The following demonstration will implement a secure environment using various MAC modules with properly configured policies. This is only a test and should not be considered the complete answer to everyone's security woes. Just implementing a policy and ignoring it never works and could be disastrous in a production environment.
Before beginning this process, the multilabel option must be set on each file system as stated at the beginning of this chapter. Not doing so will result in errors.
Begin the procedure by adding the following user class to the /etc/login.conf file:

    insecure:\
        :copyright=/etc/COPYRIGHT:\
        :welcome=/etc/motd:\
        :setenv=MAIL=/var/mail/$,BLOCKSIZE=K:\
        :path=~/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:\
        :manpath=/usr/share/man /usr/local/man:\
        :nologin=/usr/sbin/nologin:\
        :cputime=1h30m:\
        :datasize=8M:\
        :vmemoryuse=100M:\
        :stacksize=2M:\
        :memorylocked=4M:\
        :memoryuse=8M:\
        :filesize=8M:\
        :coredumpsize=8M:\
        :openfiles=24:\
        :maxproc=32:\
        :priority=0:\
        :requirehome:\
        :passwordtime=91d:\
        :umask=022:\
        :ignoretime@:\
        :label=partition/13,mls/5:
And add the following line to the default user class:

    :label=mls/equal,biba/equal,partition/15:
Once this is completed, the following command must be issued to rebuild the database:

    # cap_mkdb /etc/login.conf
Add the following lines to /boot/loader.conf so the required modules will load during system initialization:

    mac_biba_load="YES"
    mac_mls_load="YES"
    mac_seeotheruids_load="YES"
    mac_partition_load="YES"
All user accounts that are not root or system users will now require a login class. The login class is required; otherwise users will be refused access to common commands such as vi(1). The following sh script should do the trick:

    # for x in `awk -F: '($3 >= 1001) && ($3 != 65534) { print $1 }' \
        /etc/passwd`; do pw usermod $x -L insecure; done;
The cap_mkdb command will need to be run on /etc/master.passwd after this change.
A contexts file should now be created; the following example was taken from Robert Watson's example policy and should be placed in /etc/policy.contexts.

    # This is the default BIBA/MLS policy for this system.
    .*                              biba/high,mls/high
    /sbin/dhclient                  biba/high(low),mls/high(low)
    /dev(/.*)?                      biba/equal,mls/equal
    # This is not an exhaustive list of all "privileged" devices.
    /dev/mdctl                      biba/high,mls/high
    /dev/pci                        biba/high,mls/high
    /dev/k?mem                      biba/high,mls/high
    /dev/io                         biba/high,mls/high
    /dev/agp.*                      biba/high,mls/high
    (/var)?/tmp(/.*)?               biba/equal,mls/equal
    /tmp/\.X11-unix                 biba/high(equal),mls/high(equal)
    /tmp/\.X11-unix/.*              biba/equal,mls/equal
    /proc(/.*)?                     biba/equal,mls/equal
    /mnt.*                          biba/low,mls/low
    (/usr)?/home                    biba/high(low),mls/high(low)
    (/usr)?/home/.*                 biba/low,mls/low
    /var/mail(/.*)?                 biba/low,mls/low
    /var/spool/mqueue(/.*)?         biba/low,mls/low
    (/mnt)?/cdrom(/.*)?             biba/high,mls/high
    (/usr)?/home/(ftp|samba)(/.*)?  biba/high,mls/high
    /var/log/sendmail\.st           biba/low,mls/low
    /var/run/utmp                   biba/equal,mls/equal
    /var/log/(lastlog|wtmp)         biba/equal,mls/equal
This policy will enforce security by setting restrictions on both the downward and upward flow of information with regards to the directories and utilities listed on the left.
This can now be read into our system by issuing the following commands:

    # setfsmac -ef /etc/policy.contexts /
    # setfsmac -ef /etc/policy.contexts /usr
The above file system layout may be different depending on environment.
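To see how the contexts file above labels a given path, here is an added resolver (not Handbook or FreeBSD code) that reads a constructed subset of that file in the same syntax, anchors each expression to the whole path as setfsmac -e does, and applies every matching line in order; that later lines override earlier ones is an assumption, but the leading .* default line only makes sense under it.

```python
import re

# Constructed excerpt of /etc/policy.contexts in the same syntax as the full file.
POLICY_CONTEXTS = """\
# This is the default BIBA/MLS policy for this system.
.*                              biba/high,mls/high
/dev(/.*)?                      biba/equal,mls/equal
/dev/k?mem                      biba/high,mls/high
(/usr)?/home                    biba/high(low),mls/high(low)
(/usr)?/home/.*                 biba/low,mls/low
(/usr)?/home/(ftp|samba)(/.*)?  biba/high,mls/high
/var/run/utmp                   biba/equal,mls/equal
"""

def parse_contexts(text):
    """Return [(compiled regex, label)] in file order; '#' lines are comments."""
    specs = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected '<regex> <label>'")
        pattern, label = parts
        # setfsmac -e treats the expression as an exact (whole-path) match.
        specs.append((re.compile(r"\A(?:%s)\Z" % pattern), label))
    return specs

def resolve_label(specs, path):
    """Apply each matching line in turn; the last match wins (assumption)."""
    label = None
    for regex, spec_label in specs:
        if regex.match(path):
            label = spec_label
    return label

def labels_for(paths, text=POLICY_CONTEXTS):
    specs = parse_contexts(text)
    return {p: resolve_label(specs, p) for p in paths}

if __name__ == "__main__":
    sample = ["/dev/mem", "/home", "/home/alice/.profile", "/home/ftp/pub", "/bin/ls"]
    for path, label in labels_for(sample).items():
        print(f"{path:24} {label}")
```

Note that /home/ftp/pub ends up biba/high,mls/high although the earlier (/usr)?/home/.* line would give it biba/low,mls/low, which is why the order of lines in the contexts file matters.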
The /etc/mac.conf file requires the following modifications in the main section:

    default_labels file ?biba,?mls
    default_labels ifnet ?biba,?mls
    default_labels process ?biba,?mls,?partition
    default_labels socket ?biba,?mls
Add a user with the adduser command and place that user in the insecure class for these tests. The examples below will show a mix of root and regular user tests; use the prompt to distinguish between the two.
    % getpmac
    biba/15(15-15),mls/15(15-15),partition/15
    # setpmac partition/15,mls/equal top
The top process will be killed before we start another top process.
    % ps Zax
    biba/15(15-15),mls/15(15-15),partition/15 1096 #C:  S      0:00.03 -su (bash)
    biba/15(15-15),mls/15(15-15),partition/15 1101 #C:  R+     0:00.01 ps Zax
We should not be permitted to see any processes owned by other users.
Disable the MAC seeotheruids policy for the rest of these tests:

    # sysctl security.mac.seeotheruids.enabled=0
    % ps Zax
                                                    LABEL  PID TT STAT      TIME COMMAND
    biba/equal(low-high),mls/equal(low-high),partition/15 1122 #C:  S+     0:00.02 top
    biba/15(15-15),mls/15(15-15),partition/15             1096 #C:  S      0:00.05 -su (bash)
    biba/15(15-15),mls/15(15-15),partition/15             1123 #C:  R+     0:00.01 ps Zax
All users should be permitted to see every process in their partition.
    # setpmac partition/15,mls/equal,biba/high\(high-high\) top
    % ps Zax
                                                    LABEL  PID TT STAT      TIME COMMAND
    biba/high(high-high),mls/equal(low-high),partition/15 1251 #C:  S+     0:00.02 top
    biba/15(15-15),mls/15(15-15),partition/15             1096 #C:  S      0:00.06 -su (bash)
    biba/15(15-15),mls/15(15-15),partition/15             1157 #C:  R+     0:00.00 ps Zax
The Biba policy allows us to read higher-labeled objects.
    # setpmac partition/15,mls/equal,biba/low top
    % ps Zax
                                                    LABEL  PID TT STAT      TIME COMMAND
    biba/15(15-15),mls/15(15-15),partition/15             1096 #C:  S      0:00.07 -su (bash)
    biba/15(15-15),mls/15(15-15),partition/15             1226 #C:  R+     0:00.01 ps Zax
The Biba policy does not allow lower-labeled objects to be read; however, MLS does.
    % ifconfig bge0 | grep maclabel
    maclabel biba/low(low-low),mls/low(low-low)
    % ping -c 1 192.0.34.166
    PING 192.0.34.166 (192.0.34.166): 56 data bytes
    ping: sendto: Permission denied

Users are unable to ping example.com, or any domain for that matter.
To prevent this error from occurring, run the following command:
    # sysctl security.mac.biba.trust_all_interfaces=1
This sets the default interface label to insecure mode, so the default Biba policy label will not be enforced.
    # ifconfig bge0 maclabel biba/equal\(low-high\),mls/equal\(low-high\)
    % ping -c 1 192.0.34.166
    PING 192.0.34.166 (192.0.34.166): 56 data bytes
    64 bytes from 192.0.34.166: icmp_seq=0 ttl=50 time=204.455 ms
    --- 192.0.34.166 ping statistics ---
    1 packets transmitted, 1 packets received, 0% packet loss
    round-trip min/avg/max/stddev = 204.455/204.455/204.455/0.000 ms

By setting a more correct label, we can issue ping requests.
Now to create a few files for some read and write testing procedures:
    # touch test1 test2 test3 test4 test5
    # getfmac test1
    test1: biba/equal,mls/equal
    # setfmac biba/low test1 test2; setfmac biba/high test4 test5; \
        setfmac mls/low test1 test3; setfmac mls/high test2 test4
    # setfmac mls/equal,biba/equal test3 && getfmac test?
    test1: biba/low,mls/low
    test2: biba/low,mls/high
    test3: biba/equal,mls/equal
    test4: biba/high,mls/high
    test5: biba/high,mls/equal
    # chown testuser:testuser test?

All of these files should now be owned by our testuser user. And now for some read tests:
    % ls
    test1 test2 test3 test4 test5
    % ls test?
    ls: test1: Permission denied
    ls: test2: Permission denied
    ls: test4: Permission denied
    test3 test5

We should not be permitted to observe pairs; e.g.: (biba/low,mls/low), (biba/low,mls/high) and (biba/high,mls/high). And of course, read access should be denied. Now for some write tests:
    % for i in `echo test*`; do echo 1 > $i; done
    -su: test1: Permission denied
    -su: test4: Permission denied
    -su: test5: Permission denied

Like with the read tests, write access should not be permitted to write pairs; e.g.: (biba/low,mls/high) and (biba/equal,mls/equal).
    % cat test?
    cat: test1: Permission denied
    cat: test2: Permission denied
    1
    cat: test4: Permission denied

And now as root:

    # cat test2
    1
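The read and write results for test1 through test5 follow directly from the Biba and MLS dominance rules. The following added model (not FreeBSD's own code) encodes those rules and reproduces the outcomes above for the testuser shell label; it assumes numeric grades sit strictly between low and high and that equal matches every grade.

```python
# Constructed model of the Biba/MLS dominance checks, not the kernel's code.
LEVELS = {"low": 0, "high": 65536}   # assumption: numeric grades lie in between

def level(grade):
    return LEVELS[grade] if grade in LEVELS else int(grade)

def parse_label(label):
    """'biba/low,mls/high' -> {'biba': 'low', 'mls': 'high'}; for a subject
    label such as 'biba/15(15-15)' only the effective grade is kept."""
    out = {}
    for elem in label.split(","):
        policy, grade = elem.split("/", 1)
        out[policy] = grade.split("(")[0]
    return out

def dominates(a, b):
    """True when grade a is at least grade b; 'equal' matches everything."""
    return "equal" in (a, b) or level(a) >= level(b)

def allowed(subject, obj, op):
    s, o = parse_label(subject), parse_label(obj)
    if op == "read":
        # Biba: no read-down, the object's integrity must dominate the subject's.
        # MLS: no read-up, the subject's clearance must dominate the object's.
        return dominates(o["biba"], s["biba"]) and dominates(s["mls"], o["mls"])
    if op == "write":
        # Biba: no write-up, the subject's integrity must dominate the object's.
        # MLS: no write-down, the object's level must dominate the subject's.
        return dominates(s["biba"], o["biba"]) and dominates(o["mls"], s["mls"])
    raise ValueError(op)

# The testuser shell label and the five files exactly as labelled above.
SUBJECT = "biba/15(15-15),mls/15(15-15),partition/15"
FILES = {
    "test1": "biba/low,mls/low",
    "test2": "biba/low,mls/high",
    "test3": "biba/equal,mls/equal",
    "test4": "biba/high,mls/high",
    "test5": "biba/high,mls/equal",
}

def access_matrix(subject=SUBJECT, files=FILES):
    """Map each file name to (readable, writable) for the given subject."""
    return {n: (allowed(subject, l, "read"), allowed(subject, l, "write"))
            for n, l in files.items()}

for name, (r, w) in access_matrix().items():
    print(f"{name}: read={'ok' if r else 'denied'} write={'ok' if w else 'denied'}")
```

The matrix shows test2 as writable but not readable and test5 as readable but not writable, which is exactly what the ls, echo and cat runs above reported.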
All FreeBSD documents are available for download at http://ftp.FreeBSD.org/pub/FreeBSD/doc/