aboutsummaryrefslogtreecommitdiff
path: root/en_US.ISO8859-1/books/handbook/mac
diff options
context:
space:
mode:
authorGabor Kovesdan <gabor@FreeBSD.org>2013-02-05 09:14:34 +0000
committerGabor Kovesdan <gabor@FreeBSD.org>2013-02-05 09:14:34 +0000
commita06603e1e8c43dac65e769d0577e15561dde3acb (patch)
tree56789ede4270141e038c244e602fe2503127b62f /en_US.ISO8859-1/books/handbook/mac
parent5be98520031882d40220ca83d603138abb7ef89a (diff)
parentfbf79ce9835e43f0e5de684052af39c914b817ab (diff)
downloaddoc-a06603e1e8c43dac65e769d0577e15561dde3acb.tar.gz
doc-a06603e1e8c43dac65e769d0577e15561dde3acb.zip
- MFH
Notes
Notes: svn path=/projects/xml-tools/; revision=40889
Diffstat (limited to 'en_US.ISO8859-1/books/handbook/mac')
-rw-r--r--en_US.ISO8859-1/books/handbook/mac/chapter.xml868
1 files changed, 453 insertions, 415 deletions
diff --git a/en_US.ISO8859-1/books/handbook/mac/chapter.xml b/en_US.ISO8859-1/books/handbook/mac/chapter.xml
index 9daede6b5e..5bce8a18d0 100644
--- a/en_US.ISO8859-1/books/handbook/mac/chapter.xml
+++ b/en_US.ISO8859-1/books/handbook/mac/chapter.xml
@@ -27,38 +27,39 @@
</indexterm>
<para>&os;&nbsp;5.X introduced new security extensions from the
- TrustedBSD project based on the &posix;.1e draft. Two of the most
- significant new security mechanisms are file system Access Control
- Lists (<acronym>ACL</acronym>s) and Mandatory Access Control
- (<acronym>MAC</acronym>) facilities. Mandatory Access Control allows
- new access control modules to be loaded, implementing new security
- policies. Some provide protections of a narrow subset of the
- system, hardening a particular service. Others provide
- comprehensive labeled security across all subjects and objects.
- The mandatory part
- of the definition comes from the fact that the enforcement of
- the controls is done by administrators and the system, and is
- not left up to the discretion of users as is done with
- discretionary access control (<acronym>DAC</acronym>, the standard
- file and System V <acronym>IPC</acronym> permissions on &os;).</para>
+ TrustedBSD project based on the &posix;.1e draft. Two of the
+ most significant new security mechanisms are file system Access
+ Control Lists (<acronym>ACL</acronym>s) and Mandatory Access
+ Control (<acronym>MAC</acronym>) facilities. Mandatory Access
+ Control allows new access control modules to be loaded,
+ implementing new security policies. Some provide protections
+ of a narrow subset of the system, hardening a particular
+ service. Others provide comprehensive labeled security across
+ all subjects and objects. The mandatory part of the definition
+ comes from the fact that the enforcement of the controls is
+ done by administrators and the system, and is not left up to
+ the discretion of users as is done with discretionary access
+ control (<acronym>DAC</acronym>, the standard file and System
+ V <acronym>IPC</acronym> permissions on &os;).</para>
<para>This chapter will focus on the
- Mandatory Access Control Framework (<acronym>MAC</acronym> Framework), and a set
- of pluggable security policy modules enabling various security
- mechanisms.</para>
+ Mandatory Access Control Framework (<acronym>MAC</acronym>
+ Framework), and a set of pluggable security policy modules
+ enabling various security mechanisms.</para>
<para>After reading this chapter, you will know:</para>
<itemizedlist>
<listitem>
- <para>What <acronym>MAC</acronym> security policy modules are currently
- included in &os; and their associated mechanisms.</para>
+ <para>What <acronym>MAC</acronym> security policy modules
+ are currently included in &os; and their associated
+ mechanisms.</para>
</listitem>
<listitem>
- <para>What <acronym>MAC</acronym> security policy modules implement as
- well as the difference between a labeled and non-labeled
- policy.</para>
+ <para>What <acronym>MAC</acronym> security policy modules
+ implement as well as the difference between a labeled and
+ non-labeled policy.</para>
</listitem>
<listitem>
@@ -67,19 +68,20 @@
</listitem>
<listitem>
- <para>How to configure the different security policy modules included with the
- <acronym>MAC</acronym> framework.</para>
+ <para>How to configure the different security policy modules
+ included with the <acronym>MAC</acronym> framework.</para>
</listitem>
<listitem>
- <para>How to implement a more secure environment using the
+ <para>How to implement a more secure environment using the
<acronym>MAC</acronym> framework and the examples
shown.</para>
</listitem>
<listitem>
<para>How to test the <acronym>MAC</acronym> configuration
- to ensure the framework has been properly implemented.</para>
+ to ensure the framework has been properly
+ implemented.</para>
</listitem>
</itemizedlist>
@@ -107,36 +109,37 @@
<para>The improper use of the
information contained herein may cause loss of system access,
aggravation of users, or inability to access the features
- provided by X11. More importantly, <acronym>MAC</acronym> should not
- be relied upon to completely secure a system. The
- <acronym>MAC</acronym> framework only augments
- existing security policy; without sound security practices and
+ provided by X11. More importantly, <acronym>MAC</acronym>
+ should not be relied upon to completely secure a system. The
+ <acronym>MAC</acronym> framework only augments existing
+ security policy; without sound security practices and
regular security checks, the system will never be completely
secure.</para>
<para>It should also be noted that the examples contained
within this chapter are just that, examples. It is not
recommended that these particular settings be rolled out
- on a production system. Implementing the various security policy modules takes
- a good deal of thought and testing. One who does not fully understand
- exactly how everything works may find him or herself going
- back through the entire system and reconfiguring many files
- or directories.</para>
+ on a production system. Implementing the various security
+ policy modules takes a good deal of thought and testing. One
+ who does not fully understand exactly how everything works
+ may find him or herself going back through the entire system
+ and reconfiguring many files or directories.</para>
</warning>
<sect2>
<title>What Will Not Be Covered</title>
- <para>This chapter covers a broad range of security issues relating
- to the <acronym>MAC</acronym> framework. The
- development of new <acronym>MAC</acronym> security policy modules
- will not be covered. A number of security policy modules included with the
- <acronym>MAC</acronym> framework have specific characteristics
- which are provided for both testing and new module
- development. These include the &man.mac.test.4;,
- &man.mac.stub.4; and &man.mac.none.4;.
- For more information on these security policy modules and the various
- mechanisms they provide, please review the manual pages.</para>
+ <para>This chapter covers a broad range of security issues
+ relating to the <acronym>MAC</acronym> framework. The
+ development of new <acronym>MAC</acronym> security policy
+ modules will not be covered. A number of security policy
+ modules included with the <acronym>MAC</acronym> framework
+ have specific characteristics which are provided for both
+ testing and new module development. These include the
+ &man.mac.test.4;, &man.mac.stub.4; and &man.mac.none.4;.
+ For more information on these security policy modules and
+ the various mechanisms they provide, please review the manual
+ pages.</para>
</sect2>
</sect1>
@@ -165,29 +168,29 @@
for the purpose of accessing higher level information. In
most cases, the original level is restored after the process
is complete. Currently, the &os; <acronym>MAC</acronym>
- framework does not have a policy for this, but the definition
- is included for completeness.</para>
+ framework does not have a policy for this, but the
+ definition is included for completeness.</para>
</listitem>
<listitem>
<para><emphasis>integrity</emphasis>: Integrity, as a key
concept, is the level of trust which can be placed on data.
- As the integrity of the data is elevated, so does the ability
- to trust that data.</para>
+ As the integrity of the data is elevated, so does the
+ ability to trust that data.</para>
</listitem>
<listitem>
<para><emphasis>label</emphasis>: A label is a security
attribute which can be applied to files, directories, or
- other items in the system. It could be considered
- a confidentiality stamp; when a label is placed on
- a file it describes the security properties for that specific
+ other items in the system. It could be considered a
+ confidentiality stamp; when a label is placed on a file it
+ describes the security properties for that specific
file and will only permit access by files, users, resources,
etc. with a similar security setting. The meaning and
- interpretation of label values depends on the policy configuration: while
- some policies might treat a label as representing the
- integrity or secrecy of an object, other policies might use
- labels to hold rules for access.</para>
+ interpretation of label values depends on the policy
+ configuration: while some policies might treat a label as
+ representing the integrity or secrecy of an object, other
+ policies might use labels to hold rules for access.</para>
</listitem>
<listitem>
@@ -213,20 +216,21 @@
&man.tunefs.8; utility, during the boot operation
using the &man.fstab.5; file, or during the creation of
a new file system. This option will permit an administrator
- to apply different <acronym>MAC</acronym> labels on different
- objects. This option
- only applies to security policy modules which support labeling.</para>
+ to apply different <acronym>MAC</acronym> labels on
+ different objects. This option only applies to security
+ policy modules which support labeling.</para>
</listitem>
<listitem>
<para><emphasis>object</emphasis>: An object or system
object is an entity through which information flows
under the direction of a <emphasis>subject</emphasis>.
- This includes directories, files, fields, screens, keyboards,
- memory, magnetic storage, printers or any other data
- storage/moving device. Basically, an object is a data container or
- a system resource; access to an <emphasis>object</emphasis>
- effectively means access to the data.</para>
+ This includes directories, files, fields, screens,
+ keyboards, memory, magnetic storage, printers or any other
+ data storage/moving device. Basically, an object is a data
+ container or a system resource; access to an
+ <emphasis>object</emphasis> effectively means access to the
+ data.</para>
</listitem>
<listitem>
@@ -246,7 +250,8 @@
discussing <acronym>MLS</acronym>. A sensitivity level is
a term used to describe how important or secret the data
should be. As the sensitivity level increases, so does the
- importance of the secrecy, or confidentiality of the data.</para>
+ importance of the secrecy, or confidentiality of the
+ data.</para>
</listitem>
<listitem>
@@ -262,8 +267,8 @@
<para><emphasis>subject</emphasis>: a subject is any
active entity that causes information to flow between
<emphasis>objects</emphasis>; e.g., a user, user process,
- system process, etc. On &os;, this is almost always a thread
- acting in a process on behalf of a user.</para>
+ system process, etc. On &os;, this is almost always a
+ thread acting in a process on behalf of a user.</para>
</listitem>
</itemizedlist>
</sect1>
@@ -273,53 +278,56 @@
<para>With all of these new terms in mind, consider how the
<acronym>MAC</acronym> framework augments the security of
- the system as a whole. The various security policy modules provided by
- the <acronym>MAC</acronym> framework could be used to
- protect the network and file systems, block users from
- accessing certain ports and sockets, and more. Perhaps
- the best use of the policy modules is to blend them together, by loading
- several security policy modules at a time for a multi-layered
- security environment. In a multi-layered security environment,
- multiple policy modules are in effect to keep security in check. This
- is different to a hardening policy, which typically hardens
- elements of a system that is used only for specific purposes.
- The only downside is administrative overhead in cases of
- multiple file system labels, setting network access control
- user by user, etc.</para>
+ the system as a whole. The various security policy modules
+ provided by the <acronym>MAC</acronym> framework could be used
+ to protect the network and file systems, block users from
+ accessing certain ports and sockets, and more. Perhaps the
+ best use of the policy modules is to blend them together, by
+ loading several security policy modules at a time for a
+ multi-layered security environment. In a multi-layered security
+ environment, multiple policy modules are in effect to keep
+ security in check. This is different to a hardening policy,
+ which typically hardens elements of a system that is used only
+ for specific purposes. The only downside is administrative
+ overhead in cases of multiple file system labels, setting
+ network access control user by user, etc.</para>
<para>These downsides are minimal when compared to the lasting
- effect of the framework; for instance, the ability to pick and choose
- which policies are required for a specific configuration keeps
- performance overhead down. The reduction of support for unneeded
- policies can increase the overall performance of the system as well as
- offer flexibility of choice. A good implementation would
- consider the overall security requirements and effectively implement
- the various security policy modules offered by the framework.</para>
+ effect of the framework; for instance, the ability to pick
+ and choose which policies are required for a specific
+ configuration keeps performance overhead down. The reduction
+ of support for unneeded policies can increase the overall
+ performance of the system as well as offer flexibility of
+ choice. A good implementation would consider the overall
+ security requirements and effectively implement the various
+ security policy modules offered by the framework.</para>
<para>Thus a system utilizing <acronym>MAC</acronym> features
should at least guarantee that a user will not be permitted
to change security attributes at will; all user utilities,
programs and scripts must work within the constraints of
- the access rules provided by the selected security policy modules; and
- that total control of the <acronym>MAC</acronym> access
- rules are in the hands of the system administrator.</para>
+ the access rules provided by the selected security policy
+ modules; and that total control of the <acronym>MAC</acronym>
+ access rules are in the hands of the system
+ administrator.</para>
<para>It is the sole duty of the system administrator to
- carefully select the correct security policy modules. Some environments
- may need to limit access control over the network; in these
- cases, the &man.mac.portacl.4;, &man.mac.ifoff.4; and even
- &man.mac.biba.4; policy modules might make good starting points. In other
- cases, strict confidentiality of file system objects might
- be required. Policy modules such as &man.mac.bsdextended.4;
- and &man.mac.mls.4; exist for this purpose.</para>
+ carefully select the correct security policy modules. Some
+ environments may need to limit access control over the network;
+ in these cases, the &man.mac.portacl.4;, &man.mac.ifoff.4; and
+ even &man.mac.biba.4; policy modules might make good starting
+ points. In other cases, strict confidentiality of file system
+ objects might be required. Policy modules such as
+ &man.mac.bsdextended.4; and &man.mac.mls.4; exist for this
+ purpose.</para>
<para>Policy decisions could be made based on network
configuration. Perhaps only certain users should be permitted
access to facilities provided by &man.ssh.1; to access the
network or the Internet. The &man.mac.portacl.4; would be
- the policy module of choice for these situations. But what should be
- done in the case of file systems? Should all access to certain
- directories be severed from other groups or specific
+ the policy module of choice for these situations. But what
+ should be done in the case of file systems? Should all access
+ to certain directories be severed from other groups or specific
users? Or should we limit user or utility access to specific
files by setting certain objects as classified?</para>
@@ -330,19 +338,20 @@
project A might not be permitted to access objects written
by developers in project B. Yet they might need to access
objects created by developers in project C; that is quite a
- situation indeed. Using the different security policy modules provided by
- the <acronym>MAC</acronym> framework; users could
+ situation indeed. Using the different security policy modules
+ provided by the <acronym>MAC</acronym> framework; users could
be divided into these groups and then given access to the
appropriate areas without fear of information
leakage.</para>
- <para>Thus, each security policy module has a unique way of dealing with
- the overall security of a system. Module selection should be based
- on a well thought out security policy. In many cases, the
- overall policy may need to be revised and reimplemented on
- the system. Understanding the different security policy modules offered by
- the <acronym>MAC</acronym> framework will help administrators
- choose the best policies for their situations.</para>
+ <para>Thus, each security policy module has a unique way of
+ dealing with the overall security of a system. Module selection
+ should be based on a well thought out security policy. In many
+ cases, the overall policy may need to be revised and
+ reimplemented on the system. Understanding the different
+ security policy modules offered by the <acronym>MAC</acronym>
+ framework will help administrators choose the best policies
+ for their situations.</para>
<para>The default &os; kernel does not include the option for
the <acronym>MAC</acronym> framework; thus the following
@@ -351,7 +360,8 @@
<programlisting>options MAC</programlisting>
- <para>And the kernel will require a rebuild and a reinstall.</para>
+ <para>And the kernel will require a rebuild and a
+ reinstall.</para>
<caution>
<para>While the various manual pages for <acronym>MAC</acronym>
@@ -375,11 +385,11 @@
<para>When setting a label, the user must be able to comprehend
what it is, exactly, that is being done. The attributes
- available on an object depend on the policy module loaded, and that
- policy modules interpret their attributes in different
- ways. If improperly configured due to lack of comprehension, or
- the inability to understand the implications, the result will
- be the unexpected and perhaps, undesired, behavior of the
+ available on an object depend on the policy module loaded, and
+ that policy modules interpret their attributes in different
+ ways. If improperly configured due to lack of comprehension,
+ or the inability to understand the implications, the result
+ will be the unexpected and perhaps, undesired, behavior of the
system.</para>
<para>The security label on an object is used as a part of a
@@ -388,26 +398,27 @@
to make a decision; in other models, the labels may be processed
as part of a larger rule set, etc.</para>
- <para>For instance, setting the label of <literal>biba/low</literal>
- on a file will represent a label maintained by the Biba security policy module,
- with a value of <quote>low</quote>.</para>
+ <para>For instance, setting the label of
+ <literal>biba/low</literal> on a file will represent a label
+ maintained by the Biba security policy module, with a value
+ of <quote>low</quote>.</para>
- <para>A few policy modules which support the labeling feature in
- &os; offer three specific predefined labels. These
+ <para>A few policy modules which support the labeling feature
+ in &os; offer three specific predefined labels. These
are the low, high, and equal labels. Although they enforce
- access control in a different manner with each policy module, you
- can be sure that the low label will be the lowest setting,
+ access control in a different manner with each policy module,
+ you can be sure that the low label will be the lowest setting,
the equal label will set the subject or object to be disabled
or unaffected, and the high label will enforce the highest
setting available in the Biba and <acronym>MLS</acronym>
policy modules.</para>
- <para>Within single label file system environments, only one label may be
- used on objects. This will enforce one set of
+ <para>Within single label file system environments, only one
+ label may be used on objects. This will enforce one set of
access permissions across the entire system and in many
environments may be all that is required. There are a few
- cases where multiple labels may be set on objects
- or subjects in the file system. For those cases, the
+ cases where multiple labels may be set on objects or subjects
+ in the file system. For those cases, the
<option>multilabel</option> option may be passed to
&man.tunefs.8;.</para>
@@ -420,13 +431,14 @@
<para>In most cases the administrator will only be setting up a
single label to use throughout the file system.</para>
- <para><emphasis>Hey wait, this is similar to <acronym>DAC</acronym>!
- I thought <acronym>MAC</acronym> gave control strictly to the
- administrator.</emphasis> That statement still holds true, to some
- extent as <username>root</username> is the one in control and who
+ <para><emphasis>Hey wait, this is similar to
+ <acronym>DAC</acronym>! I thought <acronym>MAC</acronym> gave
+ control strictly to the administrator.</emphasis> That
+ statement still holds true, to some extent as
+ <username>root</username> is the one in control and who
configures the policies so that users are placed in the
- appropriate categories/access levels. Alas, many policy modules can
- restrict the <username>root</username> user as well. Basic
+ appropriate categories/access levels. Alas, many policy modules
+ can restrict the <username>root</username> user as well. Basic
control over objects will then be released to the group, but
<username>root</username> may revoke or modify the settings
at any time. This is the hierarchal/clearance model covered
@@ -457,17 +469,18 @@
error may be a <errorname>Permission denied</errorname> and
is usually obtained when the label is being set or modified
on an object which is restricted.<footnote><para>Other conditions
- may produce different failures. For instance, the file may not
- be owned by the user attempting to relabel the object, the
- object may not exist or may be read only. A mandatory policy
- will not allow the process to relabel the file, maybe because
- of a property of the file, a property of the process, or a
- property of the proposed new label value. For example: a user
- running at low integrity tries to change the label of a high
- integrity file. Or perhaps a user running at low integrity
- tries to change the label of a low integrity file to a high
- integrity label.</para></footnote> The system administrator
- may use the following commands to overcome this:</para>
+ may produce different failures. For instance, the file may
+ not be owned by the user attempting to relabel the object,
+ the object may not exist or may be read only. A mandatory
+ policy will not allow the process to relabel the file, maybe
+ because of a property of the file, a property of the
+ process, or a property of the proposed new label value. For
+ example: a user running at low integrity tries to change the
+ label of a high integrity file. Or perhaps a user running
+ at low integrity tries to change the label of a low
+ integrity file to a high integrity label.</para></footnote> The
+ system administrator may use the following commands to
+ overcome this:</para>
<screen>&prompt.root; <userinput>setfmac biba/high test</userinput>
<errorname>Permission denied</errorname>
@@ -476,15 +489,15 @@
test: biba/high</screen>
<para>As we see above, <command>setpmac</command>
- can be used to override the policy module's settings by assigning
- a different label to the invoked process. The
- <command>getpmac</command> utility is usually used with currently
- running processes, such as <application>sendmail</application>:
- although it takes a process ID in place of
- a command the logic is extremely similar. If users
- attempt to manipulate a file not in their access, subject to the
- rules of the loaded policy modules, the
- <errorname>Operation not permitted</errorname> error
+ can be used to override the policy module's settings by
+ assigning a different label to the invoked process. The
+ <command>getpmac</command> utility is usually used with
+ currently running processes, such as
+ <application>sendmail</application>: although it takes a
+ process ID in place of a command the logic is extremely
+ similar. If users attempt to manipulate a file not in their
+ access, subject to the rules of the loaded policy modules,
+ the <errorname>Operation not permitted</errorname> error
will be displayed by the <function>mac_set_link</function>
function.</para>
@@ -512,29 +525,30 @@ test: biba/high</screen>
</listitem>
<listitem>
- <para>The <literal>high</literal> label grants an object or
- subject the highest possible setting.</para>
+ <para>The <literal>high</literal> label grants an object
+ or subject the highest possible setting.</para>
</listitem>
</itemizedlist>
- <para>With respect to each policy module, each of those settings
- will instate a different information flow directive. Reading
- the proper manual pages will further explain the traits of
- these generic label configurations.</para>
+ <para>With respect to each policy module, each of those
+ settings will instate a different information flow
+ directive. Reading the proper manual pages will further
+ explain the traits of these generic label
+ configurations.</para>
- <sect4>
+ <sect4>
<title>Advanced Label Configuration</title>
<para>Numeric grade labels are used for
- <literal>comparison:compartment+compartment</literal>; thus
- the following:</para>
+ <literal>comparison:compartment+compartment</literal>;
+ thus the following:</para>
<programlisting>biba/10:2+3+6(5:2+3-20:2+3+4+5+6)</programlisting>
<para>May be interpreted as:</para>
- <para><quote>Biba Policy Label</quote>/<quote>Grade 10</quote>
- :<quote>Compartments 2, 3 and 6</quote>:
+ <para><quote>Biba Policy Label</quote>/<quote>Grade
+ 10</quote>:<quote>Compartments 2, 3 and 6</quote>:
(<quote>grade 5 ...</quote>)</para>
<para>In this example, the first grade would be considered
@@ -547,24 +561,24 @@ test: biba/high</screen>
<para>When applied to system objects, they will only have a
current grade/compartments as opposed to system subjects
- as they reflect the range of available rights in the system,
- and network interfaces, where they are used for access
- control.</para>
+ as they reflect the range of available rights in the
+ system, and network interfaces, where they are used for
+ access control.</para>
- <para>The grade and compartments in a subject and object pair
- are used to construct a relationship referred to as
+ <para>The grade and compartments in a subject and object
+ pair are used to construct a relationship referred to as
<quote>dominance</quote>, in which a subject dominates an
- object, the object dominates the subject, neither dominates
- the other, or both dominate each other. The
- <quote>both dominate</quote> case occurs when the two labels
- are equal. Due to the information flow nature of Biba, you
- have rights to a set of compartments,
+ object, the object dominates the subject, neither
+ dominates the other, or both dominate each other. The
+ <quote>both dominate</quote> case occurs when the two
+ labels are equal. Due to the information flow nature of
+ Biba, you have rights to a set of compartments,
<quote>need to know</quote>, that might correspond to
projects, but objects also have a set of compartments.
Users may have to subset their rights using
- <command>su</command> or <command>setpmac</command> in order
- to access objects in a compartment from which they are not
- restricted.</para>
+ <command>su</command> or <command>setpmac</command> in
+ order to access objects in a compartment from which they
+ are not restricted.</para>
</sect4>
</sect3>
@@ -575,11 +589,11 @@ test: biba/high</screen>
their files and processes may properly interact with the
security policy defined on the system. This is
configured through the <filename>login.conf</filename> file
- by use of login classes. Every policy module that uses labels
- will implement the user class setting.</para>
+ by use of login classes. Every policy module that uses
+ labels will implement the user class setting.</para>
- <para>An example entry containing every policy module setting is displayed
- below:</para>
+ <para>An example entry containing every policy module setting
+ is displayed below:</para>
<programlisting>default:\
:copyright=/etc/COPYRIGHT:\
@@ -657,8 +671,9 @@ test: biba/high</screen>
<para>will set the <acronym>MAC</acronym> label of
<literal>biba/equal</literal> on the &man.bge.4; interface.
When using a setting similar to
- <literal>biba/high(low-high)</literal> the entire label should
- be quoted; otherwise an error will be returned.</para>
+ <literal>biba/high(low-high)</literal> the entire label
+ should be quoted; otherwise an error will be
+ returned.</para>
<para>Each policy module which supports labeling has a tunable
which may be used to disable the <acronym>MAC</acronym>
@@ -672,7 +687,7 @@ test: biba/high</screen>
<sect2>
<title>Singlelabel or Multilabel?</title>
-<!-- Stopped here with my edits -->
+
<para>By default the system will use the
<option>singlelabel</option> option. But what does this
mean to the administrator? There are several differences
@@ -698,8 +713,8 @@ test: biba/high</screen>
<acronym>MLS</acronym> and <acronym>SEBSD</acronym>
policies.</para>
- <para>In many cases, the <option>multilabel</option> may not need
- to be set at all. Consider the following situation and
+ <para>In many cases, the <option>multilabel</option> may not
+ need to be set at all. Consider the following situation and
security model:</para>
<itemizedlist>
@@ -710,32 +725,32 @@ test: biba/high</screen>
<listitem>
<para>This machine only requires one label,
- <literal>biba/high</literal>, for everything in the system.
- Here the file system would not require the
+ <literal>biba/high</literal>, for everything in the
+ system. Here the file system would not require the
<option>multilabel</option> option as a single label
will always be in effect.</para>
</listitem>
<listitem>
- <para>But, this machine will be a web server and should have
- the web server run at <literal>biba/low</literal> to prevent
- write up capabilities. The Biba policy and how it works
- will be discussed later, so if the previous comment was
- difficult to interpret just continue reading and return.
- The server could use a separate partition set at
- <literal>biba/low</literal> for most if not all of its
- runtime state. Much is lacking from this example, for
- instance the restrictions on data, configuration and user
- settings; however, this is just a quick example to prove the
- aforementioned point.</para>
+ <para>But, this machine will be a web server and should
+ have the web server run at <literal>biba/low</literal>
+ to prevent write up capabilities. The Biba policy and
+ how it works will be discussed later, so if the previous
+ comment was difficult to interpret just continue reading
+ and return. The server could use a separate partition
+ set at <literal>biba/low</literal> for most if not all
+ of its runtime state. Much is lacking from this example,
+ for instance the restrictions on data, configuration and
+ user settings; however, this is just a quick example to
+ prove the aforementioned point.</para>
</listitem>
</itemizedlist>
<para>If any of the non-labeling policies are to be used,
then the <option>multilabel</option> option would never
- be required. These include the <literal>seeotheruids</literal>,
- <literal>portacl</literal> and <literal>partition</literal>
- policies.</para>
+ be required. These include the
+ <literal>seeotheruids</literal>, <literal>portacl</literal>
+ and <literal>partition</literal> policies.</para>
<para>It should also be noted that using
<option>multilabel</option> with a partition and establishing
@@ -766,10 +781,11 @@ test: biba/high</screen>
<sect1 id="mac-planning">
<title>Planning the Security Configuration</title>
- <para>Whenever a new technology is implemented, a planning phase is
- always a good idea. During the planning stages, an administrator
- should in general look at the <quote>big picture</quote>, trying
- to keep in view at least the following:</para>
+ <para>Whenever a new technology is implemented, a planning phase
+ is always a good idea. During the planning stages, an
+ administrator should in general look at the <quote>big
+ picture</quote>, trying to keep in view at least the
+ following:</para>
<itemizedlist>
<listitem>
@@ -781,7 +797,8 @@ test: biba/high</screen>
</listitem>
</itemizedlist>
- <para>For <acronym>MAC</acronym> installations, these include:</para>
+ <para>For <acronym>MAC</acronym> installations, these
+ include:</para>
<itemizedlist>
<listitem>
@@ -802,15 +819,16 @@ test: biba/high</screen>
</itemizedlist>
<para>It is always possible to reconfigure and change the
- system resources and security settings, it is quite often very inconvenient to
- search through the system and fix existing files and user
- accounts. Planning helps to ensure a trouble-free and efficient
- trusted system implementation. A trial run of the trusted system,
- including the configuration, is often vital and definitely
- beneficial <emphasis>before</emphasis> a <acronym>MAC</acronym>
- implementation is used on production systems. The idea of just
- letting loose on a system
- with <acronym>MAC</acronym> is like setting up for failure.</para>
+ system resources and security settings, it is quite often very
+ inconvenient to search through the system and fix existing
+ files and user accounts. Planning helps to ensure a
+ trouble-free and efficient trusted system implementation. A
+ trial run of the trusted system, including the configuration,
+ is often vital and definitely beneficial
+ <emphasis>before</emphasis> a <acronym>MAC</acronym>
+ implementation is used on production systems. The idea of
+ just letting loose on a system with <acronym>MAC</acronym> is
+ like setting up for failure.</para>
<para>Different environments may have explicit needs and
requirements. Establishing an in depth and complete security
@@ -841,11 +859,11 @@ test: biba/high</screen>
be a consideration of this chapter. Some modules support
the use of labeling, which is controlling access by enforcing
a label such as <quote>this is allowed and this is not</quote>.
- A label configuration file may control how files may be accessed,
- network communication can be exchanged, and more. The previous
- section showed how the <option>multilabel</option> flag could
- be set on file systems to enable per-file or per-partition
- access control.</para>
+ A label configuration file may control how files may be
+ accessed, network communication can be exchanged, and more.
+ The previous section showed how the <option>multilabel</option>
+ flag could be set on file systems to enable per-file or
+ per-partition access control.</para>
<para>A single label configuration would enforce only one label
across the system, that is why the <command>tunefs</command>
@@ -893,8 +911,8 @@ test: biba/high</screen>
To exempt specific groups from this policy, use the
<literal>security.mac.seeotheruids.specificgid=<replaceable>XXX</replaceable></literal>
<command>sysctl</command> tunable. In the above example,
- the <replaceable>XXX</replaceable> should be replaced with the
- numeric group ID to be exempted.</para>
+ the <replaceable>XXX</replaceable> should be replaced with
+ the numeric group ID to be exempted.</para>
</listitem>
<listitem>
@@ -912,8 +930,8 @@ test: biba/high</screen>
<title>The MAC bsdextended Module</title>
<indexterm>
- <primary>MAC</primary>
- <secondary>File System Firewall Policy</secondary>
+ <primary>MAC</primary>
+ <secondary>File System Firewall Policy</secondary>
</indexterm>
<para>Module name: <filename>mac_bsdextended.ko</filename></para>
@@ -926,21 +944,21 @@ test: biba/high</screen>
<para>The &man.mac.bsdextended.4; module enforces the file system
firewall. This module's policy provides an extension to the
standard file system permissions model, permitting an
- administrator to create a firewall-like ruleset to protect files,
- utilities, and directories in the file system hierarchy. When
- access to a file system object is attempted, the list of rules
- is iterated until either a matching rule is located or the end
- is reached. This behavior may be changed by the use of a
- &man.sysctl.8; parameter,
+ administrator to create a firewall-like ruleset to protect
+ files, utilities, and directories in the file system hierarchy.
+ When access to a file system object is attempted, the list of
+ rules is iterated until either a matching rule is located or
+ the end is reached. This behavior may be changed by the use
+ of a &man.sysctl.8; parameter,
security.mac.bsdextended.firstmatch_enabled. Similar to
- other firewall modules in &os;, a file containing access control
- rules can be created and read by the system at boot time using
- an &man.rc.conf.5; variable.</para>
+ other firewall modules in &os;, a file containing access
+ control rules can be created and read by the system at boot
+ time using an &man.rc.conf.5; variable.</para>
- <para>The rule list may be entered using a utility, &man.ugidfw.8;,
- that has a syntax similar to that of &man.ipfw.8;. More tools
- can be written by using the functions in the
- &man.libugidfw.3; library.</para>
+ <para>The rule list may be entered using a utility,
+ &man.ugidfw.8;, that has a syntax similar to that of
+ &man.ipfw.8;. More tools can be written by using the functions
+ in the &man.libugidfw.3; library.</para>
<para>Extreme caution should be taken when working with this
module; incorrect use could block access to certain parts of
@@ -949,9 +967,9 @@ test: biba/high</screen>
<sect2>
<title>Examples</title>
- <para>After the &man.mac.bsdextended.4; module has
- been loaded, the following command may be used to list the
- current rule configuration:</para>
+ <para>After the &man.mac.bsdextended.4; module has been loaded,
+ the following command may be used to list the current rule
+ configuration:</para>
<screen>&prompt.root; <userinput>ugidfw list</userinput>
0 slots, 0 rules</screen>
@@ -973,17 +991,19 @@ test: biba/high</screen>
&prompt.root; <userinput>ugidfw set 3 subject uid <replaceable>user1</replaceable> object gid <replaceable>user2</replaceable> mode n</userinput></screen>
<para>This will block any and all access, including directory
- listings, to <username><replaceable>user2</replaceable></username>'s home
+ listings, to
+ <username><replaceable>user2</replaceable></username>'s home
directory from the username <username>user1</username>.</para>
<para>In place of <username>user1</username>, the
- <option>not uid <replaceable>user2</replaceable></option> could
- be passed. This will enforce the same access restrictions
- above for all users in place of just one user.</para>
+ <option>not uid <replaceable>user2</replaceable></option>
+ could be passed. This will enforce the same access
+ restrictions above for all users in place of just one
+ user.</para>
<note>
<para>The <username>root</username> user will be unaffected
- by these changes.</para>
+ by these changes.</para>
</note>
<para>This should provide a general idea of how the
@@ -1007,11 +1027,11 @@ test: biba/high</screen>
<para>Boot option: <literal>mac_ifoff_load="YES"</literal></para>
- <para>The &man.mac.ifoff.4; module exists solely to disable network
- interfaces on the fly and keep network interfaces from being
- brought up during the initial system boot. It does not require
- any labels to be set up on the system, nor does it have a
- dependency on other <acronym>MAC</acronym> modules.</para>
+ <para>The &man.mac.ifoff.4; module exists solely to disable
+ network interfaces on the fly and keep network interfaces from
+ being brought up during the initial system boot. It does not
+ require any labels to be set up on the system, nor does it have
+ a dependency on other <acronym>MAC</acronym> modules.</para>
<para>Most of the control is done through the
<command>sysctl</command> tunables listed below.</para>
@@ -1024,9 +1044,9 @@ test: biba/high</screen>
</listitem>
<listitem>
- <para><literal>security.mac.ifoff.bpfrecv_enabled</literal> will
- enable/disable all traffic on the Berkeley Packet Filter
- interface (&man.bpf.4;)</para>
+ <para><literal>security.mac.ifoff.bpfrecv_enabled</literal>
+ will enable/disable all traffic on the Berkeley Packet
+ Filter interface (&man.bpf.4;)</para>
</listitem>
<listitem>
@@ -1039,9 +1059,9 @@ test: biba/high</screen>
monitoring in an environment where network traffic should not
be permitted during the boot sequence. Another suggested use
would be to write a script which uses
- <filename role="package">security/aide</filename> to automatically
- block network traffic if it finds new or altered files in
- protected directories.</para>
+ <filename role="package">security/aide</filename> to
+ automatically block network traffic if it finds new or altered
+ files in protected directories.</para>
</sect1>
<sect1 id="mac-portacl">
@@ -1055,7 +1075,8 @@ test: biba/high</screen>
<para>Kernel configuration line:
<literal>MAC_PORTACL</literal></para>
- <para>Boot option: <literal>mac_portacl_load="YES"</literal></para>
+ <para>Boot option:
+ <literal>mac_portacl_load="YES"</literal></para>
<para>The &man.mac.portacl.4; module is used to limit binding to
local <acronym>TCP</acronym> and <acronym>UDP</acronym> ports
@@ -1075,14 +1096,14 @@ test: biba/high</screen>
</listitem>
<listitem>
- <para><literal>security.mac.portacl.port_high</literal> will set
- the highest port number that &man.mac.portacl.4;
+ <para><literal>security.mac.portacl.port_high</literal> will
+ set the highest port number that &man.mac.portacl.4;
will enable protection for.</para>
</listitem>
<listitem>
- <para><literal>security.mac.portacl.suser_exempt</literal> will,
- when set to a non-zero value, exempt the
+ <para><literal>security.mac.portacl.suser_exempt</literal>
+ will, when set to a non-zero value, exempt the
<username>root</username> user from this policy.</para>
</listitem>
@@ -1102,27 +1123,28 @@ test: biba/high</screen>
<literal>uid</literal> or <literal>gid</literal> and used to
interpret the <parameter>id</parameter> parameter as either a
user id or group id, respectively. The
- <parameter>protocol</parameter> parameter is used to determine if
- the rule should apply to <acronym>TCP</acronym> or
+ <parameter>protocol</parameter> parameter is used to determine
+ if the rule should apply to <acronym>TCP</acronym> or
<acronym>UDP</acronym> by setting the parameter to
<literal>tcp</literal> or <literal>udp</literal>. The final
- <parameter>port</parameter> parameter is the port number to allow
- the specified user or group to bind to.</para>
+ <parameter>port</parameter> parameter is the port number to
+ allow the specified user or group to bind to.</para>
<note>
<para>Since the ruleset is interpreted directly by the kernel
- only numeric values can be used for the user ID, group ID, and
- port parameters. Names cannot be used for users, groups, or
- services.</para>
+ only numeric values can be used for the user ID, group ID,
+ and port parameters. Names cannot be used for users, groups,
+ or services.</para>
</note>
<para>By default, on &unix;-like systems, ports below 1024
can only be used by/bound to privileged processes,
i.e., those run as <username>root</username>. For
&man.mac.portacl.4; to allow non-privileged processes to bind
- to ports below 1024 this standard &unix; restriction has to be
- disabled. This can be accomplished by setting the &man.sysctl.8;
- variables <literal>net.inet.ip.portrange.reservedlow</literal> and
+ to ports below 1024 this standard &unix; restriction has to
+ be disabled. This can be accomplished by setting the
+ &man.sysctl.8; variables
+ <literal>net.inet.ip.portrange.reservedlow</literal> and
<literal>net.inet.ip.portrange.reservedhigh</literal>
to zero.</para>
@@ -1162,7 +1184,7 @@ test: biba/high</screen>
<screen>&prompt.root; <userinput>sysctl security.mac.portacl.rules=uid:1001:tcp:110,uid:1001:tcp:995</userinput></screen>
<para>Permit the user with the <acronym>UID</acronym> of
- 1001 to bind to the <acronym>TCP</acronym> ports 110
+ 1001 to bind to the <acronym>TCP</acronym> ports 110
(<quote>pop3</quote>) and 995 (<quote>pop3s</quote>).
This will permit this user to start a server that accepts
connections on ports 110 and 995.</para>
@@ -1208,8 +1230,8 @@ test: biba/high</screen>
<para>When this policy is enabled, users will only be permitted
to see their processes, and any others within their partition,
- but will not be permitted to work with
- utilities outside the scope of this partition. For instance, a user in the
+ but will not be permitted to work with utilities outside the
+ scope of this partition. For instance, a user in the
<literal>insecure</literal> class above will not be permitted
to access the <command>top</command> command as well as many
other commands that must spawn a process.</para>
@@ -1252,9 +1274,9 @@ test: biba/high</screen>
<note>
<para>The following policies support integer settings
- in place of the three default labels offered. These options,
- including their limitations, are further explained in
- the module manual pages.</para>
+ in place of the three default labels offered. These
+ options, including their limitations, are further explained
+ in the module manual pages.</para>
</note>
</sect2>
</sect1>
@@ -1295,10 +1317,10 @@ test: biba/high</screen>
<para>The <literal>mls/low</literal> label contains a low
configuration which permits it to be dominated by all other
objects. Anything labeled with <literal>mls/low</literal>
- will have a low clearance level and not be permitted to access
- information of a higher level. In addition, this label will
- prevent objects of a higher clearance level from writing or
- passing information on to them.</para>
+ will have a low clearance level and not be permitted to
+ access information of a higher level. In addition, this
+ label will prevent objects of a higher clearance level from
+ writing or passing information on to them.</para>
</listitem>
<listitem>
@@ -1308,11 +1330,11 @@ test: biba/high</screen>
</listitem>
<listitem>
- <para>The <literal>mls/high</literal> label is the highest level
- of clearance possible. Objects assigned this label will
- hold dominance over all other objects in the system; however,
- they will not permit the leaking of information to objects
- of a lower class.</para>
+ <para>The <literal>mls/high</literal> label is the highest
+ level of clearance possible. Objects assigned this label
+ will hold dominance over all other objects in the system;
+ however, they will not permit the leaking of information
+ to objects of a lower class.</para>
</listitem>
</itemizedlist>
@@ -1354,22 +1376,22 @@ test: biba/high</screen>
</listitem>
<listitem>
- <para><literal>security.mac.mls.ptys_equal</literal> will label
- all &man.pty.4; devices as <literal>mls/equal</literal> during
- creation.</para>
+ <para><literal>security.mac.mls.ptys_equal</literal> will
+ label all &man.pty.4; devices as
+ <literal>mls/equal</literal> during creation.</para>
</listitem>
<listitem>
- <para><literal>security.mac.mls.revocation_enabled</literal> is
- used to revoke access to objects after their label changes
- to a label of a lower grade.</para>
+ <para><literal>security.mac.mls.revocation_enabled</literal>
+ is used to revoke access to objects after their label
+ changes to a label of a lower grade.</para>
</listitem>
<listitem>
- <para><literal>security.mac.mls.max_compartments</literal> is
- used to set the maximum number of compartment levels with
- objects; basically the maximum compartment number allowed
- on a system.</para>
+ <para><literal>security.mac.mls.max_compartments</literal>
+ is used to set the maximum number of compartment levels
+ with objects; basically the maximum compartment number
+ allowed on a system.</para>
</listitem>
</itemizedlist>
@@ -1385,11 +1407,12 @@ test: biba/high</screen>
<screen>&prompt.root; <userinput>getfmac test</userinput></screen>
<para>This is a summary of the <acronym>MLS</acronym>
- policy's features. Another approach is to create a master policy
- file in <filename class="directory">/etc</filename> which
- specifies the <acronym>MLS</acronym> policy information and to
- feed that file into the <command>setfmac</command> command. This
- method will be explained after all policies are covered.</para>
+ policy's features. Another approach is to create a master
+ policy file in <filename class="directory">/etc</filename>
+ which specifies the <acronym>MLS</acronym> policy information
+ and to feed that file into the <command>setfmac</command>
+ command. This method will be explained after all policies are
+ covered.</para>
<sect2>
<title>Planning Mandatory Sensitivity</title>
@@ -1402,22 +1425,23 @@ test: biba/high</screen>
slowly changes this during the configuration stage; augmenting
the confidentiality of the information.</para>
- <para>Beyond the three basic label options above, an administrator
- may group users and groups as required to block the information
- flow between them. It might be easier to look at the
- information in clearance levels familiarized with words, for
- instance classifications such as
+ <para>Beyond the three basic label options above, an
+ administrator may group users and groups as required to block
+ the information flow between them. It might be easier to
+ look at the information in clearance levels familiarized with
+ words, for instance classifications such as
<literal>Confidential</literal>, <literal>Secret</literal>,
and <literal>Top Secret</literal>. Some administrators might
just create different groups based on project levels.
Regardless of classification method, a well thought out plan
- must exist before implementing such a restrictive policy.</para>
+ must exist before implementing such a restrictive
+ policy.</para>
<para>Some example situations for this security policy module
- could be an e-commerce web server, a file server holding critical
- company information, and financial institution environments.
- The most unlikely place would be a personal workstation with
- only two or three users.</para>
+ could be an e-commerce web server, a file server holding
+ critical company information, and financial institution
+ environments. The most unlikely place would be a personal
+ workstation with only two or three users.</para>
</sect2>
</sect1>
@@ -1429,7 +1453,8 @@ test: biba/high</screen>
</indexterm>
<para>Module name: <filename>mac_biba.ko</filename></para>
- <para>Kernel configuration line: <literal>options MAC_BIBA</literal></para>
+ <para>Kernel configuration line:
+ <literal>options MAC_BIBA</literal></para>
<para>Boot option: <literal>mac_biba_load="YES"</literal></para>
@@ -1444,8 +1469,9 @@ test: biba/high</screen>
<para>In Biba environments, an <quote>integrity</quote> label is
set on each subject or object. These labels are made up of
- hierarchal grades, and non-hierarchal components. As an object's
- or subject's grade ascends, so does its integrity.</para>
+ hierarchal grades, and non-hierarchal components. As an
+ object's or subject's grade ascends, so does its
+ integrity.</para>
<para>Supported labels are <literal>biba/low</literal>,
<literal>biba/equal</literal>, and <literal>biba/high</literal>;
@@ -1486,9 +1512,9 @@ test: biba/high</screen>
<listitem>
<para>Fixed rules: no write up, no read down (opposite of
<acronym>MLS</acronym>). A subject can have write access
- to objects on its own level or below, but not above. Similarly, a
- subject can have read access to objects on its own level
- or above, but not below;</para>
+ to objects on its own level or below, but not above.
+ Similarly, a subject can have read access to objects on
+ its own level or above, but not below;</para>
</listitem>
<listitem>
@@ -1544,35 +1570,36 @@ test: biba/low</screen>
to.</para>
<para>The &man.mac.biba.4; security policy module permits an
- administrator to address which files and programs a user or
+ administrator to address which files and programs a user or
users may see and invoke while assuring that the programs and
files are free from threats and trusted by the system for that
user, or group of users.</para>
- <para>During the initial planning phase, an administrator must be
- prepared to partition users into grades, levels, and areas.
+ <para>During the initial planning phase, an administrator must
+ be prepared to partition users into grades, levels, and areas.
Users will be blocked access not only to data but programs
- and utilities both before and after they start. The system will
- default to a high label once this policy module is enabled, and
- it is up to the administrator to configure the different grades
- and levels for users. Instead of using clearance levels as
- described above, a good planning method could include topics.
- For instance, only allow developers modification access to the source code
- repository, source code compiler, and other development
- utilities. While other users would be grouped into other
- categories such as testers, designers, or just ordinary
- users and would only be permitted read access.</para>
-
- <para>With its natural security control, a lower integrity subject
- is unable to write to a higher integrity subject; a higher
- integrity subject cannot observe or read a lower integrity
- object. Setting a label at the lowest possible grade could make
- it inaccessible to subjects. Some prospective environments for
- this security policy module would include a constrained web
- server, development and test machine, and source code
- repository. A less useful implementation would be a personal
- workstation, a machine used as a router, or a network
- firewall.</para>
+ and utilities both before and after they start. The system
+ will default to a high label once this policy module is
+ enabled, and it is up to the administrator to configure the
+ different grades and levels for users. Instead of using
+ clearance levels as described above, a good planning method
+ could include topics. For instance, only allow developers
+ modification access to the source code repository, source
+ code compiler, and other development utilities. While other
+ users would be grouped into other categories such as testers,
+ designers, or just ordinary users and would only be permitted
+ read access.</para>
+
+ <para>With its natural security control, a lower integrity
+ subject is unable to write to a higher integrity subject; a
+ higher integrity subject cannot observe or read a lower
+ integrity object. Setting a label at the lowest possible
+ grade could make it inaccessible to subjects. Some
+ prospective environments for this security policy module
+ would include a constrained web server, development and test
+ machine, and source code repository. A less useful
+ implementation would be a personal workstation, a machine
+ used as a router, or a network firewall.</para>
</sect2>
</sect1>
@@ -1584,7 +1611,8 @@ test: biba/low</screen>
</indexterm>
<para>Module name: <filename>mac_lomac.ko</filename></para>
- <para>Kernel configuration line: <literal>options MAC_LOMAC</literal></para>
+ <para>Kernel configuration line:
+ <literal>options MAC_LOMAC</literal></para>
<para>Boot option: <literal>mac_lomac_load="YES"</literal></para>
<para>Unlike the <acronym>MAC</acronym> Biba policy, the
@@ -1593,14 +1621,15 @@ test: biba/low</screen>
any integrity rules.</para>
<para>The <acronym>MAC</acronym> version of the Low-watermark
- integrity policy, not to be confused with the older &man.lomac.4;
- implementation, works almost identically to Biba, but with the
- exception of using floating labels to support subject
- demotion via an auxiliary grade compartment. This secondary
- compartment takes the form of <literal>[auxgrade]</literal>.
- When assigning a lomac policy with an auxiliary grade, it
- should look a little bit like: <literal>lomac/10[2]</literal>
- where the number two (2) is the auxiliary grade.</para>
+ integrity policy, not to be confused with the older
+ &man.lomac.4; implementation, works almost identically to Biba,
+ but with the exception of using floating labels to support
+ subject demotion via an auxiliary grade compartment. This
+ secondary compartment takes the form of
+ <literal>[auxgrade]</literal>. When assigning a lomac policy
+ with an auxiliary grade, it should look a little bit like:
+ <literal>lomac/10[2]</literal> where the number two (2) is the
+ auxiliary grade.</para>
<para>The <acronym>MAC</acronym> LOMAC policy relies on the
ubiquitous labeling of all system objects with integrity labels,
@@ -1616,7 +1645,8 @@ test: biba/low</screen>
<para>Like the Biba and <acronym>MLS</acronym> policies;
the <command>setfmac</command> and <command>setpmac</command>
- utilities may be used to place labels on system objects:</para>
+ utilities may be used to place labels on system
+ objects:</para>
<screen>&prompt.root; <userinput>setfmac /usr/home/trhodes lomac/high[low]</userinput>
&prompt.root; <userinput>getfmac /usr/home/trhodes</userinput> lomac/high[low]</screen>
@@ -1655,7 +1685,7 @@ test: biba/low</screen>
<title>Create an insecure User Class</title>
<para>Begin the procedure by adding the following user class
- to the <filename>/etc/login.conf</filename> file:</para>
+ to the <filename>/etc/login.conf</filename> file:</para>
<programlisting>insecure:\
:copyright=/etc/COPYRIGHT:\
@@ -1725,17 +1755,19 @@ mac_seeotheruids_load="YES"</programlisting>
<username>www</username> users into the insecure class:</para>
<screen>&prompt.root; <userinput>pw usermod nagios -L insecure</userinput></screen>
+
<screen>&prompt.root; <userinput>pw usermod www -L insecure</userinput></screen>
- </sect2>
- <sect2>
- <title>Create the Contexts File</title>
+ </sect2>
- <para>A contexts file should now be created; the following example
- file should be placed in
- <filename>/etc/policy.contexts</filename>.</para>
+ <sect2>
+ <title>Create the Contexts File</title>
- <programlisting># This is the default BIBA policy for this system.
+ <para>A contexts file should now be created; the following
+ example file should be placed in
+ <filename>/etc/policy.contexts</filename>.</para>
+
+ <programlisting># This is the default BIBA policy for this system.
# System:
/var/run biba/equal
@@ -1827,16 +1859,16 @@ default_labels socket ?biba</programlisting>
on system initialization, and reboot. Ensure the
<username>root</username> user cannot access any of the files
in the <application>Nagios</application> configuration
- directory. If <username>root</username> can issue an &man.ls.1;
- command on <filename>/var/spool/nagios</filename>, then something
- is wrong. Otherwise a <quote>permission denied</quote> error
- should be returned.</para>
+ directory. If <username>root</username> can issue an
+ &man.ls.1; command on <filename>/var/spool/nagios</filename>,
+ then something is wrong. Otherwise a <quote>permission
+ denied</quote> error should be returned.</para>
<para>If all seems well, <application>Nagios</application>,
<application>Apache</application>, and
- <application>Sendmail</application> can now be started in a way
- fitting of the security policy. The following commands will
- make this happen:</para>
+ <application>Sendmail</application> can now be started in a
+ way fitting of the security policy. The following commands
+ will make this happen:</para>
<screen>&prompt.root; <userinput>cd /etc/mail &amp;&amp; make stop &amp;&amp; \
setpmac biba/equal make start &amp;&amp; setpmac biba/10\(10-10\) apachectl start &amp;&amp; \
@@ -1849,19 +1881,19 @@ setpmac biba/10\(10-10\) /usr/local/etc/rc.d/nagios.sh forcestart</userinput></s
again, like normal.</para>
<note>
- <para>The <username>root</username> user can change the security
- enforcement and edit the configuration files without fear.
- The following command will permit the degradation of the
- security policy to a lower grade for a newly spawned
- shell:</para>
+ <para>The <username>root</username> user can change the
+ security enforcement and edit the configuration files
+ without fear. The following command will permit the
+ degradation of the security policy to a lower grade for a
+ newly spawned shell:</para>
<screen>&prompt.root; <userinput>setpmac biba/10 csh</userinput></screen>
- <para>To block this from happening, force the user into a range
- via &man.login.conf.5;. If &man.setpmac.8; attempts to run
- a command outside of the compartment's range, an error will
- be returned and the command will not be executed. In this
- case, setting root to
+ <para>To block this from happening, force the user into a
+ range via &man.login.conf.5;. If &man.setpmac.8; attempts
+ to run a command outside of the compartment's range, an
+ error will be returned and the command will not be executed.
+ In this case, setting root to
<literal>biba/high(high-high)</literal>.</para>
</note>
</sect2>
@@ -1871,9 +1903,9 @@ setpmac biba/10\(10-10\) /usr/local/etc/rc.d/nagios.sh forcestart</userinput></s
<title>User Lock Down</title>
<para>This example considers a relatively small, fewer than fifty
- users, storage system. Users would have login capabilities, and
- be permitted to not only store data but access resources as
- well.</para>
+ users, storage system. Users would have login capabilities,
+ and be permitted to not only store data but access resources
+ as well.</para>
<para>For this scenario, the &man.mac.bsdextended.4; mixed with
&man.mac.seeotheruids.4; could co-exist and block access not
@@ -1892,22 +1924,23 @@ setpmac biba/10\(10-10\) /usr/local/etc/rc.d/nagios.sh forcestart</userinput></s
<programlisting>ugidfw_enable="YES"</programlisting>
<para>Default rules stored in
- <filename>/etc/rc.bsdextended</filename> will be loaded at system
- initialization; however, the default entries may need
+ <filename>/etc/rc.bsdextended</filename> will be loaded at
+ system initialization; however, the default entries may need
modification. Since this machine is expected only to service
users, everything may be left commented out except the last
two. These will force the loading of user owned system objects
by default.</para>
<para>Add the required users to this machine and reboot. For
- testing purposes, try logging in as a different user across two
- consoles. Run the <command>ps aux</command> command to see if
- processes of other users are visible. Try to run &man.ls.1; on
- another users home directory, it should fail.</para>
+ testing purposes, try logging in as a different user across
+ two consoles. Run the <command>ps aux</command> command to
+ see if processes of other users are visible. Try to run
+ &man.ls.1; on another users home directory, it should
+ fail.</para>
<para>Do not try to test with the <username>root</username> user
- unless the specific <command>sysctl</command>s have been modified
- to block super user access.</para>
+ unless the specific <command>sysctl</command>s have been
+ modified to block super user access.</para>
<note>
<para>When a new user is added, their &man.mac.bsdextended.4;
@@ -1930,8 +1963,8 @@ setpmac biba/10\(10-10\) /usr/local/etc/rc.d/nagios.sh forcestart</userinput></s
are listed below:</para>
<sect2>
- <title>The <option>multilabel</option> option cannot be enabled on
- <filename>/</filename></title>
+ <title>The <option>multilabel</option> option cannot be enabled
+ on <filename>/</filename></title>
<para>The <option>multilabel</option> flag does not stay
enabled on my root (<filename>/</filename>) partition!</para>
@@ -1956,7 +1989,8 @@ setpmac biba/10\(10-10\) /usr/local/etc/rc.d/nagios.sh forcestart</userinput></s
</step>
<step>
- <para>Run <command>tunefs</command> <option>-l enable</option>
+ <para>Run <command>tunefs</command> <option>-l
+ enable</option>
on <filename>/</filename>.</para>
</step>
@@ -1966,22 +2000,24 @@ setpmac biba/10\(10-10\) /usr/local/etc/rc.d/nagios.sh forcestart</userinput></s
<step>
<para>Run <command>mount</command> <option>-urw</option>
- <filename>/</filename> and change the <option>ro</option>
- back to <option>rw</option> in <filename>/etc/fstab</filename>
- and reboot the system again.</para>
+ <filename>/</filename> and change the <option>ro</option>
+ back to <option>rw</option> in
+ <filename>/etc/fstab</filename> and reboot the system
+ again.</para>
</step>
<step>
<para>Double-check the output from the
- <command>mount</command> to ensure that
- <option>multilabel</option> has been properly set on the
- root file system.</para>
+ <command>mount</command> to ensure that
+ <option>multilabel</option> has been properly set on the
+ root file system.</para>
</step>
- </procedure>
+ </procedure>
</sect2>
<sect2>
- <title>X11 Server Will Not Start After <acronym>MAC</acronym></title>
+ <title>X11 Server Will Not Start After
+ <acronym>MAC</acronym></title>
<para>After establishing a secure environment with
<acronym>MAC</acronym>, I am no longer able to start
@@ -2023,24 +2059,26 @@ setpmac biba/10\(10-10\) /usr/local/etc/rc.d/nagios.sh forcestart</userinput></s
</sect2>
<sect2>
- <title>Error: &man..secure.path.3; cannot stat <filename>.login_conf</filename></title>
+ <title>Error: &man..secure.path.3; cannot stat
+ <filename>.login_conf</filename></title>
- <para>When I attempt to switch from the <username>root</username> user
- to another user in the system, the error message
- <errorname>_secure_path: unable to state .login_conf</errorname> appears.</para>
+ <para>When I attempt to switch from the
+ <username>root</username> user to another user in the system,
+ the error message <errorname>_secure_path: unable to state
+ .login_conf</errorname> appears.</para>
<para>This message is usually shown when the user has a higher
- label setting then that of the user whom they are attempting to
- become. For instance a user on the system,
- <username>joe</username>, has a default label of
- <option>biba/low</option>. The <username>root</username> user,
- who has a label of <option>biba/high</option>, cannot view
- <username>joe</username>'s home directory. This will happen
- regardless if <username>root</username> has used the
- <command>su</command> command to become <username>joe</username>,
- or not. In this scenario, the Biba integrity model will not
- permit <username>root</username> to view objects set at a lower
- integrity level.</para>
+ label setting then that of the user whom they are attempting
+ to become. For instance a user on the system,
+ <username>joe</username>, has a default label of
+ <option>biba/low</option>. The <username>root</username>
+ user, who has a label of <option>biba/high</option>, cannot
+ view <username>joe</username>'s home directory. This will
+ happen regardless if <username>root</username> has used the
+ <command>su</command> command to become
+ <username>joe</username>, or not. In this scenario, the Biba
+ integrity model will not permit <username>root</username> to
+ view objects set at a lower integrity level.</para>
</sect2>
<sect2>
@@ -2049,8 +2087,8 @@ setpmac biba/10\(10-10\) /usr/local/etc/rc.d/nagios.sh forcestart</userinput></s
<para>In normal or even single user mode, the
<username>root</username> is not recognized. The
<command>whoami</command> command returns 0 (zero) and
- <command>su</command> returns <errorname>who are you?</errorname>.
- What could be going on?</para>
+ <command>su</command> returns <errorname>who are
+ you?</errorname>. What could be going on?</para>
<para>This can happen if a labeling policy has been disabled,
either by a &man.sysctl.8; or the policy module was unloaded.