The following demonstration will implement a secure environment using various MAC modules with properly configured policies. This is only a
test and should not be considered the complete answer to everyone's security woes. Just
implementing a policy and ignoring it never works and could be disastrous in a production
environment.
Before beginning this process, the multilabel option must be
set on each file system as stated at the beginning of this chapter. Not doing so will
result in errors. At the same time, ensure that the net-mgmt/nagios-plugins, net-mgmt/nagios, and www/apache13 ports are all installed, configured, and working
correctly.
Begin the procedure by adding the following user class to the /etc/login.conf file:
insecure:\
:copyright=/etc/COPYRIGHT:\
:welcome=/etc/motd:\
:setenv=MAIL=/var/mail/$,BLOCKSIZE=K:\
:path=~/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:\
:manpath=/usr/share/man /usr/local/man:\
:nologin=/usr/sbin/nologin:\
:cputime=1h30m:\
:datasize=8M:\
:vmemoryuse=100M:\
:stacksize=2M:\
:memorylocked=4M:\
:memoryuse=8M:\
:filesize=8M:\
:coredumpsize=8M:\
:openfiles=24:\
:maxproc=32:\
:priority=0:\
:requirehome:\
:passwordtime=91d:\
:umask=022:\
:ignoretime@:\
:label=biba/10(10-10):
And adding the following line to the default user class:
:label=biba/high:
Once this is completed, the following command must be issued to rebuild the
database:
# cap_mkdb /etc/login.conf
Do not reboot yet; first add the following lines to /boot/loader.conf so that the required modules load during system
initialization:
mac_biba_load="YES"
mac_seeotheruids_load="YES"
Set the root user to the default class using:
# pw usermod root -L default
All user accounts that are not root or system users will now
require a login class. A login class is required; otherwise users will be refused access
to common commands such as vi(1). The following
sh script should do the trick:
# for x in `awk -F: '($3 >= 1001) && ($3 != 65534) { print $1 }' \
/etc/passwd`; do pw usermod $x -L default; done;
Drop the nagios and www users into
the insecure class:
# pw usermod nagios -L insecure
# pw usermod www -L insecure
A contexts file should now be created; the following example file should be placed in
/etc/policy.contexts.
# This is the default BIBA policy for this system.
# System:
/var/run biba/equal
/var/run/* biba/equal
/dev biba/equal
/dev/* biba/equal
/var biba/equal
/var/spool biba/equal
/var/spool/* biba/equal
/var/log biba/equal
/var/log/* biba/equal
/tmp biba/equal
/tmp/* biba/equal
/var/tmp biba/equal
/var/tmp/* biba/equal
/var/spool/mqueue biba/equal
/var/spool/clientmqueue biba/equal
# For Nagios:
/usr/local/etc/nagios biba/10
/usr/local/etc/nagios/* biba/10
/var/spool/nagios biba/10
/var/spool/nagios/* biba/10
# For apache
/usr/local/etc/apache biba/10
/usr/local/etc/apache/* biba/10
This policy will enforce security by setting restrictions on the flow of information.
In this specific configuration, users, root and others, should
never be allowed to access Nagios. Configuration files and
processes that are a part of Nagios will be completely self
contained or jailed.
This file may now be read into our system by issuing the following command:
# setfsmac -ef /etc/policy.contexts /
Note: The above file system layout may differ depending on the environment;
whatever the layout, the command must be run on every single file system.
The /etc/mac.conf file requires the following modifications
in the main section:
default_labels file ?biba
default_labels ifnet ?biba
default_labels process ?biba
default_labels socket ?biba
Add the following line to /boot/loader.conf:
security.mac.biba.trust_all_interfaces=1
And add the following to the network interface configuration stored in rc.conf. If the primary Internet connection is configured via DHCP, this may need to be set manually after every
system boot:
maclabel biba/equal
Ensure that the web server and Nagios will not be started
on system initialization, and reboot. Ensure the root user
cannot access any of the files in the Nagios configuration
directory. If root can issue an ls(1) command on /var/spool/nagios, then something is wrong. Otherwise a
“permission denied” error should be returned.
If all seems well, Nagios, Apache, and Sendmail can now be
started in a way fitting of the security policy. The following commands will make this
happen:
# cd /etc/mail && make stop && \
setpmac biba/equal make start && setpmac biba/10\(10-10\) apachectl start && \
setpmac biba/10\(10-10\) /usr/local/etc/rc.d/nagios.sh forcestart
Double-check that everything is working properly. If not, check the log
files or error messages. If needed, use the sysctl(8) utility to
disable enforcement by the mac_biba(4) security
policy module and try starting everything again as normal.
Note: The root user can change the security
enforcement and edit the configuration files without fear. The following command will
permit the degradation of the security policy to a lower grade for a newly spawned
shell:
# setpmac biba/10 csh
To block this from happening, force the user into a range via login.conf(5). If setpmac(8) attempts to
run a command outside of the compartment's range, an error will be returned and the
command will not be executed. In this case, set root to biba/high(high-high).
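Two places in the procedure above are easy to get wrong silently: a policy.contexts entry that lacks its label, and a root login class without a range, which lets setpmac(8) lower the grade. The sh script below is an added example, not part of the Handbook or of FreeBSD; it lints a contexts file read from stdin and models the range rule the text describes. It assumes the label grammar biba/GRADE[(LOW-HIGH)] and uses a constructed ranking (low=0, high=65536) for comparisons; the sample contexts input is constructed and contains one deliberately broken entry.

```shell
#!/bin/sh
# Added example, not from the Handbook or FreeBSD: lint a policy.contexts file
# for missing or malformed Biba labels and model the setpmac(8) range rule the
# text describes. Assumed grammar: biba/GRADE[(LOW-HIGH)], GRADE one of low,
# high, equal or an integer; constructed ranks low=0, high=65536.
grade_num() {                   # print the numeric rank of a grade, else fail
    case "$1" in
        low) echo 0 ;;  high) echo 65536 ;;
        ''|*[!0-9]*) return 1 ;;  *) echo "$1" ;;
    esac
}
label_parts() {                 # print "GRADE [LO HI]" as ranks, else fail
    [ "$1" = biba/equal ] && { echo equal; return 0; }
    case "$1" in biba/*) g=${1#biba/} ;; *) return 1 ;; esac
    g=$(grade_num "${g%%\(*}") || return 1
    case "$1" in
        *\(*-*\)) r=${1##*\(}; r=${r%\)}
                  lo=$(grade_num "${r%-*}") && hi=$(grade_num "${r#*-}") || return 1
                  [ "$lo" -le "$g" ] && [ "$g" -le "$hi" ] && echo "$g $lo $hi" ;;
        *\(*|*\)*) return 1 ;;  # unbalanced or malformed range
        *) echo "$g" ;;
    esac
}
# setpmac_allowed CURRENT REQUESTED: as the text describes, a process label
# with no range (root's plain biba/high) may be lowered at will; one with a
# range, e.g. biba/high(high-high), only to a grade inside that range.
setpmac_allowed() {
    cur=$(label_parts "$1") && want=$(label_parts "$2") || return 1
    set -- $cur                 # GRADE [LO HI]
    [ $# -eq 1 ] && return 0    # no range on the current label
    [ "$want" = equal ] && return 0   # equal lies inside every range
    [ "$2" -le "${want%% *}" ] && [ "${want%% *}" -le "$3" ]
}
# lint_contexts < FILE: flag entries lacking a valid label, e.g. the slip of
# writing "/usr/local/etc/nagios" with no biba/10 after it; returns 1 if any.
lint_contexts() {
    bad=0
    while read -r path label extra; do
        case "$path" in ''|\#*) continue ;; esac
        if [ -n "$extra" ] || ! label_parts "$label" >/dev/null; then
            echo "bad entry: $path ${label:-<no label>}"; bad=1
        fi
    done
    return $bad
}
sample_contexts() {             # constructed input; one entry deliberately broken
    printf '%s\n' '# For Nagios:' '/usr/local/etc/nagios' \
        '/usr/local/etc/nagios/* biba/10' '/var/spool/nagios biba/10'
}
```

Run it on the real file with `lint_contexts < /etc/policy.contexts` before issuing setfsmac(8); a clean run prints nothing and exits 0.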