Collapse the various policy discussions into a
single section. Discussed with: dru
parent 9a0e52f638
commit 5b57f090b4
Notes (svn2git, 2020-12-08 03:00:23 +00:00): svn path=/head/; revision=43200
1 changed file with 35 additions and 27 deletions
@ -763,7 +763,14 @@ test: biba/high</screen>
option is called <option>multilabel</option>.</para>
option is called <option>multilabel</option>.</para>
</sect1>
</sect1>
<sect1 xml:id="mac-seeotheruids">
<sect1 xml:id="mac-policies">
<title>Available MAC Policies</title>
<para>&os; includes a group of policies that will cover
most security requirements. Each policy is discussed
below.</para>
<sect2 xml:id="mac-seeotheruids">
<title>The MAC See Other UIDs Policy</title>
<title>The MAC See Other UIDs Policy</title>
<indexterm>
<indexterm>
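Review bot: the new introductory paragraph for the mac-policies container ("&os; includes a group of policies that will cover most security requirements. Each policy is discussed below.") is vague and the first sentence overstates what the modules promise; consider replacing it with a sentence that tells the reader what the subsections actually contain, for instance that each MAC policy module shipped with &os; is described in its own subsection below and that the module manual pages remain the authoritative reference for options and limitations (the file already says this later, in the partition section's note). The demotion of `<sect1 xml:id="mac-seeotheruids">` to `<sect2 xml:id="mac-seeotheruids">` keeps the xml:id, so existing xref targets continue to resolve; the same holds for the ids demoted in the later hunks.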
@ -816,9 +823,9 @@ test: biba/high</screen>
may not be set.</para>
may not be set.</para>
</listitem>
</listitem>
</itemizedlist>
</itemizedlist>
</sect1>
</sect2>
<sect1 xml:id="mac-bsdextended">
<sect2 xml:id="mac-bsdextended">
<title>The MAC BSD Extended Policy</title>
<title>The MAC BSD Extended Policy</title>
<indexterm>
<indexterm>
@ -855,7 +862,7 @@ test: biba/high</screen>
module as incorrect use could block access to certain parts of
module as incorrect use could block access to certain parts of
the file system.</para>
the file system.</para>
<sect2>
<sect3>
<title>Examples</title>
<title>Examples</title>
<para>After the &man.mac.bsdextended.4; module has been loaded,
<para>After the &man.mac.bsdextended.4; module has been loaded,
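Review bot: the unchanged context just above the new `<sect3>` ("module as incorrect use could block access to certain parts of the file system.") is a caveat the handbook normally sets off in a `<warning>` or `<caution>` element rather than leaving it inside a plain `<para>`; since this hunk already touches the structure around it, wrapping that sentence would be cheap and makes the risk of locking yourself out with a bad ugidfw rule set visible. The `<sect2>` to `<sect3>` change for the Examples subsection is correct for the new nesting, and leaving it without an xml:id matches the other Examples subsections in the file.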
@ -895,10 +902,10 @@ test: biba/high</screen>
<para>For more information, refer to &man.mac.bsdextended.4; and
<para>For more information, refer to &man.mac.bsdextended.4; and
&man.ugidfw.8;</para>
&man.ugidfw.8;</para>
</sect2>
</sect3>
</sect1>
</sect2>
<sect1 xml:id="mac-ifoff">
<sect2 xml:id="mac-ifoff">
<title>The MAC Interface Silencing Policy</title>
<title>The MAC Interface Silencing Policy</title>
<indexterm>
<indexterm>
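Review bot: the context line `&man.ugidfw.8;</para>` ends the sentence "For more information, refer to &man.mac.bsdextended.4; and &man.ugidfw.8;" without a full stop; since the surrounding lines are already in the diff, add the period here rather than in a follow-up. The three level changes in this hunk (`</sect2>` to `</sect3>`, `</sect1>` to `</sect2>`, and `<sect1 xml:id="mac-ifoff">` to `<sect2 xml:id="mac-ifoff">`) are consistent with the Examples/section/container nesting introduced in the first hunk.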
@ -947,9 +954,9 @@ test: biba/high</screen>
<package>security/aide</package> to
<package>security/aide</package> to
automatically block network traffic if it finds new or altered
automatically block network traffic if it finds new or altered
files in protected directories.</para>
files in protected directories.</para>
</sect1>
</sect2>
<sect1 xml:id="mac-portacl">
<sect2 xml:id="mac-portacl">
<title>The MAC Port Access Control List Policy</title>
<title>The MAC Port Access Control List Policy</title>
<indexterm>
<indexterm>
@ -1035,7 +1042,7 @@ net.inet.ip.portrange.reservedhigh=0</userinput></screen>
<para>See the examples below or refer to &man.mac.portacl.4; for
<para>See the examples below or refer to &man.mac.portacl.4; for
further information.</para>
further information.</para>
<sect2>
<sect3>
<title>Examples</title>
<title>Examples</title>
<para>Since the <systemitem class="username">root</systemitem> user should not be
<para>Since the <systemitem class="username">root</systemitem> user should not be
@ -1060,10 +1067,10 @@ net.inet.ip.portrange.reservedhigh=0</userinput></screen>
<screen>&prompt.root; <userinput>sysctl security.mac.portacl.rules=uid:1001:tcp:110,uid:1001:tcp:995</userinput></screen>
<screen>&prompt.root; <userinput>sysctl security.mac.portacl.rules=uid:1001:tcp:110,uid:1001:tcp:995</userinput></screen>
</sect2>
</sect3>
</sect1>
</sect2>
<sect1 xml:id="mac-partition">
<sect2 xml:id="mac-partition">
<title>The MAC Partition Policy</title>
<title>The MAC Partition Policy</title>
<indexterm>
<indexterm>
@ -1113,7 +1120,7 @@ net.inet.ip.portrange.reservedhigh=0</userinput></screen>
spawned by users in the <literal>insecure</literal> class will
spawned by users in the <literal>insecure</literal> class will
stay in the <literal>partition/13</literal> label.</para>
stay in the <literal>partition/13</literal> label.</para>
<sect2>
<sect3>
<title>Examples</title>
<title>Examples</title>
<para>The following command will display the partition label
<para>The following command will display the partition label
@ -1143,10 +1150,10 @@ net.inet.ip.portrange.reservedhigh=0</userinput></screen>
options, including their limitations, are further explained
options, including their limitations, are further explained
in the module manual pages.</para>
in the module manual pages.</para>
</note>
</note>
</sect2>
</sect3>
</sect1>
</sect2>
<sect1 xml:id="mac-mls">
<sect2 xml:id="mac-mls">
<title>The MAC Multi-Level Security Module</title>
<title>The MAC Multi-Level Security Module</title>
<indexterm>
<indexterm>
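Review bot: now that `<sect2 xml:id="mac-mls">` is a sibling of the other policy subsections under "Available MAC Policies", its title "The MAC Multi-Level Security Module" (and, in the later hunks, "The MAC Biba Module" and "The MAC LOMAC Module") is inconsistent with the "The MAC ... Policy" wording used for seeotheruids, bsdextended, ifoff, portacl and partition; this commit is the natural place to pick one form, since the titles now appear together in the chapter's table of contents.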
@ -1277,7 +1284,7 @@ net.inet.ip.portrange.reservedhigh=0</userinput></screen>
to <command>setfmac</command>. This method will be explained
to <command>setfmac</command>. This method will be explained
after all policies are covered.</para>
after all policies are covered.</para>
<sect2>
<sect3>
<title>Planning Mandatory Sensitivity</title>
<title>Planning Mandatory Sensitivity</title>
<para>When using the MLS policy module, an administrator plans
<para>When using the MLS policy module, an administrator plans
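Review bot: the unchanged context "This method will be explained after all policies are covered." is a positional forward reference, and with every policy now nested inside the single mac-policies sect1 the phrase "after all policies are covered" points at the following top-level section, `<sect1 xml:id="mac-implementing">`; an explicit `<xref linkend="mac-implementing"/>` would say that precisely and survive further reshuffling, whereas the prose reference will silently go stale the next time sections move. The `<sect2>` to `<sect3>` change for "Planning Mandatory Sensitivity" is correct for the new depth.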
@ -1302,10 +1309,10 @@ net.inet.ip.portrange.reservedhigh=0</userinput></screen>
include an e-commerce web server, a file server holding
include an e-commerce web server, a file server holding
critical company information, and financial institution
critical company information, and financial institution
environments.</para>
environments.</para>
</sect2>
</sect3>
</sect1>
</sect2>
<sect1 xml:id="mac-biba">
<sect2 xml:id="mac-biba">
<title>The MAC Biba Module</title>
<title>The MAC Biba Module</title>
<indexterm>
<indexterm>
@ -1419,7 +1426,7 @@ net.inet.ip.portrange.reservedhigh=0</userinput></screen>
&prompt.root; <userinput>getfmac test</userinput>
&prompt.root; <userinput>getfmac test</userinput>
test: biba/low</screen>
test: biba/low</screen>
<sect2>
<sect3>
<title>Planning Mandatory Integrity</title>
<title>Planning Mandatory Integrity</title>
<para>Integrity, which is different from sensitivity, guarantees
<para>Integrity, which is different from sensitivity, guarantees
@ -1457,10 +1464,10 @@ test: biba/low</screen>
development and test machine, and a source code repository. A
development and test machine, and a source code repository. A
less useful implementation would be a personal workstation, a
less useful implementation would be a personal workstation, a
machine used as a router, or a network firewall.</para>
machine used as a router, or a network firewall.</para>
</sect2>
</sect3>
</sect1>
</sect2>
<sect1 xml:id="mac-lomac">
<sect2 xml:id="mac-lomac">
<title>The MAC LOMAC Module</title>
<title>The MAC LOMAC Module</title>
<indexterm>
<indexterm>
@ -1495,7 +1502,7 @@ test: biba/low</screen>
policy may provide for greater compatibility and require less
policy may provide for greater compatibility and require less
initial configuration than Biba.</para>
initial configuration than Biba.</para>
<sect2>
<sect3>
<title>Examples</title>
<title>Examples</title>
<para>Like the Biba and <acronym>MLS</acronym> policies,
<para>Like the Biba and <acronym>MLS</acronym> policies,
@ -1508,7 +1515,8 @@ test: biba/low</screen>
<para>The auxiliary grade <literal>low</literal> is a feature
<para>The auxiliary grade <literal>low</literal> is a feature
provided only by the <acronym>MAC</acronym> LOMAC
provided only by the <acronym>MAC</acronym> LOMAC
policy.</para>
policy.</para>
</sect2>
</sect3>
</sect2>
</sect1>
</sect1>
<sect1 xml:id="mac-implementing">
<sect1 xml:id="mac-implementing">
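Review bot: the closing sequence in this hunk (`</sect3>` for the LOMAC Examples subsection, the newly added `</sect2>` for mac-lomac, then the existing `</sect1>`) is the only place the new mac-policies container is closed, and the +7 to +8 line count matches the single added `</sect2>`; because an unbalanced sect1/sect2 pair anywhere in the preceding hunks would only surface here at build time, run the doc tree's lint target (or xmllint) on the chapter before committing rather than relying on a visual check of fourteen hunks of level changes. The following `<sect1 xml:id="mac-implementing">` is untouched, which is what the "explained after all policies are covered" sentence in the MLS hunk depends on.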