[rsbac] Boot Role (RC module)

Javier Juan Martínez Cabezón tazok.id0 at gmail.com
Tue Aug 16 23:48:25 CEST 2011


I would do this (it's a beginning):

First, you shall (always with an "at least") identify the persistent binaries
in your system (those that, when you run "top", are always in memory and
waiting). Second, I would create at least new roles for these persistent
binaries (from rsbac_menu you can access the RC setup).

It's a good idea that these programs (at least) get their own
type_fd_creation/socket, fd_type, ipc_type creation, and process creation
type after execution.

After that, I would create enough fd_types for filesystem targets (for
example, /boot gets its own type) and assign them. As a suggestion, assign
their own fd_type to binaries with minimum capabilities (if you use CAP) and
with their own running role.

In rsbac_fd_menu, change initial_role to the binary's own role and set
force_role to the mixed inherit user/proc one. With this you can do things
like the following:

sshd executes with its own role, set under initial role. When sshd drops
privileges, changing from 0 (root) to 22 (user "sshd"), it uses the value
from rc_force_role; as it is set to "mixed user/proc", after the chown
(0-->22) the rc_def_role of user 22 is taken, giving sshd the unprivileged
role that was created.

A lot of binaries work this way (typically those that appear in
/etc/passwd).

When everything is set, without softmode add the parameter rsbac_rc_learn to
the boot parameters; every role will learn everything it needs.

Suggestions:

Use UM and forbid setuid to unauthorized users (for example, with a bug in
sshd, without this you could change to the secoff uid; if set to authorized,
it can only change if authenticated against UM).

Assign block devices their own particular dev type to avoid raw access.

Remove maximum capabilities from all software, and grant minimum capabilities
to the required ones in /sbin/ (such as getty, init...). The cap_learning
global switch is your friend, although afterwards you should change the
learned maximum caps to minimum ones (don't give minimum caps to software
like kill, cd, ls and the like; it's a security bug). I'm seriously
wondering, for example, whether it's better to give fsck/mkfs their own role
and min capabilities, or instead to create a user with these min caps
(SYS_RAWIO, DAC_OVERRIDE at least) whose role could execute the unprivileged
fsck and access the devices.

Remove the SEND right from all roles to all character devices (such as tty)
to avoid TIOCSTI security concerns.

After learning, back up everything with the -p flag (right names) and look
for things to improve and rights to remove.



Enjoy :-)




2011/8/16 ali valizadeh <valizadeh82 en yahoo.com>

>
>
> Hi everyone,
>
> I have installed the rsbac 1.4.3 version on Fedora 12 (kernel version
> 2.6.32-8). In my compilation AUTH and RC is enabled.
>
> Yes, I boot system with rsbac_softmode to configure the system at first
> boot. I could set policy for AUTH to remove the "NOT_GRANTED by AUTH
> (softmode)" but I couldn't set correct policy for RC to remove "NOT_GRANTED
> by RC (softmode)" messages.
> I want to set policy for RC module in softmode then I want to boot system
> in enforcement mode without the softmode parameter.
> Please help me to use boot role or other roles (if boot role is insecure)
> to boot system in enforcement mode. Please help me how to set roles (initial
> or force roles) for init, dbus-daemon, avahi-daemon, hal-daemon and other
> processes to boot system correctly.
>
> Many thanks to all.
>
> Regards,
> Ali
>
>
>
>
> ________________________________
> From: "rsbac-request en rsbac.org" <rsbac-request en rsbac.org>
> To: rsbac en rsbac.org
> Sent: Tuesday, August 16, 2011 9:31 PM
> Subject: rsbac Digest, Vol 61, Issue 1
>
>
> > Hello all,
> >
> > I have compiled RSBAC kernel with RC and AUTH modules enabled. I could set
> > AUTH policy to boot system with it (RC is in softmode). However I couldn't
> > boot system with RC. I have checked that at boot time /sbin/init contains
> > the Boot Role (999999) as initial_role but the system couldn't boot with
> > the role. There are many "NOT_GRANTED by RC" in processes such as
> > dbus-daemon, avahi-daemon, hal-daemon and others. If init process is the
> > parent of other processes, and RSBAC system support inheritance, why the
> > other processes can't get Boot Role (in my test the role of other processes
> > is General user (0) and I expect it to be Boot Role!)?
> >
> > Please help me to boot system with the Boot Role (999999). Thanks in
> > advance for your help.
>
>
> > Regards,
> > Ali
>
> ------------------------------
>
> Message: 6
> Date: Mon, 15 Aug 2011 23:11:23 +0200
> From: Javier Juan Martínez Cabezón <tazok.id0 en gmail.com>
> To: RSBAC Discussion and Announcements <rsbac en rsbac.org>
> Subject: Re: [rsbac] Boot Role
> Message-ID:
>     <CAD98N_GfDjaw=fu0Pj6Q=yRZW-36hw=9bHRTm5u3xNu=wSV2kA en mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> If the message is exactly this (NOT GRANTED by RC), RC is not in softmode,
> but in secure mode instead (in global softmode you would see NOT GRANTED
> (softmode) by RC). Add boot parameter rsbac_softmode/ rsbac_softmode_rc to
> your grub/lilo to switch to softmode.
>
> I don't remember the default values of init, but you could check the default
> values of the binaries and of /sbin/init itself, together with the boot
> role parameter definitions, to check what's up; the reason for the change
> you will find there.
>
> This is this way because of security concerns: nobody (no daemons, no
> initrd scripts etc.) should run with the boot role; maybe you should create
> their own roles for these binaries and make them run under them, isolating
> all you can.
>
> By default in RC there is inheritance until a setuid or exec is done; if
> that happens, there could be triggers that change to the new role. Check
> above.
>
> You should check this too, take a look:
> http://www.rsbac.org/documentation/rsbac_handbook/
>
> Furthermore, you should add some more information, such as which
> distribution you use, the version of rsbac and things like this, because
> among other things these default parameters may change between versions.
>
>
>
> ------------------------------
>
> Message: 7
> Date: Mon, 15 Aug 2011 23:25:03 +0200
> From: Jens Kasten <jens en kasten-edv.de>
> To: RSBAC Discussion and Announcements <rsbac en rsbac.org>
> Subject: Re: [rsbac] Boot Role
> Message-ID: <1313443503.13473.14.camel en jaschtschik-malo>
> Content-Type: text/plain; charset="UTF-8"
>
> Hi Ali,
>
> your info about RC looks like it is not running in softmode.
> Only booting a kernel with softmode enabled in the configuration does not
> automatically boot in softmode.
> There is a kernel boot parameter rsbac_softmode.
> If you already set it then maybe check the kernel configuration for
> rsbac twice.
> More information about which kernel and rsbac version would be helpful
> but would not lead automatically to success in this case ;)
>
> In my case I would avoid using the Boot Role and General Role for all
> services.
>
> Greetings
> Jens
>
>
>
>
>
>
> ------------------------------
>
> Message: 8
> Date: Tue, 16 Aug 2011 00:12:20 +0200
> From: Javier Juan Martínez Cabezón <tazok.id0 en gmail.com>
> To: RSBAC Discussion and Announcements <rsbac en rsbac.org>
> Subject: Re: [rsbac] Boot Role
> Message-ID:
>     <CAD98N_Hbvgx83GcTRKAiNLX+fKp1tUdZSnQdyVaSn2jY-AwMjA en mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> I think it's the key of this question because if I'm not wrong inherited
> mixed proc/user parameter is not the switch by default now.
>
> 2011/8/15 Jens Kasten <jens en kasten-edv.de>
>
> >
> > More information about which kernel and rsbac version would be helpful
> > but would not lead automatically to success in this case ;)
> >
> > In my case I would avoid using the Boot Role and General Role for all
> > services.
> >
> > Greetings
> > Jens
> >
> >
> >
>
>
> ------------------------------
>
> Message: 9
> Date: Tue, 16 Aug 2011 09:54:33 -0700
> From: "Gergely Lónyai" <aleph en mandriva.org>
> To: rsbac en rsbac.org
> Subject: [rsbac] kernel-3.0.y
> Message-ID:
>     <
> 20110816095433.9b05b4e5e48d18b6dc565714b379f9f0.a8cd6efa9e.wbe en email10.secureserver.net
> >
>
> Content-Type: text/plain; charset="utf-8"
>
> Hi
>
> The Mandriva 20011 is RSBAC ready now. I submit the kernel-rsbac-3.0.1
> and will maintain all the Mandriva 2011 lifetime.
>
> 1. Install Mandriva 2011 (now Mandriva 2011 RC2)
> 2. open a konsole and run "urpmi rsbac"
> 3.
> http://www.rsbac.org/documentation/rsbac_handbook/installation/first_boot
>
> Gergely Lonyai, Aleph
>
>
>
> ------------------------------
>
>
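
The role changes described in the message at the top of this page (initial role at exec, then the force role deciding what happens at the 0-->22 setuid), as a small added Python model; it is not RSBAC code and not part of the original post. The role numbers 10 and 11, the DEF_ROLE table and the exec-time rules for the inherit settings are assumptions made for this illustration.

```python
# Simplified model of the RC role changes described in the message above.
# Roles 10 and 11 and the per-user table are constructed for illustration.
from dataclasses import dataclass

INHERIT_USER = "inherit_user"          # take the user's rc_def_role
INHERIT_PROCESS = "inherit_process"    # keep the current process role
INHERIT_UP_MIXED = "inherit_up_mixed"  # user on setuid, process on exec
USE_FORCE_ROLE = "use_force_role"      # initial role defers to the force role

BOOT, GENERAL = 999999, 0              # role numbers quoted in the thread
SSHD_PRIV, SSHD_UNPRIV = 10, 11        # hypothetical roles created for sshd

# rc_def_role per uid (constructed): root -> General User, 22 -> unprivileged sshd
DEF_ROLE = {0: GENERAL, 22: SSHD_UNPRIV}


@dataclass
class Proc:
    uid: int
    role: int
    force: object = INHERIT_UP_MIXED   # force role carried by the process


def _apply_force(proc, on_setuid):
    """Resolve the force-role setting into a concrete role number."""
    f = proc.force
    if f == INHERIT_USER or (f == INHERIT_UP_MIXED and on_setuid):
        return DEF_ROLE[proc.uid]
    if f in (INHERIT_PROCESS, INHERIT_UP_MIXED):
        return proc.role
    return f                           # a concrete role number was configured


def execute(proc, initial, force):
    """exec of a binary whose file attributes are (initial, force)."""
    child = Proc(proc.uid, proc.role, force)
    child.role = _apply_force(child, False) if initial == USE_FORCE_ROLE else initial
    return child


def setuid(proc, new_uid):
    """Owner change (e.g. 0 --> 22): the process force role decides the new role."""
    changed = Proc(new_uid, proc.role, proc.force)
    changed.role = _apply_force(changed, True)
    return changed


def sshd_walkthrough(force):
    """Role of sshd right after exec, and after it drops to uid 22."""
    sshd = execute(Proc(uid=0, role=BOOT), initial=SSHD_PRIV, force=force)
    return sshd.role, setuid(sshd, 22).role
```

In this model `sshd_walkthrough(INHERIT_UP_MIXED)` moves sshd from role 10 to role 11 at the setuid, while `sshd_walkthrough(INHERIT_PROCESS)` leaves it in role 10.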

