aboutsummaryrefslogtreecommitdiff
path: root/en_US.ISO8859-1/books/handbook/mac
diff options
context:
space:
mode:
authorDru Lavigne <dru@FreeBSD.org>2014-03-31 17:01:17 +0000
committerDru Lavigne <dru@FreeBSD.org>2014-03-31 17:01:17 +0000
commitc399c5040860ae445a5436cd614ab453feba75d5 (patch)
treec5bab6e00c5de5acfcb8dcbcdffa5b9e0096cd72 /en_US.ISO8859-1/books/handbook/mac
parenta6f5a0961d443ce77e383684dd08ca75fe00dcfe (diff)
downloaddoc-c399c5040860ae445a5436cd614ab453feba75d5.tar.gz
doc-c399c5040860ae445a5436cd614ab453feba75d5.zip
White space fix only. Translators can ignore.
Sponsored by: iXsystems
Notes
Notes: svn path=/head/; revision=44399
Diffstat (limited to 'en_US.ISO8859-1/books/handbook/mac')
-rw-r--r--en_US.ISO8859-1/books/handbook/mac/chapter.xml327
1 files changed, 164 insertions, 163 deletions
diff --git a/en_US.ISO8859-1/books/handbook/mac/chapter.xml b/en_US.ISO8859-1/books/handbook/mac/chapter.xml
index d7c13ede94..61436bb259 100644
--- a/en_US.ISO8859-1/books/handbook/mac/chapter.xml
+++ b/en_US.ISO8859-1/books/handbook/mac/chapter.xml
@@ -1414,15 +1414,13 @@ test: biba/low</screen>
<para>This section demonstrates the steps that are needed to
implement the <application>Nagios</application> network
- monitoring system in a <acronym>MAC</acronym> environment.
- This is meant as an example which still requires the administrator
- to test that the implemented policy meets the security
- requirements of the network before using in a
- production environment.</para>
-
- <para>This example requires <option>multilabel</option>
- to be set on each file system. It also
- assumes that
+ monitoring system in a <acronym>MAC</acronym> environment. This
+ is meant as an example which still requires the administrator to
+ test that the implemented policy meets the security requirements
+ of the network before using in a production environment.</para>
+
+ <para>This example requires <option>multilabel</option> to be set
+ on each file system. It also assumes that
<package>net-mgmt/nagios-plugins</package>,
<package>net-mgmt/nagios</package>, and
<package>www/apache22</package> are all installed, configured,
@@ -1459,12 +1457,13 @@ test: biba/low</screen>
:ignoretime@:\
:label=biba/10(10-10):</programlisting>
- <para>Then, add the following line to the default user class section:</para>
+ <para>Then, add the following line to the default user class
+ section:</para>
<programlisting>:label=biba/high:</programlisting>
- <para>Save the edits and issue the following command to rebuild the
- database:</para>
+ <para>Save the edits and issue the following command to rebuild
+ the database:</para>
<screen>&prompt.root; <userinput>cap_mkdb /etc/login.conf</userinput></screen>
</sect2>
@@ -1478,22 +1477,21 @@ test: biba/low</screen>
<screen>&prompt.root; <userinput>pw usermod root -L default</userinput></screen>
<para>All user accounts that are not <systemitem
- class="username">root</systemitem> will now
- require a login class. The login class is required, otherwise
- users will be refused access to common commands.
- The following <command>sh</command> script should
- do the trick:</para>
+ class="username">root</systemitem> will now require a login
+ class. The login class is required, otherwise users will be
+ refused access to common commands. The following
+ <command>sh</command> script should do the trick:</para>
<screen>&prompt.root; <userinput>for x in `awk -F: '($3 &gt;= 1001) &amp;&amp; ($3 != 65534) { print $1 }' \</userinput>
<userinput>/etc/passwd`; do pw usermod $x -L default; done;</userinput></screen>
- <para>Next, drop the <systemitem class="username">nagios</systemitem>
- and <systemitem class="username">www</systemitem> accounts into
- the insecure class:</para>
+ <para>Next, drop the <systemitem
+ class="username">nagios</systemitem> and <systemitem
+ class="username">www</systemitem> accounts into the insecure
+ class:</para>
<screen>&prompt.root; <userinput>pw usermod nagios -L insecure</userinput>
&prompt.root; <userinput>pw usermod www -L insecure</userinput></screen>
-
</sect2>
<sect2>
@@ -1528,8 +1526,8 @@ test: biba/low</screen>
# For apache
/usr/local/etc/apache(/.*)? biba/10</programlisting>
- <para>This policy enforces security by setting restrictions
- on the flow of information. In this specific configuration,
+ <para>This policy enforces security by setting restrictions on
+ the flow of information. In this specific configuration,
users, including <systemitem
class="username">root</systemitem>, should never be
allowed to access <application>Nagios</application>.
@@ -1537,14 +1535,14 @@ test: biba/low</screen>
<application>Nagios</application> will be completely self
contained or jailed.</para>
- <para>This file will be read after running
+ <para>This file will be read after running
<command>setfsmac</command> on every file system. This
example sets the policy on the root file system:</para>
<screen>&prompt.root; <userinput>setfsmac -ef /etc/policy.contexts /</userinput></screen>
- <para>Next, add these edits
- to the main section of <filename>/etc/mac.conf</filename>:</para>
+ <para>Next, add these edits to the main section of
+ <filename>/etc/mac.conf</filename>:</para>
<programlisting>default_labels file ?biba
default_labels ifnet ?biba
@@ -1557,15 +1555,16 @@ default_labels socket ?biba</programlisting>
<para>To finish the configuration, add the following lines to
<filename>/boot/loader.conf</filename>:</para>
-
+
<programlisting>mac_biba_load="YES"
mac_seeotheruids_load="YES"
security.mac.biba.trust_all_interfaces=1</programlisting>
- <para>And the following line to the network card configuration stored
- in <filename>/etc/rc.conf</filename>. If the primary network
- configuration is done via <acronym>DHCP</acronym>, this may
- need to be configured manually after every system boot:</para>
+ <para>And the following line to the network card configuration
+ stored in <filename>/etc/rc.conf</filename>. If the primary
+ network configuration is done via <acronym>DHCP</acronym>,
+ this may need to be configured manually after every system
+ boot:</para>
<programlisting>maclabel biba/equal</programlisting>
</sect2>
@@ -1580,13 +1579,13 @@ security.mac.biba.trust_all_interfaces=1</programlisting>
<para>First, ensure that the web server and
<application>Nagios</application> will not be started on
system initialization and reboot. Ensure that <systemitem
- class="username">root</systemitem> cannot access any of
- the files in the <application>Nagios</application>
- configuration directory. If <systemitem
- class="username">root</systemitem> can list the contents of
- <filename>/var/spool/nagios</filename>, something
- is wrong. Instead, a <quote>permission denied</quote> error
- should be returned.</para>
+ class="username">root</systemitem> cannot access any of the
+ files in the <application>Nagios</application> configuration
+ directory. If <systemitem class="username">root</systemitem>
+ can list the contents of
+ <filename>/var/spool/nagios</filename>, something is wrong.
+ Instead, a <quote>permission denied</quote> error should be
+ returned.</para>
<para>If all seems well, <application>Nagios</application>,
<application>Apache</application>, and
@@ -1597,9 +1596,9 @@ setpmac biba/equal make start &amp;&amp; setpmac biba/10\(10-10\) apachectl star
setpmac biba/10\(10-10\) /usr/local/etc/rc.d/nagios.sh forcestart</userinput></screen>
<para>Double check to ensure that everything is working
- properly. If not, check the log files for error messages.
- If needed, use &man.sysctl.8; to disable the &man.mac.biba.4; security
- policy module and try starting everything again as
+ properly. If not, check the log files for error messages. If
+ needed, use &man.sysctl.8; to disable the &man.mac.biba.4;
+ security policy module and try starting everything again as
usual.</para>
<note>
@@ -1633,141 +1632,143 @@ setpmac biba/10\(10-10\) /usr/local/etc/rc.d/nagios.sh forcestart</userinput></s
<variablelist>
<varlistentry>
- <term>The <option>multilabel</option> flag does not stay
+ <term>The <option>multilabel</option> flag does not stay
enabled on the root (<filename>/</filename>)
partition:</term>
- <listitem>
- <para>The following steps may resolve this transient
- error:</para>
-
- <procedure>
- <step>
- <para>Edit <filename>/etc/fstab</filename> and set the
- root partition to <option>ro</option> for
- read-only.</para>
- </step>
-
- <step>
- <para>Reboot into single user mode.</para>
- </step>
-
- <step>
- <para>Run <command>tunefs</command> <option>-l
- enable</option> on <filename>/</filename>.</para>
- </step>
-
- <step>
- <para>Reboot the system.</para>
- </step>
-
- <step>
- <para>Run <command>mount</command> <option>-urw</option>
- <filename>/</filename> and change the
- <option>ro</option> back to <option>rw</option> in
- <filename>/etc/fstab</filename> and reboot the system
- again.</para>
- </step>
-
- <step>
- <para>Double-check the output from
- <command>mount</command> to ensure that
- <option>multilabel</option> has been properly set on the
- root file system.</para>
- </step>
- </procedure>
- </listitem>
- </varlistentry>
+ <listitem>
+ <para>The following steps may resolve this transient
+ error:</para>
+
+ <procedure>
+ <step>
+ <para>Edit <filename>/etc/fstab</filename> and set the
+ root partition to <option>ro</option> for
+ read-only.</para>
+ </step>
+
+ <step>
+ <para>Reboot into single user mode.</para>
+ </step>
+
+ <step>
+ <para>Run <command>tunefs</command> <option>-l
+ enable</option> on <filename>/</filename>.</para>
+ </step>
+
+ <step>
+ <para>Reboot the system.</para>
+ </step>
+
+ <step>
+ <para>Run <command>mount</command> <option>-urw</option>
+ <filename>/</filename> and change the
+ <option>ro</option> back to <option>rw</option> in
+ <filename>/etc/fstab</filename> and reboot the system
+ again.</para>
+ </step>
+
+ <step>
+ <para>Double-check the output from
+ <command>mount</command> to ensure that
+ <option>multilabel</option> has been properly set on
+ the root file system.</para>
+ </step>
+ </procedure>
+ </listitem>
+ </varlistentry>
<varlistentry>
<term>After establishing a secure environment with
- <acronym>MAC</acronym>,
- <application>Xorg</application> no longer starts:</term>
- <listitem>
- <para>This could be caused by the <acronym>MAC</acronym>
- <literal>partition</literal> policy or by a mislabeling in
- one of the <acronym>MAC</acronym> labeling policies. To
- debug, try the following:</para>
-
- <procedure>
- <step>
- <para>Check the error message. If the user is in the
- <literal>insecure</literal> class, the
- <literal>partition</literal> policy may be the culprit.
- Try setting the user's class back to the
- <literal>default</literal> class and rebuild the
- database with <command>cap_mkdb</command>. If this does
- not alleviate the problem, go to step two.</para>
- </step>
-
- <step>
- <para>Double-check that the label policies
- are set correctly for the user, <application>Xorg</application>,
- and the <filename>/dev</filename>
- entries.</para>
- </step>
-
- <step>
- <para>If neither of these resolve the problem, send the
- error message and a description of the environment to
- the &a.questions;.</para>
- </step>
- </procedure>
- </listitem>
- </varlistentry>
+ <acronym>MAC</acronym>, <application>Xorg</application> no
+ longer starts:</term>
+ <listitem>
+ <para>This could be caused by the <acronym>MAC</acronym>
+ <literal>partition</literal> policy or by a mislabeling
+ in one of the <acronym>MAC</acronym> labeling policies.
+ To debug, try the following:</para>
+
+ <procedure>
+ <step>
+ <para>Check the error message. If the user is in the
+ <literal>insecure</literal> class, the
+ <literal>partition</literal> policy may be the
+ culprit. Try setting the user's class back to the
+ <literal>default</literal> class and rebuild the
+ database with <command>cap_mkdb</command>. If this
+ does not alleviate the problem, go to step two.</para>
+ </step>
+
+ <step>
+ <para>Double-check that the label policies are set
+ correctly for the user,
+ <application>Xorg</application>, and the
+ <filename>/dev</filename> entries.</para>
+ </step>
+
+ <step>
+ <para>If neither of these resolve the problem, send the
+ error message and a description of the environment to
+ the &a.questions;.</para>
+ </step>
+ </procedure>
+ </listitem>
+ </varlistentry>
<varlistentry>
<term>The <errorname>_secure_path: unable to stat
.login_conf</errorname> error appears:</term>
- <listitem>
- <para>This error can appear when a user attempts to switch from the <systemitem
- class="username">root</systemitem> user to another user in
- the system. This message usually occurs when the user has a higher
- label setting than that of the user they are attempting to
- become. For instance, if <systemitem
- class="username">joe</systemitem> has a default label of
- <option>biba/low</option> and <systemitem
- class="username">root</systemitem> has a label
- of <option>biba/high</option>, <systemitem
- class="username">root</systemitem> cannot view <systemitem
- class="username">joe</systemitem>'s home directory. This
- will happen whether or not <systemitem
- class="username">root</systemitem> has used
- <command>su</command> to become <systemitem
- class="username">joe</systemitem> as the Biba integrity
- model will not permit <systemitem
- class="username">root</systemitem> to view objects set at
- a lower integrity level.</para>
- </listitem>
- </varlistentry>
+ <listitem>
+ <para>This error can appear when a user attempts to switch
+ from the <systemitem class="username">root</systemitem>
+ user to another user in the system. This message
+ usually occurs when the user has a higher label setting
+ than that of the user they are attempting to become.
+ For instance, if <systemitem
+ class="username">joe</systemitem> has a default label
+ of <option>biba/low</option> and <systemitem
+ class="username">root</systemitem> has a label of
+ <option>biba/high</option>, <systemitem
+ class="username">root</systemitem> cannot view
+ <systemitem class="username">joe</systemitem>'s home
+ directory. This will happen whether or not <systemitem
+ class="username">root</systemitem> has used
+ <command>su</command> to become <systemitem
+ class="username">joe</systemitem> as the Biba
+ integrity model will not permit <systemitem
+ class="username">root</systemitem> to view objects set
+ at a lower integrity level.</para>
+ </listitem>
+ </varlistentry>
<varlistentry>
<term>The system no longer recognizes <systemitem
class="username">root</systemitem>:</term>
- <listitem>
- <para>When this occurs,
- <command>whoami</command> returns <literal>0</literal> and
- <command>su</command> returns <errorname>who are
- you?</errorname>.</para>
-
- <para>This can happen if a labeling policy has been disabled
- by &man.sysctl.8; or the policy module was
- unloaded. If the policy is disabled, the login capabilities
- database needs to be reconfigured. Double check
- <filename>/etc/login.conf</filename> to ensure that all
- <option>label</option> options have been removed and rebuild
- the database with <command>cap_mkdb</command>.</para>
-
- <para>This may also happen if a policy restricts access to
- <filename>master.passwd</filename>. This is usually caused
- by an administrator altering the file under a label which
- conflicts with the general policy being used by the system.
- In these cases, the user information would be read by the
- system and access would be blocked as the file has inherited
- the new label. Disable the policy using &man.sysctl.8; and
- everything should return to normal.</para>
- </listitem>
- </varlistentry>
- </variablelist>
+ <listitem>
+ <para>When this occurs, <command>whoami</command> returns
+ <literal>0</literal> and <command>su</command> returns
+ <errorname>who are you?</errorname>.</para>
+
+ <para>This can happen if a labeling policy has been
+ disabled by &man.sysctl.8; or the policy module was
+ unloaded. If the policy is disabled, the login
+ capabilities database needs to be reconfigured. Double
+ check <filename>/etc/login.conf</filename> to ensure
+ that all <option>label</option> options have been
+ removed and rebuild the database with
+ <command>cap_mkdb</command>.</para>
+
+ <para>This may also happen if a policy restricts access to
+ <filename>master.passwd</filename>. This is usually
+ caused by an administrator altering the file under a
+ label which conflicts with the general policy being used
+ by the system. In these cases, the user information
+ would be read by the system and access would be blocked
+ as the file has inherited the new label. Disable the
+ policy using &man.sysctl.8; and everything should return
+ to normal.</para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
</sect1>
</chapter>