The following demonstration will implement a secure environment using various MAC modules with properly configured policies. This is only a test and should not be considered the complete answer to everyone's security woes. Just implementing a policy and ignoring it never works and could be disastrous in a production environment.
Before beginning this process, the multilabel option must be set on each file system as stated at the beginning of this chapter. Not doing so will result in errors.
Begin the procedure by adding the following user class to the /etc/login.conf file:
insecure:\
	:copyright=/etc/COPYRIGHT:\
	:welcome=/etc/motd:\
	:setenv=MAIL=/var/mail/$,BLOCKSIZE=K:\
	:path=~/bin /sbin /bin /usr/sbin /usr/bin /usr/local/sbin /usr/local/bin:\
	:manpath=/usr/share/man /usr/local/man:\
	:nologin=/usr/sbin/nologin:\
	:cputime=1h30m:\
	:datasize=8M:\
	:vmemoryuse=100M:\
	:stacksize=2M:\
	:memorylocked=4M:\
	:memoryuse=8M:\
	:filesize=8M:\
	:coredumpsize=8M:\
	:openfiles=24:\
	:maxproc=32:\
	:priority=0:\
	:requirehome:\
	:passwordtime=91d:\
	:umask=022:\
	:ignoretime@:\
	:label=partition/13,mls/5:
And adding the following line to the default user class:
:label=mls/equal,biba/equal,partition/15:
Once this is completed, the following command must be issued to rebuild the database:
# cap_mkdb /etc/login.conf
Add the following lines to /boot/loader.conf so the required modules will load during system initialization:
mac_biba_load="YES"
mac_mls_load="YES"
mac_seeotheruids_load="YES"
mac_partition_load="YES"
All user accounts that are not root or system users will now require a login class. Without one, users will be refused access to common commands such as vi(1). The following sh script should do the trick:
# for x in `awk -F: '($3 >= 1001) && ($3 != 65534) { print $1 }' \
	/etc/passwd`; do pw usermod $x -L insecure; done;
The cap_mkdb command will need to be run on /etc/master.passwd after this change.
A contexts file should now be created; the following example was taken from Robert Watson's example policy and should be placed in /etc/policy.contexts.
# This is the default BIBA/MLS policy for this system.

.*                              biba/high,mls/high
/sbin/dhclient                  biba/high(low),mls/high(low)
/dev(/.*)?                      biba/equal,mls/equal
# This is not an exhaustive list of all "privileged" devices.
/dev/mdctl                      biba/high,mls/high
/dev/pci                        biba/high,mls/high
/dev/k?mem                      biba/high,mls/high
/dev/io                         biba/high,mls/high
/dev/agp.*                      biba/high,mls/high
(/var)?/tmp(/.*)?               biba/equal,mls/equal
/tmp/\.X11-unix                 biba/high(equal),mls/high(equal)
/tmp/\.X11-unix/.*              biba/equal,mls/equal
/proc(/.*)?                     biba/equal,mls/equal
/mnt.*                          biba/low,mls/low
(/usr)?/home                    biba/high(low),mls/high(low)
(/usr)?/home/.*                 biba/low,mls/low
/var/mail(/.*)?                 biba/low,mls/low
/var/spool/mqueue(/.*)?         biba/low,mls/low
(/mnt)?/cdrom(/.*)?             biba/high,mls/high
(/usr)?/home/(ftp|samba)(/.*)?  biba/high,mls/high
/var/log/sendmail\.st           biba/low,mls/low
/var/run/utmp                   biba/equal,mls/equal
/var/log/(lastlog|wtmp)         biba/equal,mls/equal
This policy will enforce security by setting restrictions on both the downward and upward flow of information with regard to the directories and utilities listed on the left.
This can now be read into our system by issuing the following command:
# setfsmac -ef /etc/policy.contexts /
# setfsmac -ef /etc/policy.contexts /usr
Note: The above file system layout may be different depending on environment.
The /etc/mac.conf file requires the following modifications in the main section:
default_labels file ?biba,?mls
default_labels ifnet ?biba,?mls
default_labels process ?biba,?mls,?partition
default_labels socket ?biba,?mls
Add a user with the adduser command and place that user in the insecure class for these tests.
The examples below will show a mix of root and regular user tests; use the prompt to distinguish between the two.
% getpmac
biba/15(15-15),mls/15(15-15),partition/15
# setpmac partition/15,mls/equal top
Note: The top process will be killed before we start another top process.
% ps Zax
biba/15(15-15),mls/15(15-15),partition/15  1096 #C:  S      0:00.03 -su (bash)
biba/15(15-15),mls/15(15-15),partition/15  1101 #C:  R+     0:00.01 ps Zax
We should not be permitted to see any processes owned by other users.
Disable the MAC seeotheruids policy for the rest of these tests:
# sysctl security.mac.seeotheruids.enabled=0
% ps Zax
LABEL                                                   PID  TT  STAT      TIME COMMAND
biba/equal(low-high),mls/equal(low-high),partition/15  1122 #C:  S+     0:00.02 top
biba/15(15-15),mls/15(15-15),partition/15              1096 #C:  S      0:00.05 -su (bash)
biba/15(15-15),mls/15(15-15),partition/15              1123 #C:  R+     0:00.01 ps Zax
All users should be permitted to see every process in their partition.
# setpmac partition/15,mls/equal,biba/high\(high-high\) top
% ps Zax
LABEL                                                   PID  TT  STAT      TIME COMMAND
biba/high(high-high),mls/equal(low-high),partition/15  1251 #C:  S+     0:00.02 top
biba/15(15-15),mls/15(15-15),partition/15              1096 #C:  S      0:00.06 -su (bash)
biba/15(15-15),mls/15(15-15),partition/15              1157 #C:  R+     0:00.00 ps Zax
The Biba policy allows us to read higher-labeled objects.
# setpmac partition/15,mls/equal,biba/low top
% ps Zax
LABEL                                       PID  TT  STAT      TIME COMMAND
biba/15(15-15),mls/15(15-15),partition/15  1096 #C:  S      0:00.07 -su (bash)
biba/15(15-15),mls/15(15-15),partition/15  1226 #C:  R+     0:00.01 ps Zax
The Biba policy does not allow lower-labeled objects to be read; however, MLS does.
% ifconfig bge0 | grep maclabel
maclabel biba/low(low-low),mls/low(low-low)
% ping -c 1 192.0.34.166
PING 192.0.34.166 (192.0.34.166): 56 data bytes
ping: sendto: Permission denied
Users are unable to ping example.com, or any domain for that matter.
To prevent this error from occurring, run the following command:
# sysctl security.mac.biba.trust_all_interfaces=1
This sets the default interface label to insecure mode, so the default Biba policy label will not be enforced.
# ifconfig bge0 maclabel biba/equal\(low-high\),mls/equal\(low-high\)
% ping -c 1 192.0.34.166
PING 192.0.34.166 (192.0.34.166): 56 data bytes
64 bytes from 192.0.34.166: icmp_seq=0 ttl=50 time=204.455 ms
--- 192.0.34.166 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/stddev = 204.455/204.455/204.455/0.000 ms
By setting a more correct label, we can issue ping requests.
Now to create a few files for some read and write testing procedures:
# touch test1 test2 test3 test4 test5
# getfmac test1
test1: biba/equal,mls/equal
# setfmac biba/low test1 test2; setfmac biba/high test4 test5; \
	setfmac mls/low test1 test3; setfmac mls/high test2 test4
# setfmac mls/equal,biba/equal test3 && getfmac test?
test1: biba/low,mls/low
test2: biba/low,mls/high
test3: biba/equal,mls/equal
test4: biba/high,mls/high
test5: biba/high,mls/equal
# chown testuser:testuser test?
All of these files should now be owned by our testuser user. And now for some read tests:
% ls
test1 test2 test3 test4 test5
% ls test?
ls: test1: Permission denied
ls: test2: Permission denied
ls: test4: Permission denied
test3 test5
We should not be permitted to observe files labeled with the pairs (biba/low,mls/low), (biba/low,mls/high) and (biba/high,mls/high). And of course, read access should be denied. Now for some write tests:
% for i in `echo test*`; do echo 1 > $i; done
-su: test1: Permission denied
-su: test4: Permission denied
-su: test5: Permission denied
Like with the read tests, write access should not be permitted to write pairs; e.g.: (biba/low,mls/high) and (biba/equal,mls/equal).
% cat test?
cat: test1: Permission denied
cat: test2: Permission denied
1
cat: test4: Permission denied
And now as root:
# cat test2
1
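The Permission denied results in the terminal output above come from Biba and MLS applying opposite rules to the same access. The following is an added example, not part of the original Handbook text, that models both checks and reproduces those results for test1 through test5. It assumes the test user's process runs at grade 15 in both policies and ignores ranges, compartments, the partition policy and ordinary file permissions; all function names are hypothetical.

```python
import math

# Labels copied from the getfmac output above; the subject is the test
# user's process label, reduced to its effective grade (an assumption:
# ranges, compartments, partition and file permissions are not modelled).
SUBJECT = "biba/15,mls/15"
FILES = {
    "test1": "biba/low,mls/low",
    "test2": "biba/low,mls/high",
    "test3": "biba/equal,mls/equal",
    "test4": "biba/high,mls/high",
    "test5": "biba/high,mls/equal",
}

def parse(label):
    """'biba/low,mls/high' -> {'biba': 'low', 'mls': 'high'}"""
    return dict(part.split("/", 1) for part in label.split(","))

def rank(grade):
    """Order grades: low < any numeric grade < high."""
    special = {"low": -math.inf, "high": math.inf}
    return special[grade] if grade in special else int(grade)

def dominates(a, b):
    """True if grade a >= grade b; 'equal' is exempt from the comparison."""
    return "equal" in (a, b) or rank(a) >= rank(b)

def can_read(subj, obj):
    # Biba: no read down (object integrity must dominate the subject's).
    # MLS: no read up (subject sensitivity must dominate the object's).
    return dominates(obj["biba"], subj["biba"]) and dominates(subj["mls"], obj["mls"])

def can_write(subj, obj):
    # Biba: no write up. MLS: no write down.
    return dominates(subj["biba"], obj["biba"]) and dominates(obj["mls"], subj["mls"])

def access_table():
    """Map each file name to (read_allowed, write_allowed)."""
    subj = parse(SUBJECT)
    return {name: (can_read(subj, parse(lbl)), can_write(subj, parse(lbl)))
            for name, lbl in FILES.items()}

if __name__ == "__main__":
    for name, (r, w) in access_table().items():
        print(f"{name}: read={'ok' if r else 'denied'} write={'ok' if w else 'denied'}")
```

Only test2 is writable but not readable by the test user, which is why its content is confirmed with cat as root.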
Generated: 2007-01-26 17:58:42