aws / amazon-ssm-agent

An agent to enable remote management of your EC2 instances, on-premises servers, or virtual machines (VMs).
https://aws.amazon.com/systems-manager/
Apache License 2.0
1.04k stars 322 forks

missing selinux settings or policies to run amazon-ssm-agent in its own confined space #403

Closed ghunsl closed 1 year ago

ghunsl commented 2 years ago

amazon-ssm-agent is running in the unconfined_service_t domain, which is a violation according to the latest CIS document (i.e. CIS v3.1.1 for RHEL 7, section 1.6.1.6 "Ensure no unconfined services exist"). SELinux policies or settings are required for amazon-ssm-agent to run in its own confined space.

```
# ps -eZ | grep unconfined_service_t
system_u:system_r:unconfined_service_t:s0 2181 ? 00:00:00 amazon-ssm-agen
system_u:system_r:unconfined_service_t:s0 2222 ? 00:00:00 ssm-agent-worke
```

jonhadfield commented 2 years ago

Likewise, for CIS v3.1.2 Level 1 Server for CentOS 7.

```
ps -eZ | grep unconfined_service_t
system_u:system_r:unconfined_service_t:s0 1279 ? 00:00:00 amazon-ssm-agen
system_u:system_r:unconfined_service_t:s0 1359 ? 00:00:00 ssm-agent-worke
```

Installed version amazon-ssm-agent.x86_64 3.1.1004.0-1
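
The two reports above run the CIS 1.6.1.6 audit by hand (`ps -eZ | grep unconfined_service_t`). The script below is an added example, not code from the amazon-ssm-agent project or from either reporter: it parses `ps -eZ`-style output, picks out every process whose SELinux type (the third colon-separated field of the context) is `unconfined_service_t`, and returns a pass/fail status, so it can be dropped into a hardening check or CI job. The `SAMPLE_PS_OUTPUT` lines are constructed to resemble the pasted output above and are not a real capture; on a live host, pipe real `ps -eZ` output into `audit_unconfined_services` instead.

```bash
#!/bin/sh
# Added example (not from aws/amazon-ssm-agent): audit for services running in
# the unconfined_service_t SELinux domain, the check behind CIS RHEL 7
# benchmark 1.6.1.6 ("Ensure no unconfined services exist").
#
# In `ps -eZ` output the security context is the first column and has the
# form user:role:type[:level]; the domain we care about is the type field.

# Print "PID COMMAND" for every process whose SELinux type equals the given
# domain. Reads `ps -eZ`-style lines on stdin.
list_in_domain() {
    want="$1"
    awk -v want="$want" '
        NR == 1 && $1 == "LABEL" { next }      # skip the ps header row
        {
            split($1, ctx, ":")                # user:role:type[:level...]
            if (ctx[3] == want) {
                cmd = $5                       # CMD starts at column 5
                for (i = 6; i <= NF; i++) cmd = cmd " " $i
                print $2, cmd                  # PID and command name
            }
        }'
}

# Constructed sample of `ps -eZ` output (not a real capture): two confined
# processes, then the agent and its worker running unconfined.
SAMPLE_PS_OUTPUT='LABEL                             PID TTY          TIME CMD
system_u:system_r:init_t:s0           1 ?        00:00:02 systemd
system_u:system_r:sshd_t:s0-s0:c0.c1023 1170 ?        00:00:00 sshd
system_u:system_r:unconfined_service_t:s0 2181 ?        00:00:00 amazon-ssm-agen
system_u:system_r:unconfined_service_t:s0 2222 ?        00:00:00 ssm-agent-worke'

# Exit 0 (pass) when nothing runs in unconfined_service_t, 1 (fail) otherwise.
# Offending processes are listed on stdout so the finding is actionable.
audit_unconfined_services() {
    offenders="$(list_in_domain unconfined_service_t)"
    if [ -z "$offenders" ]; then
        echo "PASS: no processes in unconfined_service_t"
        return 0
    fi
    echo "FAIL: processes running in unconfined_service_t:"
    echo "$offenders"
    return 1
}

# Demonstration against the constructed sample. On a real host use:
#   ps -eZ | audit_unconfined_services
printf '%s\n' "$SAMPLE_PS_OUTPUT" | audit_unconfined_services || echo "audit exit status: $?"
```

The type field is taken by splitting on `:` rather than by column position because MLS/MCS levels such as `s0-s0:c0.c1023` also contain colons; splitting still leaves the type in the third slot, so confined daemons with ranged levels are not misreported.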

ayushman4 commented 1 year ago

https://github.com/ayushman4/amazon_ssm_agent_selinux

sluggard76 commented 1 year ago

Official SELinux policy: https://github.com/aws/amazon-ssm-agent-selinux. Note: this is for Amazon Linux at this point.

sluggard76 commented 1 year ago

We have created a feature request to support other Linux flavors, including RHEL 7. Please note that we have a backlog of feature requests. We'll prioritize and work on those requests as they come in.