[rsbac] RSBAC usage questions

Amon Ott ao at rsbac.org
Wed Mar 3 12:55:23 CET 2004


On Freitag, 27. Februar 2004 06:14, Markus Weber wrote:
> For the most part, I can see how to harden a system, but I can't
> reconcile this with the mandates of remote maintenance. My main areas
> of concern are:
> 
> - How to handle software and configuration updates
> 
> These have to be pulled from a central server and installed without
> manual intervention. I could conceivably take away the required
> privileges from root and give them to a dedicated maintenance account.
> Of course, I then have to solve the next problem:
> 
> - How to prevent root from compromising secoff and other accounts
> 
> For an on-premise server, I would simply lock out secoff completely and
> do all maintenance while booted into a softmode kernel. However, this
> is not an option for the remotely deployed servers. The question is,
> how many loopholes do I have to plug to prevent root from gaining
> access to secoff and other privileged accounts?

There are only a few loopholes, because only a few programs can setuid to 
secoff. You mostly have to make sure that the one service used for secoff 
login is not compromised by root. E.g. with sshd:

- Remove root's TRACE right, e.g. by removing CAP_TRACE from root's max_caps
- Protect /etc/init.d/sshd, /usr/sbin/sshd, /etc/sshd/* and ~secoff from 
tampering, including mounts into these places
- Make sure that only /etc/init.d/sshd can start /usr/sbin/sshd, and only 
with the correct parameters
- Optional: Ensure that only /usr/sbin/sshd can bind to port 22
- After secoff login, ensure that secoff's terminal is not hijacked by 
root, e.g. set a separate DEV type for it, and that all secoff processes 
are only accessible by secoff (e.g. use the RC model's 
def_process_create_type)

> It is of course entirely possible that I try to do more than I really
> need to. In particular, if I can run the few services (if any) that the
> firewalls expose as non-root users in a tightly locked jail, I'm
> probably where I want to be.

In most cases this is quite sufficient - what you really want to do is 
prevent someone else from exercising root privileges remotely. If all 
available services may never setuid to root or have very restricted 
rights, secoff is always safe from tampering.

> In summary, do any of you use RSBAC on remotely deployed servers and
> firewalls? If so, how do you configure RSBAC?

I do run several such servers, even firewalls, mostly with ssh access. In 
some cases, even sshd cannot setuid to secoff, unless allowed to do so by 
a separate non-root account. The initial setup is usually done in 
softmode, until everything runs smoothly. Package updates (at least in the 
newer systems) are through a privileged menu with very limited abilities.

Amon.
-- 
http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22
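The first measure in the sshd checklist above (taking the TRACE right away from root) only helps if root's processes really end up without the corresponding Linux capability. The script below is an added example, not code from the list post or from the RSBAC project: it audits capability masks in the `/proc/<pid>/status` format and reports whether any process of a given uid still holds CAP_SYS_PTRACE, then models the plain DAC ptrace rule (same uid, or CAP_SYS_PTRACE) to show whether such a process could attach to a secoff process. It assumes that RSBAC's CAP module, once CAP_SYS_PTRACE is removed from root's max_caps, clears that bit from the effective set of root's processes; the status texts it runs on are constructed samples, and a real audit would read them from /proc.

```python
#!/usr/bin/env python3
"""Audit whether a user's processes still carry CAP_SYS_PTRACE.

Added example for the RSBAC list thread, not project code. Assumption:
after CAP_SYS_PTRACE is dropped from root's max_caps, root's processes
show an effective capability set without that bit in /proc/<pid>/status.
The sample status texts below are constructed, not captured from a host.
"""
from typing import Dict, List

# Capability bit number from <linux/capability.h>
CAP_SYS_PTRACE = 19

# Constructed /proc/<pid>/status excerpts (only the fields used here).
# Full set: bits 0..40 set. Reduced set: bit 19 (CAP_SYS_PTRACE) cleared.
SAMPLE_STATUSES = [
    "Name:\tbash\nPid:\t1234\nUid:\t0\t0\t0\t0\n"
    "CapEff:\t000001ffffffffff\nCapBnd:\t000001ffffffffff\n",
    "Name:\tbash\nPid:\t2345\nUid:\t0\t0\t0\t0\n"
    "CapEff:\t000001fffff7ffff\nCapBnd:\t000001fffff7ffff\n",
    "Name:\tbash\nPid:\t3456\nUid:\t400\t400\t400\t400\n"
    "CapEff:\t0000000000000000\nCapBnd:\t000001fffff7ffff\n",
]


def parse_status(text: str) -> Dict[str, str]:
    """Turn 'Key:\\tvalue' lines into a dict; values keep their raw text."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields


def has_cap(mask_hex: str, cap: int) -> bool:
    """True if bit `cap` is set in a hex capability mask as printed by /proc."""
    return bool((int(mask_hex, 16) >> cap) & 1)


def audit(statuses: List[str], uid: int = 0) -> List[dict]:
    """Report, per process with real uid `uid`, whether CAP_SYS_PTRACE remains
    in the effective and bounding sets."""
    findings = []
    for text in statuses:
        f = parse_status(text)
        if int(f["Uid"].split()[0]) != uid:
            continue
        findings.append({
            "pid": int(f["Pid"]),
            "name": f["Name"],
            "ptrace_effective": has_cap(f["CapEff"], CAP_SYS_PTRACE),
            "ptrace_bounding": has_cap(f["CapBnd"], CAP_SYS_PTRACE),
        })
    return findings


def dac_ptrace_allowed(tracer: str, target: str) -> bool:
    """Simplified model of the kernel's DAC ptrace check (ignoring RSBAC,
    dumpable and Yama): same real uid, or tracer holds CAP_SYS_PTRACE."""
    t, g = parse_status(tracer), parse_status(target)
    if t["Uid"].split()[0] == g["Uid"].split()[0]:
        return True
    return has_cap(t["CapEff"], CAP_SYS_PTRACE)


def main() -> None:
    for finding in audit(SAMPLE_STATUSES, uid=0):
        state = "STILL HAS" if finding["ptrace_effective"] else "lacks"
        print(f"pid {finding['pid']} ({finding['name']}) {state} CAP_SYS_PTRACE")
    secoff_shell = SAMPLE_STATUSES[2]
    for root_shell in SAMPLE_STATUSES[:2]:
        pid = parse_status(root_shell)["Pid"]
        verdict = "could" if dac_ptrace_allowed(root_shell, secoff_shell) else "cannot"
        print(f"root pid {pid} {verdict} ptrace the uid-400 shell under DAC rules")


if __name__ == "__main__":
    main()
```

On a live system the same functions can be fed `open(f"/proc/{pid}/status").read()` for every pid; any root process that still reports CAP_SYS_PTRACE in CapEff means the max_caps change has not taken effect for that process (it may predate the change or have been started outside the restricted path), which is exactly the gap that would let root attach to the secoff login chain.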