os/doc
3
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

White space fix only. Translators can ignore.

Browse source 
Sponsored by:	iXsystems
This commit is contained in:
Dru Lavigne 2014-03-31 17:01:17 +00:00
parent a6f5a0961d
commit c399c50408
Notes: svn2git 2020-12-08 03:00:23 +00:00 
svn path=/head/; revision=44399
1 changed files with 152 additions and 151 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

303
en_US.ISO8859-1/books/handbook/mac/chapter.xml
View file

@ -1414,15 +1414,13 @@ test: biba/low</screen>
<para>This section demonstrates the steps that are needed to
implement the <application>Nagios</application> network
monitoring system in a <acronym>MAC</acronym> environment.
This is meant as an example which still requires the administrator
to test that the implemented policy meets the security
requirements of the network before using in a
production environment.</para>
monitoring system in a <acronym>MAC</acronym> environment. This
is meant as an example which still requires the administrator to
test that the implemented policy meets the security requirements
of the network before using in a production environment.</para>
<para>This example requires <option>multilabel</option>
to be set on each file system. It also
assumes that
<para>This example requires <option>multilabel</option> to be set
on each file system. It also assumes that
<package>net-mgmt/nagios-plugins</package>,
<package>net-mgmt/nagios</package>, and
<package>www/apache22</package> are all installed, configured,
@ -1459,12 +1457,13 @@ test: biba/low</screen>
:ignoretime@:\
:label=biba/10(10-10):</programlisting>
<para>Then, add the following line to the default user class section:</para>
<para>Then, add the following line to the default user class
section:</para>
<programlisting>:label=biba/high:</programlisting>
<para>Save the edits and issue the following command to rebuild the
database:</para>
<para>Save the edits and issue the following command to rebuild
the database:</para>
<screen>&prompt.root; <userinput>cap_mkdb /etc/login.conf</userinput></screen>
</sect2>
@ -1478,22 +1477,21 @@ test: biba/low</screen>
<screen>&prompt.root; <userinput>pw usermod root -L default</userinput></screen>
<para>All user accounts that are not <systemitem
class="username">root</systemitem> will now
require a login class. The login class is required, otherwise
users will be refused access to common commands.
The following <command>sh</command> script should
do the trick:</para>
class="username">root</systemitem> will now require a login
class. The login class is required, otherwise users will be
refused access to common commands. The following
<command>sh</command> script should do the trick:</para>
<screen>&prompt.root; <userinput>for x in `awk -F: '($3 &gt;= 1001) &amp;&amp; ($3 != 65534) { print $1 }' \</userinput>
<userinput>/etc/passwd`; do pw usermod $x -L default; done;</userinput></screen>
<para>Next, drop the <systemitem class="username">nagios</systemitem>
and <systemitem class="username">www</systemitem> accounts into
the insecure class:</para>
<para>Next, drop the <systemitem
class="username">nagios</systemitem> and <systemitem
class="username">www</systemitem> accounts into the insecure
class:</para>
<screen>&prompt.root; <userinput>pw usermod nagios -L insecure</userinput>
&prompt.root; <userinput>pw usermod www -L insecure</userinput></screen>
</sect2>
<sect2>
@ -1528,8 +1526,8 @@ test: biba/low</screen>
# For apache
/usr/local/etc/apache(/.*)? biba/10</programlisting>
<para>This policy enforces security by setting restrictions
on the flow of information. In this specific configuration,
<para>This policy enforces security by setting restrictions on
the flow of information. In this specific configuration,
users, including <systemitem
class="username">root</systemitem>, should never be
allowed to access <application>Nagios</application>.
@ -1537,14 +1535,14 @@ test: biba/low</screen>
<application>Nagios</application> will be completely self
contained or jailed.</para>
<para>This file will be read after running
<para>This file will be read after running
<command>setfsmac</command> on every file system. This
example sets the policy on the root file system:</para>
<screen>&prompt.root; <userinput>setfsmac -ef /etc/policy.contexts /</userinput></screen>
<para>Next, add these edits
to the main section of <filename>/etc/mac.conf</filename>:</para>
<para>Next, add these edits to the main section of
<filename>/etc/mac.conf</filename>:</para>
<programlisting>default_labels file ?biba
default_labels ifnet ?biba
@ -1557,15 +1555,16 @@ default_labels socket ?biba</programlisting>
<para>To finish the configuration, add the following lines to
<filename>/boot/loader.conf</filename>:</para>
<programlisting>mac_biba_load="YES"
mac_seeotheruids_load="YES"
security.mac.biba.trust_all_interfaces=1</programlisting>
<para>And the following line to the network card configuration stored
in <filename>/etc/rc.conf</filename>. If the primary network
configuration is done via <acronym>DHCP</acronym>, this may
need to be configured manually after every system boot:</para>
<para>And the following line to the network card configuration
stored in <filename>/etc/rc.conf</filename>. If the primary
network configuration is done via <acronym>DHCP</acronym>,
this may need to be configured manually after every system
boot:</para>
<programlisting>maclabel biba/equal</programlisting>
</sect2>
@ -1580,13 +1579,13 @@ security.mac.biba.trust_all_interfaces=1</programlisting>
<para>First, ensure that the web server and
<application>Nagios</application> will not be started on
system initialization and reboot. Ensure that <systemitem
class="username">root</systemitem> cannot access any of
the files in the <application>Nagios</application>
configuration directory. If <systemitem
class="username">root</systemitem> can list the contents of
<filename>/var/spool/nagios</filename>, something
is wrong. Instead, a <quote>permission denied</quote> error
should be returned.</para>
class="username">root</systemitem> cannot access any of the
files in the <application>Nagios</application> configuration
directory. If <systemitem class="username">root</systemitem>
can list the contents of
<filename>/var/spool/nagios</filename>, something is wrong.
Instead, a <quote>permission denied</quote> error should be
returned.</para>
<para>If all seems well, <application>Nagios</application>,
<application>Apache</application>, and
@ -1597,9 +1596,9 @@ setpmac biba/equal make start &amp;&amp; setpmac biba/10\(10-10\) apachectl star
setpmac biba/10\(10-10\) /usr/local/etc/rc.d/nagios.sh forcestart</userinput></screen>
<para>Double check to ensure that everything is working
properly. If not, check the log files for error messages.
If needed, use &man.sysctl.8; to disable the &man.mac.biba.4; security
policy module and try starting everything again as
properly. If not, check the log files for error messages. If
needed, use &man.sysctl.8; to disable the &man.mac.biba.4;
security policy module and try starting everything again as
usual.</para>
<note>
@ -1633,141 +1632,143 @@ setpmac biba/10\(10-10\) /usr/local/etc/rc.d/nagios.sh forcestart</userinput></s
<variablelist>
<varlistentry>
<term>The <option>multilabel</option> flag does not stay
<term>The <option>multilabel</option> flag does not stay
enabled on the root (<filename>/</filename>)
partition:</term>
<listitem>
<para>The following steps may resolve this transient
error:</para>
<listitem>
<para>The following steps may resolve this transient
error:</para>
<procedure>
<step>
<para>Edit <filename>/etc/fstab</filename> and set the
root partition to <option>ro</option> for
read-only.</para>
</step>
<procedure>
<step>
<para>Edit <filename>/etc/fstab</filename> and set the
root partition to <option>ro</option> for
read-only.</para>
</step>
<step>
<para>Reboot into single user mode.</para>
</step>
<step>
<para>Reboot into single user mode.</para>
</step>
<step>
<para>Run <command>tunefs</command> <option>-l
enable</option> on <filename>/</filename>.</para>
</step>
<step>
<para>Run <command>tunefs</command> <option>-l
enable</option> on <filename>/</filename>.</para>
</step>
<step>
<para>Reboot the system.</para>
</step>
<step>
<para>Reboot the system.</para>
</step>
<step>
<para>Run <command>mount</command> <option>-urw</option>
<filename>/</filename> and change the
<option>ro</option> back to <option>rw</option> in
<filename>/etc/fstab</filename> and reboot the system
again.</para>
</step>
<step>
<para>Run <command>mount</command> <option>-urw</option>
<filename>/</filename> and change the
<option>ro</option> back to <option>rw</option> in
<filename>/etc/fstab</filename> and reboot the system
again.</para>
</step>
<step>
<para>Double-check the output from
<command>mount</command> to ensure that
<option>multilabel</option> has been properly set on the
root file system.</para>
</step>
</procedure>
</listitem>
</varlistentry>
<step>
<para>Double-check the output from
<command>mount</command> to ensure that
<option>multilabel</option> has been properly set on
the root file system.</para>
</step>
</procedure>
</listitem>
</varlistentry>
<varlistentry>
<term>After establishing a secure environment with
<acronym>MAC</acronym>,
<application>Xorg</application> no longer starts:</term>
<listitem>
<para>This could be caused by the <acronym>MAC</acronym>
<literal>partition</literal> policy or by a mislabeling in
one of the <acronym>MAC</acronym> labeling policies. To
debug, try the following:</para>
<acronym>MAC</acronym>, <application>Xorg</application> no
longer starts:</term>
<listitem>
<para>This could be caused by the <acronym>MAC</acronym>
<literal>partition</literal> policy or by a mislabeling
in one of the <acronym>MAC</acronym> labeling policies.
To debug, try the following:</para>
<procedure>
<step>
<para>Check the error message. If the user is in the
<literal>insecure</literal> class, the
<literal>partition</literal> policy may be the culprit.
Try setting the user's class back to the
<literal>default</literal> class and rebuild the
database with <command>cap_mkdb</command>. If this does
not alleviate the problem, go to step two.</para>
</step>
<procedure>
<step>
<para>Check the error message. If the user is in the
<literal>insecure</literal> class, the
<literal>partition</literal> policy may be the
culprit. Try setting the user's class back to the
<literal>default</literal> class and rebuild the
database with <command>cap_mkdb</command>. If this
does not alleviate the problem, go to step two.</para>
</step>
<step>
<para>Double-check that the label policies
are set correctly for the user, <application>Xorg</application>,
and the <filename>/dev</filename>
entries.</para>
</step>
<step>
<para>Double-check that the label policies are set
correctly for the user,
<application>Xorg</application>, and the
<filename>/dev</filename> entries.</para>
</step>
<step>
<para>If neither of these resolve the problem, send the
error message and a description of the environment to
the &a.questions;.</para>
</step>
</procedure>
</listitem>
</varlistentry>
<step>
<para>If neither of these resolve the problem, send the
error message and a description of the environment to
the &a.questions;.</para>
</step>
</procedure>
</listitem>
</varlistentry>
<varlistentry>
<term>The <errorname>_secure_path: unable to stat
.login_conf</errorname> error appears:</term>
<listitem>
<para>This error can appear when a user attempts to switch from the <systemitem
class="username">root</systemitem> user to another user in
the system. This message usually occurs when the user has a higher
label setting than that of the user they are attempting to
become. For instance, if <systemitem
class="username">joe</systemitem> has a default label of
<option>biba/low</option> and <systemitem
class="username">root</systemitem> has a label
of <option>biba/high</option>, <systemitem
class="username">root</systemitem> cannot view <systemitem
class="username">joe</systemitem>'s home directory. This
will happen whether or not <systemitem
class="username">root</systemitem> has used
<command>su</command> to become <systemitem
class="username">joe</systemitem> as the Biba integrity
model will not permit <systemitem
class="username">root</systemitem> to view objects set at
a lower integrity level.</para>
</listitem>
</varlistentry>
<listitem>
<para>This error can appear when a user attempts to switch
from the <systemitem class="username">root</systemitem>
user to another user in the system. This message
usually occurs when the user has a higher label setting
than that of the user they are attempting to become.
For instance, if <systemitem
class="username">joe</systemitem> has a default label
of <option>biba/low</option> and <systemitem
class="username">root</systemitem> has a label of
<option>biba/high</option>, <systemitem
class="username">root</systemitem> cannot view
<systemitem class="username">joe</systemitem>'s home
directory. This will happen whether or not <systemitem
class="username">root</systemitem> has used
<command>su</command> to become <systemitem
class="username">joe</systemitem> as the Biba
integrity model will not permit <systemitem
class="username">root</systemitem> to view objects set
at a lower integrity level.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>The system no longer recognizes <systemitem
class="username">root</systemitem>:</term>
<listitem>
<para>When this occurs,
<command>whoami</command> returns <literal>0</literal> and
<command>su</command> returns <errorname>who are
you?</errorname>.</para>
<listitem>
<para>When this occurs, <command>whoami</command> returns
<literal>0</literal> and <command>su</command> returns
<errorname>who are you?</errorname>.</para>
<para>This can happen if a labeling policy has been disabled
by &man.sysctl.8; or the policy module was
unloaded. If the policy is disabled, the login capabilities
database needs to be reconfigured. Double check
<filename>/etc/login.conf</filename> to ensure that all
<option>label</option> options have been removed and rebuild
the database with <command>cap_mkdb</command>.</para>
<para>This can happen if a labeling policy has been
disabled by &man.sysctl.8; or the policy module was
unloaded. If the policy is disabled, the login
capabilities database needs to be reconfigured. Double
check <filename>/etc/login.conf</filename> to ensure
that all <option>label</option> options have been
removed and rebuild the database with
<command>cap_mkdb</command>.</para>
<para>This may also happen if a policy restricts access to
<filename>master.passwd</filename>. This is usually caused
by an administrator altering the file under a label which
conflicts with the general policy being used by the system.
In these cases, the user information would be read by the
system and access would be blocked as the file has inherited
the new label. Disable the policy using &man.sysctl.8; and
everything should return to normal.</para>
</listitem>
</varlistentry>
</variablelist>
<para>This may also happen if a policy restricts access to
<filename>master.passwd</filename>. This is usually
caused by an administrator altering the file under a
label which conflicts with the general policy being used
by the system. In these cases, the user information
would be read by the system and access would be blocked
as the file has inherited the new label. Disable the
policy using &man.sysctl.8; and everything should return
to normal.</para>
</listitem>
</varlistentry>
</variablelist>
</sect1>
</chapter>