The following demonstration implements a secure environment using various MAC modules with properly configured policies. This is only a test: implementing a policy and then ignoring it could be disastrous in a production environment.
Before beginning this process, multilabel must be set on each file system, as not doing so will result in errors. This example assumes that net-mngt/nagios-plugins, net-mngt/nagios, and www/apache22 are all installed, configured, and working correctly.
Begin the procedure by adding the following user class to /etc/login.conf:
Add the following line to the default user class:
Next, issue the following command to rebuild the database:
# cap_mkdb /etc/login.conf
Add the following lines to /boot/loader.conf:
Set the root user to the default class using:
# pw usermod root -L default
All user accounts that are not root or system users will now require a login class. The login class is required, otherwise users will be refused access to common commands such as vi(1). The following sh script should do the trick (it selects every account with a UID of 1001 or above, skipping nobody at UID 65534):
# for x in $(awk -F: '($3 >= 1001) && ($3 != 65534) { print $1 }' \
    /etc/passwd); do pw usermod "$x" -L default; done
Drop the nagios and www users into the insecure class:
# pw usermod nagios -L insecure
# pw usermod www -L insecure
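The loop above is worth rehearsing before it is run against a live system. The script below is an added example, not part of the handbook: it applies the same awk filter (UID 1001 and above, skipping nobody at UID 65534) to a constructed passwd file and prints the pw(8) commands it would run instead of executing them, so the list of affected accounts can be reviewed first. The sample accounts, UIDs and file are invented for the example.

```shell
#!/bin/sh
# Added example: plan the login-class changes from a passwd file without
# touching the system. Same selection rule as the handbook's one-liner.

# Constructed sample in /etc/passwd format (not a real system file).
SAMPLE_PASSWD="$(mktemp)"
trap 'rm -f "$SAMPLE_PASSWD"' EXIT
cat > "$SAMPLE_PASSWD" <<'EOF'
root:*:0:0:Charlie &:/root:/bin/csh
www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
nagios:*:181:181:Nagios pseudo-user:/var/spool/nagios:/usr/sbin/nologin
nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin
alice:*:1001:1001:Alice:/home/alice:/bin/sh
bob:*:1002:1002:Bob:/home/bob:/bin/tcsh
EOF

# Print the user names that need a login class: UID >= 1001, not nobody.
# System accounts such as www (80) and nagios (181) fall below the cut-off
# and are therefore left alone, as in the handbook's loop.
select_login_class_users() {
    awk -F: '($3 >= 1001) && ($3 != 65534) { print $1 }' "$1"
}

# Print (do not run) the pw(8) invocations for the given passwd file and
# login class, one per line, so they can be inspected before being applied.
plan_login_class_changes() {
    passwd_file="$1"
    class="$2"
    select_login_class_users "$passwd_file" | while IFS= read -r user; do
        printf 'pw usermod %s -L %s\n' "$user" "$class"
    done
}

# Dry run: shows "pw usermod alice -L default" and "pw usermod bob -L default".
plan_login_class_changes "$SAMPLE_PASSWD" default
```

Piping the planned commands through sh only once the list looks right keeps the irreversible step separate from the selection logic.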
A contexts file should now be created as /etc/policy.contexts.
This policy enforces security by setting restrictions on the flow of information. In this specific configuration, users, including root, should never be allowed to access Nagios. Configuration files and processes that are a part of Nagios will be completely self-contained or jailed.
This file will be read by the system by issuing the following command:
# setfsmac -ef /etc/policy.contexts /
# setfsmac -ef /etc/policy.contexts /
The above file system layout will differ depending upon the environment, and the command must be run on every file system.
/etc/mac.conf requires the following modifications in the main section:
Add the following line to /boot/loader.conf:
And the following to the network card configuration stored in rc.conf. If the primary Internet configuration is done via DHCP, this may need to be configured manually after every system boot:
Ensure that the web server and Nagios will not be started on system initialization and reboot. Ensure the root user cannot access any of the files in the Nagios configuration directory. If root can issue an ls(1) command on /var/spool/nagios, something is wrong. Otherwise a “permission denied” error should be returned.
If all seems well, Nagios, Apache, and Sendmail can now be started:
# cd /etc/mail && make stop && \
setpmac biba/equal make start && setpmac biba/10\(10-10\) apachectl start && \
setpmac biba/10\(10-10\) /usr/local/etc/rc.d/nagios.sh forcestart
Double check to ensure that everything is working properly. If not, check the log files for error messages. Use sysctl(8) to disable the mac_biba(4) security policy module enforcement and try starting everything again as usual.
The root user can still change the security enforcement and edit its configuration files. The following command will permit the degradation of the security policy to a lower grade for a newly spawned shell:
# setpmac biba/10 csh
To block this from happening, force the user into a range using login.conf(5). If setpmac(8) attempts to run a command outside of the compartment's range, an error will be returned and the command will not be executed. In this case, set root to biba/high(high-high).
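To see why the range matters, the following sh script models the check that setpmac(8) runs into. It is an added example, not taken from the handbook and not FreeBSD's own code: it parses mac_biba(4) labels of the form biba/EFFECTIVE or biba/EFFECTIVE(LOW-HIGH) and reports whether a process carrying the first label could move to the second. The ordering it uses (low below every numeric grade, high above all of them, equal comparing equal to everything) follows mac_biba(4); the unrestricted starting label biba/high(low-high) used in the demonstration is an assumed example value, not something the handbook prescribes.

```shell
#!/bin/sh
# Added example: emulate the "new label must lie inside the current range"
# check that makes setpmac(8) refuse a grade change. Not FreeBSD code.

# Split biba/EFFECTIVE or biba/EFFECTIVE(LOW-HIGH) into "effective low high".
# A label without a range has a single-point range equal to its grade.
biba_split_label() {
    case "$1" in biba/*) ;; *) return 2 ;; esac
    body="${1#biba/}"
    effective="${body%%"("*}"
    case "$body" in
        *"("*-*")") range="${body#*"("}"; range="${range%")"}"
                    lo="${range%-*}"; hi="${range#*-}" ;;
        *)          lo="$effective"; hi="$effective" ;;
    esac
    printf '%s %s %s\n' "$effective" "$lo" "$hi"
}

# Map a grade to an integer for ordering: low < 0..65535 < high.
# Prints the word "equal" for the wildcard grade (assumed ordering values).
biba_grade_value() {
    case "$1" in
        low)          printf '%s\n' -1 ;;
        high)         printf '%s\n' 65536 ;;
        equal)        printf '%s\n' equal ;;
        *[!0-9]*|'')  return 2 ;;
        *)            printf '%s\n' "$1" ;;
    esac
}

# setpmac_allowed CURRENT_LABEL REQUESTED_LABEL
# Returns 0 if every grade of the requested label lies within CURRENT's
# range (the change would be permitted), 1 if it would be refused,
# 2 for a malformed label.
setpmac_allowed() {
    subject=$(biba_split_label "$1") || return 2
    target=$(biba_split_label "$2") || return 2
    set -- $subject
    lo=$(biba_grade_value "$2") || return 2
    hi=$(biba_grade_value "$3") || return 2
    for grade in $target; do
        want=$(biba_grade_value "$grade") || return 2
        # "equal" compares equal to every grade, so it is always inside the range.
        [ "$want" = equal ] || [ "$lo" = equal ] || [ "$hi" = equal ] && continue
        [ "$want" -ge "$lo" ] && [ "$want" -le "$hi" ] || return 1
    done
    return 0
}

# Demonstration: an unrestricted root shell can drop to biba/10, while a
# root confined to biba/high(high-high), as the handbook recommends, cannot.
demo() {
    for pair in "biba/high(low-high) biba/10" \
                "biba/high(high-high) biba/10" \
                "biba/10(10-10) biba/equal" \
                "biba/10(10-10) biba/high"; do
        set -- $pair
        if setpmac_allowed "$1" "$2"; then verdict=allowed; else verdict=refused; fi
        printf '%-22s -> %-12s %s\n' "$1" "$2" "$verdict"
    done
}
demo
```

The first two lines of the demonstration are the point of the handbook's advice: the same setpmac biba/10 csh request succeeds from a shell whose range reaches down to low and is refused once root's login class pins the range to high-high.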