Date: Mon, 31 Mar 2014 17:01:17 +0000 (UTC) From: Dru Lavigne <dru@FreeBSD.org> To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org Subject: svn commit: r44399 - head/en_US.ISO8859-1/books/handbook/mac Message-ID: <201403311701.s2VH1HcW083816@svn.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: dru Date: Mon Mar 31 17:01:17 2014 New Revision: 44399 URL: http://svnweb.freebsd.org/changeset/doc/44399 Log: White space fix only. Translators can ignore. Sponsored by: iXsystems Modified: head/en_US.ISO8859-1/books/handbook/mac/chapter.xml Modified: head/en_US.ISO8859-1/books/handbook/mac/chapter.xml ============================================================================== --- head/en_US.ISO8859-1/books/handbook/mac/chapter.xml Mon Mar 31 16:36:57 2014 (r44398) +++ head/en_US.ISO8859-1/books/handbook/mac/chapter.xml Mon Mar 31 17:01:17 2014 (r44399) @@ -1414,15 +1414,13 @@ test: biba/low</screen> <para>This section demonstrates the steps that are needed to implement the <application>Nagios</application> network - monitoring system in a <acronym>MAC</acronym> environment. - This is meant as an example which still requires the administrator - to test that the implemented policy meets the security - requirements of the network before using in a - production environment.</para> - - <para>This example requires <option>multilabel</option> - to be set on each file system. It also - assumes that + monitoring system in a <acronym>MAC</acronym> environment. This + is meant as an example which still requires the administrator to + test that the implemented policy meets the security requirements + of the network before using in a production environment.</para> + + <para>This example requires <option>multilabel</option> to be set + on each file system. It also assumes that <package>net-mgmt/nagios-plugins</package>, <package>net-mgmt/nagios</package>, and <package>www/apache22</package> are all installed, configured, @@ -1459,12 +1457,13 @@ test: biba/low</screen> :ignoretime@:\ :label=biba/10(10-10):</programlisting> - <para>Then, add the following line to the default user class section:</para> + <para>Then, add the following line to the default user class + section:</para> <programlisting>:label=biba/high:</programlisting> - <para>Save the edits and issue the following command to rebuild the - database:</para> + <para>Save the edits and issue the following command to rebuild + the database:</para> <screen>&prompt.root; <userinput>cap_mkdb /etc/login.conf</userinput></screen> </sect2> @@ -1478,22 +1477,21 @@ test: biba/low</screen> <screen>&prompt.root; <userinput>pw usermod root -L default</userinput></screen> <para>All user accounts that are not <systemitem - class="username">root</systemitem> will now - require a login class. The login class is required, otherwise - users will be refused access to common commands. - The following <command>sh</command> script should - do the trick:</para> + class="username">root</systemitem> will now require a login + class. The login class is required, otherwise users will be + refused access to common commands. The following + <command>sh</command> script should do the trick:</para> <screen>&prompt.root; <userinput>for x in `awk -F: '($3 >= 1001) && ($3 != 65534) { print $1 }' \</userinput> <userinput>/etc/passwd`; do pw usermod $x -L default; done;</userinput></screen> - <para>Next, drop the <systemitem class="username">nagios</systemitem> - and <systemitem class="username">www</systemitem> accounts into - the insecure class:</para> + <para>Next, drop the <systemitem + class="username">nagios</systemitem> and <systemitem + class="username">www</systemitem> accounts into the insecure + class:</para> <screen>&prompt.root; <userinput>pw usermod nagios -L insecure</userinput> &prompt.root; <userinput>pw usermod www -L insecure</userinput></screen> - </sect2> <sect2> @@ -1528,8 +1526,8 @@ test: biba/low</screen> # For apache /usr/local/etc/apache(/.*)? biba/10</programlisting> - <para>This policy enforces security by setting restrictions - on the flow of information. In this specific configuration, + <para>This policy enforces security by setting restrictions on + the flow of information. In this specific configuration, users, including <systemitem class="username">root</systemitem>, should never be allowed to access <application>Nagios</application>. @@ -1537,14 +1535,14 @@ test: biba/low</screen> <application>Nagios</application> will be completely self contained or jailed.</para> - <para>This file will be read after running + <para>This file will be read after running <command>setfsmac</command> on every file system. This example sets the policy on the root file system:</para> <screen>&prompt.root; <userinput>setfsmac -ef /etc/policy.contexts /</userinput></screen> - <para>Next, add these edits - to the main section of <filename>/etc/mac.conf</filename>:</para> + <para>Next, add these edits to the main section of + <filename>/etc/mac.conf</filename>:</para> <programlisting>default_labels file ?biba default_labels ifnet ?biba @@ -1557,15 +1555,16 @@ default_labels socket ?biba</programlist <para>To finish the configuration, add the following lines to <filename>/boot/loader.conf</filename>:</para> - + <programlisting>mac_biba_load="YES" mac_seeotheruids_load="YES" security.mac.biba.trust_all_interfaces=1</programlisting> - <para>And the following line to the network card configuration stored - in <filename>/etc/rc.conf</filename>. If the primary network - configuration is done via <acronym>DHCP</acronym>, this may - need to be configured manually after every system boot:</para> + <para>And the following line to the network card configuration + stored in <filename>/etc/rc.conf</filename>. If the primary + network configuration is done via <acronym>DHCP</acronym>, + this may need to be configured manually after every system + boot:</para> <programlisting>maclabel biba/equal</programlisting> </sect2> @@ -1580,13 +1579,13 @@ security.mac.biba.trust_all_interfaces=1 <para>First, ensure that the web server and <application>Nagios</application> will not be started on system initialization and reboot. Ensure that <systemitem - class="username">root</systemitem> cannot access any of - the files in the <application>Nagios</application> - configuration directory. If <systemitem - class="username">root</systemitem> can list the contents of - <filename>/var/spool/nagios</filename>, something - is wrong. Instead, a <quote>permission denied</quote> error - should be returned.</para> + class="username">root</systemitem> cannot access any of the + files in the <application>Nagios</application> configuration + directory. If <systemitem class="username">root</systemitem> + can list the contents of + <filename>/var/spool/nagios</filename>, something is wrong. + Instead, a <quote>permission denied</quote> error should be + returned.</para> <para>If all seems well, <application>Nagios</application>, <application>Apache</application>, and @@ -1597,9 +1596,9 @@ setpmac biba/equal make start && setpmac biba/10\(10-10\) /usr/local/etc/rc.d/nagios.sh forcestart</userinput></screen> <para>Double check to ensure that everything is working - properly. If not, check the log files for error messages. - If needed, use &man.sysctl.8; to disable the &man.mac.biba.4; security - policy module and try starting everything again as + properly. If not, check the log files for error messages. If + needed, use &man.sysctl.8; to disable the &man.mac.biba.4; + security policy module and try starting everything again as usual.</para> <note> @@ -1633,141 +1632,143 @@ setpmac biba/10\(10-10\) /usr/local/etc/ <variablelist> <varlistentry> - <term>The <option>multilabel</option> flag does not stay + <term>The <option>multilabel</option> flag does not stay enabled on the root (<filename>/</filename>) partition:</term> - <listitem> - <para>The following steps may resolve this transient - error:</para> - - <procedure> - <step> - <para>Edit <filename>/etc/fstab</filename> and set the - root partition to <option>ro</option> for - read-only.</para> - </step> - - <step> - <para>Reboot into single user mode.</para> - </step> - - <step> - <para>Run <command>tunefs</command> <option>-l - enable</option> on <filename>/</filename>.</para> - </step> - - <step> - <para>Reboot the system.</para> - </step> - - <step> - <para>Run <command>mount</command> <option>-urw</option> - <filename>/</filename> and change the - <option>ro</option> back to <option>rw</option> in - <filename>/etc/fstab</filename> and reboot the system - again.</para> - </step> - - <step> - <para>Double-check the output from - <command>mount</command> to ensure that - <option>multilabel</option> has been properly set on the - root file system.</para> - </step> - </procedure> - </listitem> - </varlistentry> + <listitem> + <para>The following steps may resolve this transient + error:</para> + + <procedure> + <step> + <para>Edit <filename>/etc/fstab</filename> and set the + root partition to <option>ro</option> for + read-only.</para> + </step> + + <step> + <para>Reboot into single user mode.</para> + </step> + + <step> + <para>Run <command>tunefs</command> <option>-l + enable</option> on <filename>/</filename>.</para> + </step> + + <step> + <para>Reboot the system.</para> + </step> + + <step> + <para>Run <command>mount</command> <option>-urw</option> + <filename>/</filename> and change the + <option>ro</option> back to <option>rw</option> in + <filename>/etc/fstab</filename> and reboot the system + again.</para> + </step> + + <step> + <para>Double-check the output from + <command>mount</command> to ensure that + <option>multilabel</option> has been properly set on + the root file system.</para> + </step> + </procedure> + </listitem> + </varlistentry> <varlistentry> <term>After establishing a secure environment with - <acronym>MAC</acronym>, - <application>Xorg</application> no longer starts:</term> - <listitem> - <para>This could be caused by the <acronym>MAC</acronym> - <literal>partition</literal> policy or by a mislabeling in - one of the <acronym>MAC</acronym> labeling policies. To - debug, try the following:</para> - - <procedure> - <step> - <para>Check the error message. If the user is in the - <literal>insecure</literal> class, the - <literal>partition</literal> policy may be the culprit. - Try setting the user's class back to the - <literal>default</literal> class and rebuild the - database with <command>cap_mkdb</command>. If this does - not alleviate the problem, go to step two.</para> - </step> - - <step> - <para>Double-check that the label policies - are set correctly for the user, <application>Xorg</application>, - and the <filename>/dev</filename> - entries.</para> - </step> - - <step> - <para>If neither of these resolve the problem, send the - error message and a description of the environment to - the &a.questions;.</para> - </step> - </procedure> - </listitem> - </varlistentry> + <acronym>MAC</acronym>, <application>Xorg</application> no + longer starts:</term> + <listitem> + <para>This could be caused by the <acronym>MAC</acronym> + <literal>partition</literal> policy or by a mislabeling + in one of the <acronym>MAC</acronym> labeling policies. + To debug, try the following:</para> + + <procedure> + <step> + <para>Check the error message. If the user is in the + <literal>insecure</literal> class, the + <literal>partition</literal> policy may be the + culprit. Try setting the user's class back to the + <literal>default</literal> class and rebuild the + database with <command>cap_mkdb</command>. If this + does not alleviate the problem, go to step two.</para> + </step> + + <step> + <para>Double-check that the label policies are set + correctly for the user, + <application>Xorg</application>, and the + <filename>/dev</filename> entries.</para> + </step> + + <step> + <para>If neither of these resolve the problem, send the + error message and a description of the environment to + the &a.questions;.</para> + </step> + </procedure> + </listitem> + </varlistentry> <varlistentry> <term>The <errorname>_secure_path: unable to stat .login_conf</errorname> error appears:</term> - <listitem> - <para>This error can appear when a user attempts to switch from the <systemitem - class="username">root</systemitem> user to another user in - the system. This message usually occurs when the user has a higher - label setting than that of the user they are attempting to - become. For instance, if <systemitem - class="username">joe</systemitem> has a default label of - <option>biba/low</option> and <systemitem - class="username">root</systemitem> has a label - of <option>biba/high</option>, <systemitem - class="username">root</systemitem> cannot view <systemitem - class="username">joe</systemitem>'s home directory. This - will happen whether or not <systemitem - class="username">root</systemitem> has used - <command>su</command> to become <systemitem - class="username">joe</systemitem> as the Biba integrity - model will not permit <systemitem - class="username">root</systemitem> to view objects set at - a lower integrity level.</para> - </listitem> - </varlistentry> + <listitem> + <para>This error can appear when a user attempts to switch + from the <systemitem class="username">root</systemitem> + user to another user in the system. This message + usually occurs when the user has a higher label setting + than that of the user they are attempting to become. + For instance, if <systemitem + class="username">joe</systemitem> has a default label + of <option>biba/low</option> and <systemitem + class="username">root</systemitem> has a label of + <option>biba/high</option>, <systemitem + class="username">root</systemitem> cannot view + <systemitem class="username">joe</systemitem>'s home + directory. This will happen whether or not <systemitem + class="username">root</systemitem> has used + <command>su</command> to become <systemitem + class="username">joe</systemitem> as the Biba + integrity model will not permit <systemitem + class="username">root</systemitem> to view objects set + at a lower integrity level.</para> + </listitem> + </varlistentry> <varlistentry> <term>The system no longer recognizes <systemitem class="username">root</systemitem>:</term> - <listitem> - <para>When this occurs, - <command>whoami</command> returns <literal>0</literal> and - <command>su</command> returns <errorname>who are - you?</errorname>.</para> - - <para>This can happen if a labeling policy has been disabled - by &man.sysctl.8; or the policy module was - unloaded. If the policy is disabled, the login capabilities - database needs to be reconfigured. Double check - <filename>/etc/login.conf</filename> to ensure that all - <option>label</option> options have been removed and rebuild - the database with <command>cap_mkdb</command>.</para> - - <para>This may also happen if a policy restricts access to - <filename>master.passwd</filename>. This is usually caused - by an administrator altering the file under a label which - conflicts with the general policy being used by the system. - In these cases, the user information would be read by the - system and access would be blocked as the file has inherited - the new label. Disable the policy using &man.sysctl.8; and - everything should return to normal.</para> - </listitem> - </varlistentry> - </variablelist> + <listitem> + <para>When this occurs, <command>whoami</command> returns + <literal>0</literal> and <command>su</command> returns + <errorname>who are you?</errorname>.</para> + + <para>This can happen if a labeling policy has been + disabled by &man.sysctl.8; or the policy module was + unloaded. If the policy is disabled, the login + capabilities database needs to be reconfigured. Double + check <filename>/etc/login.conf</filename> to ensure + that all <option>label</option> options have been + removed and rebuild the database with + <command>cap_mkdb</command>.</para> + + <para>This may also happen if a policy restricts access to + <filename>master.passwd</filename>. This is usually + caused by an administrator altering the file under a + label which conflicts with the general policy being used + by the system. In these cases, the user information + would be read by the system and access would be blocked + as the file has inherited the new label. Disable the + policy using &man.sysctl.8; and everything should return + to normal.</para> + </listitem> + </varlistentry> + </variablelist> </sect1> </chapter>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201403311701.s2VH1HcW083816>