aboutsummaryrefslogtreecommitdiff
path: root/en_US.ISO8859-1/books/handbook/mac
diff options
context:
space:
mode:
authorGabor Kovesdan <gabor@FreeBSD.org>2013-11-07 15:39:28 +0000
committerGabor Kovesdan <gabor@FreeBSD.org>2013-11-07 15:39:28 +0000
commit24d129e8d1984a0b46a543bc523b63d216813bb0 (patch)
tree7dd0501c857c6f2139f4a71191c93bf19136412a /en_US.ISO8859-1/books/handbook/mac
parent35f1d6c78be90eb13320d655cd68f94333a0ab26 (diff)
downloaddoc-24d129e8d1984a0b46a543bc523b63d216813bb0.tar.gz
doc-24d129e8d1984a0b46a543bc523b63d216813bb0.zip
- Definitively upgrade to DocBook 5.0
Notes
Notes: svn path=/projects/db5/; revision=43125
Diffstat (limited to 'en_US.ISO8859-1/books/handbook/mac')
-rw-r--r--en_US.ISO8859-1/books/handbook/mac/chapter.xml137
1 files changed, 65 insertions, 72 deletions
diff --git a/en_US.ISO8859-1/books/handbook/mac/chapter.xml b/en_US.ISO8859-1/books/handbook/mac/chapter.xml
index 835959f2ab..52289f3590 100644
--- a/en_US.ISO8859-1/books/handbook/mac/chapter.xml
+++ b/en_US.ISO8859-1/books/handbook/mac/chapter.xml
@@ -3,21 +3,16 @@
The FreeBSD Documentation Project
$FreeBSD$
-->
-
-<chapter id="mac">
- <chapterinfo>
+<chapter xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0" xml:id="mac">
+ <info><title>Mandatory Access Control</title>
<authorgroup>
- <author>
- <firstname>Tom</firstname>
- <surname>Rhodes</surname>
- <contrib>Written by </contrib>
- </author>
+ <author><personname><firstname>Tom</firstname><surname>Rhodes</surname></personname><contrib>Written by </contrib></author>
</authorgroup>
- </chapterinfo>
+ </info>
- <title>Mandatory Access Control</title>
+
- <sect1 id="mac-synopsis">
+ <sect1 xml:id="mac-synopsis">
<title>Synopsis</title>
<indexterm><primary>MAC</primary></indexterm>
@@ -27,8 +22,8 @@
</indexterm>
<para>&os;&nbsp;5.X introduced new security extensions from the
- <ulink url="http://www.trustedbsd.org">TrustedBSD
- Project</ulink> based on the &posix;.1e draft. Two of the
+ <link xlink:href="http://www.trustedbsd.org">TrustedBSD
+ Project</link> based on the &posix;.1e draft. Two of the
most significant new security mechanisms are file system Access
Control Lists (<acronym>ACL</acronym>s) and Mandatory Access
Control (<acronym>MAC</acronym>) facilities. MAC allows new
@@ -131,7 +126,7 @@
</sect2>
</sect1>
- <sect1 id="mac-inline-glossary">
+ <sect1 xml:id="mac-inline-glossary">
<title>Key Terms in This Chapter</title>
<para>Before reading this chapter, a few key terms must be
@@ -251,7 +246,7 @@
</itemizedlist>
</sect1>
- <sect1 id="mac-initial">
+ <sect1 xml:id="mac-initial">
<title>Explanation of MAC</title>
<para>With all of these new terms in mind, consider how the
@@ -326,7 +321,7 @@
</caution>
</sect1>
- <sect1 id="mac-understandlabel">
+ <sect1 xml:id="mac-understandlabel">
<title>Understanding MAC Labels</title>
<para>A <acronym>MAC</acronym> label is a security attribute
@@ -375,12 +370,12 @@
<para>In most cases, the administrator will set up a single label
to use throughout the file system. This is similar to
<acronym>DAC</acronym> to some extent as
- <username>root</username> is the one in control and who
+ <systemitem class="username">root</systemitem> is the one in control and who
configures the policies so that users are placed in the
appropriate categories/access levels. Alas, many policy modules
- can restrict the <username>root</username> user as well. Basic
+ can restrict the <systemitem class="username">root</systemitem> user as well. Basic
control over objects will then be released to the group, but
- <username>root</username> may revoke or modify the settings
+ <systemitem class="username">root</systemitem> may revoke or modify the settings
at any time. This is the hierarchical/clearance model covered
by policies such as Biba and <acronym>MLS</acronym>.</para>
@@ -693,7 +688,7 @@ test: biba/high</screen>
</sect2>
</sect1>
- <sect1 id="mac-planning">
+ <sect1 xml:id="mac-planning">
<title>Planning the Security Configuration</title>
<para>Whenever a new technology is implemented, a planning phase
@@ -742,7 +737,7 @@ test: biba/high</screen>
choice.</para>
</sect1>
- <sect1 id="mac-modules">
+ <sect1 xml:id="mac-modules">
<title>Module Configuration</title>
<para>Beginning with &os;&nbsp;8.0, the default &os; kernel
@@ -768,7 +763,7 @@ test: biba/high</screen>
option is called <option>multilabel</option>.</para>
</sect1>
- <sect1 id="mac-seeotheruids">
+ <sect1 xml:id="mac-seeotheruids">
<title>The MAC See Other UIDs Policy</title>
<indexterm>
@@ -823,7 +818,7 @@ test: biba/high</screen>
</itemizedlist>
</sect1>
- <sect1 id="mac-bsdextended">
+ <sect1 xml:id="mac-bsdextended">
<title>The MAC BSD Extended Policy</title>
<indexterm>
@@ -872,7 +867,7 @@ test: biba/high</screen>
<para>By default, no rules are defined and everything is
completely accessible. To create a rule which will block all
- access by users but leave <username>root</username>
+ access by users but leave <systemitem class="username">root</systemitem>
unaffected, run the following command:</para>
<screen>&prompt.root; <userinput>ugidfw add subject not uid root new object not uid root mode n</userinput></screen>
@@ -880,21 +875,21 @@ test: biba/high</screen>
<para>This is a very bad idea as it will block all users from
issuing even the most simple commands, such as
<command>ls</command>. The next example will block
- <username>user1</username> any and all access, including
+ <systemitem class="username">user1</systemitem> any and all access, including
directory listings, to
- <username><replaceable>user2</replaceable></username>'s home
+ <systemitem class="username"><replaceable>user2</replaceable></systemitem>'s home
directory:</para>
- <screen>&prompt.root; <userinput>ugidfw set 2 subject uid <replaceable>user1</replaceable> object uid <replaceable>user2</replaceable> mode n</userinput>
-&prompt.root; <userinput>ugidfw set 3 subject uid <replaceable>user1</replaceable> object gid <replaceable>user2</replaceable> mode n</userinput></screen>
+ <screen>&prompt.root; <userinput>ugidfw set 2 subject uid user1 object uid user2 mode n</userinput>
+&prompt.root; <userinput>ugidfw set 3 subject uid user1 object gid user2 mode n</userinput></screen>
- <para>Instead of <username>user1</username>,
+ <para>Instead of <systemitem class="username">user1</systemitem>,
<option>not uid <replaceable>user2</replaceable></option>
could be used. This enforces the same access restrictions for
all users instead of just one user.</para>
<note>
- <para>The <username>root</username> user is unaffected by
+ <para>The <systemitem class="username">root</systemitem> user is unaffected by
these changes.</para>
</note>
@@ -903,7 +898,7 @@ test: biba/high</screen>
</sect2>
</sect1>
- <sect1 id="mac-ifoff">
+ <sect1 xml:id="mac-ifoff">
<title>The MAC Interface Silencing Policy</title>
<indexterm>
@@ -949,12 +944,12 @@ test: biba/high</screen>
monitoring in an environment where network traffic should not
be permitted during the boot sequence. Another suggested use
would be to write a script which uses
- <filename role="package">security/aide</filename> to
+ <package>security/aide</package> to
automatically block network traffic if it finds new or altered
files in protected directories.</para>
</sect1>
- <sect1 id="mac-portacl">
+ <sect1 xml:id="mac-portacl">
<title>The MAC Port Access Control List Policy</title>
<indexterm>
@@ -972,7 +967,7 @@ test: biba/high</screen>
local <acronym>TCP</acronym> and <acronym>UDP</acronym> ports
using a variety of <command>sysctl</command> variables.
&man.mac.portacl.4; makes it possible to allow
- non-<username>root</username> users to bind to specified
+ non-<systemitem class="username">root</systemitem> users to bind to specified
privileged ports below 1024.</para>
<para>Once loaded, this module enables the
@@ -994,7 +989,7 @@ test: biba/high</screen>
<listitem>
<para><varname>security.mac.portacl.suser_exempt</varname>,
when set to a non-zero value, exempts the
- <username>root</username> user from this policy.</para>
+ <systemitem class="username">root</systemitem> user from this policy.</para>
</listitem>
<listitem>
@@ -1025,7 +1020,7 @@ test: biba/high</screen>
<para>By default, ports below 1024 can only be used by or bound
to privileged processes, which run as
- <username>root</username>. For &man.mac.portacl.4; to allow
+ <systemitem class="username">root</systemitem>. For &man.mac.portacl.4; to allow
non-privileged processes to bind to ports below 1024, this
restriction has to be disabled by setting the &man.sysctl.8;
variables
@@ -1043,7 +1038,7 @@ net.inet.ip.portrange.reservedhigh=0</userinput></screen>
<sect2>
<title>Examples</title>
- <para>Since the <username>root</username> user should not be
+ <para>Since the <systemitem class="username">root</systemitem> user should not be
crippled by this policy, this example starts by setting the
<varname>security.mac.portacl.suser_exempt</varname> to a
non-zero value.</para>
@@ -1051,9 +1046,9 @@ net.inet.ip.portrange.reservedhigh=0</userinput></screen>
<screen>&prompt.root; <userinput>sysctl security.mac.portacl.suser_exempt=1</userinput></screen>
<para>Next, allow the user with <acronym>UID</acronym> 80
- to bind to port 80. This allows the <username>www</username>
+ to bind to port 80. This allows the <systemitem class="username">www</systemitem>
user to run a web server without ever having
- <username>root</username> privilege.</para>
+ <systemitem class="username">root</systemitem> privilege.</para>
<screen>&prompt.root; <userinput>sysctl security.mac.portacl.rules=uid:80:tcp:80</userinput></screen>
@@ -1068,7 +1063,7 @@ net.inet.ip.portrange.reservedhigh=0</userinput></screen>
</sect2>
</sect1>
- <sect1 id="mac-partition">
+ <sect1 xml:id="mac-partition">
<title>The MAC Partition Policy</title>
<indexterm>
@@ -1132,7 +1127,7 @@ net.inet.ip.portrange.reservedhigh=0</userinput></screen>
<screen>&prompt.root; <userinput>ps -ZU trhodes</userinput></screen>
<note>
- <para>Users can see processes in <username>root</username>'s
+ <para>Users can see processes in <systemitem class="username">root</systemitem>'s
label unless the &man.mac.seeotheruids.4; policy is
loaded.</para>
</note>
@@ -1151,7 +1146,7 @@ net.inet.ip.portrange.reservedhigh=0</userinput></screen>
</sect2>
</sect1>
- <sect1 id="mac-mls">
+ <sect1 xml:id="mac-mls">
<title>The MAC Multi-Level Security Module</title>
<indexterm>
@@ -1277,7 +1272,7 @@ net.inet.ip.portrange.reservedhigh=0</userinput></screen>
<screen>&prompt.root; <userinput>getfmac test</userinput></screen>
<para>Another approach is to create a master policy file in
- <filename class="directory">/etc/</filename> which specifies the
+ <filename>/etc/</filename> which specifies the
<acronym>MLS</acronym> policy information and to feed that file
to <command>setfmac</command>. This method will be explained
after all policies are covered.</para>
@@ -1310,7 +1305,7 @@ net.inet.ip.portrange.reservedhigh=0</userinput></screen>
</sect2>
</sect1>
- <sect1 id="mac-biba">
+ <sect1 xml:id="mac-biba">
<title>The MAC Biba Module</title>
<indexterm>
@@ -1465,7 +1460,7 @@ test: biba/low</screen>
</sect2>
</sect1>
- <sect1 id="mac-lomac">
+ <sect1 xml:id="mac-lomac">
<title>The MAC LOMAC Module</title>
<indexterm>
@@ -1516,7 +1511,7 @@ test: biba/low</screen>
</sect2>
</sect1>
- <sect1 id="mac-implementing">
+ <sect1 xml:id="mac-implementing">
<title>Nagios in a MAC Jail</title>
<indexterm>
@@ -1531,10 +1526,9 @@ test: biba/low</screen>
<para>Before beginning this process, <option>multilabel</option>
must be set on each file system as not doing so will result in
- errors. This example assumes that <filename
- role="package">net-mngt/nagios-plugins</filename>,
- <filename role="package">net-mngt/nagios</filename>, and
- <filename role="package">www/apache22</filename> are all
+ errors. This example assumes that <package>net-mngt/nagios-plugins</package>,
+ <package>net-mngt/nagios</package>, and
+ <package>www/apache22</package> are all
installed, configured, and working correctly.</para>
<sect2>
@@ -1590,12 +1584,12 @@ mac_seeotheruids_load="YES"</programlisting>
<sect2>
<title>Configure Users</title>
- <para>Set the <username>root</username> user to the default
+ <para>Set the <systemitem class="username">root</systemitem> user to the default
class using:</para>
<screen>&prompt.root; <userinput>pw usermod root -L default</userinput></screen>
- <para>All user accounts that are not <username>root</username>
+ <para>All user accounts that are not <systemitem class="username">root</systemitem>
or system users will now require a login class. The login
class is required otherwise users will be refused access
to common commands such as &man.vi.1;. The following
@@ -1604,8 +1598,8 @@ mac_seeotheruids_load="YES"</programlisting>
<screen>&prompt.root; <userinput>for x in `awk -F: '($3 &gt;= 1001) &amp;&amp; ($3 != 65534) { print $1 }' \</userinput>
<userinput>/etc/passwd`; do pw usermod $x -L default; done;</userinput></screen>
- <para>Drop the <username>nagios</username> and
- <username>www</username> users into the insecure class:</para>
+ <para>Drop the <systemitem class="username">nagios</systemitem> and
+ <systemitem class="username">www</systemitem> users into the insecure class:</para>
<screen>&prompt.root; <userinput>pw usermod nagios -L insecure</userinput></screen>
@@ -1656,7 +1650,7 @@ mac_seeotheruids_load="YES"</programlisting>
<para>This policy enforces security by setting restrictions
on the flow of information. In this specific configuration,
- users, including <username>root</username>, should never be
+ users, including <systemitem class="username">root</systemitem>, should never be
allowed to access <application>Nagios</application>.
Configuration files and processes that are a part of
<application>Nagios</application> will be completely self
@@ -1709,9 +1703,9 @@ default_labels socket ?biba</programlisting>
<para>Ensure that the web server and
<application>Nagios</application> will not be started on
system initialization and reboot. Ensure the
- <username>root</username> user cannot access any of the files
+ <systemitem class="username">root</systemitem> user cannot access any of the files
in the <application>Nagios</application> configuration
- directory. If <username>root</username> can issue an
+ directory. If <systemitem class="username">root</systemitem> can issue an
&man.ls.1; command on <filename>/var/spool/nagios</filename>,
something is wrong. Otherwise a <quote>permission
denied</quote> error should be returned.</para>
@@ -1731,7 +1725,7 @@ setpmac biba/10\(10-10\) /usr/local/etc/rc.d/nagios.sh forcestart</userinput></s
usual.</para>
<note>
- <para>The <username>root</username> user can still change the
+ <para>The <systemitem class="username">root</systemitem> user can still change the
security enforcement and edit its configuration files. The
following command will permit the degradation of the
security policy to a lower grade for a newly spawned
@@ -1749,7 +1743,7 @@ setpmac biba/10\(10-10\) /usr/local/etc/rc.d/nagios.sh forcestart</userinput></s
</sect2>
</sect1>
- <sect1 id="mac-userlocked">
+ <sect1 xml:id="mac-userlocked">
<title>User Lock Down</title>
<para>This example considers a relatively small storage system
@@ -1786,7 +1780,7 @@ setpmac biba/10\(10-10\) /usr/local/etc/rc.d/nagios.sh forcestart</userinput></s
of other users are visible. Verify that running &man.ls.1; on
another user's home directory fails.</para>
- <para>Do not try to test with the <username>root</username> user
+ <para>Do not try to test with the <systemitem class="username">root</systemitem> user
unless the specific <command>sysctl</command>s have been
modified to block super user access.</para>
@@ -1798,7 +1792,7 @@ setpmac biba/10\(10-10\) /usr/local/etc/rc.d/nagios.sh forcestart</userinput></s
</note>
</sect1>
- <sect1 id="mac-troubleshoot">
+ <sect1 xml:id="mac-troubleshoot">
<title>Troubleshooting the MAC Framework</title>
<indexterm>
@@ -1876,8 +1870,7 @@ setpmac biba/10\(10-10\) /usr/local/etc/rc.d/nagios.sh forcestart</userinput></s
<step>
<para>Double-check the label policies. Ensure that the
policies are set correctly for the user, the Xorg
- application, and the <filename
- class="directory">/dev</filename> entries.</para>
+ application, and the <filename>/dev</filename> entries.</para>
</step>
<step>
@@ -1893,30 +1886,30 @@ setpmac biba/10\(10-10\) /usr/local/etc/rc.d/nagios.sh forcestart</userinput></s
.login_conf</errorname> shows up.</para>
<para>When a user attempts to switch from the
- <username>root</username> user to another user in the system,
+ <systemitem class="username">root</systemitem> user to another user in the system,
the error message <errorname>_secure_path: unable to stat
.login_conf</errorname> appears.</para>
<para>This message is usually shown when the user has a higher
label setting than that of the user they are attempting to
- become. For instance, <username>joe</username> has a default
+ become. For instance, <systemitem class="username">joe</systemitem> has a default
label of <option>biba/low</option>. The
- <username>root</username> user, who has a label of
+ <systemitem class="username">root</systemitem> user, who has a label of
<option>biba/high</option>, cannot view
- <username>joe</username>'s home directory. This will happen
- whether or not <username>root</username> has used
- <command>su</command> to become <username>joe</username> as
+ <systemitem class="username">joe</systemitem>'s home directory. This will happen
+ whether or not <systemitem class="username">root</systemitem> has used
+ <command>su</command> to become <systemitem class="username">joe</systemitem> as
the Biba integrity model will not permit
- <username>root</username> to view objects set at a lower
+ <systemitem class="username">root</systemitem> to view objects set at a lower
integrity level.</para>
</listitem>
<listitem>
<para>The system no longer recognizes the
- <username>root</username> user.</para>
+ <systemitem class="username">root</systemitem> user.</para>
<para>In normal or even single user mode, the
- <username>root</username> is not recognized,
+ <systemitem class="username">root</systemitem> is not recognized,
<command>whoami</command> returns 0 (zero), and
<command>su</command> returns <errorname>who are
you?</errorname>.</para>