Replace the current two examples with a more simple one. The old ones were
not only slightly out of date but a bit advanced. This one seems more simple,
and I'll add a couple more in the upcoming days.
This commit is contained in:
Tom Rhodes 2006-04-21 09:59:00 +00:00
parent 5e095db7d2
commit 1f91bb85a9
Notes: svn2git 2020-12-08 03:00:23 +00:00
svn path=/head/; revision=27601


@ -1675,10 +1675,10 @@ test: biba/low</screen>
</sect1>
<sect1 id="mac-implementing">
<title>Implementing a Secure Environment with MAC</title>
<title>Nagios in a MAC Jail</title>
<indexterm>
<primary>MAC Example Implementation</primary>
<primary>Nagios in a MAC Jail</primary>
</indexterm>
<para>The following demonstration will implement a secure
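Review bot: the new title and index term call this a "MAC Jail", but the procedure that follows confines Nagios with mac_biba labels and never uses jail(8), so a reader may expect a jail to be created. Consider a title such as "Confining Nagios with MAC", or add a sentence to the introductory paragraph stating that "jailed" here means label-based confinement rather than jail(8).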
@ -1692,7 +1692,11 @@ test: biba/low</screen>
<para>Before beginning this process, the
<literal>multilabel</literal> option must be set on each file
system as stated at the beginning of this chapter. Not doing
so will result in errors.</para>
so will result in errors. While at it, ensure that the
<filename role="port">net-mngt/nagios-plugins</filename>,
<filename role="port">net-mngt/nagios</filename>, and
<filename role="port">www/apache13</filename> ports are all
installed, configured, and working correctly.</para>
<sect2>
<title>Create an insecure User Class</title>
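Review bot: the ports category in the added sentence is misspelled; the FreeBSD ports tree uses `net-mgmt`, so the two `<filename role="port">` references should read `net-mgmt/nagios-plugins` and `net-mgmt/nagios`, otherwise they point at a category that does not exist.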
@ -1722,12 +1726,12 @@ test: biba/low</screen>
:passwordtime=91d:\
:umask=022:\
:ignoretime@:\
:label=partition/13,mls/5:</programlisting>
:label=biba/10:</programlisting>
<para>And adding the following line to the default user
class:</para>
<programlisting>:label=mls/equal,biba/equal,partition/15:</programlisting>
<programlisting>:label=biba/high:</programlisting>
<para>Once this is completed, the following command must be
issued to rebuild the database:</para>
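Review bot: the labels are changed to `biba/10` for the insecure class and `biba/high` for the default class, but the text still calls the first one "insecure" without saying what that means under Biba: a subject at biba/10 is lower integrity than biba/high, so it may read higher-labeled objects but cannot write to them, while biba/high subjects cannot read biba/10 objects at all. One sentence after the listing explaining that this asymmetry is what isolates Nagios from the rest of the system would make the later "permission denied" expectation for root easier to follow.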
@ -1736,20 +1740,24 @@ test: biba/low</screen>
</sect2>
<sect2>
<title>Boot with the Correct Modules</title>
<title>Boot Configuration</title>
<para>Add the following lines to
<para>Do not reboot yet, just add the following lines to
<filename>/boot/loader.conf</filename> so the required
modules will load during system initialization:</para>
<programlisting>mac_biba_load="YES"
mac_mls_load="YES"
mac_seeotheruids_load="YES"
mac_partition_load="YES"</programlisting>
mac_biba_load="YES"
mac_seeotheruids_load="YES"</programlisting>
</sect2>
<sect2>
<title>Set All Users to Insecure</title>
<title>Configure Users</title>
<para>Set the <username>root</username> user to the default
class using:</para>
<screen>&prompt.root; <userinput>pw usermod root -L default</userinput></screen>
<para>All user accounts that are not <username>root</username>
or system users will now require a login class. The login
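Review bot: `mac_seeotheruids_load="YES"` is kept in the loader.conf listing while the mls and partition modules are dropped, yet nothing in the remaining text configures or tests seeotheruids. Either drop the line or add a sentence saying why the module is wanted (for example to keep the Nagios account from seeing other users' processes), so the reader does not assume it is required for the Biba setup.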
@ -1759,70 +1767,100 @@ mac_partition_load="YES"</programlisting>
trick:</para>
<screen>&prompt.root; <userinput>for x in `awk -F: '($3 &gt;= 1001) &amp;&amp; ($3 != 65534) { print $1 }' \</userinput>
<userinput>/etc/passwd`; do pw usermod $x -L insecure; done;</userinput></screen>
<userinput>/etc/passwd`; do pw usermod $x -L default; done;</userinput></screen>
<para>The <command>cap_mkdb</command> command will need to be
run on <filename>/etc/master.passwd</filename> after this
change.</para>
<para>Drop the <username>nagios</username> and
<username>www</username> users into the insecure class:</para>
<screen>&prompt.root; <userinput>pw usermod nagios -L default</userinput></screen>
<screen>&prompt.root; <userinput>pw usermod www -L default</userinput></screen>
</sect2>
<sect2>
<title>Complete the Configuration</title>
<title>Create the Contexts File</title>
<para>A contexts file should now be created; the following
example was taken from Robert Watson's example policy and
should be placed in
<para>A contexts file should now be created; the following example
file should be placed in
<filename>/etc/policy.contexts</filename>.</para>
<programlisting># This is the default BIBA/MLS policy for this system.
<programlisting># This is the default BIBA policy for this system.
.* biba/high,mls/high
/sbin/dhclient biba/high(low),mls/high(low)
/dev(/.*)? biba/equal,mls/equal
# This is not an exhaustive list of all "privileged" devices.
/dev/mdctl biba/high,mls/high
/dev/pci biba/high,mls/high
/dev/k?mem biba/high,mls/high
/dev/io biba/high,mls/high
/dev/agp.* biba/high,mls/high
(/var)?/tmp(/.*)? biba/equal,mls/equal
/tmp/\.X11-unix biba/high(equal),mls/high(equal)
/tmp/\.X11-unix/.* biba/equal,mls/equal
/proc(/.*)? biba/equal,mls/equal
/mnt.* biba/low,mls/low
(/usr)?/home biba/high(low),mls/high(low)
(/usr)?/home/.* biba/low,mls/low
/var/mail(/.*)? biba/low,mls/low
/var/spool/mqueue(/.*)? biba/low,mls/low
(/mnt)?/cdrom(/.*)? biba/high,mls/high
(/usr)?/home/(ftp|samba)(/.*)? biba/high,mls/high
/var/log/sendmail\.st biba/low,mls/low
/var/run/utmp biba/equal,mls/equal
/var/log/(lastlog|wtmp) biba/equal,mls/equal</programlisting>
# System:
/var/run biba/equal
/var/run/* biba/equal
/dev biba/equal
/dev/* biba/equal
/var biba/equal
/var/spool biba/equal
/var/spool/* biba/equal
/var/log biba/equal
/var/log/* biba/equal
/tmp biba/equal
/tmp/* biba/equal
/var/tmp biba/equal
/var/tmp/* biba/equal
/var/spool/mqueue biba/equal
/var/spool/clientmqueue biba/equal
# For Nagios:
/usr/local/etc/nagios
/usr/local/etc/nagios/* biba/10
/var/spool/nagios biba/10
/var/spool/nagios/* biba/10
# For apache
/usr/local/etc/apache biba/10
/usr/local/etc/apache/* biba/10</programlisting>
<para>This policy will enforce security by setting restrictions
on both the downward and upward flow of information with
regards to the directories and utilities listed on the
left.</para>
on the flow of information. In this specific configuration,
users, <username>root</username> and others, should never be
allowed to access <application>Nagios</application>.
Configuration files and processes that are a part of
<application>Nagios</application> will be completely self
contained or jailed.</para>
<para>This can now be read into our system by issuing the
<para>This file may now be read into our system by issuing the
following command:</para>
<screen>&prompt.root; <userinput>setfsmac -ef /etc/policy.contexts /</userinput>
&prompt.root; <userinput>setfsmac -ef /etc/policy.contexts /usr</userinput></screen>
&prompt.root; <userinput>setfsmac -ef /etc/policy.contexts /</userinput></screen>
<note>
<para>The above file system layout may be different depending
on environment.</para>
on environment; however, it must be run on every single file
system.</para>
</note>
<para>The <filename>/etc/mac.conf</filename> file requires
the following modifications in the main section:</para>
<programlisting>default_labels file ?biba,?mls
default_labels ifnet ?biba,?mls
default_labels process ?biba,?mls,?partition
default_labels socket ?biba,?mls</programlisting>
<programlisting>default_labels file ?biba
default_labels ifnet ?biba
default_labels process ?biba
default_labels socket ?biba</programlisting>
</sect2>
<sect2>
<title>Enable Networking</title>
<para>Add the following line to
<filename>/boot/loader.conf</filename>:</para>
<programlisting>security.mac.biba.trust_all_interfaces=1</programlisting>
<para>And the following to the network card configuration stored
in <filename>rc.conf</filename>. If the primary Internet
configuration is done via <acronym>DHCP</acronym>, this may
need to be configured manually after every system boot:</para>
<programlisting>maclabel biba/equal</programlisting>
</sect2>
<sect2>
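Review bot: in the new contexts file the `/usr/local/etc/nagios` entry has no label, unlike every other entry, so the directory itself will not be relabeled to biba/10 (and setfsmac(8) may reject the line); add `biba/10` to it. Two related points in the same hunk: the paragraph says to drop the nagios and www users into the insecure class, but both commands still use `-L default`, which is the class the loop above already assigns to everyone; and the first column of a setfsmac(8) spec file is a regular expression, so `/var/run/*` means "/var/run" followed by any number of slashes rather than the directory's contents, whereas the `(/.*)?` form used by the removed entries expresses "the directory and everything under it" unambiguously. Finally, `maclabel biba/equal` is not a valid rc.conf line on its own; it belongs inside the interface's `ifconfig_<nic>` string.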
@ -1832,286 +1870,51 @@ default_labels socket ?biba,?mls</programlisting>
<primary>MAC Configuration Testing</primary>
</indexterm>
<para>Add a user with the <command>adduser</command> command
and place that user in the <literal>insecure</literal>
class for these tests.</para>
<para>Ensure that the web server and
<application>Nagios</application> will not be started
on system initialization, and reboot. Ensure the
<username>root</username> user cannot access any of the files
in the <application>Nagios</application> configuration
directory. If <username>root</username> can issue an &man.ls.1;
command on <filename>/var/spool/nagios</filename>, then something
is wrong. Otherwise a <quote>permission denied</quote> error
should be returned.</para>
<para>The examples below will show a mix of
<username>root</username> and regular user tests; use the
prompt to distinguish between the two.</para>
<para>If all seems well, <application>Nagios</application>,
<application>Apache</application>, and
<application>Sendmail</application> can now be started in a way
fitting of the security policy. The following commands will
make this happen:</para>
<sect3>
<title>Basic Labeling Tests</title>
<screen>&prompt.root; <userinput>cd /etc/mail &amp;&amp; make stop &amp;&amp; \
setpmac biba/equal make start &amp;&amp; setpmac biba/10 apachectl start &amp;&amp; \
setpmac biba/10 /usr/local/etc/rc.d/nagios.sh forcestart</userinput></screen>
<screen>&prompt.user; <userinput>getpmac</userinput>
biba/15(15-15),mls/15(15-15),partition/15
&prompt.root; <userinput>setpmac partition/15,mls/equal top</userinput></screen>
<para>Double check to ensure that everything is working
properly. If not, check the log files or error messages. Use
the &man.sysctl.8; utility to disable the &man.mac.biba.4;
security policy module enforcement and try starting everything
again, like normal.</para>
<note>
<para>The top process will be killed before we start
another top process.</para>
</note>
</sect3>
<note>
<para>The <username>root</username> user can change the security
enforcement and edit the configuration files without fear.
The following command will permit the degradation of the
security policy to a lower grade for a newly spawned
shell:</para>
<sect3>
<title>MAC Seeotheruids Tests</title>
<screen>&prompt.root; <userinput>setpmac biba/10 csh</userinput></screen>
<screen>&prompt.user; <userinput>ps Zax</userinput>
biba/15(15-15),mls/15(15-15),partition/15 1096 #C: S 0:00.03 -su (bash)
biba/15(15-15),mls/15(15-15),partition/15 1101 #C: R+ 0:00.01 ps Zax</screen>
<para>We should not be permitted to see any processes
owned by other users.</para>
</sect3>
<sect3>
<title>MAC Partition Test</title>
<para>Disable the <acronym>MAC</acronym>
<literal>seeotheruids</literal> policy for the rest of these
tests:</para>
<screen>&prompt.root; <userinput>sysctl security.mac.seeotheruids.enabled=0</userinput>
&prompt.user; <userinput>ps Zax</userinput>
LABEL PID TT STAT TIME COMMAND
biba/equal(low-high),mls/equal(low-high),partition/15 1122 #C: S+ 0:00.02 top
biba/15(15-15),mls/15(15-15),partition/15 1096 #C: S 0:00.05 -su (bash)
biba/15(15-15),mls/15(15-15),partition/15 1123 #C: R+ 0:00.01 ps Zax</screen>
<para>All users should be permitted to see every process in
their partition.</para>
</sect3>
<sect3>
<title>Testing Biba and MLS Labels</title>
<screen>&prompt.root; <userinput>setpmac partition/15,mls/equal,biba/high\(high-high\) top</userinput>
&prompt.user; <userinput>ps Zax</userinput>
LABEL PID TT STAT TIME COMMAND
biba/high(high-high),mls/equal(low-high),partition/15 1251 #C: S+ 0:00.02 top
biba/15(15-15),mls/15(15-15),partition/15 1096 #C: S 0:00.06 -su (bash)
biba/15(15-15),mls/15(15-15),partition/15 1157 #C: R+ 0:00.00 ps Zax</screen>
<para>The Biba policy allows us to read higher-labeled
objects.</para>
<screen>&prompt.root; <userinput>setpmac partition/15,mls/equal,biba/low top</userinput>
&prompt.user; <userinput>ps Zax</userinput>
LABEL PID TT STAT TIME COMMAND
biba/15(15-15),mls/15(15-15),partition/15 1096 #C: S 0:00.07 -su (bash)
biba/15(15-15),mls/15(15-15),partition/15 1226 #C: R+ 0:00.01 ps Zax</screen>
<para>The Biba policy does not allow lower-labeled objects
to be read; however, <acronym>MLS</acronym> does.</para>
<screen>&prompt.user; <userinput>ifconfig bge0 | grep maclabel</userinput>
maclabel biba/low(low-low),mls/low(low-low)
&prompt.user; <userinput>ping -c 1 192.0.34.166</userinput>
PING 192.0.34.166 (192.0.34.166): 56 data bytes
ping: sendto: Permission denied</screen>
<para>Users are unable to ping
<hostid role="domainname">example.com</hostid>, or any domain
for that matter.</para>
<para>To prevent this error from occurring, run the following
command:</para>
<screen>&prompt.root; <userinput>sysctl security.mac.biba.trust_all_interfaces=1</userinput></screen>
<para>This sets the default interface label to insecure mode,
so the default Biba policy label will not be enforced.</para>
<screen>&prompt.root; <userinput>ifconfig bge0 maclabel biba/equal\(low-high\),mls/equal\(low-high\)</userinput>
&prompt.user; <userinput>ping -c 1 192.0.34.166</userinput>
PING 192.0.34.166 (192.0.34.166): 56 data bytes
64 bytes from 192.0.34.166: icmp_seq=0 ttl=50 time=204.455 ms
--- 192.0.34.166 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/stddev = 204.455/204.455/204.455/0.000 ms</screen>
<para>By setting a more correct label, we can issue
<command>ping</command> requests.</para>
<para>Now to create a few files for some read and write
testing procedures:</para>
<screen>&prompt.root; <userinput>touch test1 test2 test3 test4 test5</userinput>
&prompt.root; <userinput>getfmac test1</userinput>
test1: biba/equal,mls/equal
&prompt.root; <userinput>setfmac biba/low test1 test2; setfmac biba/high test4 test5; \
setfmac mls/low test1 test3; setfmac mls/high test2 test4</userinput>
&prompt.root; <userinput>setfmac mls/equal,biba/equal test3 &amp;&amp; getfmac test?</userinput>
test1: biba/low,mls/low
test2: biba/low,mls/high
test3: biba/equal,mls/equal
test4: biba/high,mls/high
test5: biba/high,mls/equal
&prompt.root; <userinput>chown testuser:testuser test?</userinput></screen>
<para>All of these files should now be owned by our
<username>testuser</username> user. And now for some read
tests:</para>
<screen>&prompt.user; <userinput>ls</userinput>
test1 test2 test3 test4 test5
&prompt.user; <userinput>ls test?</userinput>
ls: test1: Permission denied
ls: test2: Permission denied
ls: test4: Permission denied
test3 test5</screen>
<para>We should not be permitted to observe pairs; e.g.:
<literal>(biba/low,mls/low)</literal>,
<literal>(biba/low,mls/high)</literal> and
<literal>(biba/high,mls/high)</literal>. And of course,
read access should be denied. Now for some write
tests:</para>
<screen>&prompt.user; <userinput>for i in `echo test*`; do echo 1 &gt; $i; done</userinput>
-su: test1: Permission denied
-su: test4: Permission denied
-su: test5: Permission denied</screen>
<para>Like with the read tests, write access should not be
permitted to write pairs; e.g.:
<literal>(biba/low,mls/high)</literal> and
<literal>(biba/equal,mls/equal)</literal>.</para>
<screen>&prompt.user; <userinput>cat test?</userinput>
cat: test1: Permission denied
cat: test2: Permission denied
1
cat: test4: Permission denied</screen>
<para>And now as <username>root</username>:</para>
<screen>&prompt.root; <userinput>cat test2</userinput>
1</screen>
</sect3>
<para>To block this from happening, force the user into a range
via &man.login.conf.5;. If &man.setpmac.8; attempts to run
a command outside of the compartment's range, an error will
be returned and the command will not be executed. In this
case, setting root to
<literal>biba/high(high-high)</literal>.</para>
</note>
</sect2>
</sect1>
<sect1 id="MAC-examplehttpd">
<title>Another Example: Using MAC to Constrain a Web Server</title>
<para>A separate location for the web data which users
must be capable of accessing will be appointed. This
will permit <literal>biba/high</literal> processes access
rights to the web data.</para>
<para>Begin by creating a directory to store the web
data in:</para>
<screen>&prompt.root; <userinput>mkdir /usr/home/cvs</userinput></screen>
<para>Now initialize it with <command>cvs</command>:</para>
<screen>&prompt.root; <userinput>cvs -d /usr/home/cvs init</userinput></screen>
<para>The first goal is to enable the <literal>biba</literal>
policy, thus the <literal>mac_biba_enable="YES"</literal>
should be placed in
<filename>/boot/loader.conf</filename>. This assumes
that support for <acronym>MAC</acronym> has been enabled
in the kernel.</para>
<para>From this point on everything in the system should
be set at <literal>biba/high</literal> by default.</para>
<para>The following modification must be made to the
<filename>login.conf</filename> file, under the default
user class:</para>
<programlisting>:ignoretime@:\
:umask=022:\
:label=biba/high:</programlisting>
<para>Every user should now be placed in the default class;
a command such as:</para>
<screen>&prompt.root; <userinput>for x in `awk -F: '($3 &gt;= 1001) &amp;&amp; ($3 != 65534) { print $1 }' \</userinput>
<userinput>/etc/passwd`; do pw usermod $x -L default; done;</userinput></screen>
<para>will accomplish this task in a few moments.</para>
<para>Now create another class, web, a copy of default,
with the label setting of <literal>biba/10</literal>.</para>
<para>Create a user who will be used to work with the
main web data stored in a <application>cvs</application>
repository. This user must be placed in our new login
class, <username>web</username>.</para>
<para>Since the default is <literal>biba/high</literal>
everywhere, the repository will be the same. The web data must
also be the same for users to have read/write access to it;
however, since our web server will be serving data that
<literal>biba/high</literal> users must access, we will need to
downgrade the data as a whole.</para>
<para>The perfect tools for this are &man.sh.1; and
&man.cron.8; and are already provided in &os;. The following
script should do everything we want:</para>
<programlisting>PATH=/bin:/usr/bin:/usr/local/bin; export PATH;
CVSROOT=/home/repo; export CVSROOT;
cd /home/web;
cvs -qR checkout -P htdocs;
exit;</programlisting>
<note>
<para>In many cases the <command>cvs</command>
Id tags must be placed into the web
site data files.</para>
</note>
<para>This script may now be placed into
<username>web</username>'s home directory and the following
&man.crontab.1; entry added:</para>
<programlisting># Check out the web data as biba/low every twelve hours:
0 */12 * * * web /home/web/checkout.sh</programlisting>
<para>This will check out the <acronym>HTML</acronym> sources
every twelve hours on the machine.</para>
<para>The default startup method for the web server must also be
modified to start the process as <literal>biba/low</literal>.
This can be done by making the following modification to the
<filename>/usr/local/etc/rc.d/apache.sh</filename>
script:</para>
<programlisting>command="setpmac biba/low /usr/local/sbin/httpd"</programlisting>
<para>The <application>Apache</application> configuration must be
altered to work with the <literal>biba/10</literal> policy. In
this case the software must be configured to append to the
log files in a directory set at <literal>biba/10</literal>
or else <errorname>access denied</errorname> errors will be
returned.</para>
<note>
<para>Following this example requires that the
<literal>docroot</literal> directive be set to
<filename>/home/web/htdocs</filename>; otherwise,
<application>Apache</application> will fail when trying
to locate the directory to serve documents from.</para>
</note>
<para>Other configuration variables must be altered as well,
including the <acronym>PID</acronym> file,
<literal>Scoreboardfile</literal>,
<literal>DocumentRoot</literal>, log file locations, or any
other variable which requires write access.
When using <literal>biba</literal>, all write access will be
denied to the server in areas <emphasis>not</emphasis> set at
<literal>biba/low</literal>.</para>
<!--
PROBLEM: CAN THIS WORK? OR SHOULD IT BE start_precmd? More testing need here.
-->
</sect1>
<!--
XXX
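Review bot: the paragraph "The examples below will show a mix of root and regular user tests" and the instruction to add a user in the insecure class no longer match what this hunk keeps: the retained screens (starting sendmail, Apache and Nagios, and `setpmac biba/10 csh`) all run as root, so either add a short test from the unprivileged account (for example `getpmac` showing the biba/10 label) or drop those two sentences. Separately, starting sendmail with `setpmac biba/equal` exempts it from Biba enforcement entirely; a sentence saying why that is acceptable here, as against biba/high, would help readers who copy the line.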