Project 7: Network Port Security Auditor

A security tool that audits which processes can bind to which ports according to SELinux policy, identifies non-standard port bindings, and generates reports on network attack surface reduction.

Quick Reference

Attribute              Value
---------------------  -----------------------------------------------
Primary Language       Python
Alternative Languages  Go, Rust, Bash
Difficulty             Level 2: Intermediate
Time Estimate          1-2 weeks
Knowledge Area         SELinux Network Controls / Port Types
Tooling                semanage port, netstat/ss, seinfo
Prerequisites          Basic networking knowledge, Project 1 completed

What You Will Build

A security tool that audits which processes can bind to which ports according to SELinux policy, identifies non-standard port bindings, and generates reports on network attack surface reduction.

Why It Matters

This project builds core skills that appear repeatedly in real-world systems and tooling.

Core Challenges

  • Understanding port types (http_port_t, ssh_port_t, etc.) → maps to network object classes
  • Querying which domains can bind to which ports → maps to allow rules for network
  • Detecting non-standard port usage → maps to security auditing
  • Generating attack surface reports → maps to security posture assessment

Key Concepts

  • SELinux Port Types: SELinux Notebook - Network Statements section
  • Network Object Classes: SELinux System Administration Ch. 7
  • Port Labeling: semanage port documentation
  • Network Policy Analysis: sesearch for network permissions

Real-World Outcome

$ ./selinux-port-auditor --full-scan

SELinux Network Port Security Audit
====================================

LISTENING SERVICES & PORT AUTHORIZATION:
┌────────────────────────────────────────────────────────────────────────────────┐
│ Process        │ Port  │ Domain        │ Port Type         │ Status            │
├────────────────────────────────────────────────────────────────────────────────┤
│ sshd           │ 22    │ sshd_t        │ ssh_port_t        │ ✓ Authorized      │
│ nginx          │ 80    │ httpd_t       │ http_port_t       │ ✓ Authorized      │
│ nginx          │ 443   │ httpd_t       │ http_port_t       │ ✓ Authorized      │
│ postgres       │ 5432  │ postgresql_t  │ postgresql_port_t │ ✓ Authorized      │
│ custom_app     │ 9999  │ init_t        │ unreserved_port_t │ ⚠ Non-standard    │
│ mystery_proc   │ 4444  │ unconfined_t  │ unreserved_port_t │ ⛔ ALERT: Review! │
└────────────────────────────────────────────────────────────────────────────────┘

POTENTIAL SECURITY ISSUES:
1. mystery_proc (PID 12345) running as unconfined_t on port 4444
   - Risk: Unconfined processes bypass SELinux controls
   - Action: Investigate process, consider creating confined domain

2. custom_app binding to non-standard port 9999
   - Risk: No specific SELinux port type defined
   - Action: Create port type or use `semanage port -a -t myapp_port_t -p tcp 9999`

RECOMMENDATIONS:
- 2 processes should be investigated
- Run `semanage port -l | grep 4444` to check port authorization

$ ./selinux-port-auditor --domain httpd_t --ports
Ports httpd_t can bind to:
  TCP: 80, 443, 8080, 8443, 8008 (http_port_t)
  TCP: 8009 (http_port_t)  # AJP connector
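The lookup and classification behind that audit table, as an added example that is not the project's own code: it parses constructed, abridged samples of `semanage port -l` and `sesearch` output (the live tool would run those commands and `ss -tlnpZ` instead of reading embedded strings) and assigns each listening socket the status shown above.

```python
import re

# Constructed, abridged sample of `semanage port -l` output (the real list is much longer).
SEMANAGE_OUT = """\
SELinux Port Type              Proto    Port Number

http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
postgresql_port_t              tcp      5432
ssh_port_t                     tcp      22
unreserved_port_t              tcp      1024-32767, 61001-65535
"""
# Constructed sample of `sesearch -A -c tcp_socket -p name_bind` output.
SESEARCH_OUT = """\
allow httpd_t http_port_t:tcp_socket { name_bind name_connect };
allow sshd_t ssh_port_t:tcp_socket name_bind;
allow postgresql_t postgresql_port_t:tcp_socket { name_bind };
"""

def parse_port_ranges(text):
    """(port_type, proto, lo, hi) for every entry in `semanage port -l` output."""
    ranges = []
    for ptype, proto, spec in re.findall(r"^(\S+_port_t)\s+(tcp|udp)\s+(.+)$", text, re.M):
        for item in spec.split(","):
            lo, _, hi = item.strip().partition("-")
            ranges.append((ptype, proto, int(lo), int(hi or lo)))
    return ranges

def port_type(ranges, proto, port):
    """Narrowest range wins, so an explicit entry beats the unreserved_port_t catch-all
    (a simplification: the kernel takes the first matching portcon statement)."""
    hits = [r for r in ranges if r[1] == proto and r[2] <= port <= r[3]]
    return min(hits, key=lambda r: r[3] - r[2])[0] if hits else None

def parse_name_bind(text):
    """{(domain, port_type)} for each allow rule granting tcp_socket name_bind.
    Rules written against attributes are not expanded here (seinfo can do that)."""
    rules = re.findall(r"^allow (\S+) (\S+):tcp_socket ([^;]+);", text, re.M)
    return {(d, t) for d, t, p in rules if "name_bind" in p.strip("{} ").split()}

def classify(domain, proto, port, ranges, binds):
    """Status for one listening socket, using the categories of the audit table."""
    if domain == "unconfined_t":
        return "ALERT"          # SELinux is not constraining this process at all
    ptype = port_type(ranges, proto, port)
    if ptype in (None, "unreserved_port_t"):
        return "Non-standard"   # no dedicated port type, so policy cannot single it out
    return "Authorized" if (domain, ptype) in binds else "Not authorized"
```

Call `classify(domain, "tcp", port, parse_port_ranges(...), parse_name_bind(...))` for each socket that `ss` reports; a domain that is neither unconfined nor granted name_bind on the port's type shows up as "Not authorized", which on a real host usually means an attribute-based rule that still needs expanding.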

Implementation Guide

  1. Reproduce the simplest happy-path scenario.
  2. Build the smallest working version of the core feature.
  3. Add input validation and error handling.
  4. Add instrumentation/logging to confirm behavior.
  5. Refactor into clean modules with tests.

Milestones

  • Milestone 1: Minimal working program that runs end-to-end.
  • Milestone 2: Correct outputs for typical inputs.
  • Milestone 3: Robust handling of edge cases.
  • Milestone 4: Clean structure and documented usage.

Validation Checklist

  • Output matches the real-world outcome example
  • Handles invalid inputs safely
  • Provides clear errors and exit codes
  • Repeatable results across runs

References

  • Main guide: SELINUX_DEEP_DIVE_LEARNING_PROJECTS.md
  • “SELinux System Administration” by Sven Vermeulen