Date: Mon, 31 Mar 2014 16:36:58 +0000 (UTC) From: Dru Lavigne <dru@FreeBSD.org> To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org Subject: svn commit: r44398 - head/en_US.ISO8859-1/books/handbook/mac Message-ID: <201403311636.s2VGawMV074338@svn.freebsd.org>
Author: dru Date: Mon Mar 31 16:36:57 2014 New Revision: 44398 URL: http://svnweb.freebsd.org/changeset/doc/44398 Log: Finish editorial review of MAC chapter. Switch examples to put the easiest one first. Sponsored by: iXsystems Modified: head/en_US.ISO8859-1/books/handbook/mac/chapter.xml Modified: head/en_US.ISO8859-1/books/handbook/mac/chapter.xml ============================================================================== --- head/en_US.ISO8859-1/books/handbook/mac/chapter.xml Mon Mar 31 15:03:21 2014 (r44397) +++ head/en_US.ISO8859-1/books/handbook/mac/chapter.xml Mon Mar 31 16:36:57 2014 (r44398) @@ -45,8 +45,8 @@ <itemizedlist> <listitem> - <para>Which <acronym>MAC</acronym> security policy modules - are included in &os; and their associated mechanisms.</para> + <para>The terminology associated with the + <acronym>MAC</acronym> framework.</para> </listitem> <listitem> @@ -56,13 +56,13 @@ </listitem> <listitem> - <para>How to efficiently configure a system to use the + <para>The considerations to take into account before + configuring a system to use the <acronym>MAC</acronym> framework.</para> </listitem> - <listitem> - <para>How to configure the different security policy modules - included with the <acronym>MAC</acronym> framework.</para> + <para>Which <acronym>MAC</acronym> security policy modules + are included in &os; and how to configure them.</para> </listitem> <listitem> 
@@ -1355,6 +1355,56 @@ test: biba/low</screen> </sect2> </sect1> + <sect1 xml:id="mac-userlocked"> + <title>User Lock Down</title> + + <para>This example considers a relatively small storage system + with fewer than fifty users. Users will have login + capabilities and are permitted to store data and access + resources.</para> + + <para>For this scenario, the &man.mac.bsdextended.4; and + &man.mac.seeotheruids.4; policy modules could co-exist and block + access to system objects while hiding user processes.</para> + + <para>Begin by adding the following line to + <filename>/boot/loader.conf</filename>:</para> + + <programlisting>mac_seeotheruids_load="YES"</programlisting> + + <para>The &man.mac.bsdextended.4; security policy module may be + activated by adding this line to + <filename>/etc/rc.conf</filename>:</para> + + <programlisting>ugidfw_enable="YES"</programlisting> + + <para>Default rules stored in + <filename>/etc/rc.bsdextended</filename> will be loaded at + system initialization. However, the default entries may need + modification. Since this machine is expected only to service + users, everything may be left commented out except the last + two lines in order to force the loading of user owned system + objects by default.</para> + + <para>Add the required users to this machine and reboot. For + testing purposes, try logging in as a different user across + two consoles. Run <command>ps aux</command> to see if processes + of other users are visible. Verify that running &man.ls.1; on + another user's home directory fails.</para> + + <para>Do not try to test with the <systemitem + class="username">root</systemitem> user unless the specific + <command>sysctl</command>s have been modified to block super + user access.</para> + + <note> + <para>When a new user is added, their &man.mac.bsdextended.4; + rule will not be in the ruleset list. 
To update the ruleset + quickly, unload the security policy module and reload it again + using &man.kldunload.8; and &man.kldload.8;.</para> + </note> + </sect1> + <sect1 xml:id="mac-implementing"> <title>Nagios in a MAC Jail</title> @@ -1362,19 +1412,22 @@ test: biba/low</screen> <primary>Nagios in a MAC Jail</primary> </indexterm> - <para>The following demonstration implements a secure - environment using various <acronym>MAC</acronym> modules - with properly configured policies. This is only a test as - implementing a policy and ignoring it could be disastrous in a + <para>This section demonstrates the steps that are needed to + implement the <application>Nagios</application> network + monitoring system in a <acronym>MAC</acronym> environment. + This is meant as an example which still requires the administrator + to test that the implemented policy meets the security + requirements of the network before using in a production environment.</para> - <para>Before beginning this process, <option>multilabel</option> - must be set on each file system as not doing so will result in - errors. This example assumes that + <para>This example requires <option>multilabel</option> + to be set on each file system. It also + assumes that <package>net-mgmt/nagios-plugins</package>, <package>net-mgmt/nagios</package>, and <package>www/apache22</package> are all installed, configured, - and working correctly.</para> + and working correctly before attempting the integration into the + <acronym>MAC</acronym> framework.</para> <sect2> <title>Create an Insecure User Class</title> 
@@ -1406,27 +1459,17 @@ test: biba/low</screen> :ignoretime@:\ :label=biba/10(10-10):</programlisting> - <para>Add the following line to the default user class:</para> + <para>Then, add the following line to the default user class section:</para> <programlisting>:label=biba/high:</programlisting> - <para>Next, issue the following command to rebuild the + <para>Save the edits and issue the following command to rebuild the database:</para> <screen>&prompt.root; <userinput>cap_mkdb /etc/login.conf</userinput></screen> </sect2> <sect2> - <title>Boot Configuration</title> - - <para>Add the following lines to - <filename>/boot/loader.conf</filename>:</para> - - <programlisting>mac_biba_load="YES" -mac_seeotheruids_load="YES"</programlisting> - </sect2> - - <sect2> <title>Configure Users</title> <para>Set the <systemitem class="username">root</systemitem> 
@@ -1435,22 +1478,21 @@ mac_seeotheruids_load="YES"</programlist <screen>&prompt.root; <userinput>pw usermod root -L default</userinput></screen> <para>All user accounts that are not <systemitem - class="username">root</systemitem> or system users will now - require a login class. The login class is required otherwise - users will be refused access to common commands such as - &man.vi.1;. The following <command>sh</command> script should + class="username">root</systemitem> will now + require a login class. The login class is required, otherwise + users will be refused access to common commands. + The following <command>sh</command> script should do the trick:</para> <screen>&prompt.root; <userinput>for x in `awk -F: '($3 >= 1001) && ($3 != 65534) { print $1 }' \</userinput> <userinput>/etc/passwd`; do pw usermod $x -L default; done;</userinput></screen> - <para>Drop the <systemitem class="username">nagios</systemitem> - and <systemitem class="username">www</systemitem> users into + <para>Next, drop the <systemitem class="username">nagios</systemitem> + and <systemitem class="username">www</systemitem> accounts into the insecure class:</para> - <screen>&prompt.root; <userinput>pw usermod nagios -L insecure</userinput></screen> - - <screen>&prompt.root; <userinput>pw usermod www -L insecure</userinput></screen> + <screen>&prompt.root; <userinput>pw usermod nagios -L insecure</userinput> +&prompt.root; <userinput>pw usermod www -L insecure</userinput></screen> </sect2> @@ -1458,7 +1500,7 @@ mac_seeotheruids_load="YES"</programlist <title>Create the Contexts File</title> <para>A contexts file should now be created as - <filename>/etc/policy.contexts</filename>.</para> + <filename>/etc/policy.contexts</filename>:</para> <programlisting># This is the default BIBA policy for this system. 
@@ -1495,20 +1537,14 @@ mac_seeotheruids_load="YES"</programlist <application>Nagios</application> will be completely self contained or jailed.</para> - <para>This file will be read by the system by issuing the - following command:</para> - - <screen>&prompt.root; <userinput>setfsmac -ef /etc/policy.contexts /</userinput> -&prompt.root; <userinput>setfsmac -ef /etc/policy.contexts /</userinput></screen> + <para>This file will be read after running + <command>setfsmac</command> on every file system. This + example sets the policy on the root file system:</para> - <note> - <para>The above file system layout will differ depending - upon the environment and must be run on every file - system.</para> - </note> + <screen>&prompt.root; <userinput>setfsmac -ef /etc/policy.contexts /</userinput></screen> - <para><filename>/etc/mac.conf</filename> requires the following - modifications in the main section:</para> + <para>Next, add these edits + to the main section of <filename>/etc/mac.conf</filename>:</para> <programlisting>default_labels file ?biba default_labels ifnet ?biba @@ -1517,15 +1553,17 @@ default_labels socket ?biba</programlist </sect2> <sect2> - <title>Enable Networking</title> + <title>Loader Configuration</title> - <para>Add the following line to + <para>To finish the configuration, add the following lines to <filename>/boot/loader.conf</filename>:</para> + + <programlisting>mac_biba_load="YES" +mac_seeotheruids_load="YES" +security.mac.biba.trust_all_interfaces=1</programlisting> - <programlisting>security.mac.biba.trust_all_interfaces=1</programlisting> - - <para>And the following to the network card configuration stored - in <filename>rc.conf</filename>. If the primary Internet + <para>And the following line to the network card configuration stored + in <filename>/etc/rc.conf</filename>. If the primary network configuration is done via <acronym>DHCP</acronym>, this may need to be configured manually after every system boot:</para> 
@@ -1539,15 +1577,15 @@ default_labels socket ?biba</programlist <primary>MAC Configuration Testing</primary> </indexterm> - <para>Ensure that the web server and + <para>First, ensure that the web server and <application>Nagios</application> will not be started on - system initialization and reboot. Ensure the <systemitem - class="username">root</systemitem> user cannot access any of + system initialization and reboot. Ensure that <systemitem + class="username">root</systemitem> cannot access any of the files in the <application>Nagios</application> configuration directory. If <systemitem - class="username">root</systemitem> can issue an &man.ls.1; - command on <filename>/var/spool/nagios</filename>, something - is wrong. Otherwise a <quote>permission denied</quote> error + class="username">root</systemitem> can list the contents of + <filename>/var/spool/nagios</filename>, something + is wrong. Instead, a <quote>permission denied</quote> error should be returned.</para> <para>If all seems well, <application>Nagios</application>, @@ -1560,8 +1598,8 @@ setpmac biba/10\(10-10\) /usr/local/etc/ <para>Double check to ensure that everything is working properly. If not, check the log files for error messages. - Use &man.sysctl.8; to disable the &man.mac.biba.4; security - policy module enforcement and try starting everything again as + If needed, use &man.sysctl.8; to disable the &man.mac.biba.4; security + policy module and try starting everything again as usual.</para> <note> 
@@ -1583,56 +1621,6 @@ setpmac biba/10\(10-10\) /usr/local/etc/ </sect2> </sect1> - <sect1 xml:id="mac-userlocked"> - <title>User Lock Down</title> - - <para>This example considers a relatively small storage system - with fewer than fifty users. Users will have login - capabilities, and be permitted to store data and access - resources.</para> - - <para>For this scenario, the &man.mac.bsdextended.4; and - &man.mac.seeotheruids.4; policy modules could co-exist and block - access to system objects while hiding user processes.</para> - - <para>Begin by adding the following line to - <filename>/boot/loader.conf</filename>:</para> - - <programlisting>mac_seeotheruids_load="YES"</programlisting> - - <para>The &man.mac.bsdextended.4; security policy module may be - activated by adding this line to - <filename>/etc/rc.conf</filename>:</para> - - <programlisting>ugidfw_enable="YES"</programlisting> - - <para>Default rules stored in - <filename>/etc/rc.bsdextended</filename> will be loaded at - system initialization. However, the default entries may need - modification. Since this machine is expected only to service - users, everything may be left commented out except the last - two lines in order to force the loading of user owned system - objects by default.</para> - - <para>Add the required users to this machine and reboot. For - testing purposes, try logging in as a different user across - two consoles. Run <command>ps aux</command> to see if processes - of other users are visible. Verify that running &man.ls.1; on - another user's home directory fails.</para> - - <para>Do not try to test with the <systemitem - class="username">root</systemitem> user unless the specific - <command>sysctl</command>s have been modified to block super - user access.</para> - - <note> - <para>When a new user is added, their &man.mac.bsdextended.4; - rule will not be in the ruleset list. 
To update the ruleset - quickly, unload the security policy module and reload it again - using &man.kldunload.8; and &man.kldload.8;.</para> - </note> - </sect1> - <sect1 xml:id="mac-troubleshoot"> <title>Troubleshooting the MAC Framework</title> @@ -1640,14 +1628,16 @@ setpmac biba/10\(10-10\) /usr/local/etc/ <primary>MAC Troubleshooting</primary> </indexterm> - <para>This section discusses common configuration issues.</para> + <para>This section discusses common configuration errors and how + to resolve them.</para> - <itemizedlist> - <listitem> - <para>The <option>multilabel</option> flag does not stay - enabled on my root (<filename>/</filename>) - partition!</para> + <variablelist> + <varlistentry> + <term>The <option>multilabel</option> flag does not stay + enabled on the root (<filename>/</filename>) + partition:</term> + <listitem> <para>The following steps may resolve this transient error:</para> @@ -1687,12 +1677,13 @@ setpmac biba/10\(10-10\) /usr/local/etc/ </step> </procedure> </listitem> + </varlistentry> - <listitem> - <para>After establishing a secure environment with - <acronym>MAC</acronym>, I am no longer able to start - Xorg!</para> - + <varlistentry> + <term>After establishing a secure environment with + <acronym>MAC</acronym>, + <application>Xorg</application> no longer starts:</term> + <listitem> <para>This could be caused by the <acronym>MAC</acronym> <literal>partition</literal> policy or by a mislabeling in one of the <acronym>MAC</acronym> labeling policies. To @@ -1700,7 +1691,7 @@ setpmac biba/10\(10-10\) /usr/local/etc/ <procedure> <step> - <para>Check the error message; if the user is in the + <para>Check the error message. If the user is in the <literal>insecure</literal> class, the <literal>partition</literal> policy may be the culprit. Try setting the user's class back to the 
@@ -1710,36 +1701,35 @@ setpmac biba/10\(10-10\) /usr/local/etc/ </step> <step> - <para>Double-check the label policies. Ensure that the - policies are set correctly for the user, the Xorg - application, and the <filename>/dev</filename> + <para>Double-check that the label policies + are set correctly for the user, <application>Xorg</application>, + and the <filename>/dev</filename> entries.</para> </step> <step> <para>If neither of these resolve the problem, send the error message and a description of the environment to - the &a.questions; mailing list.</para> + the &a.questions;.</para> </step> </procedure> </listitem> + </varlistentry> - <listitem> - <para>The error: <errorname>_secure_path: unable to stat - .login_conf</errorname> shows up.</para> - - <para>When a user attempts to switch from the <systemitem + <varlistentry> + <term>The <errorname>_secure_path: unable to stat + .login_conf</errorname> error appears:</term> + <listitem> + <para>This error can appear when a user attempts to switch from the <systemitem class="username">root</systemitem> user to another user in - the system, the error message <errorname>_secure_path: - unable to stat .login_conf</errorname> appears.</para> - - <para>This message is usually shown when the user has a higher + the system. This message usually occurs when the user has a higher label setting than that of the user they are attempting to - become. For instance, <systemitem + become. For instance, if <systemitem class="username">joe</systemitem> has a default label of - <option>biba/low</option>. The <systemitem - class="username">root</systemitem> user, who has a label - of <option>biba/high</option>, cannot view <systemitem + <option>biba/low</option> and <systemitem + class="username">root</systemitem> has a label + of <option>biba/high</option>, <systemitem + class="username">root</systemitem> cannot view <systemitem class="username">joe</systemitem>'s home directory. 
This will happen whether or not <systemitem class="username">root</systemitem> has used @@ -1749,23 +1739,22 @@ setpmac biba/10\(10-10\) /usr/local/etc/ class="username">root</systemitem> to view objects set at a lower integrity level.</para> </listitem> + </varlistentry> - <listitem> - <para>The system no longer recognizes the <systemitem - class="username">root</systemitem> user.</para> - - <para>In normal or even single user mode, the <systemitem - class="username">root</systemitem> is not recognized, - <command>whoami</command> returns 0 (zero), and + <varlistentry> + <term>The system no longer recognizes <systemitem + class="username">root</systemitem>:</term> + <listitem> + <para>When this occurs, + <command>whoami</command> returns <literal>0</literal> and <command>su</command> returns <errorname>who are you?</errorname>.</para> - <para>This can happen if a labeling policy has been disabled, - either by a &man.sysctl.8; or the policy module was + <para>This can happen if a labeling policy has been disabled + by &man.sysctl.8; or the policy module was unloaded. If the policy is disabled, the login capabilities - database needs to be reconfigured with - <option>label</option> removed. Double check - <filename>login.conf</filename> to ensure that all + database needs to be reconfigured. Double check + <filename>/etc/login.conf</filename> to ensure that all <option>label</option> options have been removed and rebuild the database with <command>cap_mkdb</command>.</para> @@ -1778,6 +1767,7 @@ setpmac biba/10\(10-10\) /usr/local/etc/ the new label. Disable the policy using &man.sysctl.8; and everything should return to normal.</para> </listitem> - </itemizedlist> + </varlistentry> + </variablelist> </sect1> </chapter>
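Review bot: In the @@ -1362,19 +1412,22 @@ hunk the retained context line "requirements of the network before using in a production environment." reads awkwardly once the new sentence is spliced in front of it; "before using it in a production environment" is what is meant. The same hunk drops the consequence that the old text attached to <option>multilabel</option> ("as not doing so will result in errors"); keeping a short clause such as "setfsmac and the label-based login classes fail without it" tells the reader why the requirement is there rather than just stating it.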
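Review bot: In the new mac-userlocked section (@@ -1355,6 +1355,56 @@), "everything may be left commented out except the last two lines in order to force the loading of user owned system objects by default" relies on the reader knowing what the last two lines of /etc/rc.bsdextended contain, which the section never shows; quote those two rules, or describe what they allow, so the reader can verify what is being enabled before rebooting into a ruleset that "block[s] access to system objects". In the same section, "unless the specific <command>sysctl</command>s have been modified to block super user access" names no tunable; either name the ones meant or link back to the module descriptions earlier in the chapter, otherwise the warning cannot be acted on. The test paragraph is good as far as it goes; it could add that the check should be done while a root session is still open on another console, since the point of the exercise is a ruleset that denies access.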
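Review bot: In the @@ -1435,22 +1478,21 @@ hunk the rewritten prose now says "All user accounts that are not root will now require a login class", but the script that follows it, `awk -F: '($3 >= 1001) && ($3 != 65534) { print $1 }'`, only touches accounts with a UID of 1001 or more and skips nobody, so system accounts are still excluded. Dropping "or system users" from the sentence makes the prose promise more than the script does; either restore that qualifier or state explicitly that system accounts (other than nagios and www, which the next paragraph handles) are left without a class on purpose. Since the loop runs `pw usermod $x -L default` unconditionally, a sentence telling the reader to inspect the awk output before running the loop would also be worth adding.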
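Review bot: In the @@ -1495,20 +1537,14 @@ hunk, "This file will be read after running <command>setfsmac</command> on every file system" inverts the relationship: /etc/policy.contexts is the input that setfsmac reads, and the requirement that the removed <note> carried (the command "must be run on every file system") is now only implied. Suggest "setfsmac(8) reads this file and must be run against every file system that holds labelled objects; this example labels only the root file system:" so the per-file-system requirement survives the removal of the note. "add these edits to the main section" in the same hunk would read better as "make these changes to the main section".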
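Review bot: Moving the <programlisting>mac_biba_load="YES" / mac_seeotheruids_load="YES"</programlisting> block from the deleted "Boot Configuration" sect2 (@@ -1406,27 +1459,17 @@) to a new "Loader Configuration" sect2 at the end (@@ -1517,15 +1553,17 @@) changes the order in which the reader performs the steps: the setfsmac run in "Create the Contexts File" and the biba labels in /etc/login.conf now come before any instruction to load mac_biba. If the biba labels in policy.contexts and login.conf can only be applied with the module loaded, the procedure as ordered will fail at setfsmac; either say at the start of the section that the modules must be loaded (or the system rebooted with the new loader.conf) before the labelling steps, or keep the loader lines where they were and retitle that subsection. Putting security.mac.biba.trust_all_interfaces=1 in the same listing as the module loads is fine, but a short sentence saying that this is a loader tunable rather than a module to load would help readers who copy only the mac_*_load lines.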
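Review bot: In the @@ -1560,8 +1598,8 @@ hunk, "If needed, use &man.sysctl.8; to disable the &man.mac.biba.4; security policy module and try starting everything again as usual" does not name the sysctl to set, and leaves the reader with the policy disabled. Name the tunable (or point to where the chapter documents it), and add a sentence that a successful start with biba disabled only confirms that a label is the cause; the reader should then re-enable the policy and fix the label rather than leave the module disabled on the monitoring host.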
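Review bot: In the @@ -1749,23 +1739,22 @@ hunk the rewritten clause "disabled by &man.sysctl.8; or the policy module was unloaded" is no longer parallel; "disabled by sysctl(8) or because the policy module was unloaded" reads correctly. The same entry tells the reader to "ensure that all <option>label</option> options have been removed" from /etc/login.conf, but the Nagios example earlier in this chapter deliberately adds label=biba/high and label=biba/10(10-10) to the default and insecure classes; say that this step undoes that configuration and that the labels must be restored (and cap_mkdb run again) when the policy is re-enabled, otherwise the fix for one problem silently removes the setup from the previous section.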