt_mdwx;
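Review bot: The new branch in process_file() increments `cnt_whitelisthome` only on the literal `include whitelist-common.inc` line, yet the counter is reported elsewhere in this commit as "whitelist home directory" and a miss as "Home directory not whitelisted"; a profile that whitelists home paths directly instead of through that include would be miscounted, if such profiles exist (the adjacent run/user branch already accepts two spellings, `include whitelist-runuser-common.inc` or `blacklist ${RUNUSER}`, which suggests they may). Either document the narrower meaning at the match site, `// home dir is counted only via "include whitelist-common.inc"; direct "whitelist ${HOME}/..." lines are not detected`, or widen the test the way the run/user branch does, e.g. `|| strncmp(ptr, "whitelist ${HOME}", 17) == 0`, after confirming against the profile set which meaning is wanted. The hard-coded prefix lengths 28 and 14 are correct for their literals but break silently if the string is edited; `sizeof("include whitelist-common.inc") - 1` would tie each length to its literal. process_file() and main() both begin and end outside these hunks.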
@@ -265,6 +281,8 @@ int main(int argc, char **argv) {
 if (arg_dbus_system_none && dbussystemnone == cnt_dbus_system_none)
 printf("No dbus-system none found in %s\n", argv[i]);
+ if (arg_dbus_user_none && dbususernone == cnt_dbus_user_none)
+ printf("No dbus-user none found in %s\n", argv[i]);
 if (arg_apparmor && apparmor == cnt_apparmor)
 printf("No apparmor found in %s\n", argv[i]);
 if (arg_caps && caps == cnt_caps)
@@ -281,6 +299,8 @@ int main(int argc, char **argv) {
 printf("No private-tmp found in %s\n", argv[i]);
 if (arg_privateetc && privateetc == cnt_privateetc)
 printf("No private-etc found in %s\n", argv[i]);
+ if (arg_whitelisthome && whitelisthome == cnt_whitelisthome)
+ printf("Home directory not whitelisted in %s\n", argv[i]);
 if (arg_whitelistvar && whitelistvar == cnt_whitelistvar)
 printf("No include whitelist-var-common.inc found in %s\n", argv[i]);
 if (arg_whitelistrunuser && whitelistrunuser == cnt_whitelistrunuser)
@@ -310,11 +330,13 @@ int main(int argc, char **argv) {
 printf(" private-dev\t\t\t%d\n", cnt_privatedev);
 printf(" private-etc\t\t\t%d\n", cnt_privateetc);
 printf(" private-tmp\t\t\t%d\n", cnt_privatetmp);
+ printf(" whitelist home directory\t%d\n", cnt_whitelisthome);
 printf(" whitelist var\t\t%d (include whitelist-var-common.inc)\n", cnt_whitelistvar);
 printf(" whitelist run/user\t\t%d (include whitelist-runuser-common.inc\n", cnt_whitelistrunuser);
 printf("\t\t\t\t\tor blacklist ${RUNUSER})\n");
 printf(" whitelist usr/share\t\t%d (include whitelist-usr-share-common.inc\n", cnt_whitelistusrshare);
 printf(" net none\t\t\t%d\n", cnt_netnone);
+ printf(" dbus-user none \t\t%d\n", cnt_dbus_user_none);
 printf(" dbus-system none \t\t%d\n", cnt_dbus_system_none);
 printf("\n");
 return 0;
-- cgit v1.2.3-70-g09d2
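Review bot: The summary row added in the last hunk, `printf(" whitelist home directory\t%d\n", cnt_whitelisthome);`, is the only whitelist row whose label does not say what was matched, while the neighbouring `whitelist var`, `whitelist run/user` and `whitelist usr/share` rows each carry an `(include ...)` qualifier; since the counter is incremented only on `include whitelist-common.inc` (see the process_file() hunk), a reader of the README table cannot tell that from the label. Suggest `printf(" whitelist home directory\t%d (include whitelist-common.inc)\n", cnt_whitelisthome);`. The per-profile message in the second hunk, `Home directory not whitelisted in %s`, likewise departs from the `No ... found in %s` pattern used by every other check in the loop and claims more than was tested; `printf("No include whitelist-common.inc found in %s\n", argv[i]);` matches both the pattern and the actual check. main() begins and ends outside these hunks.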