File name: learn_config

#This configuration file aids the learning process by tweaking
#the learning algorithm for specific paths.
#
#It accepts lines in the form of <command> <pathname>
#Where <command> can be inherit-learn, no-learn, inherit-no-learn,
#high-reduce-path, dont-reduce-path, protected-path, high-protected-path,
#read-protected-path, and always-reduce-path
#
#inherit-learn, no-learn, and inherit-no-learn operate only with
#full learning
#
#high-reduce-path, dont-reduce-path, always-reduce-path, protected-path,
#and high-protected-path operate on both full and regular learning
#(subject and role learning)
#
#inherit-learn changes the learning process for the specified path
#by throwing all learned accesses for every binary executed by the
#processes contained in the pathname into the subject specified
#by the pathname. This is useful for cron in the case of full
#system learning, so that scripts that eventually end up executing
#mv or rm with privilege don't cause the root policy to grant
#that privilege to mv or rm in all cases.
#
#no-learn allows processes within the path to perform any operation
#that normal system usage would allow without restriction. If
#a process is generating a huge number of learning logs, it may be
#best to use this command on that process and configure its policy
#manually.
#
#inherit-no-learn combines the above two cases, such that processes
#within the specified path will be able to perform any normal system
#operation without restriction, as will any binaries executed by
#these processes.
#
#high-reduce-path modifies the heuristics of the learning process
#to weigh in favor of reducing accesses for this path
#
#dont-reduce-path modifies the heuristics of the learning process
#so that it will never reduce accesses for this path
#
#always-reduce-path modifies the heuristics of the learning process
#so that the path specified will always have all files and directories
#within it reduced to the path specified.
#
#protected-path specifies a path on your system that is considered an
#important resource. Any process that modifies one of these paths
#is given its own subject in the learning process, facilitating
#a secure policy.
#
#read-protected-path specifies a path on your system that contains
#sensitive information. Any process that reads one of these paths is
#given its own subject in the learning process, facilitating a secure
#policy.
#
#high-protected-path specifies a path that should be hidden from
#all processes but those that access it directly. It is recommended
#to use highly sensitive files for this command.
#
#regular expressions are not supported for pathnames in this config file
#
#
# uncomment this next line if you don't wish to generate a policy that
# restricts roles to specific IP ranges:
# dont-learn-allowed-ips
#
# to write out your generated policy such that roles are split into separate
# files by the name of the role (within user/group directories), uncomment
# the next line:
# split-roles

always-reduce-path /dev/pts
always-reduce-path /var/spool/qmailscan/tmp
always-reduce-path /var/spool/exim4
always-reduce-path /var/run/screen
always-reduce-path /usr/share/locale
always-reduce-path /usr/share/zoneinfo
always-reduce-path /usr/share/terminfo
always-reduce-path /usr/portage
always-reduce-path /tmp
always-reduce-path /var/tmp

high-reduce-path /dev/.udev
high-reduce-path /dev/mapper
high-reduce-path /dev/snd
high-reduce-path /proc
high-reduce-path /lib
high-reduce-path /lib32
high-reduce-path /libx32
high-reduce-path /lib64
high-reduce-path /lib/tls
high-reduce-path /lib32/tls
high-reduce-path /libx32/tls
high-reduce-path /lib64/tls
high-reduce-path /lib/security
high-reduce-path /lib/modules
high-reduce-path /lib32/modules
high-reduce-path /lib64/modules
high-reduce-path /usr/lib
high-reduce-path /usr/lib32
high-reduce-path /usr/libx32
high-reduce-path /usr/lib64
high-reduce-path /usr/lib/tls
high-reduce-path /usr/lib32/tls
high-reduce-path /usr/libx32/tls
high-reduce-path /usr/lib64/tls
high-reduce-path /usr/lib64/openoffice
high-reduce-path /var/lib
high-reduce-path /usr/bin
high-reduce-path /usr/sbin
high-reduce-path /sbin
high-reduce-path /bin
high-reduce-path /usr/local/share
high-reduce-path /usr/local/bin
high-reduce-path /usr/local/sbin
high-reduce-path /usr/local/etc
high-reduce-path /usr/local/lib
high-reduce-path /usr/share
high-reduce-path /usr/X11R6/lib
high-reduce-path /var/lib/openldap-data
high-reduce-path /var/lib/krb5kdc

dont-reduce-path /
dont-reduce-path /home
dont-reduce-path /dev
dont-reduce-path /usr
dont-reduce-path /var
dont-reduce-path /opt

protected-path /etc
protected-path /lib
protected-path /boot
protected-path /run
protected-path /usr
protected-path /opt
protected-path /var
protected-path /dev/log
protected-path /root
protected-path /sys

read-protected-path /etc/ssh
read-protected-path /proc/kallsyms
read-protected-path /proc/kcore
read-protected-path /proc/slabinfo
read-protected-path /proc/modules
read-protected-path /lib/modules
read-protected-path /lib64/modules
read-protected-path /boot
read-protected-path /etc/shadow
read-protected-path /etc/shadow-
read-protected-path /etc/gshadow
read-protected-path /etc/gshadow-
read-protected-path /sys

high-protected-path /etc/ssh
high-protected-path /proc/kcore
high-protected-path /proc/sys
high-protected-path /proc/bus
high-protected-path /proc/slabinfo
high-protected-path /proc/modules
high-protected-path /proc/kallsyms
high-protected-path /etc/passwd
high-protected-path /etc/shadow
high-protected-path /var/backups
high-protected-path /etc/shadow-
high-protected-path /etc/gshadow
high-protected-path /etc/gshadow-
high-protected-path /var/log
high-protected-path /dev/mem
high-protected-path /dev/kmem
high-protected-path /dev/port
high-protected-path /dev/log
high-protected-path /sys
high-protected-path /etc/ppp
high-protected-path /etc/samba/smbpasswd
# to protect kernel images
high-protected-path /boot
high-protected-path /lib/modules
high-protected-path /lib64/modules
high-protected-path /usr/src

inherit-learn /etc/cron.d
inherit-learn /etc/cron.hourly
inherit-learn /etc/cron.daily
inherit-learn /etc/cron.weekly
inherit-learn /etc/cron.monthly

#It is important that software updates be performed manually by someone in
#an admin role, not performed automatically via cron jobs.
#With just the /etc/cron.daily rule above, a policy will be generated that
#allows the automatic package updater script to update services and
#restart them. With its inherit rules, this would also cause the services
#to be restarted with the ability to update packages, etc.
#The rule below makes sure, for the case of apt-based auto-updates, that
#no learning is performed for this behavior, to force the admin to deal with
#this in some way.
inherit-no-learn /etc/cron.daily/apt

# the below lines are for catching the occasional use of init.d scripts at runtime
# comment them out if you are starting learning before services are started by init
# (a highly non-recommended choice)
inherit-learn /etc/init.d
inherit-learn /etc/rc.d/init.d
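The comment block at the top of the file describes the `<command> <pathname>` format, which commands only take effect under full learning, that pathnames may not contain regular expressions, and what always-reduce-path does to learned accesses. As an added example (not gradm code and not part of the shipped learn_config), the script below lints a learn_config against those rules and then applies always-reduce-path to a constructed list of learned accesses so you can see which paths collapse. The absolute-path check, the `*?[]` metacharacter set, and the sample config and accesses are this script's own assumptions; high-reduce-path and dont-reduce-path only bias heuristics the comments do not specify, so they are deliberately not modelled.

```python
"""Lint a grsecurity learn_config and show what always-reduce-path does.

Added example, not gradm code. Parses the <command> <pathname> format from
the file's comment block, rejects lines the comments say are invalid, and
applies always-reduce-path to constructed learned accesses. The absolute-path
check and the metacharacter set are this script's assumptions.
"""

# Commands that take exactly one pathname, per the comment block.
PATH_COMMANDS = {
    "inherit-learn", "no-learn", "inherit-no-learn",
    "high-reduce-path", "dont-reduce-path", "always-reduce-path",
    "protected-path", "high-protected-path", "read-protected-path",
}
# Bare switches, commented out by default in the shipped file.
FLAG_COMMANDS = {"dont-learn-allowed-ips", "split-roles"}
# Per the comments, these operate only with full learning.
FULL_LEARNING_ONLY = {"inherit-learn", "no-learn", "inherit-no-learn"}
# Assumption: a pathname containing these was meant as a pattern.
PATTERN_CHARS = set("*?[]")


def parse_learn_config(text):
    """Return (rules, problems): accepted (lineno, cmd, path|None) tuples
    and rejected (lineno, message) tuples."""
    rules, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        cmd, *args = line.split()
        if cmd in FLAG_COMMANDS:
            if args:
                problems.append((lineno, f"{cmd} takes no argument"))
                continue
            rules.append((lineno, cmd, None))
        elif cmd in PATH_COMMANDS:
            if len(args) != 1:
                problems.append((lineno, f"{cmd} needs exactly one pathname"))
                continue
            path = args[0]
            if not path.startswith("/"):
                problems.append((lineno, f"pathname is not absolute: {path}"))
                continue
            if PATTERN_CHARS & set(path):
                problems.append((lineno, f"regex/glob characters are not supported: {path}"))
                continue
            rules.append((lineno, cmd, path))
        else:
            problems.append((lineno, f"unknown command: {cmd}"))
    return rules, problems


def needs_full_learning(rules):
    """Rules that only operate under full system learning."""
    return [r for r in rules if r[1] in FULL_LEARNING_ONLY]


def _under(path, prefix):
    """True if path is prefix itself or lies beneath that directory."""
    return path == prefix or path.startswith(prefix.rstrip("/") + "/")


def reduce_access(path, rules):
    """Collapse a learned access per always-reduce-path: anything beneath
    such an entry is recorded as the entry itself (longest match wins).
    high-reduce-path and dont-reduce-path are not modelled (assumption)."""
    best = None
    for _, cmd, prefix in rules:
        if cmd == "always-reduce-path" and _under(path, prefix):
            if best is None or len(prefix) > len(best):
                best = prefix
    return path if best is None else best


# Constructed sample: a few lines from the shipped file plus four
# deliberately broken lines (9-12) to exercise the checks.
SAMPLE_CONFIG = """\
# constructed sample
always-reduce-path /tmp
always-reduce-path /dev/pts
dont-reduce-path /
read-protected-path /etc/shadow
inherit-no-learn /etc/cron.daily/apt
split-roles
# the rest are deliberately broken
always-reduce-path /var/spool/*
inherit-learn relative/path
dont-learn-allowed-ips /etc
protect-path /etc
"""

# Constructed learned accesses; /tmpfile must not be folded into /tmp.
SAMPLE_ACCESSES = ["/tmp/sess_1", "/tmp", "/dev/pts/3", "/etc/shadow", "/tmpfile"]


def reduced_sample():
    """Map each sample access to what the learner would record for it."""
    rules, _ = parse_learn_config(SAMPLE_CONFIG)
    return {p: reduce_access(p, rules) for p in SAMPLE_ACCESSES}


if __name__ == "__main__":
    rules, problems = parse_learn_config(SAMPLE_CONFIG)
    for lineno, msg in problems:
        print(f"line {lineno}: {msg}")
    for lineno, cmd, path in needs_full_learning(rules):
        print(f"line {lineno}: {cmd} {path} only applies under full learning")
    for path, reduced in reduced_sample().items():
        print(f"{path} -> {reduced}")
```

Run it against a real `/etc/grsec/learn_config` by passing the file's contents to `parse_learn_config`; the full-learning report is the useful part when a policy learned in regular (subject or role) mode mysteriously ignores the cron inherit rules. The `/tmpfile` case is there because a naive `startswith("/tmp")` check would wrongly fold it into `/tmp`.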