Friday, March 16, 2012

Using Skulker to Improve Security

Isn't Skulker used to save disk space?
That is indeed the case, but one of its features, the "setperms" action, can also be used to change the permissions, owner and group of matched files (on UNIX platforms only, unfortunately).

Example 1
A few examples might clarify the use. Consider the following requirement:

Find all world-writeable files in the directory "/data" and remove that permission bit.

Doing this via a rule is easy:

<?xml version="1.0" standalone="yes"?>
<skulker_rules>
  <defaults
    interval="0D"
  />
  <rule
    n="10"
    type="setperms perms=o-w"
    match_pattern="/data/.../.*"
    match_by="has_perm('o','w')"
  />
</skulker_rules>

Notice the use of the "has_perm" function to ensure that only files which have world write permission are matched. Actually, since "setperms" is only removing that permission bit, the match_by clause is not needed in this case, and so the above can be simplified a little:

<?xml version="1.0" standalone="yes"?>
<skulker_rules>
  <defaults
    interval="0D"
  />
  <rule
    n="10"
    type="setperms perms=o-w"
    match_pattern="/data/.../.*"
  />
</skulker_rules>

In this case all files in the "/data" directory structure are passed to the "setperms" routine - but only files that are world-writeable will be modified (and shown in the log output).

Example 2
Consider the following requirement:

Ensure all gzip compressed log files in the directories "/data/dir1" and "/data/dir2" are changed to only have owner permissions.

<?xml version="1.0" standalone="yes"?>
<skulker_rules>
  <defaults
    interval="0D"
  />
  <rule
    n="10"
    type="setperms perms=o-rwx,g-rwx"
    match_pattern="/data/dir[12]/.*\.gz$"
  />
</skulker_rules>

A couple of points to note about this rule...

  1. The match_pattern shows the use of directory-level pattern matching (both the file and the directory components of the pattern can contain regular expressions).
  2. The "perms" argument to "setperms" has two sets of changes: firstly "o-rwx" removes all permissions from others, and then "g-rwx" removes all permissions from the group.
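To check what rules like these would do before enabling them, here is an added example (not Skulker's own code, and not from the original post) that dry-runs a setperms rule in Python over a constructed path-to-mode mapping. It assumes, as the examples above suggest, that "..." in a match_pattern matches any number of directory levels and that the perms value follows chmod's symbolic syntax.

```python
import re

# Constructed sample of a scan of /data (path -> permission bits), not real data.
SAMPLE_TREE = {
    "/data/notes.txt": 0o666,          # world-writable: Example 1 changes it
    "/data/sub/run.sh": 0o777,         # world-writable: Example 1 changes it
    "/data/sub/readme": 0o644,         # not world-writable: left alone
    "/data/dir1/app.log.gz": 0o644,    # Example 2 changes it to 0600
    "/data/dir2/old.log.gz": 0o664,    # Example 2 changes it to 0600
    "/data/dir3/other.log.gz": 0o644,  # dir3 is not dir[12]: left alone
    "/data/dir1/app.log": 0o644,       # not .gz: left alone
}
WHO = {"u": 0o700, "g": 0o070, "o": 0o007}
BITS = {"r": 0o444, "w": 0o222, "x": 0o111}

def _mask(who, bits):
    """Bits selected by e.g. who='go', bits='rw' (chmod symbolic-mode style)."""
    return sum(WHO[w] & BITS[b] for w in set(who) for b in set(bits))

def has_perm(mode, who, bits):
    """Stand-in for the rule's has_perm('o','w'): true if all given bits are set for `who`."""
    return mode & _mask(who, bits) == _mask(who, bits)

def apply_symbolic(mode, spec):
    """Apply a setperms 'perms' value such as 'o-w' or 'o-rwx,g-rwx' to a mode."""
    for clause in spec.split(","):
        m = re.fullmatch(r"([ugo]+)([-+])([rwx]+)", clause)
        if not m:
            raise ValueError(f"unsupported perms clause: {clause!r}")
        who, op, bits = m.groups()
        mode = mode | _mask(who, bits) if op == "+" else mode & ~_mask(who, bits)
    return mode

def rule_to_regex(match_pattern):
    """Assumption: '...' matches any depth of directories; the rest is already a regex."""
    return re.compile("^" + match_pattern.replace("/.../", "/(?:.*/)?"))

def plan_changes(tree, match_pattern, perms):
    """Dry run of one setperms rule: (path, old, new) for files whose bits would change."""
    rx = rule_to_regex(match_pattern)
    plan = []
    for path, mode in sorted(tree.items()):
        new = apply_symbolic(mode, perms)
        if rx.match(path) and new != mode:  # setperms only touches files that actually change
            plan.append((path, mode, new))
    return plan
```

Feed plan_changes a mapping built from os.walk and os.lstat of a real tree to preview a rule before Skulker runs it.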
