[rsbac] script for initial RC policy to use with learning mode
Javier Juan Martínez Cabezón
tazok.id0 at gmail.com
Thu Jan 14 07:50:19 CET 2016
Not a joke (you are not the only one who thought it xD),
just my best piece of vaporware in history xDD. I don't know why but I
feel the need to sleep when I touch python, it doesn't happen to me
with bash xDDDD
This can show you the power of pygame with SDL, just export the needed
variables as they appear in detect_video_driver.
I thought of using the scandir() functions in something like a file
manager for rsbac.
#!/usr/bin/python
import os
import sys
import pygame


def detect_video_driver():
    # Under X the default SDL driver works; no SDL_VIDEODRIVER export needed.
    if os.getenv("DISPLAY"):
        print('running under X')
        return
    # Without X, try the console drivers in turn. A driver the user already
    # exported in SDL_VIDEODRIVER is tried first and exclusively.
    user_driver = os.getenv('SDL_VIDEODRIVER')
    drivers = [user_driver] if user_driver else ['fbcon', 'directfb', 'svgalib']
    for driver in drivers:
        os.environ['SDL_VIDEODRIVER'] = driver
        try:
            pygame.display.init()
        except pygame.error:
            print('Driver: {0} failed.'.format(driver))
            continue
        return
    raise Exception('No video driver found!')


detect_video_driver()
pygame.init()
res_av = pygame.display.list_modes()
screen = pygame.display.set_mode(res_av[0], pygame.FULLSCREEN)
white = (255, 255, 255)
# Load the logo once, not on every frame.
logo = pygame.image.load("rsbac_final.png")
logo_posx = 1
logo_posy = 1
world_exists = 1
while world_exists:
    screen.fill(white)
    screen.blit(logo, (logo_posx, logo_posy))
    for event in pygame.event.get():
        if event.type == pygame.QUIT:
            world_exists = 0
        elif event.type == pygame.KEYDOWN:
            if event.key == pygame.K_ESCAPE:
                world_exists = 0
    pygame.display.flip()
pygame.quit()
sys.exit(0)
On 13/01/16 22:24, Jens Kasten wrote:
> On 2016-01-13 17:43, Javier Juan Martínez Cabezón wrote:
>> On 07/01/16 16:56, Jens Kasten wrote:
>>> Hi Juan,
>>>
>>> Today I would never use shell scripts for such tasks anymore.
>>> They are good for testing but then it should be enough after
>>> the experimental phase. Python is for me the better shell :)
>>>
>>> When thinking of RC roles then there has to be a good
>>> config setup. For me e.g. a user installs an nginx server.
>>> Therefore a modern config file format must exist that ships all
>>> the information. Hardcoded rc types would produce a conflict in
>>> the future because an independent developer could not write
>>> policies.
>>>
>>> Jens
>>>
>>>
>>> On 06.01.2016 17:36, Javier Juan Martínez Cabezón
>>> <tazok en rsbac.org> wrote:
>>>>
>>
>> Nah, I agree to some degree with you, but generally no.. The main
>> problem is that I will restrict in the script the use of python
>> and perl xDD. If you surely would not grant me the use of perl or
>> python in your critical_and_very_secret_cubietruck_server I would
>> not do it for others either (remember that I accidentally defaced
>> the main rsbac page some time ago; imagine what I could do to your
>> raspberry pi with python, accessing your GPIO ports)....
>
> Haha, yes, I like to put RSBAC on every machine which I can
> control. Next, when I replace my smartphone, then it will
> be the next machine.
>
>
>> Perl and Python are too powerful to even write exploits :-S.
>> Bash is more standardized and faster (take note that this
>> version of the script uses arrays and in python it would be deadly
>> slow (even the rsbac*menu admin dialog tools are written in bash,
>> (message to Amon: to put in the todo list: just prior to building
>> the cloning machine, rsbac_menu tools written in sdl with pygame (in
>> pygame because Jens would have fun hacking it and it could be used
>> with a framebuffer in text mode, and well, if you like we could
>> add a pacman somewhere on the screen feeding from your files).
>>
>
> Nice joke, but when I choose python then I would use wxpython.
>
>> NOTE: I have the main screen written, only everything else is left;
>> kang I think has the only existing backup of the sources in a
>> mail from me, I sent it to him some time ago, and maybe this one is
>> the only copy that exists in the world right now.
>>
>>
>>> For me e.g. a user installs an nginx server. Therefore a
>>> modern config file format must exist that ships all the information.
>>> Hardcoded rc types would produce a conflict in the future
>>> because an independent developer could not write policies.
>>
>>
>> The main problem with that is that in rsbac "config files" are
>> in kerneland not in userland, or are you suggesting something
>> like iptables? Too slow to be loading policies on each reboot,
>> don't you think, and incompatible with some B grade in the orange
>> book |_:S.
>>
>
> I have to load on every boot the script for protecting the /proc
> directory. Even an rpi can handle such a task easily. Loading the
> firewall would take much longer.
>
> When the other policies are set they are persistent over reboots
> until the next update or some harddrive crash or some admin mistake.
>
> So the howto setup is important. Discussion about the preferred
> language or coding style is secondary but is always welcome for
> amusement.
>
> For me the main point is still missing: to cut the problem into
> small problems. For example: what has to be protected after the
> boot process has finished on a minimal linux system. How to set up
> and how to back up and how to test policies. This has to exclude all
> services like ssh because I don't count them to a minimal linux
> system. But include different boot systems like openrc or systemd
> and they need different policies.
>
> So far good night.
>
>> I have solved (I think) the hack of hardcoded types, now the
>> script appears to be a real script and not a text written by a
>> (something like) drunken_amateur_programmer_after_a_bad_day from
>> the point of view of a real programmer...
>>
>> Roles, types and names are allocated automagically to avoid
>> collisions and overwriting.... However it could be broken in too
>> many places and surely mine is not the best way to do
>> things.
>>
>> I have planned to add too many checks as in if [ -z blablabla ]
>> with binaries and maybe use and abuse and even misuse of
>> $(whereis blablabla).
>>
>> For now I think these could be added as functions:
>>
>> rc_dummyroot(): copy the root role to a new one copied from general
>> user and assigned to the root account (in progress)
>>
>> cap_rc_create_forensic_role(): a req_reauth-authenticated forced
>> role that can read anything, even RAM memory, and can access at raw
>> level any device (in progress, a lot of copy-paste from prior code
>> with some tuning)
>>
>> cap_rc_package_system(): another forced re-authenticated role that
>> could read and write anything not in the /home /admin /root
>> directories and can change anything, assign rights everywhere under
>> its "owned" types and with individual_fd_create_type everywhere too.
>>
>> rc_mark_devices(): assign each (group of?) device its own dev and
>> fd type.
>>
>> rc_mark_proc_sys(): assign /proc/kcore or /proc/config.gz... or
>> anything else its own fd_type.
>>
>> rc_restrict_perl_python()
>>
>> rc_forbid_send_to_terminals(): tiocsti kill.
>> rc_forbid_scd_kmem_to_allnotforensic()
>> rc_mozilla_isolation_to_protect_user_files_against_ransomware()
>>
>> One of these days I will do it. I think I'm going to sleep now.
>> Have fun
>>
>> #!/bin/bash
>> shopt -s globstar   # needed for the /usr/libexec/**/* glob in cap_reset_caps
>>
>> function cap_reset_caps() {
>>     local file
>>     for file in /usr/local/bin/* /usr/local/sbin/* /sbin/* /usr/bin/* /bin/* \
>>                 /usr/sbin/* /etc/init.d/* /etc/cron.daily/* /etc/cron.weekly/* \
>>                 /etc/cron.hourly/* /etc/cron.monthly/* /etc/cron.d/* \
>>                 /usr/libexec/**/*; do
>>         attr_set_file_dir FD "$file" max_caps UA
>>     done
>> }
>>
>> # Fetch the role and type numbers already in use, one array each (globals).
>> function rc_load_used_lists() {
>>     list_used_roles=( $(rc_get_item list_role_nr) )
>>     list_used_fd_types=( $(rc_get_item list_fd_type_nr) )
>>     list_used_dev_types=( $(rc_get_item list_dev_type_nr) )
>>     list_used_ipc_types=( $(rc_get_item list_ipc_type_nr) )
>>     list_used_user_types=( $(rc_get_item list_user_type_nr) )
>>     list_used_process_types=( $(rc_get_item list_process_type_nr) )
>>     list_used_group_types=( $(rc_get_item list_group_types | awk '{print $1}') )
>> }
>>
>> # Print the lowest number >= $1 that is not in the list $2. The list is padded
>> # with spaces and matched as a whole word: a bare "=~ $n" regex would also
>> # match 100 inside 1100 and so skip a free number.
>> function rc_next_free() {
>>     local n=$1
>>     while [[ " $2 " == *" ${n} "* ]]; do ((n++)); done
>>     echo "$n"
>> }
>>
>> # Give one file (init script, cron job or login binary) its own role with a
>> # private netobj, user, group, ipc, process and fd type, and force that role.
>> # ROLE and TYPE are global counters; rc_load_used_lists must have run first.
>> # Each allocated number is appended to its used list so the next file gets
>> # a different one.
>> function rc_alloc_role_and_types() {
>>     local NAME=$1
>>     local NAMESPROV NAMESROL NAMESTYPE USR_TYPE GRP_TYPE IPC_TYPE PRC_TYPE FD_TYPE
>>     NAMESPROV="$(basename "$NAME")"
>>     NAMESROL="$(echo "$NAMESPROV" | cut -c -11)"
>>     NAMESTYPE="$(echo "$NAMESPROV" | cut -c -7)"
>>
>>     # create role
>>     ROLE=$(rc_next_free "$ROLE" "${list_used_roles[*]}")
>>     rc_set_item ROLE "${ROLE}" name "${NAMESROL}"
>>     list_used_roles+=("$ROLE")
>>
>>     # set netobj type (no used-list check here, as in the original)
>>     rc_set_item TYPE "${TYPE}" type_netobj_name "${NAMESTYPE}_NOBJ"
>>
>>     # set user type
>>     TYPE=$(rc_next_free "$TYPE" "${list_used_user_types[*]}")
>>     USR_TYPE=$TYPE
>>     rc_set_item TYPE "${USR_TYPE}" type_user_name "${NAMESTYPE}_USR"
>>     list_used_user_types+=("$USR_TYPE")
>>     rc_set_item ROLE "${ROLE}" def_user_create_type "${USR_TYPE}"
>>
>>     # set group type (checked against the group list, not the user list)
>>     TYPE=$(rc_next_free "$TYPE" "${list_used_group_types[*]}")
>>     GRP_TYPE=$TYPE
>>     rc_set_item TYPE "${GRP_TYPE}" type_group_name "${NAMESTYPE}_GRP"
>>     list_used_group_types+=("$GRP_TYPE")
>>     rc_set_item ROLE "${ROLE}" def_group_create_type "${GRP_TYPE}"
>>
>>     # set ipc type
>>     TYPE=$(rc_next_free "$TYPE" "${list_used_ipc_types[*]}")
>>     IPC_TYPE=$TYPE
>>     rc_set_item TYPE "${IPC_TYPE}" type_ipc_name "${NAMESTYPE}_IPC"
>>     list_used_ipc_types+=("$IPC_TYPE")
>>     rc_set_item ROLE "${ROLE}" def_ipc_create_type "${IPC_TYPE}"
>>
>>     # set process type
>>     TYPE=$(rc_next_free "$TYPE" "${list_used_process_types[*]}")
>>     PRC_TYPE=$TYPE
>>     rc_set_item TYPE "${PRC_TYPE}" type_process_name "${NAMESTYPE}_PRC"
>>     list_used_process_types+=("$PRC_TYPE")
>>     rc_set_item ROLE "${ROLE}" def_process_create_type "${PRC_TYPE}"
>>     rc_set_item ROLE "${ROLE}" def_process_chown_type 4294967291
>>     rc_set_item ROLE "${ROLE}" def_process_execute_type 4294967294
>>
>>     # set fd type
>>     TYPE=$(rc_next_free "$TYPE" "${list_used_fd_types[*]}")
>>     FD_TYPE=$TYPE
>>     rc_set_item TYPE "${FD_TYPE}" type_fd_name "${NAMESTYPE}_FD"
>>     list_used_fd_types+=("$FD_TYPE")
>>     rc_set_item ROLE "${ROLE}" def_fd_create_type "${FD_TYPE}"
>>     rc_set_item ROLE "${ROLE}" def_fd_ind_create_type "${FD_TYPE}" 4294967294
>>     rc_set_item ROLE "${ROLE}" def_fd_ind_create_type /run "${FD_TYPE}"
>>     rc_set_item ROLE "${ROLE}" def_fd_ind_create_type /tmp "${FD_TYPE}"
>>     rc_set_item ROLE "${ROLE}" def_unixsock_create_type "${FD_TYPE}"
>>     attr_set_file_dir FD "${NAME}" rc_initial_role "${ROLE}"
>>     attr_set_file_dir FD "${NAME}" rc_force_role "${ROLE}"
>> }
>>
>> function rc_bootscriptsrc() {
>>     TYPE=100 ROLE=100
>>     rc_load_used_lists
>>     local NAME
>>     for NAME in /etc/init.d/* /etc/cron.daily/* /etc/cron.weekly/* \
>>                 /etc/cron.hourly/* /etc/cron.monthly/*; do
>>         rc_alloc_role_and_types "$NAME"
>>     done
>> }
>>
>> function rc_markrootdir() {
>>     BASE_NUM=100
>>     local list_used_fd_types=( $(rc_get_item list_fd_type_nr) )
>>     local dir
>>     for dir in /*; do
>>         BASE_NUM=$(rc_next_free "$BASE_NUM" "${list_used_fd_types[*]}")
>>         rc_set_item TYPE "${BASE_NUM}" type_fd_name "${dir}"
>>         attr_set_file_dir FD "${dir}" rc_type_fd "${BASE_NUM}"
>>         list_used_fd_types+=("$BASE_NUM")
>>     done
>> }
>>
>> function rc_markothertypesfiles() {
>>     BASE_NUM=100
>>     local list_used_fd_types=( $(rc_get_item list_fd_type_nr) )
>>     local file NAME
>>     for file in /etc/conf.d /etc/default /etc/lilo.conf /etc/fwknop /etc/openvpn \
>>                 /etc/shadow /etc/gshadow /etc/dovecot /etc/grub.d /etc/hiawatha \
>>                 /etc/pam.d /etc/privoxy /etc/tripwire /var/*; do
>>         BASE_NUM=$(rc_next_free "$BASE_NUM" "${list_used_fd_types[*]}")
>>         NAME="$(basename "$file")cfg"
>>         rc_set_item TYPE "${BASE_NUM}" type_fd_name "${NAME}"
>>         # label the file itself (the original used ${dir}, unset here)
>>         attr_set_file_dir FD "${file}" rc_type_fd "${BASE_NUM}"
>>         list_used_fd_types+=("$BASE_NUM")
>>     done
>> }
>>
>> function rc_markbinaries_roles_types() {
>>     TYPE=100 ROLE=100
>>     rc_load_used_lists
>>     local NAME
>>     for NAME in /sbin/agetty /bin/login /sbin/init /bin/su /sbin/lilo /usr/bin/sudo; do
>>         rc_alloc_role_and_types "$NAME"
>>     done
>> }
>>
>> function rc_trusted_path_execution() {
>>     local list_used_roles=( $(rc_get_item list_role_nr) )
>>     local list_used_fd_types=( $(rc_get_item list_fd_type_nr) )
>>     local all_roles all_types dir
>>
>>     # first take MAP_EXEC/EXECUTE away from every role on every fd type ...
>>     for all_roles in "${list_used_roles[@]}"; do
>>         for all_types in "${list_used_fd_types[@]}"; do
>>             rc_set_item -k ROLE "${all_roles}" type_comp_fd "${all_types}" MAP_EXEC EXECUTE
>>         done
>>     done
>>
>>     # ... then grant it back only on the types of the system binary directories
>>     for all_roles in "${list_used_roles[@]}"; do
>>         for dir in /usr/local/bin /usr/local/sbin /sbin /usr/bin /bin /usr/sbin /usr/libexec; do
>>             rc_set_item -a ROLE "${all_roles}" type_comp_fd \
>>                 "$(attr_get_file_dir RC FD "${dir}" rc_type_fd)" MAP_EXEC EXECUTE
>>         done
>>     done
>>     echo "incomplete function, what's happen with cron scripts and init.d ones, can you tell me?"
>> }
>>
>> cap_reset_caps
>> rc_bootscriptsrc
>> rc_markothertypesfiles
>> rc_markrootdir
>> rc_markbinaries_roles_types
>> rc_trusted_path_execution
>>
>> _______________________________________________ rsbac mailing
>> list rsbac en rsbac.org http://www.rsbac.org/mailman/listinfo/rsbac
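The quoted script allocates role and type numbers "automagically" by skipping every number already listed by rc_get_item, using a regex substring test. The following is an added example, not code from the thread or from RSBAC, showing that allocation done with a whole-word match; it runs offline on a constructed used-number list (SAMPLE_USED_ROLES stands in for the output of `rc_get_item list_role_nr`, which is an assumption about its format) and reserves each pick so two scripts never receive the same role.

```shell
#!/bin/sh
# Constructed sample of what `rc_get_item list_role_nr` prints (assumed
# format: one number per line). 1100 is included on purpose: a substring
# test like [[ "$list" =~ 100 ]] would wrongly see 100 as taken.
SAMPLE_USED_ROLES="0
1
2
3
1100"

# Print the lowest number >= $2 that does not appear as a whole word in
# the whitespace-separated list $1. The list is re-split and padded with
# single spaces so only " 100 " matches, never the 100 inside " 1100 ".
rc_next_free() {
    n=$2
    set -- $1
    used=" $* "
    while :; do
        case "$used" in
            *" $n "*) n=$((n + 1)) ;;
            *) printf '%s\n' "$n"; return 0 ;;
        esac
    done
}

# Allocate one distinct role number per name, starting at $2, given the
# used list $1. Prints "name number" per line. Each pick is appended to
# the used list before the next name is handled; without that step every
# name would be given the same "free" number (the quoted script's lists
# are never updated inside its loop).
rc_plan_roles() {
    used=$1
    start=$2
    shift 2
    for name in "$@"; do
        role=$(rc_next_free "$used" "$start")
        used="$used $role"
        printf '%s %s\n' "$name" "$role"
    done
}

rc_plan_roles "$SAMPLE_USED_ROLES" 100 cron sshd syslog
```

Running it prints cron 100, sshd 101, syslog 102: 100 is free despite 1100 being in use, and each script gets its own role.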