White space fix only. Translators can ignore.

Sponsored by:	iXsystems
This commit is contained in:
Dru Lavigne 2014-03-31 17:01:17 +00:00
parent a6f5a0961d
commit c399c50408
Notes: svn2git 2020-12-08 03:00:23 +00:00
svn path=/head/; revision=44399


@ -1414,15 +1414,13 @@ test: biba/low</screen>
<para>This section demonstrates the steps that are needed to <para>This section demonstrates the steps that are needed to
implement the <application>Nagios</application> network implement the <application>Nagios</application> network
monitoring system in a <acronym>MAC</acronym> environment. monitoring system in a <acronym>MAC</acronym> environment. This
This is meant as an example which still requires the administrator is meant as an example which still requires the administrator to
to test that the implemented policy meets the security test that the implemented policy meets the security requirements
requirements of the network before using in a of the network before using in a production environment.</para>
production environment.</para>
<para>This example requires <option>multilabel</option> <para>This example requires <option>multilabel</option> to be set
to be set on each file system. It also on each file system. It also assumes that
assumes that
<package>net-mgmt/nagios-plugins</package>, <package>net-mgmt/nagios-plugins</package>,
<package>net-mgmt/nagios</package>, and <package>net-mgmt/nagios</package>, and
<package>www/apache22</package> are all installed, configured, <package>www/apache22</package> are all installed, configured,
@ -1459,12 +1457,13 @@ test: biba/low</screen>
:ignoretime@:\ :ignoretime@:\
:label=biba/10(10-10):</programlisting> :label=biba/10(10-10):</programlisting>
<para>Then, add the following line to the default user class section:</para> <para>Then, add the following line to the default user class
section:</para>
<programlisting>:label=biba/high:</programlisting> <programlisting>:label=biba/high:</programlisting>
<para>Save the edits and issue the following command to rebuild the <para>Save the edits and issue the following command to rebuild
database:</para> the database:</para>
<screen>&prompt.root; <userinput>cap_mkdb /etc/login.conf</userinput></screen> <screen>&prompt.root; <userinput>cap_mkdb /etc/login.conf</userinput></screen>
</sect2> </sect2>
@ -1478,22 +1477,21 @@ test: biba/low</screen>
<screen>&prompt.root; <userinput>pw usermod root -L default</userinput></screen> <screen>&prompt.root; <userinput>pw usermod root -L default</userinput></screen>
<para>All user accounts that are not <systemitem <para>All user accounts that are not <systemitem
class="username">root</systemitem> will now class="username">root</systemitem> will now require a login
require a login class. The login class is required, otherwise class. The login class is required, otherwise users will be
users will be refused access to common commands. refused access to common commands. The following
The following <command>sh</command> script should <command>sh</command> script should do the trick:</para>
do the trick:</para>
<screen>&prompt.root; <userinput>for x in `awk -F: '($3 &gt;= 1001) &amp;&amp; ($3 != 65534) { print $1 }' \</userinput> <screen>&prompt.root; <userinput>for x in `awk -F: '($3 &gt;= 1001) &amp;&amp; ($3 != 65534) { print $1 }' \</userinput>
<userinput>/etc/passwd`; do pw usermod $x -L default; done;</userinput></screen> <userinput>/etc/passwd`; do pw usermod $x -L default; done;</userinput></screen>
<para>Next, drop the <systemitem class="username">nagios</systemitem> <para>Next, drop the <systemitem
and <systemitem class="username">www</systemitem> accounts into class="username">nagios</systemitem> and <systemitem
the insecure class:</para> class="username">www</systemitem> accounts into the insecure
class:</para>
<screen>&prompt.root; <userinput>pw usermod nagios -L insecure</userinput> <screen>&prompt.root; <userinput>pw usermod nagios -L insecure</userinput>
&prompt.root; <userinput>pw usermod www -L insecure</userinput></screen> &prompt.root; <userinput>pw usermod www -L insecure</userinput></screen>
</sect2> </sect2>
<sect2> <sect2>
@ -1528,8 +1526,8 @@ test: biba/low</screen>
# For apache # For apache
/usr/local/etc/apache(/.*)? biba/10</programlisting> /usr/local/etc/apache(/.*)? biba/10</programlisting>
<para>This policy enforces security by setting restrictions <para>This policy enforces security by setting restrictions on
on the flow of information. In this specific configuration, the flow of information. In this specific configuration,
users, including <systemitem users, including <systemitem
class="username">root</systemitem>, should never be class="username">root</systemitem>, should never be
allowed to access <application>Nagios</application>. allowed to access <application>Nagios</application>.
@ -1537,14 +1535,14 @@ test: biba/low</screen>
<application>Nagios</application> will be completely self <application>Nagios</application> will be completely self
contained or jailed.</para> contained or jailed.</para>
<para>This file will be read after running <para>This file will be read after running
<command>setfsmac</command> on every file system. This <command>setfsmac</command> on every file system. This
example sets the policy on the root file system:</para> example sets the policy on the root file system:</para>
<screen>&prompt.root; <userinput>setfsmac -ef /etc/policy.contexts /</userinput></screen> <screen>&prompt.root; <userinput>setfsmac -ef /etc/policy.contexts /</userinput></screen>
<para>Next, add these edits <para>Next, add these edits to the main section of
to the main section of <filename>/etc/mac.conf</filename>:</para> <filename>/etc/mac.conf</filename>:</para>
<programlisting>default_labels file ?biba <programlisting>default_labels file ?biba
default_labels ifnet ?biba default_labels ifnet ?biba
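Review bot: the paragraph states that the contexts file "will be read after running setfsmac on every file system" but the only command shown labels `/`; since the section opens by requiring multilabel on each file system, a reader is likely to stop after that one invocation. Suggest saying explicitly whether `setfsmac -ef /etc/policy.contexts` has to be repeated for each mounted file system holding Nagios or Apache paths, so that those paths do not remain unlabeled.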
@ -1557,15 +1555,16 @@ default_labels socket ?biba</programlisting>
<para>To finish the configuration, add the following lines to <para>To finish the configuration, add the following lines to
<filename>/boot/loader.conf</filename>:</para> <filename>/boot/loader.conf</filename>:</para>
<programlisting>mac_biba_load="YES" <programlisting>mac_biba_load="YES"
mac_seeotheruids_load="YES" mac_seeotheruids_load="YES"
security.mac.biba.trust_all_interfaces=1</programlisting> security.mac.biba.trust_all_interfaces=1</programlisting>
<para>And the following line to the network card configuration stored <para>And the following line to the network card configuration
in <filename>/etc/rc.conf</filename>. If the primary network stored in <filename>/etc/rc.conf</filename>. If the primary
configuration is done via <acronym>DHCP</acronym>, this may network configuration is done via <acronym>DHCP</acronym>,
need to be configured manually after every system boot:</para> this may need to be configured manually after every system
boot:</para>
<programlisting>maclabel biba/equal</programlisting> <programlisting>maclabel biba/equal</programlisting>
</sect2> </sect2>
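Review bot: `security.mac.biba.trust_all_interfaces=1` is dropped into loader.conf with no explanation of what it relaxes (network interfaces are treated as trusted rather than labelled), which the reader needs in order to weigh it against the "completely self contained or jailed" goal stated earlier in the section. Also, the rc.conf step says the `maclabel biba/equal` setting "may need to be configured manually after every system boot" under DHCP but gives neither the command to reapply it nor a way to check the interface label after boot; suggest adding both so the reader can verify the setting survived.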
@ -1580,13 +1579,13 @@ security.mac.biba.trust_all_interfaces=1</programlisting>
<para>First, ensure that the web server and <para>First, ensure that the web server and
<application>Nagios</application> will not be started on <application>Nagios</application> will not be started on
system initialization and reboot. Ensure that <systemitem system initialization and reboot. Ensure that <systemitem
class="username">root</systemitem> cannot access any of class="username">root</systemitem> cannot access any of the
the files in the <application>Nagios</application> files in the <application>Nagios</application> configuration
configuration directory. If <systemitem directory. If <systemitem class="username">root</systemitem>
class="username">root</systemitem> can list the contents of can list the contents of
<filename>/var/spool/nagios</filename>, something <filename>/var/spool/nagios</filename>, something is wrong.
is wrong. Instead, a <quote>permission denied</quote> error Instead, a <quote>permission denied</quote> error should be
should be returned.</para> returned.</para>
<para>If all seems well, <application>Nagios</application>, <para>If all seems well, <application>Nagios</application>,
<application>Apache</application>, and <application>Apache</application>, and
@ -1597,9 +1596,9 @@ setpmac biba/equal make start &amp;&amp; setpmac biba/10\(10-10\) apachectl star
setpmac biba/10\(10-10\) /usr/local/etc/rc.d/nagios.sh forcestart</userinput></screen> setpmac biba/10\(10-10\) /usr/local/etc/rc.d/nagios.sh forcestart</userinput></screen>
<para>Double check to ensure that everything is working <para>Double check to ensure that everything is working
properly. If not, check the log files for error messages. properly. If not, check the log files for error messages. If
If needed, use &man.sysctl.8; to disable the &man.mac.biba.4; security needed, use &man.sysctl.8; to disable the &man.mac.biba.4;
policy module and try starting everything again as security policy module and try starting everything again as
usual.</para> usual.</para>
<note> <note>
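Review bot: "use sysctl to disable the mac_biba security policy module" leaves the reader to find the knob, while every other step in this section gives the exact command. Suggest naming the sysctl documented in mac_biba(4), `security.mac.biba.enabled=0`, and stating that this is a debugging step only, to be reverted once the logs have been checked, since the whole point of the section is running the services with enforcement on.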
@ -1633,141 +1632,143 @@ setpmac biba/10\(10-10\) /usr/local/etc/rc.d/nagios.sh forcestart</userinput></s
<variablelist> <variablelist>
<varlistentry> <varlistentry>
<term>The <option>multilabel</option> flag does not stay <term>The <option>multilabel</option> flag does not stay
enabled on the root (<filename>/</filename>) enabled on the root (<filename>/</filename>)
partition:</term> partition:</term>
<listitem> <listitem>
<para>The following steps may resolve this transient <para>The following steps may resolve this transient
error:</para> error:</para>
<procedure> <procedure>
<step> <step>
<para>Edit <filename>/etc/fstab</filename> and set the <para>Edit <filename>/etc/fstab</filename> and set the
root partition to <option>ro</option> for root partition to <option>ro</option> for
read-only.</para> read-only.</para>
</step> </step>
<step> <step>
<para>Reboot into single user mode.</para> <para>Reboot into single user mode.</para>
</step> </step>
<step> <step>
<para>Run <command>tunefs</command> <option>-l <para>Run <command>tunefs</command> <option>-l
enable</option> on <filename>/</filename>.</para> enable</option> on <filename>/</filename>.</para>
</step> </step>
<step> <step>
<para>Reboot the system.</para> <para>Reboot the system.</para>
</step> </step>
<step> <step>
<para>Run <command>mount</command> <option>-urw</option> <para>Run <command>mount</command> <option>-urw</option>
<filename>/</filename> and change the <filename>/</filename> and change the
<option>ro</option> back to <option>rw</option> in <option>ro</option> back to <option>rw</option> in
<filename>/etc/fstab</filename> and reboot the system <filename>/etc/fstab</filename> and reboot the system
again.</para> again.</para>
</step> </step>
<step> <step>
<para>Double-check the output from <para>Double-check the output from
<command>mount</command> to ensure that <command>mount</command> to ensure that
<option>multilabel</option> has been properly set on the <option>multilabel</option> has been properly set on
root file system.</para> the root file system.</para>
</step> </step>
</procedure> </procedure>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term>After establishing a secure environment with <term>After establishing a secure environment with
<acronym>MAC</acronym>, <acronym>MAC</acronym>, <application>Xorg</application> no
<application>Xorg</application> no longer starts:</term> longer starts:</term>
<listitem> <listitem>
<para>This could be caused by the <acronym>MAC</acronym> <para>This could be caused by the <acronym>MAC</acronym>
<literal>partition</literal> policy or by a mislabeling in <literal>partition</literal> policy or by a mislabeling
one of the <acronym>MAC</acronym> labeling policies. To in one of the <acronym>MAC</acronym> labeling policies.
debug, try the following:</para> To debug, try the following:</para>
<procedure> <procedure>
<step> <step>
<para>Check the error message. If the user is in the <para>Check the error message. If the user is in the
<literal>insecure</literal> class, the <literal>insecure</literal> class, the
<literal>partition</literal> policy may be the culprit. <literal>partition</literal> policy may be the
Try setting the user's class back to the culprit. Try setting the user's class back to the
<literal>default</literal> class and rebuild the <literal>default</literal> class and rebuild the
database with <command>cap_mkdb</command>. If this does database with <command>cap_mkdb</command>. If this
not alleviate the problem, go to step two.</para> does not alleviate the problem, go to step two.</para>
</step> </step>
<step> <step>
<para>Double-check that the label policies <para>Double-check that the label policies are set
are set correctly for the user, <application>Xorg</application>, correctly for the user,
and the <filename>/dev</filename> <application>Xorg</application>, and the
entries.</para> <filename>/dev</filename> entries.</para>
</step> </step>
<step> <step>
<para>If neither of these resolve the problem, send the <para>If neither of these resolve the problem, send the
error message and a description of the environment to error message and a description of the environment to
the &a.questions;.</para> the &a.questions;.</para>
</step> </step>
</procedure> </procedure>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term>The <errorname>_secure_path: unable to stat <term>The <errorname>_secure_path: unable to stat
.login_conf</errorname> error appears:</term> .login_conf</errorname> error appears:</term>
<listitem> <listitem>
<para>This error can appear when a user attempts to switch from the <systemitem <para>This error can appear when a user attempts to switch
class="username">root</systemitem> user to another user in from the <systemitem class="username">root</systemitem>
the system. This message usually occurs when the user has a higher user to another user in the system. This message
label setting than that of the user they are attempting to usually occurs when the user has a higher label setting
become. For instance, if <systemitem than that of the user they are attempting to become.
class="username">joe</systemitem> has a default label of For instance, if <systemitem
<option>biba/low</option> and <systemitem class="username">joe</systemitem> has a default label
class="username">root</systemitem> has a label of <option>biba/low</option> and <systemitem
of <option>biba/high</option>, <systemitem class="username">root</systemitem> has a label of
class="username">root</systemitem> cannot view <systemitem <option>biba/high</option>, <systemitem
class="username">joe</systemitem>'s home directory. This class="username">root</systemitem> cannot view
will happen whether or not <systemitem <systemitem class="username">joe</systemitem>'s home
class="username">root</systemitem> has used directory. This will happen whether or not <systemitem
<command>su</command> to become <systemitem class="username">root</systemitem> has used
class="username">joe</systemitem> as the Biba integrity <command>su</command> to become <systemitem
model will not permit <systemitem class="username">joe</systemitem> as the Biba
class="username">root</systemitem> to view objects set at integrity model will not permit <systemitem
a lower integrity level.</para> class="username">root</systemitem> to view objects set
</listitem> at a lower integrity level.</para>
</varlistentry> </listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term>The system no longer recognizes <systemitem <term>The system no longer recognizes <systemitem
class="username">root</systemitem>:</term> class="username">root</systemitem>:</term>
<listitem> <listitem>
<para>When this occurs, <para>When this occurs, <command>whoami</command> returns
<command>whoami</command> returns <literal>0</literal> and <literal>0</literal> and <command>su</command> returns
<command>su</command> returns <errorname>who are <errorname>who are you?</errorname>.</para>
you?</errorname>.</para>
<para>This can happen if a labeling policy has been disabled <para>This can happen if a labeling policy has been
by &man.sysctl.8; or the policy module was disabled by &man.sysctl.8; or the policy module was
unloaded. If the policy is disabled, the login capabilities unloaded. If the policy is disabled, the login
database needs to be reconfigured. Double check capabilities database needs to be reconfigured. Double
<filename>/etc/login.conf</filename> to ensure that all check <filename>/etc/login.conf</filename> to ensure
<option>label</option> options have been removed and rebuild that all <option>label</option> options have been
the database with <command>cap_mkdb</command>.</para> removed and rebuild the database with
<command>cap_mkdb</command>.</para>
<para>This may also happen if a policy restricts access to <para>This may also happen if a policy restricts access to
<filename>master.passwd</filename>. This is usually caused <filename>master.passwd</filename>. This is usually
by an administrator altering the file under a label which caused by an administrator altering the file under a
conflicts with the general policy being used by the system. label which conflicts with the general policy being used
In these cases, the user information would be read by the by the system. In these cases, the user information
system and access would be blocked as the file has inherited would be read by the system and access would be blocked
the new label. Disable the policy using &man.sysctl.8; and as the file has inherited the new label. Disable the
everything should return to normal.</para> policy using &man.sysctl.8; and everything should return
</listitem> to normal.</para>
</varlistentry> </listitem>
</variablelist> </varlistentry>
</variablelist>
</sect1> </sect1>
</chapter> </chapter>
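Review bot: the last entry ("The system no longer recognizes root") ends with "Disable the policy using sysctl and everything should return to normal" but never says to correct the label that `master.passwd` inherited, so the same failure will recur the moment the policy is re-enabled. Suggest adding a step to relabel the file (setfmac(8)) under the system's general policy before re-enabling, and the same "rebuild with cap_mkdb" reminder the preceding paragraph already gives for the login.conf case.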