From 5c8f4cdd6d54b55fd55b7be6e266d970a0a289d4 Mon Sep 17 00:00:00 2001 From: Robert Watson Date: Thu, 5 Dec 2002 00:37:47 +0000 Subject: [PATCH] Drop in a real-quick section on the MAC Framework and pluggable policy modules in FreeBSD 5.0. Give brief descriptions of the policies that we have available. Since the man pages are still getting dropped in, temporarily put in XXX's for the missing man page cross references-- we'll fix that tonight. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories --- .../books/handbook/security/chapter.sgml | 235 ++++++++++++++++++ 1 file changed, 235 insertions(+) diff --git a/en_US.ISO8859-1/books/handbook/security/chapter.sgml b/en_US.ISO8859-1/books/handbook/security/chapter.sgml index 961060220e..27139b2686 100644 --- a/en_US.ISO8859-1/books/handbook/security/chapter.sgml +++ b/en_US.ISO8859-1/books/handbook/security/chapter.sgml @@ -74,6 +74,11 @@ How to configure and use extended file system access control lists (ACLs) with UFS. + + + How to configure and load access control extension + modules using the TrustedBSD MAC Framework. + Before reading this chapter, you should: 
@@ -3531,6 +3536,236 @@ user@unfirewalled.myserver.com's password: ******* + + + + + + Robert + Watson + Sponsored by DARPA and Network Associates Laboratories. + Contributed by + + + + + MAC + + Mandatory Access Control (MAC) + + FreeBSD 5.0 includes a new kernel security framework, the + TrustedBSD MAC Framework. The MAC Framework permits compile-time, + boot-time, and run-time extension of the kernel access control + policy, and can be used to load support for Mandatory Access + Control (MAC), and custom security modules + such as hardening modules. The MAC Framework is currently + considered to be an experimental feature, and should not yet + be used in production environments without careful consideration. + It is anticipated that the MAC Framework will be appropriate for + more widespread production use by FreeBSD 5.2. + + When configured into a kernel, the MAC Framework permits + security modules to augment the existing kernel access control + model, restricting access to system services and objects. For + example, the mac_bsdextended module augments file system access + control, permitting administrators to provide a firewall-like + ruleset constraining access to file system objects based on user + ids and group membership. Some modules require little or no + configuration, such as mac_seeotheruids, whereas others perform + ubiquitous object labeling, such as mac_biba and mac_mls, and + require extensive configuration. + + To enable the MAC Framework in your system kernel, you must + add the following entry to your kernel configuration: + + options MAC + + Security policy modules shipped with the base system may + be loaded using &man.kldload.8; or in the boot &man.loader.8; + They may also be compiled directly into the kernel using the + following options, if the use of modules is not desired. 
+ + Different MAC policies may be configured in different ways; + frequently, MAC policy modules export configuration parameters + using the &man.sysctl.8; MIB using the + security.mac.* namespace. Policies relying on file system + or other labels may require a configuration step that involes + assigning initial labels to system objects or creating a + policy configuration file. For information on how to configure + and use each policy module, see its man page. + + A variety of tools are available to configure the MAC Framework + and labels maintained by various policies. Extensions have been + made to the login and credential management mechanisms + (&man.setusercontext.3;) to support initial user labeling using + &man.login.conf.5;. In addition, modifications have been made + to &man.su.1;, &man.ps.1;, &man.ls.1;, and &man.ifconfig.8; to + inspect and set labels on processes, files, and interfaces. In + addition, several new tools have been added to manage labels + on objects, including &man.getfmac.8;, &man.setfmac.8;, and + &man.setfsmac.8; to manage labels on files, and &man.getpmac.8; and + &man.setpmac.8;. + + What follows is a list of policy modules shipped with FreeBSD + 5.0. + + Biba Integrity Policy (mac_biba) + + Biba Integrity Policy + + Vendor: TrustedBSD Project + Module name: mac_biba.ko + Kernel option: MAC_BIBA + The Biba Integrity Policy (XXXMANPAGE) provides + for hierarchal and non-hierarchal labeling of all system + objects with integrity data, and the strict enforcement of + an information flow policy to prevent corruption of high + integrity subjects and data by low-integrity subjects. + Integrity is enforced by preventing high integrity + subjects (generally processes) from reading load integrity + objects (often files), and preventing low integrity + subjects from writing to high integrity objects. + This security policy is frequently used in commercial + trusted systems to provide strong protection for the + Trusted Code Base (TCB). 
Because it + provides ubiquitous labeling, the Biba integrity policy + must be compiled into the kernel or loaded at boot. + + + Interface Silencing Policy (mac_ifoff) + + Interface Silencing Policy + + Vendor: TrustedBSD Project + Module name: mac_ifoff.ko + Kernel option: MAC_IFOFF + The interface silencing policy (XXXMANPAGE) + prohibits the use of network interfaces during the boot + until explicitly enabled, preventing spurious stack output + stack response to incoming packets. This is appropriate + for use in environments where the monitoring of packets + is required, but no traffic may be generated. + + + Low-Watermark Mandatory Access Control (LOMAC) + (mac_lomac) + + Low-Watermark Mandatory Access Control + + + LOMAC + + Vendor: Network Associates Laboratories + Module name: mac_lomac.ko + Kernel option: MAC_LOMAC + Similar to the Biba Integrity Policy, the LOMAC + policy (XXXMANPAGE) relies on the ubiquitous + labeling of all system objects with integrity labels. + Unlike Biba, LOMAC permits high integrity subjects to + read from low integrity objects, but then downgrades the + label on the subject to prevent future writes to high + integrity objects. This policy may provide for greater + compatibility, as well as require less initial + configuration than Biba. However, as with Biba, it + ubiquitously labels objects and must therefore be + compiled into the kernel or loaded at boot. + + + Multi-Level Security Policy (MLS) (mac_mls) + + Multi-Level Security Policy + + + MLS + + Vendor: TrustedBSD Project + Module name: mac_mls.ko + Kernel option: MAC_MLS + Multi-Level Security (MLS) + (XXXMANPAGE) provides for hierarchal and + non-hierarchal labeling of all system objects with + sensitivity data, and the strict enforcement of an + information flow policy to prevent the leakage of + confidential data to untrusted parties. 
The logical + conjugate of the Biba Integrity Policy, + MLS is frequently shipped in + commercial trusted operating systems to protect data + secrecy in multi-user environments. Hierarchal labels + provide support for the notion of clearances and + classifications in traditional parlance; non-hierarchal + labels provide support for "need-to-know". As with + Biba, ubiquitous labeling of objects occurs, and it + must therefore be compiled into the kernel or loaded + at boot. As with Biba, extensive initial configuration + may be required. + + + MAC Stub Policy (mac_none) + + MAC Stub Policy + + Vendor: TrustedBSD Project + Module name: mac_none.ko + Kernel option: MAC_NONE + The None policy (XXXMANPAGE) provides a stub + sample policy for developers, implementing all entry + points, but not changing the system access control + policy. Running this on a production system would + not be highly beneficial. + + + Process Partition Policy (mac_partition) + + Process Partition Policy + + Vendor: TrustedBSD Project + Module name: mac_partition.ko + Kernel option: MAC_PARTITION + The Partition policy (XXXMANPAGE) provides for a + simple process visibility limitation, assigning labels to + processes identifying what numeric system partition they + are present in. If none, all other processes are visible + using standard monitoring tools; if a partition identifier + is present, then only other processes in the same + partition are visible. This policy may be compiled into + the kernel, loaded at boot, or loaded at run-time. + + + See Other Uids Policy (mac_seeotheruids) + + See Other Uids Policy + + Vendor: TrustedBSD Project + Module name: mac_seeotheruids.ko + Kernel option: MAC_BIBA + The See Other Uids policy (XXXMANPAGE) implements + a similar process visibility model to mac_partition, + except that it relies on process credentials to control + visibility of processes, rather than partition labels. 
This + policy may be configured to exempt certain users and groups, + including permitting system operators to view all processes + without special privilege. This policy may be compiled into + the kernel, loaded at boot, or loaded at run-time. + + + MAC Framework Test Policy + + MAC Framework Test Policy + + Vendor: TrustedBSD Project + Module name: mac_test.ko + Kernel option: MAC_TEST + The Test policy (XXXMANPAGE) provides a regression test + environment for the MAC Framework, and will cause a + fail-stop in the event that internal MAC Framework assertions + about proper data labeling fail. This module can be used to + detect failures to properly label system objects in the kernel + implementation. This policy may be compiled into the kernel, + loaded at boot, or loaded at run-time. + + + +
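Review bot: in the second hunk the See Other Uids entry lists `Kernel option: MAC_BIBA`, which is the option already given for the Biba policy; every other entry pairs the option with its module name (mac_ifoff.ko / MAC_IFOFF, mac_partition.ko / MAC_PARTITION), so this one should name the mac_seeotheruids option (MAC_SEEOTHERUIDS). A reader who copies the option as written into a kernel config would build Biba, a ubiquitous-labeling policy that the same section says needs extensive initial configuration, instead of the lightweight visibility policy they wanted. Further points in the same hunk: the Biba paragraph says high integrity subjects are prevented "from reading load integrity objects", which should read "low integrity objects"; it expands TCB as "Trusted Code Base", whereas the conventional expansion is Trusted Computing Base; the mac_ifoff text has a duplicated word in "spurious stack output stack response"; "involes" should be "involves" and "hierarchal" should be "hierarchical" throughout. The sentence "They may also be compiled directly into the kernel using the following options, if the use of modules is not desired" is not followed by any option list; either add the MAC_* options there or point the reader to the per-policy "Kernel option" fields below. Finally, the XXXMANPAGE placeholders are acknowledged in the commit message, but mac_bsdextended, named in the introduction as the file system firewall-like policy, has no entry in the policy list that follows.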