-
Notifications
You must be signed in to change notification settings - Fork 21
How to write a profile for SEChecker
##1. Use of Profiles
SEChecker has a wide variety of modules which perform various tests on the policy and/or system. To make the management and running of these modules easier, several profiles are defined.
A profile is used to run a set of modules with options set in a way that the resulting report reflects a specific security goal.
To write your own profile, create a new XML file named profile_name.prof. The format of the file is detailed below.
##2. Format of the Profile
A profile is an XML file loaded by SEChecker to run a specific set of tests. The profile recognizes the following tags
The sechecker tag should be the first open tag in the file and the final
tag to be closed. The tag has a single attribute version, which should
be set to the current version of SEChecker you are using. To find your
version number, run: sechecker --version.
<sechecker version="1.0">
Be sure to remember to close this tag at the end of the file.
The profile tag tells the parser that SEChecker should interpret this file as a profile. This tag has no attributes.
<profile>
Close this tag just before the sechecker tag is closed at the end of
the file
The module tag tells SEChecker that a particular module should be run for this profile. The only attribute is name.
<module name="mod_name">
This tag is closed after all other tags related to that module
The output tag tells SEChecker to use this output format for the module in which it appears. This tag is optional and has one attribute, value.
<output value="short"/>
This tag should close itself. The valid values are:
none : do not print anything in the report; only run this module as dependency of another module. quiet : print only the stats and header in the report short : print the header, stats, and a list of items found by the module without any accompanying proof long : print the header, stats, and a list of items found by the module with proof of the result following each item verbose : print all possible output including the header, stats, a list of items and a list of items with proof
NOTE: any of the above values other than none are overridden by the command line output flags. Setting an output value in a profile overrides the default setting in the configuration file for this profile only.
The option tag allows a profile to specify additional options for a
module. The option tag has two mandatory attributes, name and value.
The values of these attributes is specific to the module for which the
option is specified. Options specified in a profile are used in addition
to those in the configuration file.
<option name="option_name" value="some_value"/>
This tag closes itself. As its name implies this tag is optional.
- Example Profile
The following is a brief example of a profile
<sechecker version="1.0">
<profile>
<module name="mod1">
</module>
<module name="mod2">
<output value="none"/>
<option name="attribute" value="my_attrib"/>
</module>
<module name="mod3">
<option name="foo" value="bar"/>
</module>
<module name="mod4">
<output value="short"/>
</module>
<module name="mod5">
<output value="quiet"/>
<option name="type" value="shadow_t"/>
</module>
</profile>
</sechecker>
The result of this profile would be:
- run mod1 with default configuration; print with default settings
- run mod2 with the additional attribute my_attrib, but don't print its results
- run mod3 with option foo set to bar (in addition to any other settings); print with default settings
- run mod4; print in short output
- run mod5 with additional type shadow_t; print using quiet output
If there are also modules mod6 and mod7, neither would be run unless one of the other modules (mod1-5) had a dependency on them.