From b6b23abadec1d5055c83df4ece7996dc1afa6a71 Mon Sep 17 00:00:00 2001
From: Sven Vermeulen
Date: Wed, 15 Jun 2011 18:59:27 +0200
Subject: [PATCH] Allow zabbix agent to query system state and other monitorable aspects
The zabbix agent is responsible for collecting the system state and other monitorable aspects. This include - information from /proc - read attributes of various files (tamper detection) - connect to the ssh service (check if it is reachable) - get file system information - read login information - ... It should be noted that the agent can do a lot more, depending on the target system (what is being monitored) and the running services. The allowed privileges here will in the future expand more as more templates are checked. Update: follow styleguide
Signed-off-by: Sven Vermeulen
---
policy/modules/services/zabbix.te | 38 +++++++++++++++++++++++++++++++
1 file changed, 38 insertions(+)
diff --git a/policy/modules/services/zabbix.te b/policy/modules/services/zabbix.te
index 465d86bf4..80f485bfb 100644
--- a/policy/modules/services/zabbix.te
+++ b/policy/modules/services/zabbix.te
@@ -119,8 +119,46 @@ fs_tmpfs_filetrans(zabbix_agent_t, zabbix_tmpfs_t, file)
 ## Kernel layer module calls
+# kernel module
+kernel_read_all_sysctls(zabbix_agent_t)
+kernel_read_system_state(zabbix_agent_t)
+
+# corecommands module
+corecmd_read_all_executables(zabbix_agent_t)
+
+# corenetwork module
+corenet_tcp_bind_generic_node(zabbix_agent_t)
+corenet_tcp_bind_zabbix_agent_port(zabbix_agent_t)
+corenet_tcp_connect_ssh_port(zabbix_agent_t)
+corenet_tcp_connect_zabbix_port(zabbix_agent_t)
+
+# devices module
+dev_getattr_all_blk_files(zabbix_agent_t)
+dev_getattr_all_chr_files(zabbix_agent_t)
+
+# domain module
+domain_search_all_domains_state(zabbix_agent_t)
+
+# files module
+files_getattr_all_dirs(zabbix_agent_t)
+files_getattr_all_files(zabbix_agent_t)
+files_read_all_symlinks(zabbix_agent_t)
+files_read_etc_files(zabbix_agent_t)
+
+# filesystem module
+fs_getattr_all_fs(zabbix_agent_t)
+
 ## System layer module calls
+# init module
+init_read_utmp(zabbix_agent_t)
+
+# logging module
+logging_search_logs(zabbix_agent_t)
+
+# miscfiles module
+miscfiles_read_localization(zabbix_agent_t)
+
 # sysnetwork module
 sysnet_dns_name_resolve(zabbix_agent_t)
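Review bot: The corecommands and files blocks grant `corecmd_read_all_executables`, `files_getattr_all_files` and `files_read_all_symlinks` to zabbix_agent_t unconditionally, which is wider than the "read attributes of various files (tamper detection)" use the commit message describes: read access to every executable and symlink target is content access, not attribute access, and a compromised agent inherits it on every host the policy is deployed to. If the tamper-detection templates compare attributes only, the executables rule could be narrowed to a getattr interface; if they do hash file contents, gating the read rules behind a boolean would let deployments that do not run those templates drop the access. Either way, a one-line comment next to each of the `*_all_*` calls naming the monitoring item that needs it (e.g. `# tamper detection: file attributes only`) would make later audits of this domain's scope much easier, since the message already anticipates the rule set growing template by template.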