Re: Managing SELinux in the Enterprise

On 2014-10-12 6:14, Douglas Brown wrote:
semanage is great for general administration but not for compliance; it's not really designed to compare an expected configuration with the running configuration and rectify any differences. Rather, for the most part, it applies cumulative changes.

I use a cron job that runs "semanage -o" to dump the current configuration and compare it, using diff, with the expected configuration which is just the output of "semanage -o -" manually generated by an administrator at the last time the configuration was changed.

The same cronjob also checks the output of sestatus and "semodule -l" against expected values.

This approach is primitive, but it works.  You could hash the output, if you wanted, and compare the hash instead of using diff.  I use diff in order to have the cron job email the administrator the diff output, showing how the actual configuration is different from the expected configuration in the alert.

-- 
  Mark Montague
  mark@xxxxxxxxxxx
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
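The cron job Mark describes, written out as an added example that is not part of the original post. It assumes baseline files under /etc/selinux/baseline (semanage.txt, sestatus.txt, modules.txt) that an administrator produced from "semanage -o -", sestatus and "semodule -l" at the last intended change, and a local mail command for the alert; those names and paths are assumptions, not anything the list post specifies.

```sh
#!/bin/sh
# Added example, not code from the original post: a cron-driven SELinux
# compliance check along the lines Mark describes. Assumptions: the baseline
# files under /etc/selinux/baseline were generated by an administrator from
# "semanage -o -", "sestatus" and "semodule -l" when the configuration was
# last intentionally changed, and a local "mail" command exists for alerts.
BASELINE_DIR="${BASELINE_DIR:-/etc/selinux/baseline}"
ALERT_TO="${ALERT_TO:-root}"
REPORT="${REPORT:-$(mktemp)}"

# compare_output NAME EXPECTED_FILE COMMAND [ARGS...]
# Runs COMMAND, diffs its output against EXPECTED_FILE and appends the
# unified diff to $REPORT when they differ. Returns 0 if identical, 1 on drift.
compare_output() {
    name=$1; expected=$2; shift 2
    actual=$(mktemp) || return 2
    "$@" >"$actual" 2>/dev/null
    if diff -u "$expected" "$actual" >"$actual.diff"; then
        rm -f "$actual" "$actual.diff"
        return 0
    fi
    {
        printf '=== %s: running configuration differs from baseline ===\n' "$name"
        cat "$actual.diff"
    } >>"$REPORT"
    rm -f "$actual" "$actual.diff"
    return 1
}

# run_checks: compare all three sources against their baselines and mail the
# collected diffs if anything drifted. Exit status = number of drifted checks.
run_checks() {
    drift=0
    compare_output semanage "$BASELINE_DIR/semanage.txt" semanage -o - || drift=$((drift + 1))
    compare_output sestatus "$BASELINE_DIR/sestatus.txt" sestatus       || drift=$((drift + 1))
    compare_output semodule "$BASELINE_DIR/modules.txt"  semodule -l    || drift=$((drift + 1))
    if [ "$drift" -gt 0 ]; then
        mail -s "SELinux configuration drift on $(hostname)" "$ALERT_TO" <"$REPORT"
    fi
    rm -f "$REPORT"
    return "$drift"
}

# Invoke from cron as: selinux-compliance.sh --run
case "${1:-}" in --run) run_checks ;; esac
```

Because the alert carries the unified diff rather than a hash, the administrator sees exactly which lines of the running configuration departed from the baseline.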
