From a6f5a0961d443ce77e383684dd08ca75fe00dcfe Mon Sep 17 00:00:00 2001 From: Dru Lavigne Date: Mon, 31 Mar 2014 16:36:57 +0000 Subject: [PATCH] Finish editorial review of MAC chapter. Switch examples to put the easiest one first. Sponsored by: iXsystems --- .../books/handbook/mac/chapter.xml | 544 +++++++++--------- 1 file changed, 267 insertions(+), 277 deletions(-) diff --git a/en_US.ISO8859-1/books/handbook/mac/chapter.xml b/en_US.ISO8859-1/books/handbook/mac/chapter.xml index b33b4f1c87..d7c13ede94 100644 --- a/en_US.ISO8859-1/books/handbook/mac/chapter.xml +++ b/en_US.ISO8859-1/books/handbook/mac/chapter.xml @@ -45,8 +45,8 @@ - Which MAC security policy modules - are included in &os; and their associated mechanisms. + The terminology associated with the + MAC framework. @@ -56,13 +56,13 @@ - How to efficiently configure a system to use the + The considerations to take into account before + configuring a system to use the MAC framework. - - How to configure the different security policy modules - included with the MAC framework. + Which MAC security policy modules + are included in &os; and how to configure them. 
@@ -1355,240 +1355,12 @@ test: biba/low - - Nagios in a MAC Jail - - - Nagios in a MAC Jail - - - The following demonstration implements a secure - environment using various MAC modules - with properly configured policies. This is only a test as - implementing a policy and ignoring it could be disastrous in a - production environment. - - Before beginning this process, - must be set on each file system as not doing so will result in - errors. This example assumes that - net-mgmt/nagios-plugins, - net-mgmt/nagios, and - www/apache22 are all installed, configured, - and working correctly. - - - Create an Insecure User Class - - Begin the procedure by adding the following user class - to /etc/login.conf: - - insecure:\ -:copyright=/etc/COPYRIGHT:\ -:welcome=/etc/motd:\ -:setenv=MAIL=/var/mail/$,BLOCKSIZE=K:\ -:path=~/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin -:manpath=/usr/share/man /usr/local/man:\ -:nologin=/usr/sbin/nologin:\ -:cputime=1h30m:\ -:datasize=8M:\ -:vmemoryuse=100M:\ -:stacksize=2M:\ -:memorylocked=4M:\ -:memoryuse=8M:\ -:filesize=8M:\ -:coredumpsize=8M:\ -:openfiles=24:\ -:maxproc=32:\ -:priority=0:\ -:requirehome:\ -:passwordtime=91d:\ -:umask=022:\ -:ignoretime@:\ -:label=biba/10(10-10): - - Add the following line to the default user class: - - :label=biba/high: - - Next, issue the following command to rebuild the - database: - - &prompt.root; cap_mkdb /etc/login.conf - - - - Boot Configuration - - Add the following lines to - /boot/loader.conf: - - mac_biba_load="YES" -mac_seeotheruids_load="YES" - - - - Configure Users - - Set the root - user to the default class using: - - &prompt.root; pw usermod root -L default - - All user accounts that are not root or system users will now - require a login class. The login class is required otherwise - users will be refused access to common commands such as - &man.vi.1;. 
The following sh script should - do the trick: - - &prompt.root; for x in `awk -F: '($3 >= 1001) && ($3 != 65534) { print $1 }' \ - /etc/passwd`; do pw usermod $x -L default; done; - - Drop the nagios - and www users into - the insecure class: - - &prompt.root; pw usermod nagios -L insecure - - &prompt.root; pw usermod www -L insecure - - - - - Create the Contexts File - - A contexts file should now be created as - /etc/policy.contexts. - - # This is the default BIBA policy for this system. - -# System: -/var/run(/.*)? biba/equal - -/dev/(/.*)? biba/equal - -/var biba/equal -/var/spool(/.*)? biba/equal - -/var/log(/.*)? biba/equal - -/tmp(/.*)? biba/equal -/var/tmp(/.*)? biba/equal - -/var/spool/mqueue biba/equal -/var/spool/clientmqueue biba/equal - -# For Nagios: -/usr/local/etc/nagios(/.*)? biba/10 - -/var/spool/nagios(/.*)? biba/10 - -# For apache -/usr/local/etc/apache(/.*)? biba/10 - - This policy enforces security by setting restrictions - on the flow of information. In this specific configuration, - users, including root, should never be - allowed to access Nagios. - Configuration files and processes that are a part of - Nagios will be completely self - contained or jailed. - - This file will be read by the system by issuing the - following command: - - &prompt.root; setfsmac -ef /etc/policy.contexts / -&prompt.root; setfsmac -ef /etc/policy.contexts / - - - The above file system layout will differ depending - upon the environment and must be run on every file - system. - - - /etc/mac.conf requires the following - modifications in the main section: - - default_labels file ?biba -default_labels ifnet ?biba -default_labels process ?biba -default_labels socket ?biba - - - - Enable Networking - - Add the following line to - /boot/loader.conf: - - security.mac.biba.trust_all_interfaces=1 - - And the following to the network card configuration stored - in rc.conf. 
If the primary Internet - configuration is done via DHCP, this may - need to be configured manually after every system boot: - - maclabel biba/equal - - - - Testing the Configuration - - - MAC Configuration Testing - - - Ensure that the web server and - Nagios will not be started on - system initialization and reboot. Ensure the root user cannot access any of - the files in the Nagios - configuration directory. If root can issue an &man.ls.1; - command on /var/spool/nagios, something - is wrong. Otherwise a permission denied error - should be returned. - - If all seems well, Nagios, - Apache, and - Sendmail can now be started: - - &prompt.root; cd /etc/mail && make stop && \ -setpmac biba/equal make start && setpmac biba/10\(10-10\) apachectl start && \ -setpmac biba/10\(10-10\) /usr/local/etc/rc.d/nagios.sh forcestart - - Double check to ensure that everything is working - properly. If not, check the log files for error messages. - Use &man.sysctl.8; to disable the &man.mac.biba.4; security - policy module enforcement and try starting everything again as - usual. - - - The root user - can still change the security enforcement and edit its - configuration files. The following command will permit the - degradation of the security policy to a lower grade for a - newly spawned shell: - - &prompt.root; setpmac biba/10 csh - - To block this from happening, force the user into a - range using &man.login.conf.5;. If &man.setpmac.8; attempts - to run a command outside of the compartment's range, an - error will be returned and the command will not be executed. - In this case, set root to - biba/high(high-high). - - - - User Lock Down This example considers a relatively small storage system with fewer than fifty users. Users will have login - capabilities, and be permitted to store data and access + capabilities and are permitted to store data and access resources. For this scenario, the &man.mac.bsdextended.4; and 
@@ -1633,6 +1405,222 @@ setpmac biba/10\(10-10\) /usr/local/etc/rc.d/nagios.sh forcestart + + Nagios in a MAC Jail + + + Nagios in a MAC Jail + + + This section demonstrates the steps that are needed to + implement the Nagios network + monitoring system in a MAC environment. + This is meant as an example which still requires the administrator + to test that the implemented policy meets the security + requirements of the network before using in a + production environment. + + This example requires + to be set on each file system. It also + assumes that + net-mgmt/nagios-plugins, + net-mgmt/nagios, and + www/apache22 are all installed, configured, + and working correctly before attempting the integration into the + MAC framework. + + + Create an Insecure User Class + + Begin the procedure by adding the following user class + to /etc/login.conf: + + insecure:\ +:copyright=/etc/COPYRIGHT:\ +:welcome=/etc/motd:\ +:setenv=MAIL=/var/mail/$,BLOCKSIZE=K:\ +:path=~/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin +:manpath=/usr/share/man /usr/local/man:\ +:nologin=/usr/sbin/nologin:\ +:cputime=1h30m:\ +:datasize=8M:\ +:vmemoryuse=100M:\ +:stacksize=2M:\ +:memorylocked=4M:\ +:memoryuse=8M:\ +:filesize=8M:\ +:coredumpsize=8M:\ +:openfiles=24:\ +:maxproc=32:\ +:priority=0:\ +:requirehome:\ +:passwordtime=91d:\ +:umask=022:\ +:ignoretime@:\ +:label=biba/10(10-10): + + Then, add the following line to the default user class section: + + :label=biba/high: + + Save the edits and issue the following command to rebuild the + database: + + &prompt.root; cap_mkdb /etc/login.conf + + + + Configure Users + + Set the root + user to the default class using: + + &prompt.root; pw usermod root -L default + + All user accounts that are not root will now + require a login class. The login class is required, otherwise + users will be refused access to common commands. 
+ The following sh script should + do the trick: + + &prompt.root; for x in `awk -F: '($3 >= 1001) && ($3 != 65534) { print $1 }' \ + /etc/passwd`; do pw usermod $x -L default; done; + + Next, drop the nagios + and www accounts into + the insecure class: + + &prompt.root; pw usermod nagios -L insecure +&prompt.root; pw usermod www -L insecure + + + + + Create the Contexts File + + A contexts file should now be created as + /etc/policy.contexts: + + # This is the default BIBA policy for this system. + +# System: +/var/run(/.*)? biba/equal + +/dev/(/.*)? biba/equal + +/var biba/equal +/var/spool(/.*)? biba/equal + +/var/log(/.*)? biba/equal + +/tmp(/.*)? biba/equal +/var/tmp(/.*)? biba/equal + +/var/spool/mqueue biba/equal +/var/spool/clientmqueue biba/equal + +# For Nagios: +/usr/local/etc/nagios(/.*)? biba/10 + +/var/spool/nagios(/.*)? biba/10 + +# For apache +/usr/local/etc/apache(/.*)? biba/10 + + This policy enforces security by setting restrictions + on the flow of information. In this specific configuration, + users, including root, should never be + allowed to access Nagios. + Configuration files and processes that are a part of + Nagios will be completely self + contained or jailed. + + This file will be read after running + setfsmac on every file system. This + example sets the policy on the root file system: + + &prompt.root; setfsmac -ef /etc/policy.contexts / + + Next, add these edits + to the main section of /etc/mac.conf: + + default_labels file ?biba +default_labels ifnet ?biba +default_labels process ?biba +default_labels socket ?biba + + + + Loader Configuration + + To finish the configuration, add the following lines to + /boot/loader.conf: + + mac_biba_load="YES" +mac_seeotheruids_load="YES" +security.mac.biba.trust_all_interfaces=1 + + And the following line to the network card configuration stored + in /etc/rc.conf. 
If the primary network + configuration is done via DHCP, this may + need to be configured manually after every system boot: + + maclabel biba/equal + + + + Testing the Configuration + + + MAC Configuration Testing + + + First, ensure that the web server and + Nagios will not be started on + system initialization and reboot. Ensure that root cannot access any of + the files in the Nagios + configuration directory. If root can list the contents of + /var/spool/nagios, something + is wrong. Instead, a permission denied error + should be returned. + + If all seems well, Nagios, + Apache, and + Sendmail can now be started: + + &prompt.root; cd /etc/mail && make stop && \ +setpmac biba/equal make start && setpmac biba/10\(10-10\) apachectl start && \ +setpmac biba/10\(10-10\) /usr/local/etc/rc.d/nagios.sh forcestart + + Double check to ensure that everything is working + properly. If not, check the log files for error messages. + If needed, use &man.sysctl.8; to disable the &man.mac.biba.4; security + policy module and try starting everything again as + usual. + + + The root user + can still change the security enforcement and edit its + configuration files. The following command will permit the + degradation of the security policy to a lower grade for a + newly spawned shell: + + &prompt.root; setpmac biba/10 csh + + To block this from happening, force the user into a + range using &man.login.conf.5;. If &man.setpmac.8; attempts + to run a command outside of the compartment's range, an + error will be returned and the command will not be executed. + In this case, set root to + biba/high(high-high). + + + + Troubleshooting the MAC Framework 
@@ -1640,14 +1628,16 @@ setpmac biba/10\(10-10\) /usr/local/etc/rc.d/nagios.sh forcestartMAC Troubleshooting - This section discusses common configuration issues. + This section discusses common configuration errors and how + to resolve them. + + + + The flag does not stay + enabled on the root (/) + partition: - - The flag does not stay - enabled on my root (/) - partition! - The following steps may resolve this transient error: @@ -1687,12 +1677,13 @@ setpmac biba/10\(10-10\) /usr/local/etc/rc.d/nagios.sh forcestart + - - After establishing a secure environment with - MAC, I am no longer able to start - Xorg! - + + After establishing a secure environment with + MAC, + Xorg no longer starts: + This could be caused by the MAC partition policy or by a mislabeling in one of the MAC labeling policies. To @@ -1700,7 +1691,7 @@ setpmac biba/10\(10-10\) /usr/local/etc/rc.d/nagios.sh forcestart - Check the error message; if the user is in the + Check the error message. If the user is in the insecure class, the partition policy may be the culprit. Try setting the user's class back to the 
@@ -1710,36 +1701,35 @@ setpmac biba/10\(10-10\) /usr/local/etc/rc.d/nagios.sh forcestart - Double-check the label policies. Ensure that the - policies are set correctly for the user, the Xorg - application, and the /dev + Double-check that the label policies + are set correctly for the user, Xorg, + and the /dev entries. If neither of these resolve the problem, send the error message and a description of the environment to - the &a.questions; mailing list. + the &a.questions;. + - - The error: _secure_path: unable to stat - .login_conf shows up. - - When a user attempts to switch from the + The _secure_path: unable to stat + .login_conf error appears: + + This error can appear when a user attempts to switch from the root user to another user in - the system, the error message _secure_path: - unable to stat .login_conf appears. - - This message is usually shown when the user has a higher + the system. This message usually occurs when the user has a higher label setting than that of the user they are attempting to - become. For instance, joe has a default label of - . The root user, who has a label - of , cannot view biba/low and root has a label + of , root cannot view joe's home directory. This will happen whether or not root has used 
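Review bot: The rewritten _secure_path paragraph now reads "For instance, joe has a default label of biba/low and root has a label of [...], root cannot view joe's home directory", which is a comma splice; insert "so" before "root cannot view" or split it into two sentences. The list item above it still says "If neither of these resolve the problem", which should be "resolves" since "neither" is singular.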
@@ -1749,23 +1739,22 @@ setpmac biba/10\(10-10\) /usr/local/etc/rc.d/nagios.sh forcestartroot to view objects set at a lower integrity level. + - - The system no longer recognizes the root user. - - In normal or even single user mode, the root is not recognized, - whoami returns 0 (zero), and + + The system no longer recognizes root: + + When this occurs, + whoami returns 0 and su returns who are you?. - This can happen if a labeling policy has been disabled, - either by a &man.sysctl.8; or the policy module was + This can happen if a labeling policy has been disabled + by &man.sysctl.8; or the policy module was unloaded. If the policy is disabled, the login capabilities - database needs to be reconfigured with - removed. Double check - login.conf to ensure that all + database needs to be reconfigured. Double check + /etc/login.conf to ensure that all options have been removed and rebuild the database with cap_mkdb. @@ -1778,6 +1767,7 @@ setpmac biba/10\(10-10\) /usr/local/etc/rc.d/nagios.sh forcestart - + +