svn commit: r44398 - head/en_US.ISO8859-1/books/handbook/mac
Dru Lavigne
dru at FreeBSD.org
Mon Mar 31 16:36:58 UTC 2014
Author: dru
Date: Mon Mar 31 16:36:57 2014
New Revision: 44398
URL: http://svnweb.freebsd.org/changeset/doc/44398
Log:
Finish editorial review of MAC chapter.
Switch examples to put the easiest one first.
Sponsored by: iXsystems
Modified:
head/en_US.ISO8859-1/books/handbook/mac/chapter.xml
Modified: head/en_US.ISO8859-1/books/handbook/mac/chapter.xml
==============================================================================
--- head/en_US.ISO8859-1/books/handbook/mac/chapter.xml Mon Mar 31 15:03:21 2014 (r44397)
+++ head/en_US.ISO8859-1/books/handbook/mac/chapter.xml Mon Mar 31 16:36:57 2014 (r44398)
@@ -45,8 +45,8 @@
<itemizedlist>
<listitem>
- <para>Which <acronym>MAC</acronym> security policy modules
- are included in &os; and their associated mechanisms.</para>
+ <para>The terminology associated with the
+ <acronym>MAC</acronym> framework.</para>
</listitem>
<listitem>
@@ -56,13 +56,13 @@
</listitem>
<listitem>
- <para>How to efficiently configure a system to use the
+ <para>The considerations to take into account before
+ configuring a system to use the
<acronym>MAC</acronym> framework.</para>
</listitem>
-
<listitem>
- <para>How to configure the different security policy modules
- included with the <acronym>MAC</acronym> framework.</para>
+ <para>Which <acronym>MAC</acronym> security policy modules
+ are included in &os; and how to configure them.</para>
</listitem>
<listitem>
@@ -1355,6 +1355,56 @@ test: biba/low</screen>
</sect2>
</sect1>
+ <sect1 xml:id="mac-userlocked">
+ <title>User Lock Down</title>
+
+ <para>This example considers a relatively small storage system
+ with fewer than fifty users. Users will have login
+ capabilities and are permitted to store data and access
+ resources.</para>
+
+ <para>For this scenario, the &man.mac.bsdextended.4; and
+ &man.mac.seeotheruids.4; policy modules could co-exist and block
+ access to system objects while hiding user processes.</para>
+
+ <para>Begin by adding the following line to
+ <filename>/boot/loader.conf</filename>:</para>
+
+ <programlisting>mac_seeotheruids_load="YES"</programlisting>
+
+ <para>The &man.mac.bsdextended.4; security policy module may be
+ activated by adding this line to
+ <filename>/etc/rc.conf</filename>:</para>
+
+ <programlisting>ugidfw_enable="YES"</programlisting>
+
+ <para>Default rules stored in
+ <filename>/etc/rc.bsdextended</filename> will be loaded at
+ system initialization. However, the default entries may need
+ modification. Since this machine is expected only to service
+ users, everything may be left commented out except the last
+ two lines in order to force the loading of user owned system
+ objects by default.</para>
+
+ <para>Add the required users to this machine and reboot. For
+ testing purposes, try logging in as a different user across
+ two consoles. Run <command>ps aux</command> to see if processes
+ of other users are visible. Verify that running &man.ls.1; on
+ another user's home directory fails.</para>
+
+ <para>Do not try to test with the <systemitem
+ class="username">root</systemitem> user unless the specific
+ <command>sysctl</command>s have been modified to block super
+ user access.</para>
+
+ <note>
+ <para>When a new user is added, their &man.mac.bsdextended.4;
+ rule will not be in the ruleset list. To update the ruleset
+ quickly, unload the security policy module and reload it again
+ using &man.kldunload.8; and &man.kldload.8;.</para>
+ </note>
+ </sect1>
+
<sect1 xml:id="mac-implementing">
<title>Nagios in a MAC Jail</title>
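Review bot: the paragraph "Do not try to test with the root user unless the specific sysctls have been modified" never names those sysctls, so a reader of this section cannot act on it; either name the tunables of the two modules involved or cross-reference the part of the chapter that documents them. The closing note also recommends &man.kldunload.8; followed by &man.kldload.8; to pick up a new user's rule; it should say that none of the module's rules are enforced between the unload and the reload, or show how to reload the rules from /etc/rc.bsdextended without unloading the module.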
@@ -1362,19 +1412,22 @@ test: biba/low</screen>
<primary>Nagios in a MAC Jail</primary>
</indexterm>
- <para>The following demonstration implements a secure
- environment using various <acronym>MAC</acronym> modules
- with properly configured policies. This is only a test as
- implementing a policy and ignoring it could be disastrous in a
+ <para>This section demonstrates the steps that are needed to
+ implement the <application>Nagios</application> network
+ monitoring system in a <acronym>MAC</acronym> environment.
+ This is meant as an example which still requires the administrator
+ to test that the implemented policy meets the security
+ requirements of the network before using in a
production environment.</para>
- <para>Before beginning this process, <option>multilabel</option>
- must be set on each file system as not doing so will result in
- errors. This example assumes that
+ <para>This example requires <option>multilabel</option>
+ to be set on each file system. It also
+ assumes that
<package>net-mgmt/nagios-plugins</package>,
<package>net-mgmt/nagios</package>, and
<package>www/apache22</package> are all installed, configured,
- and working correctly.</para>
+ and working correctly before attempting the integration into the
+ <acronym>MAC</acronym> framework.</para>
<sect2>
<title>Create an Insecure User Class</title>
@@ -1406,27 +1459,17 @@ test: biba/low</screen>
:ignoretime@:\
:label=biba/10(10-10):</programlisting>
- <para>Add the following line to the default user class:</para>
+ <para>Then, add the following line to the default user class section:</para>
<programlisting>:label=biba/high:</programlisting>
- <para>Next, issue the following command to rebuild the
+ <para>Save the edits and issue the following command to rebuild the
database:</para>
<screen>&prompt.root; <userinput>cap_mkdb /etc/login.conf</userinput></screen>
</sect2>
<sect2>
- <title>Boot Configuration</title>
-
- <para>Add the following lines to
- <filename>/boot/loader.conf</filename>:</para>
-
- <programlisting>mac_biba_load="YES"
-mac_seeotheruids_load="YES"</programlisting>
- </sect2>
-
- <sect2>
<title>Configure Users</title>
<para>Set the <systemitem class="username">root</systemitem>
@@ -1435,22 +1478,21 @@ mac_seeotheruids_load="YES"</programlist
<screen>&prompt.root; <userinput>pw usermod root -L default</userinput></screen>
<para>All user accounts that are not <systemitem
- class="username">root</systemitem> or system users will now
- require a login class. The login class is required otherwise
- users will be refused access to common commands such as
- &man.vi.1;. The following <command>sh</command> script should
+ class="username">root</systemitem> will now
+ require a login class. The login class is required, otherwise
+ users will be refused access to common commands.
+ The following <command>sh</command> script should
do the trick:</para>
<screen>&prompt.root; <userinput>for x in `awk -F: '($3 >= 1001) && ($3 != 65534) { print $1 }' \</userinput>
<userinput>/etc/passwd`; do pw usermod $x -L default; done;</userinput></screen>
- <para>Drop the <systemitem class="username">nagios</systemitem>
- and <systemitem class="username">www</systemitem> users into
+ <para>Next, drop the <systemitem class="username">nagios</systemitem>
+ and <systemitem class="username">www</systemitem> accounts into
the insecure class:</para>
- <screen>&prompt.root; <userinput>pw usermod nagios -L insecure</userinput></screen>
-
- <screen>&prompt.root; <userinput>pw usermod www -L insecure</userinput></screen>
+ <screen>&prompt.root; <userinput>pw usermod nagios -L insecure</userinput>
+&prompt.root; <userinput>pw usermod www -L insecure</userinput></screen>
</sect2>
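Review bot: the rewritten sentence "All user accounts that are not root will now require a login class" no longer matches the script below it, which selects only UIDs of 1001 and above and skips 65534, so system accounts are never touched; either keep the "or system users" qualifier that was removed or state the UID range the loop covers. Minor: the trailing `done;` semicolon is unnecessary.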
@@ -1458,7 +1500,7 @@ mac_seeotheruids_load="YES"</programlist
<title>Create the Contexts File</title>
<para>A contexts file should now be created as
- <filename>/etc/policy.contexts</filename>.</para>
+ <filename>/etc/policy.contexts</filename>:</para>
<programlisting># This is the default BIBA policy for this system.
@@ -1495,20 +1537,14 @@ mac_seeotheruids_load="YES"</programlist
<application>Nagios</application> will be completely self
contained or jailed.</para>
- <para>This file will be read by the system by issuing the
- following command:</para>
-
- <screen>&prompt.root; <userinput>setfsmac -ef /etc/policy.contexts /</userinput>
-&prompt.root; <userinput>setfsmac -ef /etc/policy.contexts /</userinput></screen>
+ <para>This file will be read after running
+ <command>setfsmac</command> on every file system. This
+ example sets the policy on the root file system:</para>
- <note>
- <para>The above file system layout will differ depending
- upon the environment and must be run on every file
- system.</para>
- </note>
+ <screen>&prompt.root; <userinput>setfsmac -ef /etc/policy.contexts /</userinput></screen>
- <para><filename>/etc/mac.conf</filename> requires the following
- modifications in the main section:</para>
+ <para>Next, add these edits
+ to the main section of <filename>/etc/mac.conf</filename>:</para>
<programlisting>default_labels file ?biba
default_labels ifnet ?biba
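Review bot: "This file will be read after running setfsmac on every file system" has the order backwards; the contexts file is the input that `setfsmac -ef /etc/policy.contexts /` reads and applies to the mount point given as its last argument, and the command has to be repeated per file system. Suggest: "Apply this file to each file system with setfsmac. This example labels the root file system:". The removed note also carried the warning that the file system layout differs per environment; a sentence to that effect is worth keeping.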
@@ -1517,15 +1553,17 @@ default_labels socket ?biba</programlist
</sect2>
<sect2>
- <title>Enable Networking</title>
+ <title>Loader Configuration</title>
- <para>Add the following line to
+ <para>To finish the configuration, add the following lines to
<filename>/boot/loader.conf</filename>:</para>
+
+ <programlisting>mac_biba_load="YES"
+mac_seeotheruids_load="YES"
+security.mac.biba.trust_all_interfaces=1</programlisting>
- <programlisting>security.mac.biba.trust_all_interfaces=1</programlisting>
-
- <para>And the following to the network card configuration stored
- in <filename>rc.conf</filename>. If the primary Internet
+ <para>And the following line to the network card configuration stored
+ in <filename>/etc/rc.conf</filename>. If the primary network
configuration is done via <acronym>DHCP</acronym>, this may
need to be configured manually after every system boot:</para>
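Review bot: the new Loader Configuration listing adds `security.mac.biba.trust_all_interfaces=1` next to the two module loads without saying what the tunable does or why this setup needs it; one sentence describing its effect on how network interfaces are labeled would let the administrator judge whether it suits their network, especially since the following paragraph then asks for a per-interface entry in /etc/rc.conf as well.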
@@ -1539,15 +1577,15 @@ default_labels socket ?biba</programlist
<primary>MAC Configuration Testing</primary>
</indexterm>
- <para>Ensure that the web server and
+ <para>First, ensure that the web server and
<application>Nagios</application> will not be started on
- system initialization and reboot. Ensure the <systemitem
- class="username">root</systemitem> user cannot access any of
+ system initialization and reboot. Ensure that <systemitem
+ class="username">root</systemitem> cannot access any of
the files in the <application>Nagios</application>
configuration directory. If <systemitem
- class="username">root</systemitem> can issue an &man.ls.1;
- command on <filename>/var/spool/nagios</filename>, something
- is wrong. Otherwise a <quote>permission denied</quote> error
+ class="username">root</systemitem> can list the contents of
+ <filename>/var/spool/nagios</filename>, something
+ is wrong. Instead, a <quote>permission denied</quote> error
should be returned.</para>
<para>If all seems well, <application>Nagios</application>,
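Review bot: the test paragraph says to verify that root cannot access the Nagios configuration directory but then checks /var/spool/nagios, which is the spool directory, while the configuration tree labeled by the `setpmac biba/10\(10-10\) /usr/local/etc/` line in the next hunk's context is a different path; either check both paths or reword so the description and the path agree. Also, "Instead, a permission denied error should be returned" reads better as "A permission denied error should be returned instead."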
@@ -1560,8 +1598,8 @@ setpmac biba/10\(10-10\) /usr/local/etc/
<para>Double check to ensure that everything is working
properly. If not, check the log files for error messages.
- Use &man.sysctl.8; to disable the &man.mac.biba.4; security
- policy module enforcement and try starting everything again as
+ If needed, use &man.sysctl.8; to disable the &man.mac.biba.4; security
+ policy module and try starting everything again as
usual.</para>
<note>
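Review bot: "If needed, use sysctl to disable the mac_biba security policy module" does not say which sysctl, and it does not tell the reader to re-enable enforcement once the fault has been found; name the knob and add that the policy must be turned back on and the startup re-tested before the system is used, since disabling it removes the separation this section just set up.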
@@ -1583,56 +1621,6 @@ setpmac biba/10\(10-10\) /usr/local/etc/
</sect2>
</sect1>
- <sect1 xml:id="mac-userlocked">
- <title>User Lock Down</title>
-
- <para>This example considers a relatively small storage system
- with fewer than fifty users. Users will have login
- capabilities, and be permitted to store data and access
- resources.</para>
-
- <para>For this scenario, the &man.mac.bsdextended.4; and
- &man.mac.seeotheruids.4; policy modules could co-exist and block
- access to system objects while hiding user processes.</para>
-
- <para>Begin by adding the following line to
- <filename>/boot/loader.conf</filename>:</para>
-
- <programlisting>mac_seeotheruids_load="YES"</programlisting>
-
- <para>The &man.mac.bsdextended.4; security policy module may be
- activated by adding this line to
- <filename>/etc/rc.conf</filename>:</para>
-
- <programlisting>ugidfw_enable="YES"</programlisting>
-
- <para>Default rules stored in
- <filename>/etc/rc.bsdextended</filename> will be loaded at
- system initialization. However, the default entries may need
- modification. Since this machine is expected only to service
- users, everything may be left commented out except the last
- two lines in order to force the loading of user owned system
- objects by default.</para>
-
- <para>Add the required users to this machine and reboot. For
- testing purposes, try logging in as a different user across
- two consoles. Run <command>ps aux</command> to see if processes
- of other users are visible. Verify that running &man.ls.1; on
- another user's home directory fails.</para>
-
- <para>Do not try to test with the <systemitem
- class="username">root</systemitem> user unless the specific
- <command>sysctl</command>s have been modified to block super
- user access.</para>
-
- <note>
- <para>When a new user is added, their &man.mac.bsdextended.4;
- rule will not be in the ruleset list. To update the ruleset
- quickly, unload the security policy module and reload it again
- using &man.kldunload.8; and &man.kldload.8;.</para>
- </note>
- </sect1>
-
<sect1 xml:id="mac-troubleshoot">
<title>Troubleshooting the MAC Framework</title>
@@ -1640,14 +1628,16 @@ setpmac biba/10\(10-10\) /usr/local/etc/
<primary>MAC Troubleshooting</primary>
</indexterm>
- <para>This section discusses common configuration issues.</para>
+ <para>This section discusses common configuration errors and how
+ to resolve them.</para>
- <itemizedlist>
- <listitem>
- <para>The <option>multilabel</option> flag does not stay
- enabled on my root (<filename>/</filename>)
- partition!</para>
+ <variablelist>
+ <varlistentry>
+ <term>The <option>multilabel</option> flag does not stay
+ enabled on the root (<filename>/</filename>)
+ partition:</term>
+ <listitem>
<para>The following steps may resolve this transient
error:</para>
@@ -1687,12 +1677,13 @@ setpmac biba/10\(10-10\) /usr/local/etc/
</step>
</procedure>
</listitem>
+ </varlistentry>
- <listitem>
- <para>After establishing a secure environment with
- <acronym>MAC</acronym>, I am no longer able to start
- Xorg!</para>
-
+ <varlistentry>
+ <term>After establishing a secure environment with
+ <acronym>MAC</acronym>,
+ <application>Xorg</application> no longer starts:</term>
+ <listitem>
<para>This could be caused by the <acronym>MAC</acronym>
<literal>partition</literal> policy or by a mislabeling in
one of the <acronym>MAC</acronym> labeling policies. To
@@ -1700,7 +1691,7 @@ setpmac biba/10\(10-10\) /usr/local/etc/
<procedure>
<step>
- <para>Check the error message; if the user is in the
+ <para>Check the error message. If the user is in the
<literal>insecure</literal> class, the
<literal>partition</literal> policy may be the culprit.
Try setting the user's class back to the
@@ -1710,36 +1701,35 @@ setpmac biba/10\(10-10\) /usr/local/etc/
</step>
<step>
- <para>Double-check the label policies. Ensure that the
- policies are set correctly for the user, the Xorg
- application, and the <filename>/dev</filename>
+ <para>Double-check that the label policies
+ are set correctly for the user, <application>Xorg</application>,
+ and the <filename>/dev</filename>
entries.</para>
</step>
<step>
<para>If neither of these resolve the problem, send the
error message and a description of the environment to
- the &a.questions; mailing list.</para>
+ the &a.questions;.</para>
</step>
</procedure>
</listitem>
+ </varlistentry>
- <listitem>
- <para>The error: <errorname>_secure_path: unable to stat
- .login_conf</errorname> shows up.</para>
-
- <para>When a user attempts to switch from the <systemitem
+ <varlistentry>
+ <term>The <errorname>_secure_path: unable to stat
+ .login_conf</errorname> error appears:</term>
+ <listitem>
+ <para>This error can appear when a user attempts to switch from the <systemitem
class="username">root</systemitem> user to another user in
- the system, the error message <errorname>_secure_path:
- unable to stat .login_conf</errorname> appears.</para>
-
- <para>This message is usually shown when the user has a higher
+ the system. This message usually occurs when the user has a higher
label setting than that of the user they are attempting to
- become. For instance, <systemitem
+ become. For instance, if <systemitem
class="username">joe</systemitem> has a default label of
- <option>biba/low</option>. The <systemitem
- class="username">root</systemitem> user, who has a label
- of <option>biba/high</option>, cannot view <systemitem
+ <option>biba/low</option> and <systemitem
+ class="username">root</systemitem> has a label
+ of <option>biba/high</option>, <systemitem
+ class="username">root</systemitem> cannot view <systemitem
class="username">joe</systemitem>'s home directory. This
will happen whether or not <systemitem
class="username">root</systemitem> has used
@@ -1749,23 +1739,22 @@ setpmac biba/10\(10-10\) /usr/local/etc/
class="username">root</systemitem> to view objects set at
a lower integrity level.</para>
</listitem>
+ </varlistentry>
- <listitem>
- <para>The system no longer recognizes the <systemitem
- class="username">root</systemitem> user.</para>
-
- <para>In normal or even single user mode, the <systemitem
- class="username">root</systemitem> is not recognized,
- <command>whoami</command> returns 0 (zero), and
+ <varlistentry>
+ <term>The system no longer recognizes <systemitem
+ class="username">root</systemitem>:</term>
+ <listitem>
+ <para>When this occurs,
+ <command>whoami</command> returns <literal>0</literal> and
<command>su</command> returns <errorname>who are
you?</errorname>.</para>
- <para>This can happen if a labeling policy has been disabled,
- either by a &man.sysctl.8; or the policy module was
+ <para>This can happen if a labeling policy has been disabled
+ by &man.sysctl.8; or the policy module was
unloaded. If the policy is disabled, the login capabilities
- database needs to be reconfigured with
- <option>label</option> removed. Double check
- <filename>login.conf</filename> to ensure that all
+ database needs to be reconfigured. Double check
+ <filename>/etc/login.conf</filename> to ensure that all
<option>label</option> options have been removed and rebuild
the database with <command>cap_mkdb</command>.</para>
@@ -1778,6 +1767,7 @@ setpmac biba/10\(10-10\) /usr/local/etc/
the new label. Disable the policy using &man.sysctl.8; and
everything should return to normal.</para>
</listitem>
- </itemizedlist>
+ </varlistentry>
+ </variablelist>
</sect1>
</chapter>