The Center for Internet Security has certain recommendations your Linux machine should comply with. One of them is that there should be no unconfined daemons.
I have two identical machines (one for testing, one for production), both running CentOS 7.3, and when I'm looking for unconfined daemons using the command:
Code:
    ps -eZ | egrep "initrc" | egrep -vw "tr|ps|egrep|bash|awk" | tr ':' ' ' | awk '{ print $NF }'
The test machine returns nothing, which is OK. The production machine returns quite a number of hits.
The hits found are all processes spawned from one particular program.
When I do a
Code:
    ps -eZ | grep <pid_of_program>
Code:
    system_u:system_r:unconfined_service_t:s0 1354 ? 00:13:43 <programname>
the same command on the production machine returns
Code:
    system_u:system_r:initrc_t:s0 1371 ? 00:20:08 <programname>
If I look at the SELinux context setting for this program, in production I get
Code:
    -rwx------. root root system_u:object_r:bin_t:s0 <programname>
In test this is identical:
Code:
    -rwx------. root root system_u:object_r:bin_t:s0 <programname>
I do not know where to look from here to determine why the context for the process in production is different from the one in test.
If anyone has any suggestions, I would be very grateful if you could share them with me.
Thanks,
Hans
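An added example, not part of Hans's post, that does the diagnosis the question asks for: it parses `ps -eo label,pid,ppid,comm` output, flags processes in initrc_t (the domain the CIS check greps for) or unconfined_service_t, and prints each one's ancestry with domains so you can see where the unconfined domain was inherited. The input is a constructed listing modelling one common cause of exactly this difference: a bin_t program started from a legacy init script or /etc/rc.d/rc.local (both initrc_exec_t) runs in initrc_t and so do its children, while the same binary started directly by systemd as a service gets unconfined_service_t. Process names and PIDs in the sample are made up.

```shell
#!/bin/sh
# Added example, not from the original post: find daemons in an unconfined
# SELinux domain and show the parent chain each one inherited it from.
# Input is `ps -eo label,pid,ppid,comm --no-headers` output; on a live host run
#   report "$(ps -eo label,pid,ppid,comm --no-headers)"

# initrc_t is what the CIS check greps for; unconfined_service_t is the domain
# systemd gives a bin_t executable it starts directly (also unconfined).
UNCONFINED='initrc_t|unconfined_service_t'

# find_unconfined PS_OUTPUT -> one "pid domain comm" line per unconfined process
find_unconfined() {
    printf '%s\n' "$1" | awk -v re="$UNCONFINED" '
        { split($1, ctx, ":"); dom = ctx[3] }
        (dom ~ ("^(" re ")$")) { print $2, dom, $4 }'
}

# ancestry PS_OUTPUT PID -> "comm(domain) <- parent(domain) <- ..." up to pid 1
ancestry() {
    printf '%s\n' "$1" | awk -v p="$2" '
        { split($1, ctx, ":"); dom[$2] = ctx[3]; ppid[$2] = $3; comm[$2] = $4 }
        END {
            out = ""; sep = ""
            while (p in comm) {
                out = out sep comm[p] "(" dom[p] ")"
                sep = " <- "
                p = ppid[p]
            }
            print out
        }'
}

# report PS_OUTPUT -> one line per unconfined process with its ancestry
report() {
    find_unconfined "$1" | while read -r pid dom comm; do
        printf '%s %s %s: %s\n' "$pid" "$dom" "$comm" "$(ancestry "$1" "$pid")"
    done
}

# Constructed listing (not real ps output): "programname" was started from
# rc.local, so it and its child stay in initrc_t; "otherdaemon" was started
# directly by systemd from a bin_t binary and got unconfined_service_t.
SAMPLE='system_u:system_r:init_t:s0 1 0 systemd
system_u:system_r:initrc_t:s0 900 1 rc.local
system_u:system_r:initrc_t:s0 1371 900 programname
system_u:system_r:initrc_t:s0 1400 1371 programname
system_u:system_r:sshd_t:s0 1200 1 sshd
system_u:system_r:unconfined_service_t:s0 1354 1 otherdaemon'

report "$SAMPLE"
```

If the production daemon's chain ends in an initrc_t ancestor such as an init script or rc.local, that ancestor is what to replace with a native unit file (or to give the program its own policy module).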