Download and Install

- Download the integrated source code (PCSS and ELSA) by downloading the "pcss_elsa.tar" file, or the patch "pcss-elsa.patch".
- Compile and install it (use make and make install).

Note: Our solution will work only when SELinux is enabled (even permissive mode will do), as we need SELinux to obtain the security context of processes. If SELinux is not available, ELSA will still work, but there won't be any automatic classification of processes. You can check the status of SELinux with the 'sestatus' command.

===========================================================================================================

Using Automatic classifier

After installing ELSA with "make install", a configuration file will be created at "/etc/elsa_classification_rules.conf". You need to modify this file to add rules as per your requirements. Once the rules are created, the "jobd" daemon can be started, which will start classifying processes automatically.

===========================================================================================================

Guidelines to configure the "elsa_classification_rules.conf" file

This is a simple text file, normally located at "/etc/elsa_classification_rules.conf". The format is

<security_context> <list_of_jobs_it_belongs>

Here, <security_context> is the security context of a process that needs to be classified. You can get the security context of any running process with the "ps -Z" command. <list_of_jobs_it_belongs> is a list of job-ids, separated by the "," (comma) character. This rule says that a process with the given "security_context" should go in the JOBS specified in "list_of_jobs_it_belongs".

Currently, rule parsing is not very flexible, so you need to give each new rule on a new line, and do not keep leading or trailing spaces. Keep just one blank space between <security_context> and <list_of_jobs_it_belongs>. Comments are allowed by giving the "#" character at the beginning of a line. Giving "#" at any other place won't work. Currently, we are not supporting the sensitivity part of the security_context; it will be ignored in any kind of comparison.
We are working on making file parsing more flexible, but it may take some time.

The list of job-ids consists of numbers separated by commas. There is an upper limit on how many job-ids you can specify with one security context; by default it is 50. You can modify it by changing the value of MAX_GROUPS_PER_RULE in the file job_daemon/jobd.h and then recompiling.

There is some basic wildcard support provided, which can be used for added flexibility. The character '*' can be put at any place in the security context; it can replace user_name, role or domain. '*' signifies that that part of the security_context will be ignored.

For example, if you want any process with the "httpd_t" domain, started by any user, to go to job 3, then you can write it as follows:

*:*:httpd_t 3

If you want to group all processes from the same user, then you can use the following rule:

user_u:*:* 4

You can have a default rule as follows, which will group all remaining processes:

*:*:* 5

Note: the order of rules is important. Matching starts from top to bottom, so give specific rules at the beginning and generic rules at the end. We recommend that the job-ids given are in sequence; please avoid random job-ids, as jobd will create jobs for all ids in the range.

===========================================================================================================

How it works internally?

At system startup time, the "/etc/elsa_classification_rules.conf" file will be read for the rules that will be used for classification (function: job_daemon/classifier.c:file_parse()). After this, the maximum number of default groups will be found by the function find_default_group_number() (function: job_daemon/classifier.c:find_default_group_number()). Once ELSA initialization is done, we create the empty jobs that are specified in the configuration file (function: job_daemon/jobd.c:create_jobs_for_automatic_loading(no_of_jobs)).
This step is required because processes can come in any order, and if a process which is supposed to go to job-id 5 comes before all other groups, then we need to have job-id 5 ready. Currently ELSA creates jobs in sequential order; that's why we create all jobs at the beginning and keep them ready for future use. We do this by adding pid 1 repeatedly using "do_add_req (1,0)" and then removing it: every time we add pid 1, it creates a new group, and at the end we delete pid 1 from all groups.

In recv_sk_nl, we have added support for "PROC_EVENT_EXEC", which calls the function "security_context_classifier". Support for "PROC_EVENT_EXEC" is needed because security contexts are normally changed in the exec system call; to handle this change in security context, handling of the "PROC_EVENT_EXEC" message was needed. Also in the case of "PROC_EVENT_FORK", we have modified "fork_handler" to call the "security_context_classifier" function first. If a process can be classified on the basis of its security context, that is given preference over the default classification, which follows if "security_context_classifier" is not able to classify the process. This provides a fail-safe mechanism: even if SELinux is not working, the default ELSA behaviour will still be there.

"security_context_classifier" (Function: job_daemon/jobd.c:security_context_classifier)

This function takes the pid of the process to be classified and finds the list of jobs to which it should belong using the "get_process_classification" function. Then it uses the "do_add_req" function to add the specified process to the corresponding group.

===========================================================================================================
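The rule format and top-to-bottom matching described under the configuration guidelines, together with the "security context first, default classification second" decision described under "How it works internally", as one added, self-contained C example. This is not ELSA's own classifier.c or jobd.c code; the rule set is constructed from the README's own examples, and the names elsa_rule, parse_rules, match_context and classify, as well as DEFAULT_JOB standing in for ELSA's real default classification, are assumptions made here.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not ELSA's own classifier.c/jobd.c; all names are hypothetical. */
#define MAX_RULES 64
#define MAX_GROUPS_PER_RULE 50  /* the README's default per-rule job limit */
#define DEFAULT_JOB 0           /* stand-in for ELSA's default classification */

struct elsa_rule {
    char user[64], role[64], domain[64];  /* a field equal to "*" matches anything */
    int jobs[MAX_GROUPS_PER_RULE];
    int njobs;
};
struct elsa_rules { struct elsa_rule r[MAX_RULES]; int n; };

/* Split "user:role:domain[:sensitivity]"; anything after the third ':' (the
 * sensitivity part) is ignored, as the README says the daemon does. */
static int split_context(const char *ctx, char *user, char *role, char *domain)
{
    return sscanf(ctx, "%63[^:]:%63[^:]:%63[^:]", user, role, domain) == 3;
}

/* Parse rules text: one "<security_context> <job,job,...>" per line, exactly
 * one space between the fields, no leading/trailing spaces, '#' recognised
 * only at the start of a line. Returns the number of rules, or -1 on error. */
static int parse_rules(const char *text, struct elsa_rules *rs)
{
    char buf[4096];
    strncpy(buf, text, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    rs->n = 0;
    for (char *line = strtok(buf, "\n"); line; line = strtok(NULL, "\n")) {
        if (line[0] == '#') continue;                     /* comment line */
        char *sp = strchr(line, ' ');
        if (!sp || rs->n == MAX_RULES) return -1;
        *sp = '\0';
        struct elsa_rule *r = &rs->r[rs->n];
        if (!split_context(line, r->user, r->role, r->domain)) return -1;
        r->njobs = 0;
        for (char *tok = sp + 1; tok; ) {                 /* "3,4,5" -> ints */
            char *end;
            long id = strtol(tok, &end, 10);
            if (end == tok || (*end != ',' && *end != '\0')) return -1;
            if (r->njobs == MAX_GROUPS_PER_RULE) return -1;
            r->jobs[r->njobs++] = (int)id;
            tok = (*end == ',') ? end + 1 : NULL;
        }
        rs->n++;
    }
    return rs->n;
}

static int field_match(const char *pat, const char *val)
{
    return strcmp(pat, "*") == 0 || strcmp(pat, val) == 0;
}

/* Rules are tried top to bottom and the first match wins, which is why the
 * README wants specific rules first and the "*:*:*" catch-all last.
 * Returns the index of the matching rule, or -1 if none matches. */
static int match_context(const struct elsa_rules *rs, const char *ctx)
{
    char u[64], r[64], d[64];
    if (!split_context(ctx, u, r, d)) return -1;
    for (int i = 0; i < rs->n; i++)
        if (field_match(rs->r[i].user, u) && field_match(rs->r[i].role, r) &&
            field_match(rs->r[i].domain, d))
            return i;
    return -1;
}

/* The FORK/EXEC decision the README describes: security-context rules first;
 * if there is no context (SELinux unavailable) or no rule matches, fall back to
 * the default classification. Writes job ids to out and returns how many. */
static int classify(const struct elsa_rules *rs, const char *ctx, int *out, int max)
{
    int i = ctx ? match_context(rs, ctx) : -1;
    if (i < 0) { out[0] = DEFAULT_JOB; return 1; }
    int n = rs->r[i].njobs < max ? rs->r[i].njobs : max;
    memcpy(out, rs->r[i].jobs, n * sizeof *out);
    return n;
}

/* Constructed sample in the README's format, built from its own examples. */
static const char SAMPLE_RULES[] =
    "# constructed /etc/elsa_classification_rules.conf\n"
    "system_u:system_r:httpd_t 1,2\n"
    "*:*:httpd_t 3\n"
    "user_u:*:* 4\n"
    "*:*:* 5\n";

int main(void)
{
    struct elsa_rules rs;
    int jobs[MAX_GROUPS_PER_RULE];
    const char *ctx = "unconfined_u:unconfined_r:httpd_t:s0";  /* "ps -Z" style */
    if (parse_rules(SAMPLE_RULES, &rs) < 0) return 1;
    int n = classify(&rs, ctx, jobs, MAX_GROUPS_PER_RULE);
    printf("%s ->", ctx);
    for (int j = 0; j < n; j++) printf(" job %d", jobs[j]);
    putchar('\n');
    return 0;
}
```

Because the first matching rule wins, the sample context above lands in job 3 via "*:*:httpd_t" even though "*:*:*" would also match it; swapping the two lines would send every httpd_t process to job 5, which is the ordering pitfall the README warns about. Passing a NULL context, as a host without SELinux would, takes the default path instead of failing.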