[rsbac] script for initial RC policy to use with learning mode

Javier Juan Martínez Cabezón tazok.id0 at gmail.com
Thu Jan 14 07:50:19 CET 2016



Not a joke (you are not the only one who thought it xD),
just my best piece of vaporware in history xDD. I don't know why, but I
feel the need to sleep when I touch python; it doesn't happen to me
with bash xDDDD

This can show you the power of pygame with sdl, just export the needed
variables as shown in detect_video_driver.

I thought of using the scandir() functions in something like a file
manager for rsbac.




#!/usr/bin/python

import os

import pygame


def detect_video_driver():
    # Under X the default driver is used. On a console, try the SDL
    # framebuffer drivers in turn, unless SDL_VIDEODRIVER was exported
    # by the user, in which case only that one is tried.
    if os.getenv("DISPLAY"):
        print('running under X')
        pygame.display.init()
        return
    preset = os.getenv('SDL_VIDEODRIVER')
    drivers = [preset] if preset else ['fbcon', 'directfb', 'svgalib']
    for driver in drivers:
        os.environ['SDL_VIDEODRIVER'] = driver
        try:
            pygame.display.init()
        except pygame.error:
            print('Driver: {0} failed.'.format(driver))
            continue
        return
    raise Exception('No video driver found!')


detect_video_driver()
pygame.init()

res_av = pygame.display.list_modes()
screen = pygame.display.set_mode(res_av[0], pygame.FULLSCREEN)

logo = pygame.image.load("rsbac_final.png")   # load once, not every frame
logo_pos = (1, 1)
white = (255, 255, 255)

world_exists = True
while world_exists:
    screen.fill(white)
    screen.blit(logo, logo_pos)
    for event in pygame.event.get():
        if event.type == pygame.QUIT:
            world_exists = False
        elif event.type == pygame.KEYDOWN and event.key == pygame.K_ESCAPE:
            world_exists = False
    pygame.display.flip()
pygame.quit()

On 13/01/16 22:24, Jens Kasten wrote:
> Am 2016-01-13 17:43, schrieb Javier Juan Martínez Cabezón:
>> On 07/01/16 16:56, Jens Kasten wrote:
>>> Hi Juan,
>>> 
>>> Today I would never use shell scripts for such tasks anymore.
>>> They are good for testing, but then it should be enough after
>>> the experimental phase. Python is for me the better shell :)
>>> 
>>> When thinking of RC roles then there has to be a good
>>> config setup. For me e.g. a user installs an nginx server.
>>> Therefore a modern config file format must exist that ships all
>>> the information. Hardcoded rc types would produce a conflict in
>>> the future because an independent developer could not write
>>> policies.
>>> 
>>> Jens
>>> 
>>> 
>>> Am 06.01.2016 17:36 schrieb Javier Juan Martínez Cabezón 
>>> <tazok en rsbac.org>:
>>>> 
>> 
>> Nah, I agree to some degree with you, but generally no.. The main
>> problem is that I will restrict in the script the use of python
>> and perl xDD. If you surely would not grant me the use of perl or
>> python on your critical_and_very_secret_cubietruck_server I would
>> not do it for others either (Remember that I accidentally defaced
>> the main rsbac page some time ago, imagine what I could do to your
>> raspberry pi with python, accessing your GPIO ports)....
> 
> Haha, yes, I like to put RSBAC on every machine which I can
> control. Next, when I replace my smartphone, it will be the next
> machine.
> 
> 
>> Perl and Python are too powerful; you could even write exploits :-S.
>> Bash is more standardized and faster (take note that this
>> version of the script uses arrays, and in python it would be deadly
>> slow (even the rsbac*menu admin dialog tools are written in bash)).
>> (Message to Amon: to put in the todo list: just prior to building
>> the cloning machine, rsbac_menu tools written in sdl with pygame (in
>> pygame because Jens would get fun hacking it and it could be used
>> with a framebuffer in text mode, and well, if you like we could
>> add a pacman somewhere in the screen feeding from your files).)
>> 
> 
> Nice joke but when I choose python then I would use wxpython.
> 
>> NOTE: I have the main screen written, only everything else is left;
>> kang I think has the only existing backup of the sources in a
>> mail from me, I sent it to him some time ago, and maybe that one is
>> the only copy that exists in the world right now.
>> 
>> 
>>> For me e.g. a user installs an nginx server. Therefore a
>>> modern config file format must exist that ships all the information.
>>> Hardcoded rc types would produce a conflict in the future
>>> because an independent developer could not write policies.
>> 
>> 
>> The main problem with that is that in rsbac the "config files" are
>> in kernel land, not in userland, or are you suggesting something
>> like iptables? Too slow to be loading policies on each reboot,
>> don't you think, and incompatible with some B grade in the Orange
>> Book |_:S.
>> 
> 
> I have to load on every boot the script for protecting the /proc
> directory. Even an rpi can handle such a task easily. Loading the
> firewall would take much longer.
> 
> When the other policies are set they are persistent over reboot
> until the next update or some hard drive crash or some admin mistake.
> 
> So the howto setup is important. Discussion about the preferred
> language or coding style is secondary but is always welcome for
> amusement.
> 
> For me the main point is still missing: to cut the problem into
> small problems. For example: What has to be protected after the
> boot process is finished on a minimal linux system. How to set up,
> how to back up and how to test policies. This has to exclude all
> services like ssh because I don't count them as part of a minimal
> linux system. But include different boot systems like openrc or
> systemd, as they need different policies.
> 
> So far good night.
> 
>> I have solved (I think) the hack of hardcoded types, now the
>> script appears to be a real script and not a text written by
>> (something like) a drunken_amateur_programmer_after_a_bad_day from
>> the point of view of a real programmer...
>> 
>> Roles, types and names are allocated automagically to avoid
>> collisions and overwriting.... However it could be broken in too
>> many places and surely mine is not the best way to do
>> things.
>> 
>> I have planned to add many checks as in if [ -z blablabla ]
>> with binaries and maybe use and abuse and even misuse of
>> $(whereis blablabla).
>> 
>> For now I think these could be added as functions:
>> 
>> rc_dummyroot(): copy the root role to a new one, copied from general
>> user, and assign it to the root account (in progress)
>> 
>> cap_rc_create_forensic_role(): a req_reauth authenticated forced
>> role that can read anything, even RAM memory, and can access any
>> device raw (in progress, a lot of copy-paste from prior code
>> with some tuning)
>> 
>> cap_rc_package_system(): another forced re-authenticated role that
>> could read/write anything not in the /home /admin /root directories
>> and can change anything, assign rights everywhere under their
>> "owned" types and with individual_fd_create_type everywhere too.
>> 
>> rc_mark_devices(): assign each device (group?) its own dev and
>> fd type.
>> 
>> rc_mark_proc_sys(): assign /proc/kcore or /proc/config.gz... or
>> anything else its own fd_type.
>> 
>> rc_restrict_perl_python()
>> 
>> rc_forbid_send_to_terminals(): tiocsti kill.
>> rc_forbid_scd_kmem_to_allnotforensic()
>> rc_mozilla_isolation_to_protect_user_files_against_ransomware()
>> 
>> One of this days I will do it. I think I'm going to sleep now.
>> Get fun
>> 
>> function cap_reset_caps() {
>>     shopt -s globstar   # needed for the /usr/libexec/**/* pattern
>>     for file in /usr/local/bin/* /usr/local/sbin/* /sbin/* /usr/bin/* /bin/* \
>>                 /usr/sbin/* /etc/init.d/* /etc/cron.daily/* /etc/cron.weekly/* \
>>                 /etc/cron.hourly/* /etc/cron.monthly/* /etc/cron.d/* \
>>                 /usr/libexec/**/*; do
>>         attr_set_file_dir FD "$file" max_caps UA
>>     done
>> }
>> 
>> 
>> # Read the role and type numbers already in use into one array per
>> # namespace, so that new numbers can be chosen without collisions.
>> function rc_load_used_lists() {
>>     list_used_roles=($(rc_get_item list_role_nr))
>>     list_used_fd_types=($(rc_get_item list_fd_type_nr))
>>     list_used_dev_types=($(rc_get_item list_dev_type_nr))
>>     list_used_ipc_types=($(rc_get_item list_ipc_type_nr))
>>     list_used_user_types=($(rc_get_item list_user_type_nr))
>>     list_used_process_types=($(rc_get_item list_process_type_nr))
>>     list_used_group_types=($(rc_get_item list_group_types | awk '{print $1}'))
>> }
>> 
>> # Create a role plus its own netobj, user, group, ipc, process and fd
>> # types for the program $1, and make it that program's initial and
>> # forced role. The number checks match whole numbers ("100" does not
>> # count 1000 as used), and each number taken is appended to its list
>> # so the next program gets fresh ones instead of overwriting these.
>> function rc_create_role_and_types() {
>>     local NAME="$1"
>>     local NAMESPROV NAMESROL NAMESTYPE
>>     NAMESPROV="$(basename "$NAME")"
>>     NAMESROL="$(echo "$NAMESPROV" | cut -c -11)"
>>     NAMESTYPE="$(echo "$NAMESPROV" | cut -c -7)"
>> 
>>     # create role
>>     while [[ " ${list_used_roles[*]} " =~ " ${ROLE} " ]]; do ((ROLE++)); done
>>     rc_set_item ROLE ${ROLE} name ${NAMESROL}
>>     list_used_roles+=("${ROLE}")
>> 
>>     # set netobj type
>>     rc_set_item TYPE ${TYPE} type_netobj_name "${NAMESTYPE}_NOBJ"
>> 
>>     # set user type
>>     while [[ " ${list_used_user_types[*]} " =~ " ${TYPE} " ]]; do ((TYPE++)); done
>>     rc_set_item TYPE ${TYPE} type_user_name "${NAMESTYPE}_USR"
>>     rc_set_item ROLE ${ROLE} def_user_create_type ${TYPE}
>>     list_used_user_types+=("${TYPE}")
>> 
>>     # set group type
>>     while [[ " ${list_used_group_types[*]} " =~ " ${TYPE} " ]]; do ((TYPE++)); done
>>     rc_set_item TYPE ${TYPE} type_group_name "${NAMESTYPE}_GRP"
>>     rc_set_item ROLE ${ROLE} def_group_create_type ${TYPE}
>>     list_used_group_types+=("${TYPE}")
>> 
>>     # set ipc type
>>     while [[ " ${list_used_ipc_types[*]} " =~ " ${TYPE} " ]]; do ((TYPE++)); done
>>     rc_set_item TYPE ${TYPE} type_ipc_name "${NAMESTYPE}_IPC"
>>     rc_set_item ROLE ${ROLE} def_ipc_create_type ${TYPE}
>>     list_used_ipc_types+=("${TYPE}")
>> 
>>     # set process type
>>     while [[ " ${list_used_process_types[*]} " =~ " ${TYPE} " ]]; do ((TYPE++)); done
>>     rc_set_item TYPE ${TYPE} type_process_name "${NAMESTYPE}_PRC"
>>     rc_set_item ROLE ${ROLE} def_process_create_type ${TYPE}
>>     rc_set_item ROLE ${ROLE} def_process_chown_type 4294967291
>>     rc_set_item ROLE ${ROLE} def_process_execute_type 4294967294
>>     list_used_process_types+=("${TYPE}")
>> 
>>     # set fd type
>>     while [[ " ${list_used_fd_types[*]} " =~ " ${TYPE} " ]]; do ((TYPE++)); done
>>     rc_set_item TYPE ${TYPE} type_fd_name "${NAMESTYPE}_FD"
>>     rc_set_item ROLE ${ROLE} def_fd_create_type ${TYPE}
>>     rc_set_item ROLE ${ROLE} def_fd_ind_create_type ${TYPE} 4294967294
>>     rc_set_item ROLE ${ROLE} def_fd_ind_create_type /run ${TYPE}
>>     rc_set_item ROLE ${ROLE} def_fd_ind_create_type /tmp ${TYPE}
>>     rc_set_item ROLE ${ROLE} def_unixsock_create_type ${TYPE}
>>     list_used_fd_types+=("${TYPE}")
>> 
>>     attr_set_file_dir FD ${NAME} rc_initial_role ${ROLE}
>>     attr_set_file_dir FD ${NAME} rc_force_role ${ROLE}
>> }
>> 
>> function rc_bootscriptsrc() {
>>     rc_load_used_lists
>>     TYPE=100
>>     ROLE=100
>>     for NAME in /etc/init.d/* /etc/cron.daily/* /etc/cron.weekly/* \
>>                 /etc/cron.hourly/* /etc/cron.monthly/*; do
>>         rc_create_role_and_types "$NAME"
>>     done
>> }
>> 
>> function rc_markrootdir() {
>>     BASE_NUM=100
>>     rc_load_used_lists
>>     for dir in /*; do
>>         while [[ " ${list_used_fd_types[*]} " =~ " ${BASE_NUM} " ]]; do ((BASE_NUM++)); done
>>         NAME="$dir"
>>         rc_set_item TYPE ${BASE_NUM} type_fd_name ${NAME}
>>         attr_set_file_dir FD ${dir} rc_type_fd ${BASE_NUM}
>>         list_used_fd_types+=("${BASE_NUM}")
>>     done
>> }
>> 
>> function rc_markothertypesfiles() {
>>     BASE_NUM=100
>>     rc_load_used_lists
>>     for file in /etc/conf.d /etc/default /etc/lilo.conf /etc/fwknop /etc/openvpn \
>>                 /etc/shadow /etc/gshadow /etc/dovecot /etc/grub.d /etc/hiawatha \
>>                 /etc/pam.d /etc/privoxy /etc/tripwire /var/*; do
>>         while [[ " ${list_used_fd_types[*]} " =~ " ${BASE_NUM} " ]]; do ((BASE_NUM++)); done
>>         NAME="$(basename "$file")cfg"
>>         rc_set_item TYPE ${BASE_NUM} type_fd_name ${NAME}
>>         attr_set_file_dir FD ${file} rc_type_fd ${BASE_NUM}
>>         list_used_fd_types+=("${BASE_NUM}")
>>     done
>> }
>> 
>> function rc_markbinaries_roles_types() {
>>     rc_load_used_lists
>>     TYPE=100
>>     ROLE=100
>>     for NAME in /sbin/agetty /bin/login /sbin/init /bin/su /sbin/lilo /usr/bin/sudo; do
>>         rc_create_role_and_types "$NAME"
>>     done
>> }
>> 
>> function rc_trusted_path_execution() {
>>     rc_load_used_lists
>> 
>>     # first pass with -k over every role / fd type pair for MAP_EXEC EXECUTE
>>     for all_roles in "${list_used_roles[@]}"; do
>>         for all_types in "${list_used_fd_types[@]}"; do
>>             rc_set_item -k ROLE "${all_roles}" type_comp_fd "${all_types}" MAP_EXEC EXECUTE
>>         done
>>     done
>> 
>>     # second pass with -a only for the types of the system binary directories
>>     for all_roles in "${list_used_roles[@]}"; do
>>         for dir in /usr/local/bin /usr/local/sbin /sbin /usr/bin /bin /usr/sbin /usr/libexec; do
>>             rc_set_item -a ROLE "${all_roles}" type_comp_fd \
>>                 "$(attr_get_file_dir RC FD "${dir}" rc_type_fd)" MAP_EXEC EXECUTE
>>             echo "incomplete function, what's happen with cron scripts and init.d ones, can you tell me?"
>>         done
>>     done
>> }
>> 
>> cap_reset_caps
>> rc_bootscriptsrc
>> rc_markothertypesfiles
>> rc_markrootdir
>> rc_markbinaries_roles_types
>> rc_trusted_path_execution
>> 
>> 
>> 
>> 
>> 
>> _______________________________________________ rsbac mailing
>> list rsbac en rsbac.org http://www.rsbac.org/mailman/listinfo/rsbac
> 

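The `while [[ ${list_used_roles[*]} =~ $ROLE ]]` loops in the quoted script pick role and type numbers by a regex match on the joined list of numbers in use. As an added example (not from the thread and calling no RSBAC tool; the list of used numbers is constructed here), this sh snippet shows that substring match next to a whole-number match, plus a dry-run wrapper that prints the rc_set_item/attr_set_file_dir commands the fd-type step would issue for one file:

```bash
#!/bin/sh
# Added example, not from the thread: pick the next free RC role/type number
# from a space-separated list of numbers already in use (the format the quoted
# script reads from `rc_get_item list_role_nr`; constructed here, no RSBAC
# tool is called).

# The quoted script's test, `[[ ${list[*]} =~ $n ]]`, is a substring match:
# 101 counts as used as soon as 1011 is in the list. Reproduced with a
# POSIX `case` so the effect is visible.
next_free_substring() {  # $1 = used numbers, $2 = first candidate
    n=$2
    while true; do
        case " $1 " in
            *"$n"*) n=$((n + 1)) ;;
            *) echo "$n"; return 0 ;;
        esac
    done
}

# Whole-number version: a number is taken only if it appears as a word.
next_free_exact() {  # $1 = used numbers, $2 = first candidate
    n=$2
    while true; do
        case " $1 " in
            *" $n "*) n=$((n + 1)) ;;
            *) echo "$n"; return 0 ;;
        esac
    done
}

# Dry run of one fd-type allocation as the quoted rc_bootscriptsrc does it:
# prints the commands it would run on stderr and returns the chosen number
# on stdout, so the caller can append it to its used list.
# $1 = used fd type numbers, $2 = file, $3 = first candidate
plan_fd_type() {
    nr=$(next_free_exact "$1" "$3")
    name="$(basename "$2" | cut -c -7)_FD"
    echo "rc_set_item TYPE $nr type_fd_name $name" >&2
    echo "attr_set_file_dir FD $2 rc_type_fd $nr" >&2
    echo "$nr"
}

USED="1 10 100 1011 4294967294"   # constructed list of numbers in use
next_free_substring "$USED" 100   # 102: 101 wrongly matched inside 1011
next_free_exact "$USED" 100       # 101
plan_fd_type "$USED" /etc/init.d/networking 100
```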


