Diffstat (limited to 'en_US.ISO8859-1/books/handbook/mac')
-rw-r--r--  en_US.ISO8859-1/books/handbook/mac/chapter.xml  137
1 files changed, 65 insertions, 72 deletions
diff --git a/en_US.ISO8859-1/books/handbook/mac/chapter.xml b/en_US.ISO8859-1/books/handbook/mac/chapter.xml index 835959f2ab..52289f3590 100644 --- a/en_US.ISO8859-1/books/handbook/mac/chapter.xml +++ b/en_US.ISO8859-1/books/handbook/mac/chapter.xml @@ -3,21 +3,16 @@ The FreeBSD Documentation Project $FreeBSD$ --> - -<chapter id="mac"> - <chapterinfo> +<chapter xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0" xml:id="mac"> + <info><title>Mandatory Access Control</title> <authorgroup> - <author> - <firstname>Tom</firstname> - <surname>Rhodes</surname> - <contrib>Written by </contrib> - </author> + <author><personname><firstname>Tom</firstname><surname>Rhodes</surname></personname><contrib>Written by </contrib></author> </authorgroup> - </chapterinfo> + </info> - <title>Mandatory Access Control</title> + - <sect1 id="mac-synopsis"> + <sect1 xml:id="mac-synopsis"> <title>Synopsis</title> <indexterm><primary>MAC</primary></indexterm> @@ -27,8 +22,8 @@ </indexterm> <para>&os; 5.X introduced new security extensions from the - <ulink url="http://www.trustedbsd.org">TrustedBSD - Project</ulink> based on the &posix;.1e draft. Two of the + <link xlink:href="http://www.trustedbsd.org">TrustedBSD + Project</link> based on the &posix;.1e draft. Two of the most significant new security mechanisms are file system Access Control Lists (<acronym>ACL</acronym>s) and Mandatory Access Control (<acronym>MAC</acronym>) facilities. MAC allows new @@ -131,7 +126,7 @@ </sect2> </sect1> - <sect1 id="mac-inline-glossary"> + <sect1 xml:id="mac-inline-glossary"> <title>Key Terms in This Chapter</title> <para>Before reading this chapter, a few key terms must be @@ -251,7 +246,7 @@ </itemizedlist> </sect1> - <sect1 id="mac-initial"> + <sect1 xml:id="mac-initial"> <title>Explanation of MAC</title> <para>With all of these new terms in mind, consider how the 
@@ -326,7 +321,7 @@ </caution> </sect1> - <sect1 id="mac-understandlabel"> + <sect1 xml:id="mac-understandlabel"> <title>Understanding MAC Labels</title> <para>A <acronym>MAC</acronym> label is a security attribute @@ -375,12 +370,12 @@ <para>In most cases, the administrator will set up a single label to use throughout the file system. This is similar to <acronym>DAC</acronym> to some extent as - <username>root</username> is the one in control and who + <systemitem class="username">root</systemitem> is the one in control and who configures the policies so that users are placed in the appropriate categories/access levels. Alas, many policy modules - can restrict the <username>root</username> user as well. Basic + can restrict the <systemitem class="username">root</systemitem> user as well. Basic control over objects will then be released to the group, but - <username>root</username> may revoke or modify the settings + <systemitem class="username">root</systemitem> may revoke or modify the settings at any time. This is the hierarchical/clearance model covered by policies such as Biba and <acronym>MLS</acronym>.</para> @@ -693,7 +688,7 @@ test: biba/high</screen> </sect2> </sect1> - <sect1 id="mac-planning"> + <sect1 xml:id="mac-planning"> <title>Planning the Security Configuration</title> <para>Whenever a new technology is implemented, a planning phase @@ -742,7 +737,7 @@ test: biba/high</screen> choice.</para> </sect1> - <sect1 id="mac-modules"> + <sect1 xml:id="mac-modules"> <title>Module Configuration</title> <para>Beginning with &os; 8.0, the default &os; kernel @@ -768,7 +763,7 @@ test: biba/high</screen> option is called <option>multilabel</option>.</para> </sect1> - <sect1 id="mac-seeotheruids"> + <sect1 xml:id="mac-seeotheruids"> <title>The MAC See Other UIDs Policy</title> <indexterm> 
@@ -823,7 +818,7 @@ test: biba/high</screen> </itemizedlist> </sect1> - <sect1 id="mac-bsdextended"> + <sect1 xml:id="mac-bsdextended"> <title>The MAC BSD Extended Policy</title> <indexterm> @@ -872,7 +867,7 @@ test: biba/high</screen> <para>By default, no rules are defined and everything is completely accessible. To create a rule which will block all - access by users but leave <username>root</username> + access by users but leave <systemitem class="username">root</systemitem> unaffected, run the following command:</para> <screen>&prompt.root; <userinput>ugidfw add subject not uid root new object not uid root mode n</userinput></screen> 
@@ -880,21 +875,21 @@ test: biba/high</screen> <para>This is a very bad idea as it will block all users from issuing even the most simple commands, such as <command>ls</command>. The next example will block - <username>user1</username> any and all access, including + <systemitem class="username">user1</systemitem> any and all access, including directory listings, to - <username><replaceable>user2</replaceable></username>'s home + <systemitem class="username"><replaceable>user2</replaceable></systemitem>'s home directory:</para> - <screen>&prompt.root; <userinput>ugidfw set 2 subject uid <replaceable>user1</replaceable> object uid <replaceable>user2</replaceable> mode n</userinput> -&prompt.root; <userinput>ugidfw set 3 subject uid <replaceable>user1</replaceable> object gid <replaceable>user2</replaceable> mode n</userinput></screen> + <screen>&prompt.root; <userinput>ugidfw set 2 subject uid user1 object uid user2 mode n</userinput> +&prompt.root; <userinput>ugidfw set 3 subject uid user1 object gid user2 mode n</userinput></screen> - <para>Instead of <username>user1</username>, + <para>Instead of <systemitem class="username">user1</systemitem>, <option>not uid <replaceable>user2</replaceable></option> could be used. This enforces the same access restrictions for all users instead of just one user.</para> <note> - <para>The <username>root</username> user is unaffected by + <para>The <systemitem class="username">root</systemitem> user is unaffected by these changes.</para> </note> @@ -903,7 +898,7 @@ test: biba/high</screen> </sect2> </sect1> - <sect1 id="mac-ifoff"> + <sect1 xml:id="mac-ifoff"> <title>The MAC Interface Silencing Policy</title> <indexterm> 
@@ -949,12 +944,12 @@ test: biba/high</screen> monitoring in an environment where network traffic should not be permitted during the boot sequence. Another suggested use would be to write a script which uses - <filename role="package">security/aide</filename> to + <package>security/aide</package> to automatically block network traffic if it finds new or altered files in protected directories.</para> </sect1> - <sect1 id="mac-portacl"> + <sect1 xml:id="mac-portacl"> <title>The MAC Port Access Control List Policy</title> <indexterm> @@ -972,7 +967,7 @@ test: biba/high</screen> local <acronym>TCP</acronym> and <acronym>UDP</acronym> ports using a variety of <command>sysctl</command> variables. &man.mac.portacl.4; makes it possible to allow - non-<username>root</username> users to bind to specified + non-<systemitem class="username">root</systemitem> users to bind to specified privileged ports below 1024.</para> <para>Once loaded, this module enables the @@ -994,7 +989,7 @@ test: biba/high</screen> <listitem> <para><varname>security.mac.portacl.suser_exempt</varname>, when set to a non-zero value, exempts the - <username>root</username> user from this policy.</para> + <systemitem class="username">root</systemitem> user from this policy.</para> </listitem> <listitem> @@ -1025,7 +1020,7 @@ test: biba/high</screen> <para>By default, ports below 1024 can only be used by or bound to privileged processes, which run as - <username>root</username>. For &man.mac.portacl.4; to allow + <systemitem class="username">root</systemitem>. For &man.mac.portacl.4; to allow non-privileged processes to bind to ports below 1024, this restriction has to be disabled by setting the &man.sysctl.8; variables 
@@ -1043,7 +1038,7 @@ net.inet.ip.portrange.reservedhigh=0</userinput></screen> <sect2> <title>Examples</title> - <para>Since the <username>root</username> user should not be + <para>Since the <systemitem class="username">root</systemitem> user should not be crippled by this policy, this example starts by setting the <varname>security.mac.portacl.suser_exempt</varname> to a non-zero value.</para> @@ -1051,9 +1046,9 @@ net.inet.ip.portrange.reservedhigh=0</userinput></screen> <screen>&prompt.root; <userinput>sysctl security.mac.portacl.suser_exempt=1</userinput></screen> <para>Next, allow the user with <acronym>UID</acronym> 80 - to bind to port 80. This allows the <username>www</username> + to bind to port 80. This allows the <systemitem class="username">www</systemitem> user to run a web server without ever having - <username>root</username> privilege.</para> + <systemitem class="username">root</systemitem> privilege.</para> <screen>&prompt.root; <userinput>sysctl security.mac.portacl.rules=uid:80:tcp:80</userinput></screen> @@ -1068,7 +1063,7 @@ net.inet.ip.portrange.reservedhigh=0</userinput></screen> </sect2> </sect1> - <sect1 id="mac-partition"> + <sect1 xml:id="mac-partition"> <title>The MAC Partition Policy</title> <indexterm> @@ -1132,7 +1127,7 @@ net.inet.ip.portrange.reservedhigh=0</userinput></screen> <screen>&prompt.root; <userinput>ps -ZU trhodes</userinput></screen> <note> - <para>Users can see processes in <username>root</username>'s + <para>Users can see processes in <systemitem class="username">root</systemitem>'s label unless the &man.mac.seeotheruids.4; policy is loaded.</para> </note> @@ -1151,7 +1146,7 @@ net.inet.ip.portrange.reservedhigh=0</userinput></screen> </sect2> </sect1> - <sect1 id="mac-mls"> + <sect1 xml:id="mac-mls"> <title>The MAC Multi-Level Security Module</title> <indexterm> 
@@ -1277,7 +1272,7 @@ net.inet.ip.portrange.reservedhigh=0</userinput></screen> <screen>&prompt.root; <userinput>getfmac test</userinput></screen> <para>Another approach is to create a master policy file in - <filename class="directory">/etc/</filename> which specifies the + <filename>/etc/</filename> which specifies the <acronym>MLS</acronym> policy information and to feed that file to <command>setfmac</command>. This method will be explained after all policies are covered.</para> @@ -1310,7 +1305,7 @@ net.inet.ip.portrange.reservedhigh=0</userinput></screen> </sect2> </sect1> - <sect1 id="mac-biba"> + <sect1 xml:id="mac-biba"> <title>The MAC Biba Module</title> <indexterm> @@ -1465,7 +1460,7 @@ test: biba/low</screen> </sect2> </sect1> - <sect1 id="mac-lomac"> + <sect1 xml:id="mac-lomac"> <title>The MAC LOMAC Module</title> <indexterm> @@ -1516,7 +1511,7 @@ test: biba/low</screen> </sect2> </sect1> - <sect1 id="mac-implementing"> + <sect1 xml:id="mac-implementing"> <title>Nagios in a MAC Jail</title> <indexterm> @@ -1531,10 +1526,9 @@ test: biba/low</screen> <para>Before beginning this process, <option>multilabel</option> must be set on each file system as not doing so will result in - errors. This example assumes that <filename - role="package">net-mngt/nagios-plugins</filename>, - <filename role="package">net-mngt/nagios</filename>, and - <filename role="package">www/apache22</filename> are all + errors. This example assumes that <package>net-mngt/nagios-plugins</package>, + <package>net-mngt/nagios</package>, and + <package>www/apache22</package> are all installed, configured, and working correctly.</para> <sect2> 
@@ -1590,12 +1584,12 @@ mac_seeotheruids_load="YES"</programlisting> <sect2> <title>Configure Users</title> - <para>Set the <username>root</username> user to the default + <para>Set the <systemitem class="username">root</systemitem> user to the default class using:</para> <screen>&prompt.root; <userinput>pw usermod root -L default</userinput></screen> - <para>All user accounts that are not <username>root</username> + <para>All user accounts that are not <systemitem class="username">root</systemitem> or system users will now require a login class. The login class is required otherwise users will be refused access to common commands such as &man.vi.1;. The following @@ -1604,8 +1598,8 @@ mac_seeotheruids_load="YES"</programlisting> <screen>&prompt.root; <userinput>for x in `awk -F: '($3 >= 1001) && ($3 != 65534) { print $1 }' \</userinput> <userinput>/etc/passwd`; do pw usermod $x -L default; done;</userinput></screen> - <para>Drop the <username>nagios</username> and - <username>www</username> users into the insecure class:</para> + <para>Drop the <systemitem class="username">nagios</systemitem> and + <systemitem class="username">www</systemitem> users into the insecure class:</para> <screen>&prompt.root; <userinput>pw usermod nagios -L insecure</userinput></screen> @@ -1656,7 +1650,7 @@ mac_seeotheruids_load="YES"</programlisting> <para>This policy enforces security by setting restrictions on the flow of information. In this specific configuration, - users, including <username>root</username>, should never be + users, including <systemitem class="username">root</systemitem>, should never be allowed to access <application>Nagios</application>. Configuration files and processes that are a part of <application>Nagios</application> will be completely self 
@@ -1709,9 +1703,9 @@ default_labels socket ?biba</programlisting> <para>Ensure that the web server and <application>Nagios</application> will not be started on system initialization and reboot. Ensure the - <username>root</username> user cannot access any of the files + <systemitem class="username">root</systemitem> user cannot access any of the files in the <application>Nagios</application> configuration - directory. If <username>root</username> can issue an + directory. If <systemitem class="username">root</systemitem> can issue an &man.ls.1; command on <filename>/var/spool/nagios</filename>, something is wrong. Otherwise a <quote>permission denied</quote> error should be returned.</para> @@ -1731,7 +1725,7 @@ setpmac biba/10\(10-10\) /usr/local/etc/rc.d/nagios.sh forcestart</userinput></s usual.</para> <note> - <para>The <username>root</username> user can still change the + <para>The <systemitem class="username">root</systemitem> user can still change the security enforcement and edit its configuration files. The following command will permit the degradation of the security policy to a lower grade for a newly spawned @@ -1749,7 +1743,7 @@ setpmac biba/10\(10-10\) /usr/local/etc/rc.d/nagios.sh forcestart</userinput></s </sect2> </sect1> - <sect1 id="mac-userlocked"> + <sect1 xml:id="mac-userlocked"> <title>User Lock Down</title> <para>This example considers a relatively small storage system @@ -1786,7 +1780,7 @@ setpmac biba/10\(10-10\) /usr/local/etc/rc.d/nagios.sh forcestart</userinput></s of other users are visible. Verify that running &man.ls.1; on another user's home directory fails.</para> - <para>Do not try to test with the <username>root</username> user + <para>Do not try to test with the <systemitem class="username">root</systemitem> user unless the specific <command>sysctl</command>s have been modified to block super user access.</para> 
@@ -1798,7 +1792,7 @@ setpmac biba/10\(10-10\) /usr/local/etc/rc.d/nagios.sh forcestart</userinput></s </note> </sect1> - <sect1 id="mac-troubleshoot"> + <sect1 xml:id="mac-troubleshoot"> <title>Troubleshooting the MAC Framework</title> <indexterm> @@ -1876,8 +1870,7 @@ setpmac biba/10\(10-10\) /usr/local/etc/rc.d/nagios.sh forcestart</userinput></s <step> <para>Double-check the label policies. Ensure that the policies are set correctly for the user, the Xorg - application, and the <filename - class="directory">/dev</filename> entries.</para> + application, and the <filename>/dev</filename> entries.</para> </step> <step> 
@@ -1893,30 +1886,30 @@ setpmac biba/10\(10-10\) /usr/local/etc/rc.d/nagios.sh forcestart</userinput></s .login_conf</errorname> shows up.</para> <para>When a user attempts to switch from the - <username>root</username> user to another user in the system, + <systemitem class="username">root</systemitem> user to another user in the system, the error message <errorname>_secure_path: unable to stat .login_conf</errorname> appears.</para> <para>This message is usually shown when the user has a higher label setting than that of the user they are attempting to - become. For instance, <username>joe</username> has a default + become. For instance, <systemitem class="username">joe</systemitem> has a default label of <option>biba/low</option>. The - <username>root</username> user, who has a label of + <systemitem class="username">root</systemitem> user, who has a label of <option>biba/high</option>, cannot view - <username>joe</username>'s home directory. This will happen - whether or not <username>root</username> has used - <command>su</command> to become <username>joe</username> as + <systemitem class="username">joe</systemitem>'s home directory. This will happen + whether or not <systemitem class="username">root</systemitem> has used + <command>su</command> to become <systemitem class="username">joe</systemitem> as the Biba integrity model will not permit - <username>root</username> to view objects set at a lower + <systemitem class="username">root</systemitem> to view objects set at a lower integrity level.</para> </listitem> <listitem> <para>The system no longer recognizes the - <username>root</username> user.</para> + <systemitem class="username">root</systemitem> user.</para> <para>In normal or even single user mode, the - <username>root</username> is not recognized, + <systemitem class="username">root</systemitem> is not recognized, <command>whoami</command> returns 0 (zero), and <command>su</command> returns <errorname>who are you?</errorname>.</para> |
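Review bot: the `+` line that stands in for the removed `<title>Mandatory Access Control</title>` in the first hunk (`@@ -3,21 +3,16 @@`) is an empty line carrying only indentation whitespace, left behind when the title moved into `<info>`; drop it so there is no stray blank line between `</info>` and the first `<sect1>`. In the same hunk, `<info><title>Mandatory Access Control</title>` and the one-line `<author><personname><firstname>Tom</firstname><surname>Rhodes</surname></personname><contrib>Written by </contrib></author>` squash several elements onto a single line while the rest of the file keeps one element per line; re-wrapping them to the surrounding indentation keeps future diffs of the preamble readable.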
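Review bot: `<link xlink:href="http://www.trustedbsd.org">` in hunk `@@ -27,8 +22,8 @@` is the right DocBook 5 replacement for `<ulink url=…>`, but it is only valid because the first hunk adds `xmlns:xlink="http://www.w3.org/1999/xlink"` to the `<chapter>` start tag. The two changes belong together: if the root element is edited again and that namespace declaration is lost, the `xlink:` prefix becomes unbound and the chapter stops parsing, so a short comment near the `<chapter>` tag, or a build check for the declaration, would document the dependency.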
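Review bot: the three `<systemitem class="username">root</systemitem>` substitutions in hunk `@@ -375,12 +370,12 @@` push each affected line well past the file's wrapping width, for example `<systemitem class="username">root</systemitem> is the one in control and who`, where the removed line was wrapped at roughly 70 columns. Re-flow the paragraph after the substitution; the same mechanical lengthening appears in every other `<username>` to `<systemitem>` hunk in this patch, so a single re-wrap pass over the file would be cleaner than fixing it hunk by hunk later.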
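Review bot: the two `ugidfw set` screen lines in hunk `@@ -880,21 +875,21 @@` lose their `<replaceable>` wrappers around `user1` and `user2`, yet the paragraph just above still writes `<systemitem class="username"><replaceable>user2</replaceable></systemitem>` and the paragraph just below still uses `<option>not uid <replaceable>user2</replaceable></option>`. The example now presents the same placeholder names as literal values on one line and as placeholders on the next. `<replaceable>` is unchanged in DocBook 5 and the namespace conversion does not require removing it, so keep it on the screen lines, e.g. `ugidfw set 2 subject uid <replaceable>user1</replaceable> object uid <replaceable>user2</replaceable> mode n`.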
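Review bot: `<filename class="directory">/etc/</filename>` in hunk `@@ -1277,7 +1272,7 @@` is rewritten as a plain `<filename>/etc/</filename>`, dropping `class="directory"`; hunk `@@ -1876,8 +1870,7 @@` does the same for `/dev`. That attribute is still valid on `filename` in DocBook 5 and is the only markup distinguishing these directories from ordinary files, so the move to the new namespace does not need it removed. Restore `class="directory"` in both places unless the project's stylesheets have stopped rendering it, and say so in the commit message if that is the reason.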