The following demonstration will implement a secure environment using various MAC modules with properly configured policies. This is only a test and should not be considered the complete answer to everyone's security woes. Just implementing a policy and ignoring it never works and could be disastrous in a production environment.
Before beginning this process, the multilabel option must be set on each file system as stated at the beginning of this chapter. Not doing so will result in errors. While at it, ensure that the net-mngt/nagios-plugins, net-mngt/nagios, and www/apache13 ports are all installed, configured, and working correctly.
Begin the procedure by adding the following user class to the /etc/login.conf file:

insecure:\
	:copyright=/etc/COPYRIGHT:\
	:welcome=/etc/motd:\
	:setenv=MAIL=/var/mail/$,BLOCKSIZE=K:\
	:path=~/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:\
	:manpath=/usr/share/man /usr/local/man:\
	:nologin=/usr/sbin/nologin:\
	:cputime=1h30m:\
	:datasize=8M:\
	:vmemoryuse=100M:\
	:stacksize=2M:\
	:memorylocked=4M:\
	:memoryuse=8M:\
	:filesize=8M:\
	:coredumpsize=8M:\
	:openfiles=24:\
	:maxproc=32:\
	:priority=0:\
	:requirehome:\
	:passwordtime=91d:\
	:umask=022:\
	:ignoretime@:\
	:label=biba/10(10-10):

Every line of the record except the last must end in :\ so that the record continues. If a continuation is missing, the record ends at that line and the capabilities after it, including the label= entry, are silently never applied to the class.

Then add the following line to the default user class:

:label=biba/high:
Once this is completed, rebuild the login database with:

# cap_mkdb /etc/login.conf
Do not reboot yet; first add the following lines to /boot/loader.conf so the required modules load during system initialization:

mac_biba_load="YES"
mac_seeotheruids_load="YES"
Set the root user to the default class using:

# pw usermod root -L default
All user accounts that are not root or system users will now require a login class. Without one, users will be refused access to common commands such as vi(1). The following sh loop assigns the default class to every account with a UID of 1001 or higher, skipping nobody (UID 65534):

# for x in `awk -F: '($3 >= 1001) && ($3 != 65534) { print $1 }' \
/etc/passwd`; do pw usermod $x -L default; done;
Drop the nagios and www users into the insecure class:

# pw usermod nagios -L insecure
# pw usermod www -L insecure
A contexts file should now be created; the following example file should be placed in /etc/policy.contexts. Every path entry must carry a label; an entry with no label gives setfsmac(8) nothing to apply to that path.

# This is the default BIBA policy for this system.

# System:
/var/run			biba/equal
/var/run/*			biba/equal

/dev				biba/equal
/dev/*				biba/equal

/var				biba/equal
/var/spool			biba/equal
/var/spool/*			biba/equal

/var/log			biba/equal
/var/log/*			biba/equal

/tmp				biba/equal
/tmp/*				biba/equal
/var/tmp			biba/equal
/var/tmp/*			biba/equal

/var/spool/mqueue		biba/equal
/var/spool/clientmqueue		biba/equal

# For Nagios:
/usr/local/etc/nagios		biba/10
/usr/local/etc/nagios/*		biba/10

/var/spool/nagios		biba/10
/var/spool/nagios/*		biba/10

# For apache
/usr/local/etc/apache		biba/10
/usr/local/etc/apache/*		biba/10
This policy enforces security by restricting the flow of information. Biba forbids a subject from reading objects of lower integrity, so processes running at biba/high, which in this configuration means root and all ordinary users, cannot read the biba/10 files that belong to Nagios. Configuration files and processes that are a part of Nagios will be completely self-contained, or jailed.
This file may now be read into the system by issuing the following command:

# setfsmac -ef /etc/policy.contexts /

The file system layout above may differ depending on the environment; however, setfsmac must be run on every single file system, repeating the command with each mount point in place of /.
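Before handing the contexts file to setfsmac(8), it pays to confirm that every entry actually carries a label and an absolute path, since a malformed line is easy to miss in a long file. The following sh script is an added example, not part of the handbook or of FreeBSD; it assumes the subset of the spec-file format used on this page (one whitespace-free path pattern and one biba-only label per line, with # comments), and the two fixtures it checks are constructed here rather than taken from the page.

```shell
#!/bin/sh
# Added example, not FreeBSD code: a pre-flight check for the contexts file
# handed to setfsmac(8). It knows only the subset used on this page: one
# path pattern and one biba label per line, "#" comments, blank lines.
# Assumptions (not from the handbook): path patterns contain no whitespace,
# and only the biba policy is in use (a label like "biba/10,mls/5" is rejected).

# check_contexts FILE -> prints one diagnostic per bad line; returns 1 if any
check_contexts() {
    awk '
        NF == 0 || /^[ \t]*#/ { next }          # blank line or comment
        NF != 2 {
            # the common mistake: a path with no label, or a label with a space
            printf "%s:%d: expected <path> <label>, got %d field(s): %s\n", FILENAME, NR, NF, $0
            bad++; next
        }
        $1 !~ /^\// {
            printf "%s:%d: path pattern is not absolute: %s\n", FILENAME, NR, $1
            bad++; next
        }
        $2 !~ /^biba\/(low|high|equal|[0-9]+)(\((low|high|[0-9]+)-(low|high|[0-9]+)\))?$/ {
            printf "%s:%d: not a biba label: %s\n", FILENAME, NR, $2
            bad++; next
        }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# write_fixture NAME FILE -> writes a constructed sample ("good" or "bad")
write_fixture() {
    case "$1" in
        good) printf '%s\n' \
            '# constructed sample, not the handbook file' \
            '/var/run                biba/equal' \
            '/var/run/*              biba/equal' \
            '/usr/local/etc/nagios   biba/10' \
            '/usr/local/etc/nagios/* biba/10' > "$2" ;;
        bad) printf '%s\n' \
            '# constructed sample with three broken entries' \
            '/var/run                biba/equal' \
            '/usr/local/etc/nagios' \
            '/usr/local/etc/nagios/* biba/10' \
            'usr/local/etc/apache    biba/10' \
            '/var/spool/nagios       mls/10' > "$2" ;;
    esac
}

# demo: run the check over both fixtures
for kind in good bad; do
    f=$(mktemp) || exit 2
    write_fixture "$kind" "$f"
    if check_contexts "$f"; then
        echo "$kind fixture: ok"
    else
        echo "$kind fixture: rejected"
    fi
    rm -f "$f"
done
```

Run it against the real file with check_contexts /etc/policy.contexts before the setfsmac step; a non-zero exit and one line per offending entry means the file needs fixing first.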
The /etc/mac.conf file requires the following modifications in the main section:

default_labels file ?biba
default_labels ifnet ?biba
default_labels process ?biba
default_labels socket ?biba
Add the following line to /boot/loader.conf:

security.mac.biba.trust_all_interfaces=1
Append the following to the network card configuration stored in rc.conf, that is, to the ifconfig_<interface> entry for the interface. If the primary Internet configuration is done via DHCP, this may need to be configured manually after every system boot:

maclabel biba/equal
Ensure that the web server and Nagios will not be started on system initialization, and reboot. Then verify that the root user cannot access any of the files in the Nagios configuration directory. If root can issue an ls(1) command on /var/spool/nagios, then something is wrong; otherwise a "permission denied" error should be returned.
If all seems well, Nagios, Apache, and Sendmail can now be started in a way fitting of the security policy. The following commands will make this happen:

# cd /etc/mail && make stop && \
setpmac biba/equal make start && setpmac biba/10\(10-10\) apachectl start && \
setpmac biba/10\(10-10\) /usr/local/etc/rc.d/nagios.sh forcestart
Double check to ensure that everything is working properly. If not, check the log files or error messages. Use the sysctl(8) utility to disable the mac_biba(4) security policy module enforcement (security.mac.biba.enabled) and try starting everything again, like normal. The root user can change the security enforcement and edit the configuration files without fear.
The following command will permit the degradation of the security policy to a lower grade for a newly spawned shell:

# setpmac biba/10 csh

To block this from happening, force the user into a range via login.conf(5). If setpmac(8) attempts to run a command outside of the compartment's range, an error will be returned and the command will not be executed. In this case, set root's label to biba/high(high-high).
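To see why biba/high alone does not stop root from dropping to biba/10 but biba/high(high-high) does, the following sh script models the range check described above. It is an added example, not FreeBSD or handbook code, and it makes three assumptions the text does not state: grades are ordered low < 0..65535 < high, a process label written without a range keeps the inherited default range low-high, and equal and compartments are not supported.

```shell
#!/bin/sh
# Added example, not FreeBSD code: a small model of the check that makes
# setpmac(8) fail when the requested label falls outside the caller's range.
# Labels take the form biba/<grade>[(<low>-<high>)], where a grade is an
# integer, "low" or "high". Assumptions that are not in the handbook text:
#   - grades are ordered low < 0 ... 65535 < high;
#   - a process label written without a range keeps the inherited default
#     range, low-high, which is why biba/high alone does not stop root;
#   - "equal" and compartments (biba/10:2+3) are not modelled and are rejected.

# rank GRADE -> prints an integer rank; returns 1 on an unsupported grade
rank() {
    case "$1" in
        low)          printf '%s\n' -1 ;;
        high)         printf '%s\n' 65536 ;;
        ""|*[!0-9]*)  echo "unsupported grade: $1" >&2; return 1 ;;
        *)            printf '%s\n' "$1" ;;
    esac
}

# parse_label LABEL -> prints "effective low high", with "-" when no range given
parse_label() {
    case "$1" in
        biba/*) ;;
        *) echo "not a biba label: $1" >&2; return 1 ;;
    esac
    body=${1#biba/}
    case "$body" in
        *\(*-*\))
            range=${body#*\(}
            range=${range%\)}
            printf '%s %s %s\n' "${body%%\(*}" "${range%-*}" "${range#*-}" ;;
        *)
            printf '%s - -\n' "$body" ;;
    esac
}

# setpmac_allowed CURRENT REQUESTED
#   returns 0 if a process labelled CURRENT may relabel itself to REQUESTED,
#   1 if the relabel is outside the range, 2 if a label could not be parsed
setpmac_allowed() {
    cur=$(parse_label "$1") || return 2
    req=$(parse_label "$2") || return 2
    set -- $cur $req
    cur_eff=$1; cur_lo=$2; cur_hi=$3; req_eff=$4; req_lo=$5; req_hi=$6
    [ "$cur_lo" = - ] && cur_lo=low     # assumption: inherited default range
    [ "$cur_hi" = - ] && cur_hi=high
    rank "$cur_eff" >/dev/null || return 2
    lo=$(rank "$cur_lo") || return 2
    hi=$(rank "$cur_hi") || return 2
    eff=$(rank "$req_eff") || return 2
    # the requested effective grade must lie inside the current range
    { [ "$eff" -ge "$lo" ] && [ "$eff" -le "$hi" ]; } || return 1
    # a requested range must be nested inside the current range
    if [ "$req_lo" != - ]; then
        rlo=$(rank "$req_lo") || return 2
        rhi=$(rank "$req_hi") || return 2
        { [ "$rlo" -ge "$lo" ] && [ "$rhi" -le "$hi" ]; } || return 1
    fi
    return 0
}

# demo: root with and without a range, then the insecure class itself
for pair in "biba/high biba/10" \
            "biba/high(high-high) biba/10" \
            "biba/10(10-10) biba/10(10-10)" \
            "biba/10(10-10) biba/5"; do
    set -- $pair
    if setpmac_allowed "$1" "$2"; then
        echo "allowed: setpmac $2 from $1"
    else
        echo "denied:  setpmac $2 from $1"
    fi
done
```

The first demo pair is root as configured above (biba/high, default range), which is allowed to drop to biba/10; the second is root after the login.conf change to biba/high(high-high), which is not. The last pair shows that the insecure class, pinned to 10-10, cannot move to any other grade either.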
All FreeBSD documents are available for download at http://ftp.FreeBSD.org/pub/FreeBSD/doc/
Questions that are not answered by the documentation may be sent to <freebsd-questions@FreeBSD.org>.
Send questions about this document to <freebsd-doc@FreeBSD.org>.