From owner-svn-doc-all@FreeBSD.ORG Mon Mar 31 16:36:58 2014 Return-Path: Delivered-To: svn-doc-all@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 609C2B42; Mon, 31 Mar 2014 16:36:58 +0000 (UTC) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 40D85802; Mon, 31 Mar 2014 16:36:58 +0000 (UTC) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.8/8.14.8) with ESMTP id s2VGawPU074339; Mon, 31 Mar 2014 16:36:58 GMT (envelope-from dru@svn.freebsd.org) Received: (from dru@localhost) by svn.freebsd.org (8.14.8/8.14.8/Submit) id s2VGawMV074338; Mon, 31 Mar 2014 16:36:58 GMT (envelope-from dru@svn.freebsd.org) Message-Id: <201403311636.s2VGawMV074338@svn.freebsd.org> 
From: Dru Lavigne Date: Mon, 31 Mar 2014 16:36:58 +0000 (UTC) To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org Subject: svn commit: r44398 - head/en_US.ISO8859-1/books/handbook/mac X-SVN-Group: doc-head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-doc-all@freebsd.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: "SVN commit messages for the entire doc trees \(except for " user" , " projects" , and " translations" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 31 Mar 2014 16:36:58 -0000 Author: dru Date: Mon Mar 31 16:36:57 2014 New Revision: 44398 URL: http://svnweb.freebsd.org/changeset/doc/44398 Log: Finish editorial review of MAC chapter. Switch examples to put the easiest one first. Sponsored by: iXsystems Modified: head/en_US.ISO8859-1/books/handbook/mac/chapter.xml Modified: head/en_US.ISO8859-1/books/handbook/mac/chapter.xml ============================================================================== --- head/en_US.ISO8859-1/books/handbook/mac/chapter.xml Mon Mar 31 15:03:21 2014 (r44397) +++ head/en_US.ISO8859-1/books/handbook/mac/chapter.xml Mon Mar 31 16:36:57 2014 (r44398) @@ -45,8 +45,8 @@ - Which MAC security policy modules - are included in &os; and their associated mechanisms. + The terminology associated with the + MAC framework. @@ -56,13 +56,13 @@ - How to efficiently configure a system to use the + The considerations to take into account before + configuring a system to use the MAC framework. - - How to configure the different security policy modules - included with the MAC framework. + Which MAC security policy modules + are included in &os; and how to configure them. 
@@ -1355,6 +1355,56 @@ test: biba/low + + User Lock Down + + This example considers a relatively small storage system + with fewer than fifty users. Users will have login + capabilities and are permitted to store data and access + resources. + + For this scenario, the &man.mac.bsdextended.4; and + &man.mac.seeotheruids.4; policy modules could co-exist and block + access to system objects while hiding user processes. + + Begin by adding the following line to + /boot/loader.conf: + + mac_seeotheruids_load="YES" + + The &man.mac.bsdextended.4; security policy module may be + activated by adding this line to + /etc/rc.conf: + + ugidfw_enable="YES" + + Default rules stored in + /etc/rc.bsdextended will be loaded at + system initialization. However, the default entries may need + modification. Since this machine is expected only to service + users, everything may be left commented out except the last + two lines in order to force the loading of user owned system + objects by default. + + Add the required users to this machine and reboot. For + testing purposes, try logging in as a different user across + two consoles. Run ps aux to see if processes + of other users are visible. Verify that running &man.ls.1; on + another user's home directory fails. + + Do not try to test with the root user unless the specific + sysctls have been modified to block super + user access. + + + When a new user is added, their &man.mac.bsdextended.4; + rule will not be in the ruleset list. To update the ruleset + quickly, unload the security policy module and reload it again + using &man.kldunload.8; and &man.kldload.8;. + + + Nagios in a MAC Jail 
@@ -1362,19 +1412,22 @@ test: biba/low Nagios in a MAC Jail - The following demonstration implements a secure - environment using various MAC modules - with properly configured policies. This is only a test as - implementing a policy and ignoring it could be disastrous in a + This section demonstrates the steps that are needed to + implement the Nagios network + monitoring system in a MAC environment. + This is meant as an example which still requires the administrator + to test that the implemented policy meets the security + requirements of the network before using in a production environment. - Before beginning this process, - must be set on each file system as not doing so will result in - errors. This example assumes that + This example requires + to be set on each file system. It also + assumes that net-mgmt/nagios-plugins, net-mgmt/nagios, and www/apache22 are all installed, configured, - and working correctly. + and working correctly before attempting the integration into the + MAC framework. Create an Insecure User Class @@ -1406,27 +1459,17 @@ test: biba/low :ignoretime@:\ :label=biba/10(10-10): - Add the following line to the default user class: + Then, add the following line to the default user class section: :label=biba/high: - Next, issue the following command to rebuild the + Save the edits and issue the following command to rebuild the database: &prompt.root; cap_mkdb /etc/login.conf - Boot Configuration - - Add the following lines to - /boot/loader.conf: - - mac_biba_load="YES" -mac_seeotheruids_load="YES" - - - Configure Users Set the root 
@@ -1435,22 +1478,21 @@ mac_seeotheruids_load="YES"&prompt.root; pw usermod root -L default All user accounts that are not root or system users will now - require a login class. The login class is required otherwise - users will be refused access to common commands such as - &man.vi.1;. The following sh script should + class="username">root will now + require a login class. The login class is required, otherwise + users will be refused access to common commands. + The following sh script should do the trick: &prompt.root; for x in `awk -F: '($3 >= 1001) && ($3 != 65534) { print $1 }' \ /etc/passwd`; do pw usermod $x -L default; done; - Drop the nagios - and www users into + Next, drop the nagios + and www accounts into the insecure class: - &prompt.root; pw usermod nagios -L insecure - - &prompt.root; pw usermod www -L insecure + &prompt.root; pw usermod nagios -L insecure +&prompt.root; pw usermod www -L insecure @@ -1458,7 +1500,7 @@ mac_seeotheruids_load="YES"Create the Contexts File A contexts file should now be created as - /etc/policy.contexts. + /etc/policy.contexts: # This is the default BIBA policy for this system. @@ -1495,20 +1537,14 @@ mac_seeotheruids_load="YES"Nagios will be completely self contained or jailed. - This file will be read by the system by issuing the - following command: - - &prompt.root; setfsmac -ef /etc/policy.contexts / -&prompt.root; setfsmac -ef /etc/policy.contexts / + This file will be read after running + setfsmac on every file system. This + example sets the policy on the root file system: - - The above file system layout will differ depending - upon the environment and must be run on every file - system. - + &prompt.root; setfsmac -ef /etc/policy.contexts / - /etc/mac.conf requires the following - modifications in the main section: + Next, add these edits + to the main section of /etc/mac.conf: default_labels file ?biba default_labels ifnet ?biba 
@@ -1517,15 +1553,17 @@ default_labels socket ?biba - Enable Networking + Loader Configuration - Add the following line to + To finish the configuration, add the following lines to /boot/loader.conf: + + mac_biba_load="YES" +mac_seeotheruids_load="YES" +security.mac.biba.trust_all_interfaces=1 - security.mac.biba.trust_all_interfaces=1 - - And the following to the network card configuration stored - in rc.conf. If the primary Internet + And the following line to the network card configuration stored + in /etc/rc.conf. If the primary network configuration is done via DHCP, this may need to be configured manually after every system boot: @@ -1539,15 +1577,15 @@ default_labels socket ?bibaMAC Configuration Testing - Ensure that the web server and + First, ensure that the web server and Nagios will not be started on - system initialization and reboot. Ensure the root user cannot access any of + system initialization and reboot. Ensure that root cannot access any of the files in the Nagios configuration directory. If root can issue an &man.ls.1; - command on /var/spool/nagios, something - is wrong. Otherwise a permission denied error + class="username">root can list the contents of + /var/spool/nagios, something + is wrong. Instead, a permission denied error should be returned. If all seems well, Nagios, @@ -1560,8 +1598,8 @@ setpmac biba/10\(10-10\) /usr/local/etc/ Double check to ensure that everything is working properly. If not, check the log files for error messages. - Use &man.sysctl.8; to disable the &man.mac.biba.4; security - policy module enforcement and try starting everything again as + If needed, use &man.sysctl.8; to disable the &man.mac.biba.4; security + policy module and try starting everything again as usual. 
@@ -1583,56 +1621,6 @@ setpmac biba/10\(10-10\) /usr/local/etc/ - - User Lock Down - - This example considers a relatively small storage system - with fewer than fifty users. Users will have login - capabilities, and be permitted to store data and access - resources. - - For this scenario, the &man.mac.bsdextended.4; and - &man.mac.seeotheruids.4; policy modules could co-exist and block - access to system objects while hiding user processes. - - Begin by adding the following line to - /boot/loader.conf: - - mac_seeotheruids_load="YES" - - The &man.mac.bsdextended.4; security policy module may be - activated by adding this line to - /etc/rc.conf: - - ugidfw_enable="YES" - - Default rules stored in - /etc/rc.bsdextended will be loaded at - system initialization. However, the default entries may need - modification. Since this machine is expected only to service - users, everything may be left commented out except the last - two lines in order to force the loading of user owned system - objects by default. - - Add the required users to this machine and reboot. For - testing purposes, try logging in as a different user across - two consoles. Run ps aux to see if processes - of other users are visible. Verify that running &man.ls.1; on - another user's home directory fails. - - Do not try to test with the root user unless the specific - sysctls have been modified to block super - user access. - - - When a new user is added, their &man.mac.bsdextended.4; - rule will not be in the ruleset list. To update the ruleset - quickly, unload the security policy module and reload it again - using &man.kldunload.8; and &man.kldload.8;. - - - Troubleshooting the MAC Framework 
@@ -1640,14 +1628,16 @@ setpmac biba/10\(10-10\) /usr/local/etc/ MAC Troubleshooting - This section discusses common configuration issues. + This section discusses common configuration errors and how + to resolve them. - - - The flag does not stay - enabled on my root (/) - partition! + + + The flag does not stay + enabled on the root (/) + partition: + The following steps may resolve this transient error: @@ -1687,12 +1677,13 @@ setpmac biba/10\(10-10\) /usr/local/etc/ + - - After establishing a secure environment with - MAC, I am no longer able to start - Xorg! - + + After establishing a secure environment with + MAC, + Xorg no longer starts: + This could be caused by the MAC partition policy or by a mislabeling in one of the MAC labeling policies. To @@ -1700,7 +1691,7 @@ setpmac biba/10\(10-10\) /usr/local/etc/ - Check the error message; if the user is in the + Check the error message. If the user is in the insecure class, the partition policy may be the culprit. Try setting the user's class back to the 
@@ -1710,36 +1701,35 @@ setpmac biba/10\(10-10\) /usr/local/etc/ - Double-check the label policies. Ensure that the - policies are set correctly for the user, the Xorg - application, and the /dev + Double-check that the label policies + are set correctly for the user, Xorg, + and the /dev entries. If neither of these resolve the problem, send the error message and a description of the environment to - the &a.questions; mailing list. + the &a.questions;. + - - The error: _secure_path: unable to stat - .login_conf shows up. - - When a user attempts to switch from the + The _secure_path: unable to stat + .login_conf error appears: + + This error can appear when a user attempts to switch from the root user to another user in - the system, the error message _secure_path: - unable to stat .login_conf appears. - - This message is usually shown when the user has a higher + the system. This message usually occurs when the user has a higher label setting than that of the user they are attempting to - become. For instance, joe has a default label of - . The root user, who has a label - of , cannot view biba/low and root has a label + of , root cannot view joe's home directory. This will happen whether or not root has used 
@@ -1749,23 +1739,22 @@ setpmac biba/10\(10-10\) /usr/local/etc/ class="username">root to view objects set at a lower integrity level. + - - The system no longer recognizes the root user. - - In normal or even single user mode, the root is not recognized, - whoami returns 0 (zero), and + + The system no longer recognizes root: + + When this occurs, + whoami returns 0 and su returns who are you?. - This can happen if a labeling policy has been disabled, - either by a &man.sysctl.8; or the policy module was + This can happen if a labeling policy has been disabled + by &man.sysctl.8; or the policy module was unloaded. If the policy is disabled, the login capabilities - database needs to be reconfigured with - removed. Double check - login.conf to ensure that all + database needs to be reconfigured. Double check + /etc/login.conf to ensure that all options have been removed and rebuild the database with cap_mkdb. @@ -1778,6 +1767,7 @@ setpmac biba/10\(10-10\) /usr/local/etc/ the new label. Disable the policy using &man.sysctl.8; and everything should return to normal. - + +
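Review bot: in the @@ -1355 hunk (the moved "User Lock Down" section), the ps aux check does not state the expected outcome: "Run ps aux to see if processes of other users are visible" leaves the reader to guess whether visibility is success or failure, while the very next sentence for ls(1) does say "Verify that ... fails". Suggest parallel wording, e.g. "Run ps aux and verify that processes of other users are not listed." Same hunk, "Do not try to test with the root user unless the specific sysctls have been modified to block super user access" names neither the sysctls nor their values; either name them or point the reader at the &man.mac.bsdextended.4; and &man.mac.seeotheruids.4; manual pages already referenced two paragraphs earlier.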
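Review bot: in the @@ -1362 hunk, the new sentence "requires the administrator to test that the implemented policy meets the security requirements of the network before using in a production environment" is missing its object; suggest "before using it in a production environment". The rest of the reworded introduction reads well and keeps the "configured, and working correctly" precondition for the three ports.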
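Review bot: in the @@ -1435 hunk, the prose claim and the script disagree in scope: the text says "All user accounts that are not root will now require a login class", but the awk filter `($3 >= 1001) && ($3 != 65534)` only assigns the default class to accounts with UID 1001 or higher (excluding nobody). Accounts with lower UIDs are left without a class and will hit the "refused access to common commands" failure the paragraph warns about. Suggest stating the UID range the script covers, or telling the reader to adjust the bound to match their system's user accounts. Minor: the trailing `done;` semicolon is superfluous in sh.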
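Review bot: in the @@ -1495 hunk, "This file will be read after running setfsmac on every file system" describes the relationship backwards: /etc/policy.contexts is the input setfsmac reads, and the labels in it are applied to the file system given as the last argument. Suggest "The labels in this file are applied by running setfsmac on every file system. This example labels the root file system:". Dropping the duplicated `setfsmac -ef /etc/policy.contexts /` line from the old text is correct, but the removed admonition that the command must be repeated per file system is now only implied by "on every file system"; consider keeping that as an explicit sentence since a missed file system silently stays unlabeled.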
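Review bot: in the @@ -1517 hunk, moving `mac_biba_load="YES"` and `mac_seeotheruids_load="YES"` from the early "Boot Configuration" step into the final "Loader Configuration" step changes the order of operations: the contexts file and setfsmac step, which apply biba labels, now come before the reader has been told to load the policy module. On a system where mac_biba is not already loaded, following the steps top to bottom may fail at the labeling step. Suggest either stating at the start of the Nagios example that the modules must be loaded (via /boot/loader.conf and a reboot, or kldload) before any labels are set, or restoring the loader lines to an earlier step. Also, the section renamed from "Enable Networking" to "Loader Configuration" still contains the /etc/rc.conf network card entry, so the new title covers only half of its content.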
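Review bot: in the @@ -1710 hunk, the restructured example "For instance, joe has a default label of ... and root has a label of ..., root cannot view joe's home directory" is a comma splice; suggest "For instance, if joe has a default label of ... and root has a label of ..., root cannot view joe's home directory." Otherwise the merge of the two former sentences into "This error can appear when a user attempts to switch from the root user to another user in the system" is an improvement and keeps the Biba explanation (a higher-integrity subject cannot read a lower-integrity object) intact.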