[rsbac] script for initial RC policy to use with learning mode

Jens Kasten jens.kasten at kasten-edv.de
Wed Jan 13 22:24:28 CET 2016


On 2016-01-13 17:43, Javier Juan Martínez Cabezón wrote:
> On 07/01/16 16:56, Jens Kasten wrote:
>> Hi Juan,
>> 
>> Today I would never use shell scripts for such tasks anymore. They
>> are good for testing, but then that should be enough after the
>> experimental phase. Python is for me the better shell :)
>> 
>> When thinking of RC roles, there has to be a good config setup. For
>> me e.g. a user installs an nginx server. Therefore a modern config
>> file format must exist that ships all the information. Hardcoded RC
>> types would produce a conflict in the future because an independent
>> developer could not write policies.
>> 
>> Jens
>> 
>> 
>> On 06.01.2016 17:36 Javier Juan Martínez Cabezón
>> <tazok at rsbac.org> wrote:
>>> 
> 
> Nah, I agree with you to some degree, but generally no.. The main
> problem is that I will restrict the use of python and perl in the
> script xDD. If you surely would not grant me the use of perl or python
> on your critical_and_very_secret_cubietruck_server, I would not do it
> for others either (remember that some time ago I accidentally defaced
> the main rsbac page; imagine what I could do to your raspberry pi with
> python, accessing your GPIO ports)....

Haha, yes, I like to put RSBAC on every machine I can control.
When I replace my smartphone, it will be the next machine.


> Perl and Python are too powerful, enough even to write exploits :-S.
> Bash is more standardized and faster (take note that this version of
> the script uses arrays, and in python it would be deadly slow (even the
> rsbac*menu admin dialog tools are written in bash (message to Amon, to
> put on the todo list: just prior to building a cloning machine,
> rsbac_menu tools written in SDL with pygame (in pygame because Jens
> would have fun hacking it, and it could be used with a framebuffer in
> text mode, and well, if you like we could add a pacman somewhere on
> the screen feeding from your files).
> 

Nice joke, but if I chose python then I would use wxpython.

> NOTE: I have the main screen written, only everything else is left.
> kang, I think, has the only existing backup of the sources in a mail
> from me, I sent it to him some time ago, and maybe that one is the only
> copy that exists in the world right now.
> 
> 
>> For me e.g. a user installs an nginx server. Therefore a modern
>> config file format must exist that ships all the information.
>> Hardcoded RC types would produce a conflict in the future because an
>> independent developer could not write policies.
> 
> 
> The main problem with that is that in rsbac the "config files" are in
> kernel land, not in userland, or are you suggesting something like
> iptables? Too slow to be loading policies on each reboot, don't you
> think, and incompatible with some B grade in the Orange Book |_:S.
> 

I have to load the script for protecting the /proc directory on every
boot. Even an rpi can handle such a task easily. Loading the firewall
would take much longer.

Once the other policies are set, they are persistent over reboots until
the next update or some hard drive crash or some admin mistake.

So the setup howto is important.
Discussion about the preferred language or coding style is secondary,
but is always welcome for amusement.

For me the main point is still missing: cutting the problem into small
problems.
For example:
    What has to be protected after the boot process is finished on a
minimal linux system.
    How to set up, how to back up and how to test policies.
    This has to exclude all services like ssh, because I don't count
them as part of a minimal linux system.
    But it has to include different boot systems like openrc or systemd,
and they need different policies.

So far good night.

> I have solved (I think) the hack of hardcoded types, now the script
> appears to be a real script and not a text written by a (something
> like) drunken_amateur_programmer_after_a_bad_day from the point of
> view of a real programmer...
> 
> Roles, types and names are allocated automagically to avoid collisions
> and overwriting.... However, it could be broken in too many places and
> surely mine is not the best way to do things.
> 
> I have planned to add many checks such as if [ -z blablabla ] for
> binaries, and maybe use and abuse and even misuse $(whereis
> blablabla).
> 
> For now I think these could be added as functions:
> 
> rc_dummyroot(): copy the root role to a new one, copied from general
> user and assigned to the root account (in progress)
> 
> cap_rc_create_forensic_role(): a req_reauth authenticated forced role
> that can read anything, even RAM memory, and can access any device raw
> (in progress, a lot of copy-paste from prior code with some tuning)
> 
> cap_rc_package_system(): another forced re-authenticated role that
> could read and write anything not in the /home /admin /root directories
> and can change anything, assign rights everywhere under their "owned"
> types, and with individual_fd_create_type everywhere too.
> 
> rc_mark_devices(): assign each device (group?) its own dev and fd type.
> 
> rc_mark_proc_sys(): assign /proc/kcore or /proc/config.gz... or anything
> else its own fd_type.
> 
> rc_restrict_perl_python()
> 
> rc_forbid_send_to_terminals(): tiocsti kill.
> rc_forbid_scd_kmem_to_allnotforensic()
> rc_mozilla_isolation_to_protect_user_files_against_ransomware()
> 
> One of these days I will do it. I think I'm going to sleep now. Have fun
> 
> function cap_reset_caps()
> {
> # reset max_caps on every binary, init script and cron job;
> # ** only descends recursively with globstar enabled
> shopt -s globstar
> for file in /usr/local/bin/* /usr/local/sbin/* /sbin/* /usr/bin/* /bin/* \
>     /usr/sbin/* /etc/init.d/* /etc/cron.daily/* /etc/cron.weekly/* \
>     /etc/cron.hourly/* /etc/cron.monthly/* /etc/cron.d/* \
>     /usr/libexec/**/*; do attr_set_file_dir FD "$file" max_caps UA; done
> }
> 
> 
> function rc_bootscriptsrc()
> {
> # numbers already in use in the kernel; the outer (...) turns the
> # space-separated output into a real bash array
> declare -a list_used_roles=($(rc_get_item list_role_nr))
> declare -a list_used_fd_types=($(rc_get_item list_fd_type_nr))
> declare -a list_used_dev_types=($(rc_get_item list_dev_type_nr))
> declare -a list_used_ipc_types=($(rc_get_item list_ipc_type_nr))
> declare -a list_used_user_types=($(rc_get_item list_user_type_nr))
> declare -a list_used_process_types=($(rc_get_item list_process_type_nr))
> declare -a list_used_group_types=($(rc_get_item list_group_types | awk '{print $1}'))
> 
> TYPE=100
> ROLE=100
> for NAME in /etc/init.d/* /etc/cron.daily/* /etc/cron.weekly/* \
>     /etc/cron.hourly/* /etc/cron.monthly/*
> do
> NAMESPROV="$(basename "$NAME")"
> NAMESROL="$(echo "$NAMESPROV" | cut -c-11)"
> NAMESTYPE="$(echo "$NAMESPROV" | cut -c-7)"
> # create role: step past numbers already in use (whole-token match, so
> # that 10 is not taken for "used" just because 100 is in the list)
> while [[ " ${list_used_roles[*]} " == *" ${ROLE} "* ]]
> do
> ((ROLE++))
> done
> rc_set_item ROLE ${ROLE} name ${NAMESROL}
> 
> # set netobj type (no used-number list is queried for netobj types)
> rc_set_item TYPE ${TYPE} type_netobj_name "${NAMESTYPE}_NOBJ"
> 
> 
> # set user type
> while [[ " ${list_used_user_types[*]} " == *" ${TYPE} "* ]]
> do
> ((TYPE++))
> done
> rc_set_item TYPE ${TYPE} type_user_name "${NAMESTYPE}_USR"
> 
> 
> # set group type
> while [[ " ${list_used_group_types[*]} " == *" ${TYPE} "* ]]
> do
> ((TYPE++))
> done
> rc_set_item TYPE ${TYPE} type_group_name "${NAMESTYPE}_GRP"
> rc_set_item ROLE ${ROLE} def_user_create_type ${TYPE}
> rc_set_item ROLE ${ROLE} def_group_create_type ${TYPE}
> 
> # set ipc type
> while [[ " ${list_used_ipc_types[*]} " == *" ${TYPE} "* ]]
> do
> ((TYPE++))
> done
> rc_set_item TYPE ${TYPE} type_ipc_name "${NAMESTYPE}_IPC"
> rc_set_item ROLE ${ROLE} def_ipc_create_type ${TYPE}
> 
> # set process type
> while [[ " ${list_used_process_types[*]} " == *" ${TYPE} "* ]]
> do
> ((TYPE++))
> done
> rc_set_item TYPE ${TYPE} type_process_name "${NAMESTYPE}_PRC"
> rc_set_item ROLE ${ROLE} def_process_create_type ${TYPE}
> rc_set_item ROLE ${ROLE} def_process_chown_type 4294967291
> rc_set_item ROLE ${ROLE} def_process_execute_type 4294967294
> 
> # set fd type
> while [[ " ${list_used_fd_types[*]} " == *" ${TYPE} "* ]]
> do
> ((TYPE++))
> done
> 
> rc_set_item TYPE ${TYPE} type_fd_name "${NAMESTYPE}_FD"
> rc_set_item ROLE ${ROLE} def_fd_create_type ${TYPE}
> rc_set_item ROLE ${ROLE} def_fd_ind_create_type ${TYPE} 4294967294
> rc_set_item ROLE ${ROLE} def_fd_ind_create_type /run ${TYPE}
> rc_set_item ROLE ${ROLE} def_fd_ind_create_type /tmp ${TYPE}
> rc_set_item ROLE ${ROLE} def_unixsock_create_type ${TYPE}
> attr_set_file_dir FD ${NAME} rc_initial_role ${ROLE}
> attr_set_file_dir FD ${NAME} rc_force_role ${ROLE}
> # move both counters on, otherwise the next script would be given the
> # same role and type numbers and overwrite the ones just created
> ((ROLE++))
> ((TYPE++))
> done
> }
> 
> function rc_markrootdir()
> {
> # give every top-level directory its own fd type, named after the directory
> BASE_NUM=100
> declare -a list_used_fd_types=($(rc_get_item list_fd_type_nr))
> for dir in /*; do
> while [[ " ${list_used_fd_types[*]} " == *" ${BASE_NUM} "* ]]
> do
> ((BASE_NUM++))
> done
> NAME="${dir}"
> 
> rc_set_item TYPE ${BASE_NUM} type_fd_name ${NAME}
> attr_set_file_dir FD ${dir} rc_type_fd ${BASE_NUM}
> ((BASE_NUM++))    # the next directory must not reuse this number
> done
> }
> 
> function rc_markothertypesfiles()
> {
> # own fd type for configuration files and directories that need
> # separate access rules
> BASE_NUM=100
> declare -a list_used_fd_types=($(rc_get_item list_fd_type_nr))
> for file in /etc/conf.d /etc/default /etc/lilo.conf /etc/fwknop \
>     /etc/openvpn /etc/shadow /etc/gshadow /etc/dovecot /etc/grub.d \
>     /etc/hiawatha /etc/pam.d /etc/privoxy /etc/tripwire /var/*
> do
> 
> while [[ " ${list_used_fd_types[*]} " == *" ${BASE_NUM} "* ]]
> do
> ((BASE_NUM++))
> done
> NAME="$(basename "${file}")cfg"
> rc_set_item TYPE ${BASE_NUM} type_fd_name ${NAME}
> attr_set_file_dir FD ${file} rc_type_fd ${BASE_NUM}
> ((BASE_NUM++))    # the next file must not reuse this number
> done
> }
> 
> function rc_markbinaries_roles_types()
> {
> TYPE=100
> ROLE=100
> declare -a list_used_roles=($(rc_get_item list_role_nr))
> declare -a list_used_fd_types=($(rc_get_item list_fd_type_nr))
> declare -a list_used_dev_types=($(rc_get_item list_dev_type_nr))
> declare -a list_used_ipc_types=($(rc_get_item list_ipc_type_nr))
> declare -a list_used_user_types=($(rc_get_item list_user_type_nr))
> declare -a list_used_process_types=($(rc_get_item list_process_type_nr))
> declare -a list_used_group_types=($(rc_get_item list_group_types | awk '{print $1}'))
> for NAME in /sbin/agetty /bin/login /sbin/init /bin/su /sbin/lilo \
>     /usr/bin/sudo
> do
> 
> NAMESPROV="$(basename "$NAME")"
> NAMESROL="$(echo "$NAMESPROV" | cut -c-11)"
> NAMESTYPE="$(echo "$NAMESPROV" | cut -c-7)"
> # create role (whole-token match against the used numbers, as above)
> while [[ " ${list_used_roles[*]} " == *" ${ROLE} "* ]]
> do
> ((ROLE++))
> done
> rc_set_item ROLE ${ROLE} name ${NAMESROL}
> 
> # set netobj type (no used-number list is queried for netobj types)
> rc_set_item TYPE ${TYPE} type_netobj_name "${NAMESTYPE}_NOBJ"
> 
> 
> # set user type
> while [[ " ${list_used_user_types[*]} " == *" ${TYPE} "* ]]
> do
> ((TYPE++))
> done
> rc_set_item TYPE ${TYPE} type_user_name "${NAMESTYPE}_USR"
> 
> 
> # set group type
> while [[ " ${list_used_group_types[*]} " == *" ${TYPE} "* ]]
> do
> ((TYPE++))
> done
> rc_set_item TYPE ${TYPE} type_group_name "${NAMESTYPE}_GRP"
> rc_set_item ROLE ${ROLE} def_user_create_type ${TYPE}
> rc_set_item ROLE ${ROLE} def_group_create_type ${TYPE}
> 
> # set ipc type
> while [[ " ${list_used_ipc_types[*]} " == *" ${TYPE} "* ]]
> do
> ((TYPE++))
> done
> rc_set_item TYPE ${TYPE} type_ipc_name "${NAMESTYPE}_IPC"
> rc_set_item ROLE ${ROLE} def_ipc_create_type ${TYPE}
> 
> # set process type
> while [[ " ${list_used_process_types[*]} " == *" ${TYPE} "* ]]
> do
> ((TYPE++))
> done
> rc_set_item TYPE ${TYPE} type_process_name "${NAMESTYPE}_PRC"
> rc_set_item ROLE ${ROLE} def_process_create_type ${TYPE}
> rc_set_item ROLE ${ROLE} def_process_chown_type 4294967291
> rc_set_item ROLE ${ROLE} def_process_execute_type 4294967294
> 
> # set fd type
> while [[ " ${list_used_fd_types[*]} " == *" ${TYPE} "* ]]
> do
> ((TYPE++))
> done
> 
> rc_set_item TYPE ${TYPE} type_fd_name "${NAMESTYPE}_FD"
> rc_set_item ROLE ${ROLE} def_fd_create_type ${TYPE}
> rc_set_item ROLE ${ROLE} def_fd_ind_create_type ${TYPE} 4294967294
> rc_set_item ROLE ${ROLE} def_fd_ind_create_type /run ${TYPE}
> rc_set_item ROLE ${ROLE} def_fd_ind_create_type /tmp ${TYPE}
> rc_set_item ROLE ${ROLE} def_unixsock_create_type ${TYPE}
> attr_set_file_dir FD ${NAME} rc_initial_role ${ROLE}
> attr_set_file_dir FD ${NAME} rc_force_role ${ROLE}
> # fresh numbers for the next binary
> ((ROLE++))
> ((TYPE++))
> done
> 
> }
> 
> function rc_trusted_path_execution()
> {
> declare -a list_used_roles=($(rc_get_item list_role_nr))
> declare -a list_used_fd_types=($(rc_get_item list_fd_type_nr))
> 
> # first pass (-k): MAP_EXEC and EXECUTE for every role on every fd type
> for all_roles in "${list_used_roles[@]}"
> do
> for all_types in "${list_used_fd_types[@]}"
> do
> rc_set_item -k ROLE "${all_roles}" type_comp_fd "${all_types}" MAP_EXEC EXECUTE
> done
> done
> 
> # second pass (-a): only the fd types of the trusted binary directories
> for all_roles in "${list_used_roles[@]}"
> do
> for dir in /usr/local/bin /usr/local/sbin /sbin /usr/bin /bin /usr/sbin \
>     /usr/libexec
> do
> rc_set_item -a ROLE "${all_roles}" type_comp_fd \
>     $(attr_get_file_dir RC FD "${dir}" rc_type_fd) MAP_EXEC EXECUTE
> echo "incomplete function, what's happen with cron scripts and init.d ones, can you tell me?"
> done
> done
> 
> }
> cap_reset_caps
> rc_bootscriptsrc
> rc_markothertypesfiles
> rc_markrootdir
> rc_markbinaries_roles_types
> rc_trusted_path_execution
> 
> _______________________________________________
> rsbac mailing list
> rsbac at rsbac.org
> http://www.rsbac.org/mailman/listinfo/rsbac
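The quoted script hands out RC role and type numbers by stepping a counter past the numbers rc_get_item reports as used. Two things such a loop has to get right: compare whole tokens (a bare `=~` match treats 10 as used when 100 is in the list) and remember the numbers it has just handed out, or the next loop iteration reuses them and silently overwrites the role or type just created. The following is an added example, not code from the thread or from the RSBAC project; it only assumes that the used-number list is space-separated numbers, as the script already treats it, and the sample list is constructed.

```shell
# rc_next_free_nr BASE USED...
# Print the first number >= BASE that is not one of the USED numbers.
rc_next_free_nr() {
    local nr="$1"; shift
    local used=" $* "             # pad with spaces: whole-token comparison
    while [[ "$used" == *" $nr "* ]]; do
        nr=$((nr + 1))
    done
    printf '%s\n' "$nr"
}

# rc_allocate_nrs BASE COUNT USED...
# Print COUNT distinct free numbers >= BASE. Every number handed out is
# appended to the used list, so consecutive allocations cannot collide,
# which is the step the counter loop in the script is missing.
rc_allocate_nrs() {
    local nr="$1" count="$2"; shift 2
    local used=("$@") out=()
    while (( ${#out[@]} < count )); do
        nr=$(rc_next_free_nr "$nr" "${used[@]}")
        out+=("$nr"); used+=("$nr")
        nr=$((nr + 1))
    done
    printf '%s\n' "${out[*]}"
}

# Substring variant, kept only to show the problem: [[ "$used" =~ $nr ]]
# matches 10 inside 100, so 10 is wrongly skipped.
rc_next_free_nr_substring() {
    local nr="$1"; shift
    local used="$*"
    while [[ "$used" =~ $nr ]]; do nr=$((nr + 1)); done
    printf '%s\n' "$nr"
}

# Constructed sample standing in for `rc_get_item list_fd_type_nr`: the
# default types 0-4 plus 100, 101 and 1000 (hypothetical numbers).
SAMPLE_USED="0 1 2 3 4 100 101 1000"

rc_next_free_nr 100 $SAMPLE_USED             # 102
rc_next_free_nr 10 $SAMPLE_USED              # 10
rc_next_free_nr_substring 10 $SAMPLE_USED    # 11 (wrong: 10 is free)
rc_allocate_nrs 100 3 $SAMPLE_USED           # 102 103 104
```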