mac-implementing.html

FreeBSD操作系统的详细使用手册

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta name="generator" content="HTML Tidy, see www.w3.org" />
<title>Implementing a Secure Environment with MAC</title>
<meta name="GENERATOR" content="Modular DocBook HTML Stylesheet Version 1.7" />
<link rel="HOME" title="FreeBSD Handbook" href="index.html" />
<link rel="UP" title="Mandatory Access Control" href="mac.html" />
<link rel="PREVIOUS" title="The MAC LOMAC Module" href="mac-lomac.html" />
<link rel="NEXT" title="Another Example: Using MAC to Constrain a Web Server"
href="mac-examplehttpd.html" />
<link rel="STYLESHEET" type="text/css" href="docbook.css" />
</head>
<body class="SECT1" bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#840084"
alink="#0000FF">
<div class="NAVHEADER">
<table summary="Header navigation table" width="100%" border="0" cellpadding="0"
cellspacing="0">
<tr>
<th colspan="3" align="center">FreeBSD Handbook</th>
</tr>

<tr>
<td width="10%" align="left" valign="bottom"><a href="mac-lomac.html"
accesskey="P">Prev</a></td>
<td width="80%" align="center" valign="bottom">Chapter 15 Mandatory Access Control</td>
<td width="10%" align="right" valign="bottom"><a href="mac-examplehttpd.html"
accesskey="N">Next</a></td>
</tr>
</table>

<hr align="LEFT" width="100%" />
</div>

<div class="SECT1">
<h1 class="SECT1"><a id="MAC-IMPLEMENTING" name="MAC-IMPLEMENTING">15.14 Implementing a
Secure Environment with MAC</a></h1>

<p>The following demonstration will implement a secure environment using various <acronym
class="ACRONYM">MAC</acronym> modules with properly configured policies. This is only a
test and should not be considered the complete answer to everyone's security woes. Just
implementing a policy and ignoring it never works and could be disastrous in a production
environment.</p>

<p>Before beginning this process, the <var class="LITERAL">multilabel</var> option must
be set on each file system as stated at the beginning of this chapter. Not doing so will
result in errors.</p>

<div class="SECT2">
<h2 class="SECT2"><a id="AEN22881" name="AEN22881">15.14.1 Create an insecure User
Class</a></h2>

<p>Begin the procedure by adding the following user class to the <tt
class="FILENAME">/etc/login.conf</tt> file:</p>

<pre class="PROGRAMLISTING">
insecure:\
:copyright=/etc/COPYRIGHT:\
:welcome=/etc/motd:\
:setenv=MAIL=/var/mail/$,BLOCKSIZE=K:\
:path=~/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin
:manpath=/usr/share/man /usr/local/man:\
:nologin=/usr/sbin/nologin:\
:cputime=1h30m:\
:datasize=8M:\
:vmemoryuse=100M:\
:stacksize=2M:\
:memorylocked=4M:\
:memoryuse=8M:\
:filesize=8M:\
:coredumpsize=8M:\
:openfiles=24:\
:maxproc=32:\
:priority=0:\
:requirehome:\
:passwordtime=91d:\
:umask=022:\
:ignoretime@:\
:label=partition/13,mls/5:
</pre>

<p>And adding the following line to the default user class:</p>

<pre class="PROGRAMLISTING">
:label=mls/equal,biba/equal,partition/equal:
</pre>

<p>Once this is completed, the following command must be issued to rebuild the
database:</p>

<pre class="SCREEN">
<samp class="PROMPT">#</samp> <kbd class="USERINPUT">cap_mkdb /etc/login.conf</kbd>
</pre>
</div>

<div class="SECT2">
<h2 class="SECT2"><a id="AEN22892" name="AEN22892">15.14.2 Boot with the Correct
Modules</a></h2>

<p>Add the following lines to <tt class="FILENAME">/boot/loader.conf</tt> so the required
modules will load during system initialization:</p>

<pre class="PROGRAMLISTING">
mac_biba_load="YES"
mac_mls_load="YES"
mac_seeotheruids_load="YES"
mac_partition_load="YES"
</pre>
</div>

<div class="SECT2">
<h2 class="SECT2"><a id="AEN22897" name="AEN22897">15.14.3 Set All Users to
Insecure</a></h2>

<p>All user accounts that are not <tt class="USERNAME">root</tt> or system users will now
require a login class. The login class is required otherwise users will be refused access
to common commands such as <a
href="http://www.FreeBSD.org/cgi/man.cgi?query=vi&sektion=1"><span
class="CITEREFENTRY"><span class="REFENTRYTITLE">vi</span>(1)</span></a>. The following
<tt class="COMMAND">sh</tt> script should do the trick:</p>

<pre class="SCREEN">
<samp class="PROMPT">#</samp> <kbd
class="USERINPUT">for x in `awk -F: '($3 &#62;= 1001) &#38;&#38; ($3 != 65534) { print $1 }' \</kbd>
    <kbd class="USERINPUT">/etc/passwd`; do pw usermod $x -L insecure; done;</kbd>
</pre>

<p>The <tt class="COMMAND">cap_mkdb</tt> command will need to be run on <tt
class="FILENAME">/etc/master.passwd</tt> after this change.</p>
</div>

<div class="SECT2">
<h2 class="SECT2"><a id="AEN22912" name="AEN22912">15.14.4 Complete the
Configuration</a></h2>

<p>A contexts file should now be created; the following example was taken from Robert
Watson's example policy and should be placed in <tt
class="FILENAME">/etc/policy.contexts</tt>.</p>

<pre class="PROGRAMLISTING">
# This is the default BIBA/MLS policy for this system.

.*                              biba/high,mls/high
/sbin/dhclient                  biba/high(low),mls/high(low)
/dev(/.*)?                      biba/equal,mls/equal
# This is not an exhaustive list of all "privileged" devices.
/dev/mdctl                      biba/high,mls/high
/dev/pci                        biba/high,mls/high
/dev/k?mem                      biba/high,mls/high
/dev/io                         biba/high,mls/high
/dev/agp.*                      biba/high,mls/high
(/var)?/tmp(/.*)?               biba/equal,mls/equal
/tmp/\.X11-unix                 biba/high(equal),mls/high(equal)
/tmp/\.X11-unix/.*              biba/equal,mls/equal
/proc(/.*)?                     biba/equal,mls/equal
/mnt.*                          biba/low,mls/low
(/usr)?/home                    biba/high(low),mls/high(low)
(/usr)?/home/.*                 biba/low,mls/low
/var/mail(/.*)?                 biba/low,mls/low
/var/spool/mqueue(/.*)?         biba/low,mls/low
(/mnt)?/cdrom(/.*)?             biba/high,mls/high
(/usr)?/home/(ftp|samba)(/.*)?  biba/high,mls/high
/var/log/sendmail\.st           biba/low,mls/low
/var/run/utmp                   biba/equal,mls/equal
/var/log/(lastlog|wtmp)         biba/equal,mls/equal
</pre>

<p>This policy will enforce security by setting restrictions on both the downward and
upward flow of information with regards to the directories and utilities listed on the
left.</p>

<p>This can now be read into our system by issuing the following command:</p>

<pre class="SCREEN">
<samp class="PROMPT">#</samp> <kbd
class="USERINPUT">setfsmac -ef /etc/policy.contexts /</kbd>
<samp class="PROMPT">#</samp> <kbd
class="USERINPUT">setfsmac -ef /etc/policy.contexts /usr</kbd>
</pre>

<div class="NOTE">
<blockquote class="NOTE">
<p><b>Note:</b> The above file system layout may be different depending on
environment.</p>
</blockquote>
</div>

<p>The <tt class="FILENAME">/etc/mac.conf</tt> file requires the following modifications
in the main section:</p>

<pre class="PROGRAMLISTING">
default_labels file ?biba,?mls
default_labels ifnet ?biba,?mls
default_labels process ?biba,?mls,?partition
default_labels socket ?biba,?mls
</pre>
</div>

<div class="SECT2">
<h2 class="SECT2"><a id="AEN22929" name="AEN22929">15.14.5 Testing the
Configuration</a></h2>

<p>Add a user with the <tt class="COMMAND">adduser</tt> command and place that user in
the <var class="LITERAL">insecure</var> class for these tests.</p>

<p>The examples below will show a mix of <tt class="USERNAME">root</tt> and regular user
tests; use the prompt to distinguish between the two.</p>

<div class="SECT3">
<h3 class="SECT3"><a id="AEN22938" name="AEN22938">15.14.5.1 Basic Labeling
Tests</a></h3>