[rsbac] Shall we put this initial script on handbook????

Javier Juan Martinez Cabezon tazok.id0 at gmail.com
Wed Mar 22 19:21:57 CET 2017




Hi, what do you think about putting this in the handbook, or is it too
hackish/ugly to consider?




rc_dummyroot(): copy the root role to a new one, copied from general user, and
assign it to the root account (in progress)

cap_rc_create_forensic_role(): a req_reauth-authenticated forced role
that can read anything, even RAM, and has raw access to any device
(in progress, a lot of copy-paste from prior code with some tuning)

cap_rc_package_system(): another forced, re-authenticated role that can
read and write anything not in the /home, /admin or /root directories, can
change anything, and can assign rights everywhere under its "owned" types,
with individual_fd_create_type everywhere too.

rc_mark_devices(): assign each device (or group of devices?) its own dev and fd type.

rc_mark_proc_sys(): assign /proc/kcore, /proc/config.gz, ... or anything
else its own fd_type.

rc_restrict_perl_python()

rc_forbid_send_to_terminals(): tiocsti kill.
rc_forbid_scd_kmem_to_allnotforensic()
rc_mozilla_isolation_to_protect_user_files_against_ransomware()

One of these days I will do it. I think I'm going to sleep now. Have fun

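#######################################
# Reset the RC max_caps attribute of system binaries and scheduled scripts
# to UA (unassigned).
# Arguments: $@ - optional explicit paths; when none are given, the default
#                 set of bin/sbin, init.d, cron and libexec entries is used
# Outputs:   whatever attr_set_file_dir prints
# Returns:   0
#######################################
cap_reset_caps() {
  local file
  if (( $# > 0 )); then
    for file in "$@"; do
      attr_set_file_dir FD "$file" max_caps UA
    done
    return 0
  fi
  # The default list is expanded in a subshell so that nullglob (drop
  # patterns that match nothing instead of passing them literally) and
  # globstar (make /usr/libexec/** actually recurse) do not leak into the
  # caller's shell.  Paths are NUL-delimited so names with spaces survive.
  while IFS= read -r -d '' file; do
    attr_set_file_dir FD "$file" max_caps UA
  done < <(
    shopt -s nullglob globstar
    set -- /usr/local/bin/* /usr/local/sbin/* /sbin/* /usr/bin/* /bin/* \
      /usr/sbin/* /etc/init.d/* /etc/cron.daily/* /etc/cron.weekly/* \
      /etc/cron.hourly/* /etc/cron.monthly/* /etc/cron.d/* /usr/libexec/**/*
    (( $# > 0 )) && printf '%s\0' "$@"
  )
  return 0
}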


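#######################################
# Give every boot/cron script its own RC role plus a private set of RC types
# (netobj, user, group, ipc, process, fd) and make the script's file carry
# that role as both initial and forced role.
# Role and type numbers are allocated from 100 upwards, skipping numbers
# rc_get_item reports as in use; every number handed out is also recorded
# locally so two scripts never end up sharing one role or one type.
# Arguments: $@ - optional script paths; default is every entry of
#                 /etc/init.d and the /etc/cron.* directories
# Outputs:   whatever rc_set_item / attr_set_file_dir print
# Returns:   0
#######################################
rc_bootscriptsrc() {
  local IFS=$' \t\n'
  local -a scripts=("$@") used_roles=() used_types=() chunk=()
  local script list_cmd name role_name type_name role type

  if (( ${#scripts[@]} == 0 )); then
    for script in /etc/init.d/* /etc/cron.daily/* /etc/cron.weekly/* \
        /etc/cron.hourly/* /etc/cron.monthly/*; do
      # A pattern with no match stays literal; skip those rather than
      # creating a role for a file that does not exist.
      [[ -e "$script" ]] && scripts+=("$script")
    done
  fi

  # read -d '' consumes the whole output and splits on IFS, so it works
  # whether rc_get_item prints one number per line or all on one line.
  read -r -d '' -a used_roles < <(rc_get_item list_role_nr) || true
  # One type number per script is reused in every type class, so it has to
  # be free in all of them.  Netobj types are not queried because the
  # original did not -- TODO confirm whether rc_get_item can list netobj
  # type numbers and add that class here.
  for list_cmd in list_fd_type_nr list_ipc_type_nr list_user_type_nr \
      list_process_type_nr; do
    read -r -d '' -a chunk < <(rc_get_item "$list_cmd") || true
    used_types+=("${chunk[@]}")
  done
  read -r -d '' -a chunk < <(rc_get_item list_group_types | awk '{print $1}') || true
  used_types+=("${chunk[@]}")

  for script in "${scripts[@]}"; do
    name=${script##*/}
    role_name=${name:0:11}   # name lengths as the author chose them
    type_name=${name:0:7}    # leaves room for the _NOBJ/_USR/_GRP/_IPC/_PRC/_FD suffix
    role=100
    while [[ " ${used_roles[*]} " == *" $role "* ]]; do role=$((role + 1)); done
    type=100
    while [[ " ${used_types[*]} " == *" $type "* ]]; do type=$((type + 1)); done
    # Reserve both numbers so the next script gets fresh ones.
    used_roles+=("$role")
    used_types+=("$type")

    rc_set_item ROLE "$role" name "$role_name"
    rc_set_item TYPE "$type" type_netobj_name "${type_name}_NOBJ"
    rc_set_item TYPE "$type" type_user_name "${type_name}_USR"
    rc_set_item TYPE "$type" type_group_name "${type_name}_GRP"
    rc_set_item ROLE "$role" def_user_create_type "$type"
    rc_set_item ROLE "$role" def_group_create_type "$type"
    rc_set_item TYPE "$type" type_ipc_name "${type_name}_IPC"
    rc_set_item ROLE "$role" def_ipc_create_type "$type"
    rc_set_item TYPE "$type" type_process_name "${type_name}_PRC"
    rc_set_item ROLE "$role" def_process_create_type "$type"
    # Special RC type values kept exactly as the author wrote them; their
    # meaning is whatever rc_set_item documents -- not verified here.
    rc_set_item ROLE "$role" def_process_chown_type 4294967291
    rc_set_item ROLE "$role" def_process_execute_type 4294967294
    rc_set_item TYPE "$type" type_fd_name "${type_name}_FD"
    rc_set_item ROLE "$role" def_fd_create_type "$type"
    # NOTE(review): argument order differs from the /run and /tmp lines
    # below; kept as written -- confirm against rc_set_item's syntax.
    rc_set_item ROLE "$role" def_fd_ind_create_type "$type" 4294967294
    rc_set_item ROLE "$role" def_fd_ind_create_type /run "$type"
    rc_set_item ROLE "$role" def_fd_ind_create_type /tmp "$type"
    rc_set_item ROLE "$role" def_unixsock_create_type "$type"
    attr_set_file_dir FD "$script" rc_initial_role "$role"
    attr_set_file_dir FD "$script" rc_force_role "$role"
  done
  return 0
}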

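#######################################
# Give each top-level directory its own RC fd type, named after the
# directory path, and tag the directory with that type.
# Type numbers start at 100, skip what rc_get_item lists as in use, and
# each number handed out is reserved locally so directories do not end up
# sharing (and repeatedly renaming) one type.
# Arguments: $@ - optional directory paths; default is every entry of /
# Outputs:   whatever rc_set_item / attr_set_file_dir print
# Returns:   0
#######################################
rc_markrootdir() {
  local IFS=$' \t\n'
  local -a dirs=("$@") used=()
  local dir type

  if (( ${#dirs[@]} == 0 )); then
    for dir in /*; do
      [[ -e "$dir" ]] && dirs+=("$dir")
    done
  fi
  read -r -d '' -a used < <(rc_get_item list_fd_type_nr) || true

  for dir in "${dirs[@]}"; do
    type=100
    while [[ " ${used[*]} " == *" $type "* ]]; do type=$((type + 1)); done
    used+=("$type")   # reserve it so the next directory gets a fresh number
    rc_set_item TYPE "$type" type_fd_name "$dir"
    attr_set_file_dir FD "$dir" rc_type_fd "$type"
  done
  return 0
}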

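#######################################
# Give selected configuration files/directories their own RC fd type,
# named "<basename>cfg", and tag each path with that type.
# Type numbers start at 100, skip what rc_get_item lists as in use, and
# each number handed out is reserved locally so paths do not share a type.
# Arguments: $@ - optional paths; default is the author's list of sensitive
#                 /etc entries plus every entry of /var (missing ones skipped)
# Outputs:   whatever rc_set_item / attr_set_file_dir print
# Returns:   0
#######################################
rc_markothertypesfiles() {
  local IFS=$' \t\n'
  local -a files=("$@") used=()
  local file type name

  if (( ${#files[@]} == 0 )); then
    # /etc/openvpn was listed twice by the author; listed once here so it
    # does not get two types.
    for file in /etc/conf.d /etc/default /etc/lilo.conf /etc/fwknop \
        /etc/openvpn /etc/shadow /etc/gshadow /etc/dovecot /etc/grub.d \
        /etc/hiawatha /etc/pam.d /etc/privoxy /etc/tripwire /var/*; do
      [[ -e "$file" ]] && files+=("$file")
    done
  fi
  read -r -d '' -a used < <(rc_get_item list_fd_type_nr) || true

  for file in "${files[@]}"; do
    type=100
    while [[ " ${used[*]} " == *" $type "* ]]; do type=$((type + 1)); done
    used+=("$type")   # reserve it so the next path gets a fresh number
    name="${file##*/}cfg"
    rc_set_item TYPE "$type" type_fd_name "$name"
    # The path being typed is the current file, not a leftover $dir.
    attr_set_file_dir FD "$file" rc_type_fd "$type"
  done
  return 0
}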

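#######################################
# Give each login/boot binary its own RC role plus a private set of RC types
# (netobj, user, group, ipc, process, fd) and make the binary carry that
# role as both initial and forced role.
# Numbering works like rc_bootscriptsrc: start at 100, skip what rc_get_item
# reports as in use, and remember every number handed out so two binaries
# never share one role or one type.
# Arguments: $@ - optional binary paths; default is agetty, login, init, su,
#                 lilo and sudo.  Default entries that do not exist are
#                 skipped with a warning on stderr.
# Outputs:   whatever rc_set_item / attr_set_file_dir print
# Returns:   0
#######################################
rc_markbinaries_roles_types() {
  local IFS=$' \t\n'
  local -a binaries=("$@") used_roles=() used_types=() chunk=()
  local binary list_cmd name role_name type_name role type

  if (( ${#binaries[@]} == 0 )); then
    for binary in /sbin/agetty /bin/login /sbin/init /bin/su /sbin/lilo \
        /usr/bin/sudo; do
      if [[ -e "$binary" ]]; then
        binaries+=("$binary")
      else
        printf 'rc_markbinaries_roles_types: skipping missing %s\n' "$binary" >&2
      fi
    done
  fi

  # read -d '' consumes the whole output and splits on IFS, so it works
  # whether rc_get_item prints one number per line or all on one line.
  read -r -d '' -a used_roles < <(rc_get_item list_role_nr) || true
  # One type number per binary is reused in every type class, so it has to
  # be free in all of them.  Netobj types are not queried because the
  # original did not -- TODO confirm whether rc_get_item can list netobj
  # type numbers and add that class here.
  for list_cmd in list_fd_type_nr list_ipc_type_nr list_user_type_nr \
      list_process_type_nr; do
    read -r -d '' -a chunk < <(rc_get_item "$list_cmd") || true
    used_types+=("${chunk[@]}")
  done
  read -r -d '' -a chunk < <(rc_get_item list_group_types | awk '{print $1}') || true
  used_types+=("${chunk[@]}")

  for binary in "${binaries[@]}"; do
    name=${binary##*/}
    role_name=${name:0:11}   # name lengths as the author chose them
    type_name=${name:0:7}    # leaves room for the _NOBJ/_USR/_GRP/_IPC/_PRC/_FD suffix
    role=100
    while [[ " ${used_roles[*]} " == *" $role "* ]]; do role=$((role + 1)); done
    type=100
    while [[ " ${used_types[*]} " == *" $type "* ]]; do type=$((type + 1)); done
    # Reserve both numbers so the next binary gets fresh ones.
    used_roles+=("$role")
    used_types+=("$type")

    rc_set_item ROLE "$role" name "$role_name"
    rc_set_item TYPE "$type" type_netobj_name "${type_name}_NOBJ"
    rc_set_item TYPE "$type" type_user_name "${type_name}_USR"
    rc_set_item TYPE "$type" type_group_name "${type_name}_GRP"
    rc_set_item ROLE "$role" def_user_create_type "$type"
    rc_set_item ROLE "$role" def_group_create_type "$type"
    rc_set_item TYPE "$type" type_ipc_name "${type_name}_IPC"
    rc_set_item ROLE "$role" def_ipc_create_type "$type"
    rc_set_item TYPE "$type" type_process_name "${type_name}_PRC"
    rc_set_item ROLE "$role" def_process_create_type "$type"
    # Special RC type values kept exactly as the author wrote them; their
    # meaning is whatever rc_set_item documents -- not verified here.
    rc_set_item ROLE "$role" def_process_chown_type 4294967291
    rc_set_item ROLE "$role" def_process_execute_type 4294967294
    rc_set_item TYPE "$type" type_fd_name "${type_name}_FD"
    rc_set_item ROLE "$role" def_fd_create_type "$type"
    # NOTE(review): argument order differs from the /run and /tmp lines
    # below; kept as written -- confirm against rc_set_item's syntax.
    rc_set_item ROLE "$role" def_fd_ind_create_type "$type" 4294967294
    rc_set_item ROLE "$role" def_fd_ind_create_type /run "$type"
    rc_set_item ROLE "$role" def_fd_ind_create_type /tmp "$type"
    rc_set_item ROLE "$role" def_unixsock_create_type "$type"
    attr_set_file_dir FD "$binary" rc_initial_role "$role"
    attr_set_file_dir FD "$binary" rc_force_role "$role"
  done
  return 0
}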

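#######################################
# Trusted-path execution pass over the RC role/type matrix.
# The first loop applies MAP_EXEC EXECUTE with -k to every (role, fd type)
# pair; the second re-applies them with -a for the fd type of each trusted
# directory.  What -k and -a mean is defined by rc_set_item -- confirm
# before relying on this as the complete policy.
# Arguments: $@ - optional trusted directories; default is the usual
#                 bin/sbin/libexec set
# Outputs:   whatever rc_set_item prints; the author's "incomplete function"
#            note goes to stderr once instead of once per role and directory
# Returns:   0
#######################################
rc_trusted_path_execution() {
  local IFS=$' \t\n'
  local -a roles=() fd_types=() trusted_dirs=("$@")
  local role fd_type dir dir_type

  if (( ${#trusted_dirs[@]} == 0 )); then
    trusted_dirs=(/usr/local/bin /usr/local/sbin /sbin /usr/bin /bin \
      /usr/sbin /usr/libexec)
  fi
  # Proper arrays: a "declare -a x=$(cmd)" would have produced a single
  # element holding the whole list, so each loop below ran only once.
  read -r -d '' -a roles < <(rc_get_item list_role_nr) || true
  read -r -d '' -a fd_types < <(rc_get_item list_fd_type_nr) || true

  for role in "${roles[@]}"; do
    for fd_type in "${fd_types[@]}"; do
      rc_set_item -k ROLE "$role" type_comp_fd "$fd_type" MAP_EXEC EXECUTE
    done
  done

  for role in "${roles[@]}"; do
    for dir in "${trusted_dirs[@]}"; do
      # Skip a directory whose type cannot be read rather than passing an
      # empty type to rc_set_item.
      dir_type=$(attr_get_file_dir RC FD "$dir" rc_type_fd) || continue
      [[ -n "$dir_type" ]] || continue
      rc_set_item -a ROLE "$role" type_comp_fd "$dir_type" MAP_EXEC EXECUTE
    done
  done

  printf '%s\n' "incomplete function, what's happen with cron scripts and init.d ones, can you tell me?" >&2
  return 0
}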
#######################################
# Entry point: run the policy steps in the order the author gave them.
# Arguments: none are used by the steps; "$@" is passed through untouched.
#######################################
main() {
  cap_reset_caps
  rc_bootscriptsrc
  rc_markothertypesfiles
  rc_markrootdir
  rc_markbinaries_roles_types
  rc_trusted_path_execution
}
main "$@"


