PaX flags can be set to restrict the actions of binaries and provide overall system protection. The problem is that PaX flags have to be reapplied once software is upgraded, which makes setting them and tracking the binaries difficult. One solution is a program that runs via cron and sets the flags on the binaries based on a known set of working permissions (a template).
The configuration file can be found in the pax linux database and is formatted in JSON. It is additionally provided here for convenience:
Filename | Filesize | Last modified |
---|---|---|
paxflags.conf | 1.2 KiB | 2014/12/19 22:41 |
It has to be placed in the /etc/ directory. After that, the script below can be placed in /etc/cron.daily/ and made executable so that the PaX flags are reapplied daily.
The code uses File::Slurp to read in the configuration file from /etc/paxflags.conf and then uses JSON::XS to walk through the file. Both Perl modules have to be installed for this script to work. Compared to strict JSON, the JSON::XS module in relaxed mode allows hash-based comments (#) in the configuration file, so that lines can be commented out.
```perl
#!/usr/bin/perl
###########################################################################
##  Copyright (C) Wizardry and Steamworks 2013 - License: GNU GPLv3      ##
##                                                                       ##
##  Please see: http://www.gnu.org/licenses/gpl.html for legal details,  ##
##  rights of fair usage, the disclaimer and warranty conditions.        ##
###########################################################################
use strict;
use warnings;
use JSON::XS;
use File::Slurp;

# Relaxed mode lets the configuration file carry '#' comments.
my $coder = JSON::XS->new->ascii->pretty->allow_nonref->relaxed;
my $json  = read_file('/etc/paxflags.conf');
my $cfg   = $coder->decode($json);

# Layout of the configuration: { "<flags>": { "<daemon>": [ "<binary>", ... ] } }
foreach my $pax (keys %$cfg) {
    foreach my $daemon (keys %{ $cfg->{$pax} }) {
        # Skip daemons that do not exist on this system.
        my $status = `service $daemon status 2>&1`;
        next if $status =~ /unrecognized/i;
        # An optional command-line argument limits the run to one daemon.
        next if defined $ARGV[0] and $ARGV[0] ne $daemon;
        foreach my $file (@{ $cfg->{$pax}->{$daemon} }) {
            # Compare against the 12-character flag field only, not the whole
            # output: the "PaX flags:" label itself contains letters such as P and s.
            my $output = `paxctl -vqQ $file 2>/dev/null`;
            my ($flags) = $output =~ /([PEMRXSpemrxs\-]{12})/;
            $flags = '' unless defined $flags;   # no PT_PAX_FLAGS header yet
            foreach (split(//, $pax)) {
                next if $_ eq "-";
                if ($flags !~ /$_/) {
                    `service $daemon stop`;
                    `paxctl -q -c$pax $file`;
                    last;
                }
            }
        }
        `service $daemon start`;
    }
}
```
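As an added example that is not part of the page's script, the comparison the cron job performs, written in Python over a constructed paxctl output and a constructed configuration of the same shape as paxflags.conf; the daemon names, paths and the 12-character field layout of paxctl's verbose output are assumptions. It also shows why the check has to be made against the flag field rather than the whole paxctl output.

```python
import re

# Field printed by `paxctl -v`: six flag pairs in the order P S M X E R, where an
# uppercase letter means enabled, lowercase explicitly disabled and '-' unset
# (assumed layout; the cron script's own regex accepts the same 12 characters).
FLAG_FIELD = re.compile(r"([PSMXERpsmxer-]{12})")

# Constructed config in the shape the script reads from /etc/paxflags.conf:
# flags -> daemon -> list of binaries. Names and paths are hypothetical.
CONFIG = {
    "mx": {
        "daemon-a": ["/usr/sbin/daemon-a"],
        "daemon-b": ["/usr/sbin/daemon-b", "/usr/libexec/daemon-b-helper"],
    },
}

# Constructed stand-in for `paxctl -vqQ <file>` after an upgrade replaced daemon-b.
PAXCTL_OUTPUT = {
    "/usr/sbin/daemon-a": "- PaX flags: -----m-x---- [/usr/sbin/daemon-a]\n",
    "/usr/sbin/daemon-b": "- PaX flags: ------------ [/usr/sbin/daemon-b]\n",
    "/usr/libexec/daemon-b-helper": "",  # no PT_PAX_FLAGS header at all
}


def flag_field(output):
    """Return the 12-character flag field, or '' when paxctl printed no header."""
    m = FLAG_FIELD.search(output)
    return m.group(1) if m else ""


def missing_flags(output, wanted):
    """Letters of `wanted` (ignoring '-') that the binary's header does not carry."""
    field = flag_field(output)
    return [f for f in wanted if f != "-" and f not in field]


def naive_missing_flags(output, wanted):
    """The same test run against the whole output: 'PaX flags:' and the path
    supply letters such as P, X and s, so those flags look set when they are not."""
    return [f for f in wanted if f != "-" and f not in output]


def plan(cfg, outputs):
    """Walk the config the way the cron job does and return, per daemon,
    the flag string and the binaries that must be fixed (stop, paxctl, start)."""
    todo = {}
    for wanted, daemons in cfg.items():
        for daemon, files in daemons.items():
            fixes = [f for f in files if missing_flags(outputs.get(f, ""), wanted)]
            if fixes:
                todo[daemon] = (wanted, fixes)
    return todo
```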