AWS Inspector reports:
1.6.1.6 Ensure no unconfined daemons exist
Severity
High
Description
Description Daemons that are not defined in SELinux policy will inherit the security context of their parent process. Rationale Since daemons are launched and descend from the init process, they will inherit the security context label initrc_t . This could cause the unintended consequence of giving the process more permission than it requires.
Recommendation Investigate any unconfined daemons found during the audit action. They may need to have an existing security context assigned to them or a policy built for them.
Search for unconfined daemon:
[root@ip-10-0-1-136 bin]# ps -eZ | egrep "initrc" | egrep -vw "tr|ps|egrep|bash|awk" | tr ':' ' ' | awk '{ print $NF }'
ruby
ruby
I didn't find any document from AWS to confine codedeploy-agent. I was trying to follow a instruction from AWS to confine AWS Inspector agent instead. https://docs.aws.amazon.com/inspector/latest/userguide/inspector_installing-uninstalling-agents.html. ls -Z does show codedeploy-agent scripts in /etc/rc.d/init.d and /etc/init.d are with bin_t domain, however AWS Insprector scan still reports ruby (codedeploy-agent) a unconfined daemon process.
[root@ip-10-0-1-136 bin]# systemctl status codedeploy-agent.service
● codedeploy-agent.service - AWS CodeDeploy Host Agent Loaded: loaded (/usr/lib/systemd/system/codedeploy-agent.service; enabled; vendor preset: disabled) Active: active (running) since Mon 2021-05-17 15:49:43 UTC; 7s ago Process: 29048 ExecStop=/opt/codedeploy-agent/bin/codedeploy-agent stop (code=exited, status=0/SUCCESS) Process: 29516 ExecStart=/bin/bash -a -c [ -f /etc/profile ] && source /etc/profile; /opt/codedeploy-agent/bin/codedeploy-agent start (code=exited, status=0/SUCCESS) Main PID: 29528 (ruby) CGroup: /system.slice/codedeploy-agent.service ├─29528 codedeploy-agent: master 29528 └─29532 codedeploy-agent: InstanceAgent::Plugins::CodeDeployPlugin::CommandPoller of master 29528
May 17 15:49:43 ip-10-0-1-136.eu-west-1.compute.internal systemd[1]: Starting AWS CodeDeploy Host Agent... May 17 15:49:43 ip-10-0-1-136.eu-west-1.compute.internal systemd[1]: Started AWS CodeDeploy Host Agent.
[root@ip-10-0-1-136 bin]# ls -Z /opt/
drwxr-xr-x. root root system_u:object_r:usr_t:s0 aws
drwxr-xr-x. root root system_u:object_r:usr_t:s0 codedeploy-agent
[root@ip-10-0-1-136 bin]# ls -Z /opt/codedeploy-agent/bin/ -rwxr--r--. root root system_u:object_r:bin_t:s0 codedeploy-agent
-rwxr--r--. root root system_u:object_r:bin_t:s0 codedeploy-local
-rwxr--r--. root root system_u:object_r:bin_t:s0 install
-rwxr--r--. root root system_u:object_r:bin_t:s0 update
[root@ip-10-0-1-136 bin]# ls /etc/rc.d/init.d/ -Z
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 awsagent -rwxr--r--. root root system_u:object_r:bin_t:s0 codedeploy-agent
[root@ip-10-0-1-136 bin]# ls /etc/init.d/ -Z -rwxr-xr-x. root root system_u:object_r:bin_t:s0 awsagent -rwxr--r--. root root system_u:object_r:bin_t:s0 codedeploy-agent
Changed to bin_t seemed not working - since ps -Z still shows the process ran with initrc_t
[root@ip-10-0-1-136 bin]# ps -eZ | egrep "initrc" | egrep -vw "tr|ps|egrep|bash|awk" | tr ':' ' '
system_u system_r initrc_t s0 29528 ? 00 00 00 ruby
system_u system_r initrc_t s0 29532 ? 00 00 00 ruby
