From 94d3851b1fb4828c65524995fb55325ca393e3c2 Mon Sep 17 00:00:00 2001 From: Dru Lavigne Date: Fri, 28 Mar 2014 15:55:53 +0000 Subject: Editorial review of Available MAC Policies. Sponsored by: iXsystems --- en_US.ISO8859-1/books/handbook/mac/chapter.xml | 404 +++++++++---------------- 1 file changed, 150 insertions(+), 254 deletions(-) (limited to 'en_US.ISO8859-1/books/handbook/mac') diff --git a/en_US.ISO8859-1/books/handbook/mac/chapter.xml b/en_US.ISO8859-1/books/handbook/mac/chapter.xml index e173f475ac..8851e2f08e 100644 --- a/en_US.ISO8859-1/books/handbook/mac/chapter.xml +++ b/en_US.ISO8859-1/books/handbook/mac/chapter.xml @@ -552,13 +552,10 @@ test: biba/high Planning the Security Configuration - Whenever a new technology is implemented, a planning phase + Before implementing any MAC policies, a planning phase is recommended. During the planning stages, an administrator - should consider the implementation requirements and the - implementation goals. - - For MAC installations, these - include: + should consider the implementation requirements and + goals, such as: @@ -573,29 +570,19 @@ test: biba/high - Which MAC module or modules will be + Which MAC modules will be required to achieve this goal. - Good planning helps to ensure a trouble-free and efficient - trusted system implementation. A trial run of the trusted + A trial run of the trusted system and its configuration should occur before a MAC - implementation is used on production systems. The idea of - just letting loose on a system with MAC is - like setting up for failure. - - Different environments have different needs and - requirements. Establishing an in depth and complete security + implementation is used on production systems. Since different + environments have different needs and + requirements, establishing a complete security profile will decrease the need of changes once the system - goes live. The rest of this chapter covers the available - modules, describes their use and configuration, and in some - cases, provides insight on applicable situations. For instance, - a web server might use the &man.mac.biba.4; and - &man.mac.bsdextended.4; policies. In the case of a machine - with few local users, &man.mac.partition.4; might be a good - choice. + goes live. Consider how the MAC framework augments the security of @@ -624,8 +611,8 @@ test: biba/high user will not be permitted to change security attributes at will. All user utilities, programs, and scripts must work within the constraints of the access rules provided by the - selected security policy modules and total control of the - MAC access rules are in the hands of the + selected security policy modules and control of the + MAC access rules is in the hands of the system administrator. It is the duty of the system administrator to @@ -659,47 +646,37 @@ test: biba/high framework will help administrators choose the best policies for their situations. + The rest of this chapter covers the available + modules, describes their use and configuration, and in some + cases, provides insight on applicable situations. + Implementing MAC is much like - implementing a firewall, care must be taken to prevent being + implementing a firewall since care must be taken to prevent being completely locked out of the system. The ability to revert back to a previous configuration should be considered and the - implementation of MAC remotely should be + implementation of MAC over a remote connection should be done with extreme caution. - - Module Configuration + + Available MAC Policies Beginning with &os; 8.0, the default &os; kernel includes options MAC. This means that every module included with the MAC - framework may be loaded as a run-time kernel module. The - recommended method is to add the module name to + framework can be loaded with kldload as a run-time kernel module. + After testing the module, add the module name to /boot/loader.conf so that it will load during boot. Each module also provides a kernel option for those administrators who choose to compile their own custom kernel. - Some modules support the use of labeling, which is - controlling access by enforcing a label such as this is - allowed and this is not. A label configuration file may - control how files may be accessed, network communication can be - exchanged, and more. The previous section showed how the - flag could be set on file systems to - enable per-file or per-partition access control. - - A single label configuration enforces only one label - across the system, that is why the tunefs - option is called . - - - - Available MAC Policies - &os; includes a group of policies that will cover most - security requirements. Each policy is discussed below. + security requirements. Each policy is summarized below. The + last three policies support integer settings in place of the + three default labels. The MAC See Other UIDs Policy @@ -716,21 +693,21 @@ test: biba/high Boot option: mac_seeotheruids_load="YES" - The &man.mac.seeotheruids.4; module mimics and extends + The &man.mac.seeotheruids.4; module extends the security.bsd.see_other_uids and security.bsd.see_other_gids sysctl tunables. This option does not require any labels to be set before configuration and can - operate transparently with the other modules. + operate transparently with other modules. After loading the module, the following - sysctl tunables may be used to control the + sysctl tunables may be used to control its features: security.mac.seeotheruids.enabled - enables the module and uses the default settings which + enables the module and implements the default settings which deny users the ability to view processes and sockets owned by other users. @@ -738,10 +715,10 @@ test: biba/high security.mac.seeotheruids.specificgid_enabled - allows certain groups to be exempt from this policy. To - exempt specific groups from this policy, use the + allows specified groups to be exempt from this policy. To + exempt specific groups, use the security.mac.seeotheruids.specificgid=XXX - sysctl tunable. Replace + sysctl tunable, replacing XXX with the numeric group ID to be exempted. @@ -773,15 +750,15 @@ test: biba/high Boot option: mac_bsdextended_load="YES" - The &man.mac.bsdextended.4; module enforces the file - system firewall. This module's policy provides an extension + The &man.mac.bsdextended.4; module enforces a file + system firewall. It provides an extension to the standard file system permissions model, permitting an administrator to create a firewall-like ruleset to protect files, utilities, and directories in the file system hierarchy. When access to a file system object is attempted, the list of rules is iterated until either a matching rule is located or the end is reached. This behavior may be changed - by the use of a &man.sysctl.8; parameter, + using security.mac.bsdextended.firstmatch_enabled. Similar to other firewall modules in &os;, a file containing the access control rules can be created and read by the system @@ -792,13 +769,6 @@ test: biba/high written by using the functions in the &man.libugidfw.3; library. - Extreme caution should be taken when working with this - module as incorrect use could block access to certain parts of - the file system. - - - Examples - After the &man.mac.bsdextended.4; module has been loaded, the following command may be used to list the current rule configuration: @@ -807,17 +777,15 @@ test: biba/high 0 slots, 0 rules By default, no rules are defined and everything is - completely accessible. To create a rule which will block - all access by users but leave root unaffected, run the - following command: + completely accessible. To create a rule which blocks + all access by users but leaves root unaffected: &prompt.root; ugidfw add subject not uid root new object not uid root mode n - This is a very bad idea as it will block all users from - issuing even the most simple commands, such as - ls. The next example will block - user1 any and all + While this rule is simple to implement, it is a very bad idea as it blocks all users from + issuing any commands. A more realistic example blocks + user1 all access, including directory listings, to user2's home directory: @@ -828,17 +796,15 @@ test: biba/high Instead of user1, could be - used. This enforces the same access restrictions for all - users instead of just one user. + used in order to enforce the same access restrictions for all + users. However, the root + user is unaffected by these rules. - The root - user is unaffected by these changes. - - - For more information, refer to &man.mac.bsdextended.4; - and &man.ugidfw.8; - + Extreme caution should be taken when working with this + module as incorrect use could block access to certain parts of + the file system. + @@ -855,26 +821,26 @@ test: biba/high Boot option: mac_ifoff_load="YES" - The &man.mac.ifoff.4; module exists solely to disable - network interfaces on the fly and keep network interfaces from - being brought up during system boot. It does not require any - labels to be set up on the system, nor does it depend on other + The &man.mac.ifoff.4; module is used to disable + network interfaces on the fly and to keep network interfaces from + being brought up during system boot. It does not use + labels and does not depend on any other MAC modules. - Most of this module's control is performed through the - sysctl tunables listed below. + Most of this module's control is performed through these + sysctl tunables: security.mac.ifoff.lo_enabled - enables or disables all traffic on the loopback - (&man.lo.4;) interface. + enables or disables all traffic on the loopback, + &man.lo.4;, interface. security.mac.ifoff.bpfrecv_enabled enables or disables all traffic on the Berkeley Packet - Filter interface (&man.bpf.4;) + Filter interface, &man.bpf.4;. @@ -887,7 +853,7 @@ test: biba/high One of the most common uses of &man.mac.ifoff.4; is network monitoring in an environment where network traffic should not be permitted during the boot sequence. Another - suggested use would be to write a script which uses + use would be to write a script which uses an application such as security/aide to automatically block network traffic if it finds new or altered files in protected directories. @@ -908,9 +874,8 @@ test: biba/high mac_portacl_load="YES" The &man.mac.portacl.4; module is used to limit binding to - local TCP and UDP ports - using a variety of sysctl variables. - &man.mac.portacl.4; makes it possible to allow non-TCP and UDP ports, + making it possible to allow non-root users to bind to specified privileged ports below 1024. @@ -939,76 +904,54 @@ test: biba/high security.mac.portacl.rules - specifies the mac_portacl policy, which is a text string - of the form: rule[,rule,...] with as - many rules as needed. Each rule is of the form: + specifies the policy as a text string + of the form rule[,rule,...], with as + many rules as needed, and where each rule is of the form idtype:id:protocol:port. The - idtype parameter can be - uid or gid and is - used to interpret the id parameter - as either a user id or group id, respectively. The - protocol parameter is used to - determine if the rule should apply to - TCP or UDP by - setting the parameter to tcp or - udp. The final + idtype is either + uid or gid. The + protocol parameter can be + tcp or + udp. The port parameter is the port number - to allow the specified user or group to bind to. + to allow the specified user or group to bind to. Only + numeric values can be used for the user ID, group ID, + and port parameters. - - Since the ruleset is interpreted directly by the kernel, - only numeric values can be used for the user ID, group ID, - and port parameters. Names cannot be used for users, - groups, or services. - - - By default, ports below 1024 can only be used by or bound - to privileged processes, which run as By default, ports below 1024 can only be used by + privileged processes which run as root. For &man.mac.portacl.4; to allow non-privileged processes to bind to ports below 1024, - this restriction has to be disabled by setting the - &man.sysctl.8; variables - net.inet.ip.portrange.reservedlow and - net.inet.ip.portrange.reservedhigh to - zero: + set the following tunables as + follows: &prompt.root; sysctl security.mac.portacl.port_high=1023 -&prompt.root; sysctl net.inet.ip.portrange.reservedlow=0 -net.inet.ip.portrange.reservedhigh=0 +&prompt.root; sysctl net.inet.ip.portrange.reservedlow=0 +&prompt.root; sysctl net.inet.ip.portrange.reservedhigh=0 - See the examples below or refer to &man.mac.portacl.4; for - further information. - - - Examples - - Since the root - user should not be crippled by this policy, this example - starts by setting the + To prevent the root + user from being affected by this policy, set security.mac.portacl.suser_exempt to a non-zero value. &prompt.root; sysctl security.mac.portacl.suser_exempt=1 - Next, allow the user with UID 80 - to bind to port 80. This allows the www user to run a web server - without ever having root privilege. + To allow the www user with UID 80 + to bind to port 80 + without ever needing root privilege: &prompt.root; sysctl security.mac.portacl.rules=uid:80:tcp:80 - The next example permits the user with the - UID of 1001 to bind to the - TCP ports 110 (pop3) and - 995 (pop3s). This permits this user to start - a server that accepts connections on ports 110 and - 995. + This next example permits the user with the + UID of 1001 to bind to + TCP ports 110 (POP3) and + 995 (POP3s): &prompt.root; sysctl security.mac.portacl.rules=uid:1001:tcp:110,uid:1001:tcp:995 - @@ -1025,13 +968,9 @@ net.inet.ip.portrange.reservedhigh=0 Boot option: mac_partition_load="YES" - The &man.mac.partition.4; policy will drop processes into + The &man.mac.partition.4; policy drops processes into specific partitions based on their - MAC label. This module should be added to - &man.loader.conf.5; so that it loads and enables the policy - at system boot. - - Most configuration for this policy is done using + MAC label. Most configuration for this policy is done using &man.setpmac.8;. One sysctl tunable is available for this policy: @@ -1051,26 +990,20 @@ net.inet.ip.portrange.reservedhigh=0 access top as well as many other commands that must spawn a process. - To set or drop utilities into a partition label, use the - setpmac utility: - - &prompt.root; setpmac partition/13 top - This example adds top to the label set on users in the insecure class. All processes spawned by users in the insecure class will stay in the partition/13 label. - - Examples + &prompt.root; setpmac partition/13 top - The following command will display the partition label + This command displays the partition label and the process list: &prompt.root; ps Zax - This command will display another user's process + This command displays another user's process partition label and that user's currently running processes: @@ -1081,19 +1014,6 @@ net.inet.ip.portrange.reservedhigh=0 class="username">root's label unless the &man.mac.seeotheruids.4; policy is loaded. - - A really crafty implementation could have all of the - services disabled in /etc/rc.conf and - started by a script that starts them with the proper - labeling set. - - - The following policies support integer settings - in place of the three default labels offered. These - options, including their limitations, are further - explained in the module manual pages. - - @@ -1116,37 +1036,32 @@ net.inet.ip.portrange.reservedhigh=0 In MLS environments, a clearance level is set in the label of each subject or object, along with compartments. Since these - clearance or sensibility levels can reach numbers greater than - several thousand; it would be a daunting task for any system - administrator to thoroughly configure each subject or object. - Thankfully, three instant labels are included - in this policy. - - These labels are mls/low, - mls/equal and mls/high. - Since these labels are described in depth in the manual page, - they will only get a brief description here: + clearance levels can reach numbers greater than + several thousand, it would be a daunting task + to thoroughly configure every subject or object. + To ease this administrative overhead, three labels are included + in this policy: mls/low, + mls/equal and mls/high, + where: - The mls/low label contains a low - configuration which permits it to be dominated by all - other objects. Anything labeled with + Anything labeled with mls/low will have a low clearance level and not be permitted to access information of a higher level. This label also prevents objects of a higher - clearance level from writing or passing information on to - them. + clearance level from writing or passing information to a + lower level. - The mls/equal label should be - placed on objects considered to be exempt from the + mls/equal should be + placed on objects which should be exempt from the policy. - The mls/high label is the highest + mls/high is the highest level of clearance possible. Objects assigned this label will hold dominance over all other objects in the system; however, they will not permit the leaking of information @@ -1158,8 +1073,8 @@ net.inet.ip.portrange.reservedhigh=0 - A hierarchical security level with a set of non - hierarchical categories. + A hierarchical security level with a set of + non-hierarchical categories. @@ -1167,7 +1082,7 @@ net.inet.ip.portrange.reservedhigh=0 down. This means that a subject can have read access to objects on its own level or below, but not above. Similarly, a subject can have write access to - objects on its own level or above but not beneath. + objects on its own level or above, but not beneath. @@ -1183,8 +1098,7 @@ net.inet.ip.portrange.reservedhigh=0 The following sysctl tunables are - available for the configuration of special services and - interfaces: + available: @@ -1212,32 +1126,27 @@ net.inet.ip.portrange.reservedhigh=0 - To manipulate the MLS labels, use - &man.setfmac.8;. To assign a label to an object, issue the - following command: + To manipulate MLS labels, use + &man.setfmac.8;. To assign a label to an object: &prompt.root; setfmac mls/5 test To get the MLS label for the file - test, issue the following command: + test: &prompt.root; getfmac test Another approach is to create a master policy file in /etc/ which specifies the MLS policy information and to feed that - file to setfmac. This method will be - explained after all policies are covered. - - - Planning Mandatory Sensitivity + file to setfmac. - When using the MLS policy module, an administrator plans + When using the MLS policy module, an administrator plans to control the flow of sensitive information. The default block read up block write down sets everything to a low state. Everything is accessible and an administrator slowly augments the confidentiality of the - information during the configuration stage;. + information. Beyond the three basic label options, an administrator may group users and groups as required to block the @@ -1248,14 +1157,13 @@ net.inet.ip.portrange.reservedhigh=0 and Top Secret. Some administrators instead create different groups based on project levels. Regardless of the classification method, a well thought out - plan must exist before implementing such a restrictive + plan must exist before implementing a restrictive policy. - Some example situations for the MLS policy module + Some example situations for the MLS policy module include an e-commerce web server, a file server holding critical company information, and financial institution environments. - @@ -1277,36 +1185,35 @@ net.inet.ip.portrange.reservedhigh=0 rules for information flow are slightly reversed. This is to prevent the downward flow of sensitive information whereas the MLS policy prevents the upward flow of - sensitive information. Much of this section can apply to both - policies. + sensitive information. In Biba environments, an integrity label is set on each subject or object. These labels are made up of - hierarchical grades and non-hierarchical components. As an + hierarchical grades and non-hierarchical components. As a grade ascends, so does its integrity. Supported labels are biba/low, biba/equal, and - biba/high; as explained below: + biba/high, where: - The biba/low label is considered + biba/low is considered the lowest integrity an object or subject may have. - Setting this on objects or subjects will block their write - access to objects or subjects marked high. They still - have read access though. + Setting this on objects or subjects blocks their write + access to objects or subjects marked as biba/high, but will not prevent + read access. - The biba/equal label should only be + biba/equal should only be placed on objects considered to be exempt from the policy. - The biba/high label will permit - writing to objects set at a lower label, but not permit + biba/high permits + writing to objects set at a lower label, but does not permit reading that object. It is recommended that this label be placed on objects that affect the integrity of the entire system. @@ -1317,8 +1224,8 @@ net.inet.ip.portrange.reservedhigh=0 - Hierarchical integrity level with a set of non - hierarchical integrity categories. + Hierarchical integrity levels with a set of + non-hierarchical integrity categories. @@ -1336,12 +1243,12 @@ net.inet.ip.portrange.reservedhigh=0 - Integrity levels instead of MLS sensitivity + Integrity levels instead of MLS sensitivity levels. - The following sysctl tunables can be + The following tunables can be used to manipulate the Biba policy: @@ -1372,26 +1279,20 @@ net.inet.ip.portrange.reservedhigh=0 &prompt.root; getfmac test test: biba/low - - Planning Mandatory Integrity - - Integrity, which is different from sensitivity, - guarantees that the information will never be manipulated by + Integrity, which is different from sensitivity, is used to + guarantee that information is not manipulated by untrusted parties. This includes information passed between - subjects, objects, and both. It ensures that users will - only be able to modify or access information they explicitly - need to. - - The &man.mac.biba.4; security policy module permits an - administrator to address which files and programs a user may + subjects and objects. It ensures that users will + only be able to modify or access information they have been given explicit + access to. The &man.mac.biba.4; security policy module permits an + administrator to configure which files and programs a user may see and invoke while assuring that the programs and files - are free from threats and trusted by the system for that + are trusted by the system for that user. During the initial planning phase, an administrator must be prepared to partition users into grades, levels, and - areas. Users will be blocked access not only to data but to - programs and utilities both before and after they start. + areas. The system will default to a high label once this policy module is enabled, and it is up to the administrator to configure the different grades and levels for users. @@ -1405,7 +1306,7 @@ test: biba/low A lower integrity subject is unable to write to a higher integrity subject and a higher integrity subject cannot - observe or read a lower integrity object. Setting a label + list or read a lower integrity object. Setting a label at the lowest possible grade could make it inaccessible to subjects. Some prospective environments for this security policy module would include a constrained web server, a @@ -1413,11 +1314,10 @@ test: biba/low A less useful implementation would be a personal workstation, a machine used as a router, or a network firewall. - - The MAC LOMAC Module + The MAC Low-watermark Module MAC LOMAC @@ -1435,38 +1335,34 @@ test: biba/low objects only after decreasing the integrity level to not disrupt any integrity rules. - The MAC version of the Low-watermark - integrity policy works almost identically to Biba, but with + The Low-watermark + integrity policy works almost identically to Biba, with the exception of using floating labels to support subject demotion via an auxiliary grade compartment. This secondary compartment takes the form [auxgrade]. - When assigning a LOMAC policy with an auxiliary grade, use the - syntax lomac/10[2] where the number two - (2) is the auxiliary grade. + When assigning a policy with an auxiliary grade, use the + syntax lomac/10[2], where + 2 is the auxiliary grade. - The MAC LOMAC policy relies on the + This policy relies on the ubiquitous labeling of all system objects with integrity labels, permitting subjects to read from low integrity objects and then downgrading the label on the subject to prevent future writes to high integrity objects using - [auxgrade]. The policy may provide for + [auxgrade]. The policy may provide greater compatibility and require less initial configuration than Biba. - - Examples - Like the Biba and MLS policies, setfmac and setpmac are used to place labels on system objects: &prompt.root; setfmac /usr/home/trhodes lomac/high[low] -&prompt.root; getfmac /usr/home/trhodes lomac/high[low] +&prompt.root; getfmac /usr/home/trhodes lomac/high[low] The auxiliary grade low is a feature - provided only by the MAC LOMAC + provided only by the MAC LOMAC policy. - -- cgit v1.2.3