-
Notifications
You must be signed in to change notification settings - Fork 471
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add getcap "capabilities" for posix files. #971
Comments
Please add getcap "capabilities" command for posix files. |
Hello, thanks for filing this. Can you provide more context in what you're looking for. Perhapse some example test filesband what you're looking to test. Also, where does the |
We have a requirement to run the Nessus Scanner on Linux as an non-privileged user. I have a named Ansible task to apply the setcap capabilities. - name: Applying Setcap attributes
community.general.capabilities:
path "{{ item }}"
capability: "{{ setcap_value }}"
state: present
loop:
- /opt/nessus/sbin/nessusd
- /opt/nessus/sbin/nessus-service
changed_when: false To create the validation test I'd like to run the following: goss add file /opt/nessus/sbin/nessusd
goss add file /opt/nessus/sbin/nessus-service The resulting config.yaml should look something like this: file:
/opt/nessus/sbin/nessusd:
exists: true
mode: "0750"
owner: foo
group: bar
filetype: file
contains:
capabilities:
- "cap_net_admin,cap_net_raw,cap_sys_resource+eip"
/opt/nessus/sbin/nessus-service:
exists: true
mode: "0750"
owner: foo
group: bar
filetype: file
contains:
capabilities:
- "cap_net_admin,cap_net_raw,cap_sys_resource+eip" Here are the suggested changes recommended by ChatGPT:
In Unix-based systems, capabilities are managed using tools like libcap. You might need to add a dependency for handling capabilities in Go, such as using golang.org/x/sys/unix to retrieve and add them. import (
"golang.org/x/sys/unix"
)
func getFileCapabilities(filePath string) (map[string]bool, error) {
caps := make(map[string]bool)
// Use unix getxattr or similar to retrieve capabilities
// For example, `getcap` could be run as a system call
err := unix.Getxattr(filePath, "security.capability", caps)
if err != nil {
return nil, err
}
return caps, nil
}
func addFileWithCapabilities(filePath string) error {
// Original file addition logic
err := addFile(filePath)
if err != nil {
return err
}
// Fetch file capabilities
caps, err := getFileCapabilities(filePath)
if err != nil {
return err
}
// Add capabilities to the configuration or output
fmt.Printf("capabilities: %v\n", caps)
return nil
}
func TestGetFileCapabilities(t *testing.T) {
caps, err := getFileCapabilities("/path/to/file")
if err != nil {
t.Errorf("Error retrieving capabilities: %v", err)
}
if len(caps) == 0 {
t.Errorf("Expected capabilities, got none")
}
}
go build Run your modified version of goss and test that the new getcaps functionality works: ./goss add file /path/to/file Hope this helps. |
Describe the feature:
Describe the solution you'd like
Describe alternatives you've considered
The text was updated successfully, but these errors were encountered: