Diffstat (limited to 'pl_PL.ISO8859-2/books/handbook/mac/chapter.xml')
-rw-r--r--  pl_PL.ISO8859-2/books/handbook/mac/chapter.xml  137
1 files changed, 66 insertions, 71 deletions
diff --git a/pl_PL.ISO8859-2/books/handbook/mac/chapter.xml b/pl_PL.ISO8859-2/books/handbook/mac/chapter.xml index d3f4e3c17c..771840b8f5 100644 --- a/pl_PL.ISO8859-2/books/handbook/mac/chapter.xml +++ b/pl_PL.ISO8859-2/books/handbook/mac/chapter.xml @@ -3,21 +3,16 @@ The FreeBSD Documentation Project $FreeBSD$ --> - -<chapter id="mac"> - <chapterinfo> +<chapter xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0" xml:id="mac"> + <info><title>Mandatory Access Control</title> <authorgroup> - <author> - <firstname>Tom</firstname> - <surname>Rhodes</surname> - <contrib>Written by </contrib> - </author> + <author><personname><firstname>Tom</firstname><surname>Rhodes</surname></personname><contrib>Written by </contrib></author> </authorgroup> - </chapterinfo> + </info> - <title>Mandatory Access Control</title> + - <sect1 id="mac-synopsis"> + <sect1 xml:id="mac-synopsis"> <title>Synopsis</title> <indexterm><primary>MAC</primary></indexterm> @@ -140,7 +135,7 @@ </sect2> </sect1> - <sect1 id="mac-inline-glossary"> + <sect1 xml:id="mac-inline-glossary"> <title>Key Terms in this Chapter</title> <para>Before reading this chapter, a few key terms must be @@ -268,7 +263,7 @@ </itemizedlist> </sect1> - <sect1 id="mac-initial"> + <sect1 xml:id="mac-initial"> <title>Explanation of MAC</title> <para>With all of these new terms in mind, consider how the @@ -366,7 +361,7 @@ </caution> </sect1> - <sect1 id="mac-understandlabel"> + <sect1 xml:id="mac-understandlabel"> <title>Understanding MAC Labels</title> <para>A <acronym>MAC</acronym> label is a security attribute 
@@ -423,12 +418,12 @@ <para><emphasis>Hey wait, this is similar to <acronym>DAC</acronym>! I thought <acronym>MAC</acronym> gave control strictly to the administrator.</emphasis> That statement still holds true, to some - extent as <username>root</username> is the one in control and who + extent as <systemitem class="username">root</systemitem> is the one in control and who configures the policies so that users are placed in the appropriate categories/access levels. Alas, many policy modules can - restrict the <username>root</username> user as well. Basic + restrict the <systemitem class="username">root</systemitem> user as well. Basic control over objects will then be released to the group, but - <username>root</username> may revoke or modify the settings + <systemitem class="username">root</systemitem> may revoke or modify the settings at any time. This is the hierarchal/clearance model covered by policies such as Biba and <acronym>MLS</acronym>.</para> @@ -853,7 +848,7 @@ test: biba/high</screen> </sect2> </sect1> - <sect1 id="mac-planning"> + <sect1 xml:id="mac-planning"> <title>Planning the Security Configuration</title> <para>Whenever a new technology is implemented, a planning phase is @@ -915,7 +910,7 @@ test: biba/high</screen> be a good choice.</para> </sect1> - <sect1 id="mac-modules"> + <sect1 xml:id="mac-modules"> <title>Module Configuration</title> <para>Every module included with the <acronym>MAC</acronym> @@ -941,7 +936,7 @@ test: biba/high</screen> across the system, that is why the <command>tunefs</command> option is called <option>multilabel</option>.</para> - <sect2 id="mac-seeotheruids"> + <sect2 xml:id="mac-seeotheruids"> <title>The MAC seeotheruids Module</title> <indexterm> 
@@ -980,7 +975,7 @@ test: biba/high</screen> <literal>security.mac.seeotheruids.specificgid_enabled</literal> will allow a certain group to be exempt from this policy. To exempt specific groups from this policy, use the - <literal>security.mac.seeotheruids.specificgid=<replaceable>XXX</replaceable></literal> + <literal>security.mac.seeotheruids.specificgid=XXX</literal> <command>sysctl</command> tunable. In the above example, the <replaceable>XXX</replaceable> should be replaced with the numeric group ID to be exempted.</para> @@ -998,7 +993,7 @@ test: biba/high</screen> </sect2> </sect1> - <sect1 id="mac-bsdextended"> + <sect1 xml:id="mac-bsdextended"> <title>The MAC bsdextended Module</title> <indexterm> @@ -1049,7 +1044,7 @@ test: biba/high</screen> <para>As expected, there are no rules defined. This means that everything is still completely accessible. To create a rule which will block all access by users but leave - <username>root</username> unaffected, simply run the + <systemitem class="username">root</systemitem> unaffected, simply run the following command:</para> <screen>&prompt.root; <userinput>ugidfw add subject not uid root new object not uid root mode n</userinput></screen> 
@@ -1065,20 +1060,20 @@ test: biba/high</screen> <command>ls</command>. A more patriotic list of rules might be:</para> - <screen>&prompt.root; <userinput>ugidfw set 2 subject uid <replaceable>user1</replaceable> object uid <replaceable>user2</replaceable> mode n</userinput> -&prompt.root; <userinput>ugidfw set 3 subject uid <replaceable>user1</replaceable> object gid <replaceable>user2</replaceable> mode n</userinput></screen> + <screen>&prompt.root; <userinput>ugidfw set 2 subject uid user1 object uid user2 mode n</userinput> +&prompt.root; <userinput>ugidfw set 3 subject uid user1 object gid user2 mode n</userinput></screen> <para>This will block any and all access, including directory - listings, to <username><replaceable>user2</replaceable></username>'s home - directory from the username <username>user1</username>.</para> + listings, to <systemitem class="username"><replaceable>user2</replaceable></systemitem>'s home + directory from the username <systemitem class="username">user1</systemitem>.</para> - <para>In place of <username>user1</username>, the + <para>In place of <systemitem class="username">user1</systemitem>, the <option>not uid <replaceable>user2</replaceable></option> could be passed. This will enforce the same access restrictions above for all users in place of just one user.</para> <note> - <para>The <username>root</username> user will be unaffected + <para>The <systemitem class="username">root</systemitem> user will be unaffected by these changes.</para> </note> @@ -1090,7 +1085,7 @@ test: biba/high</screen> </sect2> </sect1> - <sect1 id="mac-ifoff"> + <sect1 xml:id="mac-ifoff"> <title>The MAC ifoff Module</title> <indexterm> 
@@ -1135,12 +1130,12 @@ test: biba/high</screen> monitoring in an environment where network traffic should not be permitted during the boot sequence. Another suggested use would be to write a script which uses - <filename role="package">security/aide</filename> to automatically + <package>security/aide</package> to automatically block network traffic if it finds new or altered files in protected directories.</para> </sect1> - <sect1 id="mac-portacl"> + <sect1 xml:id="mac-portacl"> <title>The MAC portacl Module</title> <indexterm> @@ -1157,7 +1152,7 @@ test: biba/high</screen> local <acronym>TCP</acronym> and <acronym>UDP</acronym> ports using a variety of <command>sysctl</command> variables. In essence &man.mac.portacl.4; makes it possible to allow - non-<username>root</username> users to bind to specified + non-<systemitem class="username">root</systemitem> users to bind to specified privileged ports, i.e. ports fewer than 1024.</para> <para>Once loaded, this module will enable the @@ -1182,7 +1177,7 @@ test: biba/high</screen> <listitem> <para><literal>security.mac.portacl.suser_exempt</literal> will, when set to a non-zero value, exempt the - <username>root</username> user from this policy.</para> + <systemitem class="username">root</systemitem> user from this policy.</para> </listitem> <listitem> @@ -1217,7 +1212,7 @@ test: biba/high</screen> <para>By default, on &unix;-like systems, ports fewer than 1024 can only be used by/bound to privileged processes, - i.e. those run as <username>root</username>. For + i.e. those run as <systemitem class="username">root</systemitem>. For &man.mac.portacl.4; to allow non-privileged processes to bind to ports below 1024 this standard &unix; restriction has to be disabled. This can be accomplished by setting the &man.sysctl.8; 
@@ -1243,7 +1238,7 @@ test: biba/high</screen> <screen>&prompt.root; <userinput>sysctl security.mac.portacl.suser_exempt=1</userinput></screen> - <para>The <username>root</username> user should not be crippled + <para>The <systemitem class="username">root</systemitem> user should not be crippled by this policy, thus set the <literal>security.mac.portacl.suser_exempt</literal> to a non-zero value. The &man.mac.portacl.4; module @@ -1253,10 +1248,10 @@ test: biba/high</screen> <screen>&prompt.root; <userinput>sysctl security.mac.portacl.rules=uid:80:tcp:80</userinput></screen> <para>Allow the user with <acronym>UID</acronym> 80 (normally - the <username>www</username> user) to bind to port 80. - This can be used to allow the <username>www</username> + the <systemitem class="username">www</systemitem> user) to bind to port 80. + This can be used to allow the <systemitem class="username">www</systemitem> user to run a web server without ever having - <username>root</username> privilege.</para> + <systemitem class="username">root</systemitem> privilege.</para> <screen>&prompt.root; <userinput>sysctl security.mac.portacl.rules=uid:1001:tcp:110,uid:1001:tcp:995</userinput></screen> @@ -1268,7 +1263,7 @@ test: biba/high</screen> </sect2> </sect1> - <sect1 id="mac-partition"> + <sect1 xml:id="mac-partition"> <title>The MAC partition Module</title> <indexterm> @@ -1339,7 +1334,7 @@ test: biba/high</screen> <screen>&prompt.root; <userinput>ps -ZU trhodes</userinput></screen> <note> - <para>Users can see processes in <username>root</username>'s + <para>Users can see processes in <systemitem class="username">root</systemitem>'s label unless the &man.mac.seeotheruids.4; policy is loaded.</para> </note> @@ -1358,7 +1353,7 @@ test: biba/high</screen> </sect2> </sect1> - <sect1 id="mac-mls"> + <sect1 xml:id="mac-mls"> <title>The MAC Multi-Level Security Module</title> <indexterm> 
@@ -1485,7 +1480,7 @@ test: biba/high</screen> <para>This is a summary of the <acronym>MLS</acronym> policy's features. Another approach is to create a master policy - file in <filename class="directory">/etc</filename> which + file in <filename>/etc</filename> which specifies the <acronym>MLS</acronym> policy information and to feed that file into the <command>setfmac</command> command. This method will be explained after all policies are covered.</para> @@ -1520,7 +1515,7 @@ test: biba/high</screen> </sect2> </sect1> - <sect1 id="mac-biba"> + <sect1 xml:id="mac-biba"> <title>The MAC Biba Module</title> <indexterm> @@ -1675,7 +1670,7 @@ test: biba/low</screen> </sect2> </sect1> - <sect1 id="mac-lomac"> + <sect1 xml:id="mac-lomac"> <title>The MAC LOMAC Module</title> <indexterm> @@ -1726,7 +1721,7 @@ test: biba/low</screen> </sect2> </sect1> - <sect1 id="mac-implementing"> + <sect1 xml:id="mac-implementing"> <title>Nagios in a MAC Jail</title> <indexterm> @@ -1745,9 +1740,9 @@ test: biba/low</screen> <literal>multilabel</literal> option must be set on each file system as stated at the beginning of this chapter. Not doing so will result in errors. While at it, ensure that the - <filename role="port">net-mngt/nagios-plugins</filename>, - <filename role="port">net-mngt/nagios</filename>, and - <filename role="port">www/apache13</filename> ports are all + <package role="port">net-mngt/nagios-plugins</package>, + <package role="port">net-mngt/nagios</package>, and + <package role="port">www/apache13</package> ports are all installed, configured, and working correctly.</para> <sect2> 
@@ -1805,12 +1800,12 @@ mac_seeotheruids_load="YES"</programlisting> <sect2> <title>Configure Users</title> - <para>Set the <username>root</username> user to the default + <para>Set the <systemitem class="username">root</systemitem> user to the default class using:</para> <screen>&prompt.root; <userinput>pw usermod root -L default</userinput></screen> - <para>All user accounts that are not <username>root</username> + <para>All user accounts that are not <systemitem class="username">root</systemitem> or system users will now require a login class. The login class is required otherwise users will be refused access to common commands such as &man.vi.1;. @@ -1820,8 +1815,8 @@ mac_seeotheruids_load="YES"</programlisting> <screen>&prompt.root; <userinput>for x in `awk -F: '($3 >= 1001) && ($3 != 65534) { print $1 }' \</userinput> <userinput>/etc/passwd`; do pw usermod $x -L default; done;</userinput></screen> - <para>Drop the <username>nagios</username> and - <username>www</username> users into the insecure class:</para> + <para>Drop the <systemitem class="username">nagios</systemitem> and + <systemitem class="username">www</systemitem> users into the insecure class:</para> <screen>&prompt.root; <userinput>pw usermod nagios -L insecure</userinput></screen> <screen>&prompt.root; <userinput>pw usermod www -L insecure</userinput></screen> @@ -1871,7 +1866,7 @@ mac_seeotheruids_load="YES"</programlisting> <para>This policy will enforce security by setting restrictions on the flow of information. In this specific configuration, - users, <username>root</username> and others, should never be + users, <systemitem class="username">root</systemitem> and others, should never be allowed to access <application>Nagios</application>. Configuration files and processes that are a part of <application>Nagios</application> will be completely self 
@@ -1924,9 +1919,9 @@ default_labels socket ?biba</programlisting> <para>Ensure that the web server and <application>Nagios</application> will not be started on system initialization, and reboot. Ensure the - <username>root</username> user cannot access any of the files + <systemitem class="username">root</systemitem> user cannot access any of the files in the <application>Nagios</application> configuration - directory. If <username>root</username> can issue an &man.ls.1; + directory. If <systemitem class="username">root</systemitem> can issue an &man.ls.1; command on <filename>/var/spool/nagios</filename>, then something is wrong. Otherwise a <quote>permission denied</quote> error should be returned.</para> @@ -1948,7 +1943,7 @@ setpmac biba/10\(10-10\) /usr/local/etc/rc.d/nagios.sh forcestart</userinput></s again, like normal.</para> <note> - <para>The <username>root</username> user can change the security + <para>The <systemitem class="username">root</systemitem> user can change the security enforcement and edit the configuration files without fear. The following command will permit the degradation of the security policy to a lower grade for a newly spawned @@ -1966,7 +1961,7 @@ setpmac biba/10\(10-10\) /usr/local/etc/rc.d/nagios.sh forcestart</userinput></s </sect2> </sect1> - <sect1 id="mac-userlocked"> + <sect1 xml:id="mac-userlocked"> <title>User Lock Down</title> <para>This example considers a relatively small, fewer than fifty @@ -2003,7 +1998,7 @@ setpmac biba/10\(10-10\) /usr/local/etc/rc.d/nagios.sh forcestart</userinput></s processes of other users are visible. Try to run &man.ls.1; on another users home directory, it should fail.</para> - <para>Do not try to test with the <username>root</username> user + <para>Do not try to test with the <systemitem class="username">root</systemitem> user unless the specific <command>sysctl</command>s have been modified to block super user access.</para> 
@@ -2016,7 +2011,7 @@ setpmac biba/10\(10-10\) /usr/local/etc/rc.d/nagios.sh forcestart</userinput></s </note> </sect1> - <sect1 id="mac-troubleshoot"> + <sect1 xml:id="mac-troubleshoot"> <title>Troubleshooting the MAC Framework</title> <indexterm> @@ -2105,7 +2100,7 @@ setpmac biba/10\(10-10\) /usr/local/etc/rc.d/nagios.sh forcestart</userinput></s <para>Double-check the label policies. Ensure that the policies are set correctly for the user in question, the X11 application, and - the <filename class="directory">/dev</filename> + the <filename>/dev</filename> entries.</para> </step> @@ -2113,7 +2108,7 @@ setpmac biba/10\(10-10\) /usr/local/etc/rc.d/nagios.sh forcestart</userinput></s <para>If neither of these resolve the problem, send the error message and a description of your environment to the TrustedBSD discussion lists located at the - <ulink url="http://www.TrustedBSD.org">TrustedBSD</ulink> + <link xlink:href="http://www.TrustedBSD.org">TrustedBSD</link> website or to the &a.questions; mailing list.</para> </step> 
@@ -2123,29 +2118,29 @@ setpmac biba/10\(10-10\) /usr/local/etc/rc.d/nagios.sh forcestart</userinput></s <sect2> <title>Error: &man..secure.path.3; cannot stat <filename>.login_conf</filename></title> - <para>When I attempt to switch from the <username>root</username> + <para>When I attempt to switch from the <systemitem class="username">root</systemitem> to another user in the system, the error message <errorname>_secure_path: unable to state .login_conf</errorname>.</para> <para>This message is usually shown when the user has a higher label setting then that of the user whom they are attempting to become. For instance a user on the system, - <username>joe</username>, has a default label of - <option>biba/low</option>. The <username>root</username> user, + <systemitem class="username">joe</systemitem>, has a default label of + <option>biba/low</option>. The <systemitem class="username">root</systemitem> user, who has a label of <option>biba/high</option>, cannot view - <username>joe</username>'s home directory. This will happen - regardless if <username>root</username> has used the - <command>su</command> command to become <username>joe</username>, + <systemitem class="username">joe</systemitem>'s home directory. This will happen + regardless if <systemitem class="username">root</systemitem> has used the + <command>su</command> command to become <systemitem class="username">joe</systemitem>, or not. In this scenario, the Biba integrity model will not - permit <username>root</username> to view objects set at a lower + permit <systemitem class="username">root</systemitem> to view objects set at a lower integrity level.</para> </sect2> <sect2> - <title>The <username>root</username> username is broken!</title> + <title>The <systemitem class="username">root</systemitem> username is broken!</title> <para>In normal or even single user mode, the - <username>root</username> is not recognized. The + <systemitem class="username">root</systemitem> is not recognized. 
The <command>whoami</command> command returns 0 (zero) and <command>su</command> returns <errorname>who are you?</errorname>. What could be going on?</para> |
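Review bot: In the first hunk (@@ -3,21 +3,16 @@), the added empty `+` line that replaces the old `<title>` line leaves three consecutive blank lines between `</info>` and `<sect1 xml:id="mac-synopsis">`; drop that added line so the migrated header keeps a single blank-line separator like the rest of the file.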
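Review bot: In hunk @@ -980,7 +975,7 @@, removing `<replaceable>` from `specificgid=XXX` loses the placeholder markup while the very next sentence still says "the <replaceable>XXX</replaceable> should be replaced", so the rendered tunable name and its explanation now disagree on what is a placeholder. `<replaceable>` is still permitted inside `<literal>` in DocBook 5, so keep `<literal>security.mac.seeotheruids.specificgid=<replaceable>XXX</replaceable></literal>`.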
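Review bot: In hunk @@ -1065,20 +1060,20 @@, the `<screen>` lines drop `<replaceable>` around `user1` and `user2` while the paragraph immediately below keeps `<systemitem class="username"><replaceable>user2</replaceable></systemitem>` and the following paragraph keeps `<option>not uid <replaceable>user2</replaceable></option>`; readers will see literal account names in the command and placeholders in the prose. Keep `<replaceable>` inside `<userinput>` (it is valid there in DocBook 5) so the example command and its explanation match.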
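Review bot: Hunks @@ -1135,12 +1130,12 @@ and @@ -1745,9 +1740,9 @@ convert the same kind of ports-tree reference two different ways: `security/aide` becomes `<package>security/aide</package>`, but `net-mngt/nagios-plugins`, `net-mngt/nagios` and `www/apache13` become `<package role="port">...</package>`. Pick one form for all four so the stylesheets render them consistently.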
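Review bot: Hunks @@ -1485,7 +1480,7 @@ and @@ -2105,7 +2100,7 @@ drop `class="directory"` from `<filename>/etc</filename>` and `<filename>/dev</filename>`. That attribute is still valid on `<filename>` in DocBook 5 and is what marks these as directories rather than files, so its removal is a lossy change unrelated to the id/namespace migration; keep `<filename class="directory">/etc</filename>` and `<filename class="directory">/dev</filename>`.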
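Review bot: In hunk @@ -2123,29 +2118,29 @@, the unchanged context line `<errorname>_secure_path: unable to state .login_conf</errorname>` disagrees with the section title, which says "cannot stat"; since the paragraph is being touched anyway for the `<systemitem>` conversion, fixing "state" to "stat" in the same change would be a reasonable drive-by.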