Diffstat (limited to 'documentation/content/en/books/handbook/mac/_index.adoc')
-rw-r--r--  documentation/content/en/books/handbook/mac/_index.adoc  50
1 files changed, 25 insertions, 25 deletions
diff --git a/documentation/content/en/books/handbook/mac/_index.adoc b/documentation/content/en/books/handbook/mac/_index.adoc index 60c1d46c07..3f613574f9 100644 --- a/documentation/content/en/books/handbook/mac/_index.adoc +++ b/documentation/content/en/books/handbook/mac/_index.adoc @@ -109,7 +109,7 @@ Using a multi label policy on a partition and establishing a multi label securit The following command will set `multilabel` on the specified UFS file system. This may only be done in single-user mode and is not a requirement for the swap file system: -[source,bash] +[source,shell] .... # tunefs -l enable / .... @@ -127,7 +127,7 @@ Virtually all aspects of label policy module configuration will be performed usi All configuration may be done using `setfmac`, which is used to set MAC labels on system objects, and `setpmac`, which is used to set the labels on system subjects. For example, to set the `biba` MAC label to `high` on [.filename]#test#: -[source,bash] +[source,shell] .... # setfmac biba/high test .... @@ -136,7 +136,7 @@ If the configuration is successful, the prompt will be returned without error. A The system administrator may use `setpmac` to override the policy module's settings by assigning a different label to the invoked process: -[source,bash] +[source,shell] .... # setfmac biba/high test Permission denied @@ -219,7 +219,7 @@ Labels may be set on network interfaces to help control the flow of data across When setting the MAC label on network interfaces, `maclabel` may be passed to `ifconfig`: -[source,bash] +[source,shell] .... # ifconfig bge0 maclabel biba/equal .... @@ -298,7 +298,7 @@ The rule list may be entered using man:ugidfw[8] which has a syntax similar to m After the man:mac_bsdextended[4] module has been loaded, the following command may be used to list the current rule configuration: -[source,bash] +[source,shell] .... # ugidfw list 0 slots, 0 rules 
@@ -306,14 +306,14 @@ After the man:mac_bsdextended[4] module has been loaded, the following command m By default, no rules are defined and everything is completely accessible. To create a rule which blocks all access by users but leaves `root` unaffected: -[source,bash] +[source,shell] .... # ugidfw add subject not uid root new object not uid root mode n .... While this rule is simple to implement, it is a very bad idea as it blocks all users from issuing any commands. A more realistic example blocks `user1` all access, including directory listings, to ``_user2_``'s home directory: -[source,bash] +[source,shell] .... # ugidfw set 2 subject uid user1 object uid user2 mode n # ugidfw set 3 subject uid user1 object gid user2 mode n @@ -365,7 +365,7 @@ Once loaded, this module enables the MAC policy on all sockets. The following tu By default, ports below 1024 can only be used by privileged processes which run as `root`. For man:mac_portacl[4] to allow non-privileged processes to bind to ports below 1024, set the following tunables as follows: -[source,bash] +[source,shell] .... # sysctl security.mac.portacl.port_high=1023 # sysctl net.inet.ip.portrange.reservedlow=0 @@ -374,21 +374,21 @@ By default, ports below 1024 can only be used by privileged processes which run To prevent the `root` user from being affected by this policy, set `security.mac.portacl.suser_exempt` to a non-zero value. -[source,bash] +[source,shell] .... # sysctl security.mac.portacl.suser_exempt=1 .... To allow the `www` user with UID 80 to bind to port 80 without ever needing `root` privilege: -[source,bash] +[source,shell] .... # sysctl security.mac.portacl.rules=uid:80:tcp:80 .... This next example permits the user with the UID of 1001 to bind to TCP ports 110 (POP3) and 995 (POP3s): -[source,bash] +[source,shell] .... # sysctl security.mac.portacl.rules=uid:1001:tcp:110,uid:1001:tcp:995 .... 
@@ -410,21 +410,21 @@ When this policy is enabled, users will only be permitted to see their processes This example adds `top` to the label set on users in the `insecure` class. All processes spawned by users in the `insecure` class will stay in the `partition/13` label. -[source,bash] +[source,shell] .... # setpmac partition/13 top .... This command displays the partition label and the process list: -[source,bash] +[source,shell] .... # ps Zax .... This command displays another user's process partition label and that user's currently running processes: -[source,bash] +[source,shell] .... # ps -ZU trhodes .... @@ -467,14 +467,14 @@ The following `sysctl` tunables are available: To manipulate MLS labels, use man:setfmac[8]. To assign a label to an object: -[source,bash] +[source,shell] .... # setfmac mls/5 test .... To get the MLS label for the file [.filename]#test#: -[source,bash] +[source,shell] .... # getfmac test .... @@ -521,7 +521,7 @@ The following tunables can be used to manipulate the Biba policy: To access the Biba policy setting on system objects, use `setfmac` and `getfmac`: -[source,bash] +[source,shell] .... # setfmac biba/low test # getfmac test @@ -551,7 +551,7 @@ This policy relies on the ubiquitous labeling of all system objects with integri Like the Biba and MLS policies, `setfmac` and `setpmac` are used to place labels on system objects: -[source,bash] +[source,shell] .... # setfmac /usr/home/trhodes lomac/high[low] # getfmac /usr/home/trhodes lomac/high[low] @@ -638,7 +638,7 @@ Then, add the following line to the default user class section: Save the edits and issue the following command to rebuild the database: -[source,bash] +[source,shell] .... # cap_mkdb /etc/login.conf .... 
@@ -647,14 +647,14 @@ Save the edits and issue the following command to rebuild the database: Set the `root` user to the default class using: -[source,bash] +[source,shell] .... # pw usermod root -L default .... All user accounts that are not `root` will now require a login class. The login class is required, otherwise users will be refused access to common commands. The following `sh` script should do the trick: -[source,bash] +[source,shell] .... # for x in `awk -F: '($3 >= 1001) && ($3 != 65534) { print $1 }' \ /etc/passwd`; do pw usermod $x -L default; done; @@ -662,7 +662,7 @@ All user accounts that are not `root` will now require a login class. The login Next, drop the `nagios` and `www` accounts into the insecure class: -[source,bash] +[source,shell] .... # pw usermod nagios -L insecure # pw usermod www -L insecure @@ -705,7 +705,7 @@ This policy enforces security by setting restrictions on the flow of information This file will be read after running `setfsmac` on every file system. This example sets the policy on the root file system: -[source,bash] +[source,shell] .... # setfsmac -ef /etc/policy.contexts / .... @@ -744,7 +744,7 @@ First, ensure that the web server and Nagios will not be started on system initi If all seems well, Nagios, Apache, and Sendmail can now be started: -[source,bash] +[source,shell] .... # cd /etc/mail && make stop && \ setpmac biba/equal make start && setpmac biba/10\(10-10\) apachectl start && \ @@ -757,7 +757,7 @@ Double check to ensure that everything is working properly. If not, check the lo ==== The `root` user can still change the security enforcement and edit its configuration files. The following command will permit the degradation of the security policy to a lower grade for a newly spawned shell: -[source,bash] +[source,shell] .... # setpmac biba/10 csh .... |
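Review bot: in the @@ -109,7 hunk, and in every other block this patch retags, the listing is a root-prompt transcript whose first characters are `# ` (for example `# tunefs -l enable /`). A plain shell lexer treats a leading `#` as the start of a comment, so if the site highlights with Rouge these lines will be coloured as comments rather than as commands; Rouge's `console` lexer understands `#`/`$` prompts and would be the more accurate tag for transcripts. If `[source,shell]` is the documentation tree's established convention for prompt listings, saying so in the commit message would let reviewers confirm the sweep is consistent with the rest of the handbook rather than re-deriving it.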
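Review bot: in the @@ -647,14 hunk the second retagged block is the only real script in the patch rather than a one-line transcript: `# for x in `awk -F: '($3 >= 1001) && ($3 != 65534) { print $1 }' \` followed by `/etc/passwd`; do pw usermod $x -L default; done;`. Since the prose introduces it as "The following `sh` script", this is the one block where lexer choice changes readability: the backticks, the `awk` program and the `for`/`do`/`done` keywords are exactly what a shell lexer would highlight, but the leading `# ` prompt turns the first line into a comment for that lexer. Two small style points on the visible lines that are out of scope for a tag-only sweep but worth a follow-up: `$x` is unquoted in `pw usermod $x -L default`, and the `;` after `done` is redundant.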