Finish editorial review of MAC chapter.

Switch examples to put the easiest one first.

Sponsored by:	iXsystems
This commit is contained in:
Dru Lavigne 2014-03-31 16:36:57 +00:00
parent 38bc8da495
commit a6f5a0961d
Notes: svn2git 2020-12-08 03:00:23 +00:00
svn path=/head/; revision=44398

@ -45,8 +45,8 @@
<itemizedlist>
<listitem>
<para>Which <acronym>MAC</acronym> security policy modules
are included in &os; and their associated mechanisms.</para>
<para>The terminology associated with the
<acronym>MAC</acronym> framework.</para>
</listitem>
<listitem>
@ -56,13 +56,13 @@
</listitem>
<listitem>
<para>How to efficiently configure a system to use the
<para>The considerations to take into account before
configuring a system to use the
<acronym>MAC</acronym> framework.</para>
</listitem>
<listitem>
<para>How to configure the different security policy modules
included with the <acronym>MAC</acronym> framework.</para>
<para>Which <acronym>MAC</acronym> security policy modules
are included in &os; and how to configure them.</para>
</listitem>
<listitem>
@ -1355,240 +1355,12 @@ test: biba/low</screen>
</sect2>
</sect1>
<sect1 xml:id="mac-implementing">
<title>Nagios in a MAC Jail</title>
<indexterm>
<primary>Nagios in a MAC Jail</primary>
</indexterm>
<para>The following demonstration implements a secure
environment using various <acronym>MAC</acronym> modules
with properly configured policies. This is only a test as
implementing a policy and ignoring it could be disastrous in a
production environment.</para>
<para>Before beginning this process, <option>multilabel</option>
must be set on each file system as not doing so will result in
errors. This example assumes that
<package>net-mgmt/nagios-plugins</package>,
<package>net-mgmt/nagios</package>, and
<package>www/apache22</package> are all installed, configured,
and working correctly.</para>
<sect2>
<title>Create an Insecure User Class</title>
<para>Begin the procedure by adding the following user class
to <filename>/etc/login.conf</filename>:</para>
<programlisting>insecure:\
:copyright=/etc/COPYRIGHT:\
:welcome=/etc/motd:\
:setenv=MAIL=/var/mail/$,BLOCKSIZE=K:\
:path=~/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin
:manpath=/usr/share/man /usr/local/man:\
:nologin=/usr/sbin/nologin:\
:cputime=1h30m:\
:datasize=8M:\
:vmemoryuse=100M:\
:stacksize=2M:\
:memorylocked=4M:\
:memoryuse=8M:\
:filesize=8M:\
:coredumpsize=8M:\
:openfiles=24:\
:maxproc=32:\
:priority=0:\
:requirehome:\
:passwordtime=91d:\
:umask=022:\
:ignoretime@:\
:label=biba/10(10-10):</programlisting>
<para>Add the following line to the default user class:</para>
<programlisting>:label=biba/high:</programlisting>
<para>Next, issue the following command to rebuild the
database:</para>
<screen>&prompt.root; <userinput>cap_mkdb /etc/login.conf</userinput></screen>
</sect2>
<sect2>
<title>Boot Configuration</title>
<para>Add the following lines to
<filename>/boot/loader.conf</filename>:</para>
<programlisting>mac_biba_load="YES"
mac_seeotheruids_load="YES"</programlisting>
</sect2>
<sect2>
<title>Configure Users</title>
<para>Set the <systemitem class="username">root</systemitem>
user to the default class using:</para>
<screen>&prompt.root; <userinput>pw usermod root -L default</userinput></screen>
<para>All user accounts that are not <systemitem
class="username">root</systemitem> or system users will now
require a login class. The login class is required otherwise
users will be refused access to common commands such as
&man.vi.1;. The following <command>sh</command> script should
do the trick:</para>
<screen>&prompt.root; <userinput>for x in `awk -F: '($3 &gt;= 1001) &amp;&amp; ($3 != 65534) { print $1 }' \</userinput>
<userinput>/etc/passwd`; do pw usermod $x -L default; done;</userinput></screen>
<para>Drop the <systemitem class="username">nagios</systemitem>
and <systemitem class="username">www</systemitem> users into
the insecure class:</para>
<screen>&prompt.root; <userinput>pw usermod nagios -L insecure</userinput></screen>
<screen>&prompt.root; <userinput>pw usermod www -L insecure</userinput></screen>
</sect2>
<sect2>
<title>Create the Contexts File</title>
<para>A contexts file should now be created as
<filename>/etc/policy.contexts</filename>.</para>
<programlisting># This is the default BIBA policy for this system.
# System:
/var/run(/.*)? biba/equal
/dev/(/.*)? biba/equal
/var biba/equal
/var/spool(/.*)? biba/equal
/var/log(/.*)? biba/equal
/tmp(/.*)? biba/equal
/var/tmp(/.*)? biba/equal
/var/spool/mqueue biba/equal
/var/spool/clientmqueue biba/equal
# For Nagios:
/usr/local/etc/nagios(/.*)? biba/10
/var/spool/nagios(/.*)? biba/10
# For apache
/usr/local/etc/apache(/.*)? biba/10</programlisting>
<para>This policy enforces security by setting restrictions
on the flow of information. In this specific configuration,
users, including <systemitem
class="username">root</systemitem>, should never be
allowed to access <application>Nagios</application>.
Configuration files and processes that are a part of
<application>Nagios</application> will be completely self
contained or jailed.</para>
<para>This file will be read by the system by issuing the
following command:</para>
<screen>&prompt.root; <userinput>setfsmac -ef /etc/policy.contexts /</userinput>
&prompt.root; <userinput>setfsmac -ef /etc/policy.contexts /</userinput></screen>
<note>
<para>The above file system layout will differ depending
upon the environment and must be run on every file
system.</para>
</note>
<para><filename>/etc/mac.conf</filename> requires the following
modifications in the main section:</para>
<programlisting>default_labels file ?biba
default_labels ifnet ?biba
default_labels process ?biba
default_labels socket ?biba</programlisting>
</sect2>
<sect2>
<title>Enable Networking</title>
<para>Add the following line to
<filename>/boot/loader.conf</filename>:</para>
<programlisting>security.mac.biba.trust_all_interfaces=1</programlisting>
<para>And the following to the network card configuration stored
in <filename>rc.conf</filename>. If the primary Internet
configuration is done via <acronym>DHCP</acronym>, this may
need to be configured manually after every system boot:</para>
<programlisting>maclabel biba/equal</programlisting>
</sect2>
<sect2>
<title>Testing the Configuration</title>
<indexterm>
<primary>MAC Configuration Testing</primary>
</indexterm>
<para>Ensure that the web server and
<application>Nagios</application> will not be started on
system initialization and reboot. Ensure the <systemitem
class="username">root</systemitem> user cannot access any of
the files in the <application>Nagios</application>
configuration directory. If <systemitem
class="username">root</systemitem> can issue an &man.ls.1;
command on <filename>/var/spool/nagios</filename>, something
is wrong. Otherwise a <quote>permission denied</quote> error
should be returned.</para>
<para>If all seems well, <application>Nagios</application>,
<application>Apache</application>, and
<application>Sendmail</application> can now be started:</para>
<screen>&prompt.root; <userinput>cd /etc/mail &amp;&amp; make stop &amp;&amp; \
setpmac biba/equal make start &amp;&amp; setpmac biba/10\(10-10\) apachectl start &amp;&amp; \
setpmac biba/10\(10-10\) /usr/local/etc/rc.d/nagios.sh forcestart</userinput></screen>
<para>Double check to ensure that everything is working
properly. If not, check the log files for error messages.
Use &man.sysctl.8; to disable the &man.mac.biba.4; security
policy module enforcement and try starting everything again as
usual.</para>
<note>
<para>The <systemitem class="username">root</systemitem> user
can still change the security enforcement and edit its
configuration files. The following command will permit the
degradation of the security policy to a lower grade for a
newly spawned shell:</para>
<screen>&prompt.root; <userinput>setpmac biba/10 csh</userinput></screen>
<para>To block this from happening, force the user into a
range using &man.login.conf.5;. If &man.setpmac.8; attempts
to run a command outside of the compartment's range, an
error will be returned and the command will not be executed.
In this case, set root to
<literal>biba/high(high-high)</literal>.</para>
</note>
</sect2>
</sect1>
<sect1 xml:id="mac-userlocked">
<title>User Lock Down</title>
<para>This example considers a relatively small storage system
with fewer than fifty users. Users will have login
capabilities, and be permitted to store data and access
capabilities and are permitted to store data and access
resources.</para>
<para>For this scenario, the &man.mac.bsdextended.4; and
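Review bot: this hunk removes the whole "Nagios in a MAC Jail" sect1 (including its xml:id="mac-implementing") from this position so it can be re-added after the "User Lock Down" section; when comparing it against the re-added copy, note that the duplicated `setfsmac -ef /etc/policy.contexts /` prompt line in the removed copy is intentionally collapsed to one, and that the removed copy had "Boot Configuration" (loading mac_biba) before the setfsmac step. The only other change in this hunk is the sentence fix in mac-userlocked, where "and be permitted" becomes "and are permitted", which is correct.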
@ -1633,6 +1405,222 @@ setpmac biba/10\(10-10\) /usr/local/etc/rc.d/nagios.sh forcestart</userinput></s
</note>
</sect1>
<sect1 xml:id="mac-implementing">
<title>Nagios in a MAC Jail</title>
<indexterm>
<primary>Nagios in a MAC Jail</primary>
</indexterm>
<para>This section demonstrates the steps that are needed to
implement the <application>Nagios</application> network
monitoring system in a <acronym>MAC</acronym> environment.
This is meant as an example which still requires the administrator
to test that the implemented policy meets the security
requirements of the network before using in a
production environment.</para>
<para>This example requires <option>multilabel</option>
to be set on each file system. It also
assumes that
<package>net-mgmt/nagios-plugins</package>,
<package>net-mgmt/nagios</package>, and
<package>www/apache22</package> are all installed, configured,
and working correctly before attempting the integration into the
<acronym>MAC</acronym> framework.</para>
<sect2>
<title>Create an Insecure User Class</title>
<para>Begin the procedure by adding the following user class
to <filename>/etc/login.conf</filename>:</para>
<programlisting>insecure:\
:copyright=/etc/COPYRIGHT:\
:welcome=/etc/motd:\
:setenv=MAIL=/var/mail/$,BLOCKSIZE=K:\
:path=~/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin
:manpath=/usr/share/man /usr/local/man:\
:nologin=/usr/sbin/nologin:\
:cputime=1h30m:\
:datasize=8M:\
:vmemoryuse=100M:\
:stacksize=2M:\
:memorylocked=4M:\
:memoryuse=8M:\
:filesize=8M:\
:coredumpsize=8M:\
:openfiles=24:\
:maxproc=32:\
:priority=0:\
:requirehome:\
:passwordtime=91d:\
:umask=022:\
:ignoretime@:\
:label=biba/10(10-10):</programlisting>
<para>Then, add the following line to the default user class section:</para>
<programlisting>:label=biba/high:</programlisting>
<para>Save the edits and issue the following command to rebuild the
database:</para>
<screen>&prompt.root; <userinput>cap_mkdb /etc/login.conf</userinput></screen>
</sect2>
<sect2>
<title>Configure Users</title>
<para>Set the <systemitem class="username">root</systemitem>
user to the default class using:</para>
<screen>&prompt.root; <userinput>pw usermod root -L default</userinput></screen>
<para>All user accounts that are not <systemitem
class="username">root</systemitem> will now
require a login class. The login class is required, otherwise
users will be refused access to common commands.
The following <command>sh</command> script should
do the trick:</para>
<screen>&prompt.root; <userinput>for x in `awk -F: '($3 &gt;= 1001) &amp;&amp; ($3 != 65534) { print $1 }' \</userinput>
<userinput>/etc/passwd`; do pw usermod $x -L default; done;</userinput></screen>
<para>Next, drop the <systemitem class="username">nagios</systemitem>
and <systemitem class="username">www</systemitem> accounts into
the insecure class:</para>
<screen>&prompt.root; <userinput>pw usermod nagios -L insecure</userinput>
&prompt.root; <userinput>pw usermod www -L insecure</userinput></screen>
</sect2>
<sect2>
<title>Create the Contexts File</title>
<para>A contexts file should now be created as
<filename>/etc/policy.contexts</filename>:</para>
<programlisting># This is the default BIBA policy for this system.
# System:
/var/run(/.*)? biba/equal
/dev/(/.*)? biba/equal
/var biba/equal
/var/spool(/.*)? biba/equal
/var/log(/.*)? biba/equal
/tmp(/.*)? biba/equal
/var/tmp(/.*)? biba/equal
/var/spool/mqueue biba/equal
/var/spool/clientmqueue biba/equal
# For Nagios:
/usr/local/etc/nagios(/.*)? biba/10
/var/spool/nagios(/.*)? biba/10
# For apache
/usr/local/etc/apache(/.*)? biba/10</programlisting>
<para>This policy enforces security by setting restrictions
on the flow of information. In this specific configuration,
users, including <systemitem
class="username">root</systemitem>, should never be
allowed to access <application>Nagios</application>.
Configuration files and processes that are a part of
<application>Nagios</application> will be completely self
contained or jailed.</para>
<para>This file will be read after running
<command>setfsmac</command> on every file system. This
example sets the policy on the root file system:</para>
<screen>&prompt.root; <userinput>setfsmac -ef /etc/policy.contexts /</userinput></screen>
<para>Next, add these edits
to the main section of <filename>/etc/mac.conf</filename>:</para>
<programlisting>default_labels file ?biba
default_labels ifnet ?biba
default_labels process ?biba
default_labels socket ?biba</programlisting>
</sect2>
<sect2>
<title>Loader Configuration</title>
<para>To finish the configuration, add the following lines to
<filename>/boot/loader.conf</filename>:</para>
<programlisting>mac_biba_load="YES"
mac_seeotheruids_load="YES"
security.mac.biba.trust_all_interfaces=1</programlisting>
<para>And the following line to the network card configuration stored
in <filename>/etc/rc.conf</filename>. If the primary network
configuration is done via <acronym>DHCP</acronym>, this may
need to be configured manually after every system boot:</para>
<programlisting>maclabel biba/equal</programlisting>
</sect2>
<sect2>
<title>Testing the Configuration</title>
<indexterm>
<primary>MAC Configuration Testing</primary>
</indexterm>
<para>First, ensure that the web server and
<application>Nagios</application> will not be started on
system initialization and reboot. Ensure that <systemitem
class="username">root</systemitem> cannot access any of
the files in the <application>Nagios</application>
configuration directory. If <systemitem
class="username">root</systemitem> can list the contents of
<filename>/var/spool/nagios</filename>, something
is wrong. Instead, a <quote>permission denied</quote> error
should be returned.</para>
<para>If all seems well, <application>Nagios</application>,
<application>Apache</application>, and
<application>Sendmail</application> can now be started:</para>
<screen>&prompt.root; <userinput>cd /etc/mail &amp;&amp; make stop &amp;&amp; \
setpmac biba/equal make start &amp;&amp; setpmac biba/10\(10-10\) apachectl start &amp;&amp; \
setpmac biba/10\(10-10\) /usr/local/etc/rc.d/nagios.sh forcestart</userinput></screen>
<para>Double check to ensure that everything is working
properly. If not, check the log files for error messages.
If needed, use &man.sysctl.8; to disable the &man.mac.biba.4; security
policy module and try starting everything again as
usual.</para>
<note>
<para>The <systemitem class="username">root</systemitem> user
can still change the security enforcement and edit its
configuration files. The following command will permit the
degradation of the security policy to a lower grade for a
newly spawned shell:</para>
<screen>&prompt.root; <userinput>setpmac biba/10 csh</userinput></screen>
<para>To block this from happening, force the user into a
range using &man.login.conf.5;. If &man.setpmac.8; attempts
to run a command outside of the compartment's range, an
error will be returned and the command will not be executed.
In this case, set root to
<literal>biba/high(high-high)</literal>.</para>
</note>
</sect2>
</sect1>
<sect1 xml:id="mac-troubleshoot">
<title>Troubleshooting the MAC Framework</title>
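Review bot: the `:path=` line of the insecure login class is missing its trailing `:\` continuation, so the record ends there and every capability after it, including `:label=biba/10(10-10):`, is not part of the insecure class; it should read `:path=~/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:\`. Two further points in the same hunk: the contexts entry `/dev/(/.*)? biba/equal` contains a doubled slash and so does not match `/dev/<name>`; the other entries use the `/path(/.*)?` form, so this one should be `/dev(/.*)? biba/equal`. Finally, the reordering puts "Loader Configuration" (which loads mac_biba) after the `setfsmac` step, whereas the removed copy loaded the module first; a reader following the steps in order on a system where mac_biba is not yet loaded cannot apply biba labels, so either restore the original order or state that the module must already be loaded before running `setfsmac`.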
@ -1640,14 +1628,16 @@ setpmac biba/10\(10-10\) /usr/local/etc/rc.d/nagios.sh forcestart</userinput></s
<primary>MAC Troubleshooting</primary>
</indexterm>
<para>This section discusses common configuration issues.</para>
<para>This section discusses common configuration errors and how
to resolve them.</para>
<variablelist>
<varlistentry>
<term>The <option>multilabel</option> flag does not stay
enabled on the root (<filename>/</filename>)
partition:</term>
<itemizedlist>
<listitem>
<para>The <option>multilabel</option> flag does not stay
enabled on my root (<filename>/</filename>)
partition!</para>
<para>The following steps may resolve this transient
error:</para>
@ -1687,12 +1677,13 @@ setpmac biba/10\(10-10\) /usr/local/etc/rc.d/nagios.sh forcestart</userinput></s
</step>
</procedure>
</listitem>
</varlistentry>
<listitem>
<para>After establishing a secure environment with
<acronym>MAC</acronym>, I am no longer able to start
Xorg!</para>
<varlistentry>
<term>After establishing a secure environment with
<acronym>MAC</acronym>,
<application>Xorg</application> no longer starts:</term>
<listitem>
<para>This could be caused by the <acronym>MAC</acronym>
<literal>partition</literal> policy or by a mislabeling in
one of the <acronym>MAC</acronym> labeling policies. To
@ -1700,7 +1691,7 @@ setpmac biba/10\(10-10\) /usr/local/etc/rc.d/nagios.sh forcestart</userinput></s
<procedure>
<step>
<para>Check the error message; if the user is in the
<para>Check the error message. If the user is in the
<literal>insecure</literal> class, the
<literal>partition</literal> policy may be the culprit.
Try setting the user's class back to the
@ -1710,36 +1701,35 @@ setpmac biba/10\(10-10\) /usr/local/etc/rc.d/nagios.sh forcestart</userinput></s
</step>
<step>
<para>Double-check the label policies. Ensure that the
policies are set correctly for the user, the Xorg
application, and the <filename>/dev</filename>
<para>Double-check that the label policies
are set correctly for the user, <application>Xorg</application>,
and the <filename>/dev</filename>
entries.</para>
</step>
<step>
<para>If neither of these resolve the problem, send the
error message and a description of the environment to
the &a.questions; mailing list.</para>
the &a.questions;.</para>
</step>
</procedure>
</listitem>
</varlistentry>
<listitem>
<para>The error: <errorname>_secure_path: unable to stat
.login_conf</errorname> shows up.</para>
<para>When a user attempts to switch from the <systemitem
<varlistentry>
<term>The <errorname>_secure_path: unable to stat
.login_conf</errorname> error appears:</term>
<listitem>
<para>This error can appear when a user attempts to switch from the <systemitem
class="username">root</systemitem> user to another user in
the system, the error message <errorname>_secure_path:
unable to stat .login_conf</errorname> appears.</para>
<para>This message is usually shown when the user has a higher
the system. This message usually occurs when the user has a higher
label setting than that of the user they are attempting to
become. For instance, <systemitem
become. For instance, if <systemitem
class="username">joe</systemitem> has a default label of
<option>biba/low</option>. The <systemitem
class="username">root</systemitem> user, who has a label
of <option>biba/high</option>, cannot view <systemitem
<option>biba/low</option> and <systemitem
class="username">root</systemitem> has a label
of <option>biba/high</option>, <systemitem
class="username">root</systemitem> cannot view <systemitem
class="username">joe</systemitem>'s home directory. This
will happen whether or not <systemitem
class="username">root</systemitem> has used
@ -1749,23 +1739,22 @@ setpmac biba/10\(10-10\) /usr/local/etc/rc.d/nagios.sh forcestart</userinput></s
class="username">root</systemitem> to view objects set at
a lower integrity level.</para>
</listitem>
</varlistentry>
<listitem>
<para>The system no longer recognizes the <systemitem
class="username">root</systemitem> user.</para>
<para>In normal or even single user mode, the <systemitem
class="username">root</systemitem> is not recognized,
<command>whoami</command> returns 0 (zero), and
<varlistentry>
<term>The system no longer recognizes <systemitem
class="username">root</systemitem>:</term>
<listitem>
<para>When this occurs,
<command>whoami</command> returns <literal>0</literal> and
<command>su</command> returns <errorname>who are
you?</errorname>.</para>
<para>This can happen if a labeling policy has been disabled,
either by a &man.sysctl.8; or the policy module was
<para>This can happen if a labeling policy has been disabled
by &man.sysctl.8; or the policy module was
unloaded. If the policy is disabled, the login capabilities
database needs to be reconfigured with
<option>label</option> removed. Double check
<filename>login.conf</filename> to ensure that all
database needs to be reconfigured. Double check
<filename>/etc/login.conf</filename> to ensure that all
<option>label</option> options have been removed and rebuild
the database with <command>cap_mkdb</command>.</para>
@ -1778,6 +1767,7 @@ setpmac biba/10\(10-10\) /usr/local/etc/rc.d/nagios.sh forcestart</userinput></s
the new label. Disable the policy using &man.sysctl.8; and
everything should return to normal.</para>
</listitem>
</itemizedlist>
</varlistentry>
</variablelist>
</sect1>
</chapter>