[rsbac] Shall we put this initial script on handbook????

Jens Kasten jens.kasten at kasten-edv.de
Wed Mar 22 20:56:32 CET 2017 

Hi list,

I would not use bash scripts anymore.
First I would build categories then the range those categories and then 
numbers.
Also build groups for install, remove, backup. The must interact with 
the different categories.
The configuration should then in simple config files. All other must in 
an application to get it better in a work in progress cycle.


Am 22.03.2017 19:21, schrieb Javier Juan Martinez Cabezon:
> Hi, what do you think about putting this on the handbook or it's to
> hackish/ugly to consider?
> 
> 
> 
> 
> rc_dummyroot(): copy root role to a new one copy from general user and
> assigned to root account (in progress)
> 
> cap_rc_create_forensic_role() an req_reauth authenticated forced role
> that can read anything even ram memory and can access at raw to any
> devices
> (in progress, a lot of copy-paste from prior code with some tuning)
> 
> cap_rc_package_system(): other forced re_authenticated role that could
> read write anything not in /home /admin /root directories and can 
> change
> anything, assign rights everywhere under their "owned" types and with
> individual_fd_create_type everywhere too.
> 
> rc_mark_devices():assign each(group?) devices their own dev and fd 
> type.
> 
> rc_mark_proc_sys():assign /proc/kcore or /proc/config.gz... or anything
> else it's own fd_type.
> 
> rc_restrict_perl_python()
> 
> rc_forbid_send_to_terminals(): tiocsti kill.
> rc_forbid_scd_kmem_to_allnotforensic()
> rc_mozilla_isolation_to_protect_user_files_against_ransomware()
> 
> One of this days I will do it. I think I'm going to sleep now. Get fun
> 
> function cap_reset_caps()
> {
> for file in /usr/local/bin/* /usr/local/sbin/* /sbin/* /usr/bin/* 
> /bin/*
> /usr/sbin/* /etc/init.d/* /etc/cron.daily/* /etc/cron.weekly/*
> /etc/cron.hourly/* /etc/cron.monthly/* /etc/cron.weekly/* /etc/cron.d/*
> /usr/libexec/**/*; do attr_set_file_dir FD "$file" max_caps UA; done
> }
> 
> 
> function rc_bootscriptsrc()
> {
> declare -a list_used_roles=$(rc_get_item list_role_nr)
> declare -a list_used_fd_types=$(rc_get_item list_fd_type_nr)
> declare -a list_used_dev_types=$(rc_get_item list_dev_type_nr)
> declare -a list_used_ipc_types=$(rc_get_item list_ipc_type_nr)
> declare -a list_used_user_types=$(rc_get_item list_user_type_nr)
> declare -a list_used_process_types=$(rc_get_item list_process_type_nr)
> declare -a list_used_group_types=$(rc_get_item list_group_types |awk
> '{print $1}')
> 
> TYPE=100
> ROLE=100
> for NAME in /etc/init.d/* /etc/cron.daily/* /etc/cron.weekly/*
> /etc/cron.hourly/* /etc/cron.monthly/* /etc/cron.weekly/*;
> do
> NAMESPROV="$(basename $(echo $NAME))"
> NAMESROL="$(echo $NAMESPROV |cut -c-11)"
> NAMESTYPE="$(echo $NAMESPROV |cut -c -7)"
> # create role
> while [[ ${list_used_roles[*]} =~ $ROLE ]]
> do
> ((ROLE++))
> done
> rc_set_item ROLE ${ROLE} name ${NAMESROL}
> 
> # set netobj_types
> while [[ ${list_used_roles[*]} =~ $ROLE ]]
> do
> ((ROLE++))
> done
> rc_set_item TYPE ${TYPE} type_netobj_name "${NAMESTYPE}_NOBJ"
> 
> 
> #set user type
> while [[ ${list_used_user_types[*]} =~ $TYPE ]]
> do
> ((TYPE++))
> done
> rc_set_item TYPE ${TYPE} type_user_name "${NAMESTYPE}_USR"
> 
> 
> #set group type
> while [[ ${list_used_user_types[*]} =~ $TYPE ]]
> do
> ((TYPE++))
> done
> rc_set_item TYPE ${TYPE} type_group_name "${NAMESTYPE}_GRP"
> rc_set_item ROLE ${ROLE} def_user_create_type ${TYPE}
> rc_set_item ROLE ${ROLE} def_group_create_type ${TYPE}
> 
> #set ipc type
> while [[ ${list_used_ipc_types[*]} =~ $TYPE ]]
> do
> ((TYPE++))
> done
> rc_set_item TYPE ${TYPE} type_ipc_name "${NAMESTYPE}_IPC"
> rc_set_item ROLE ${ROLE} def_ipc_create_type ${TYPE}
> 
> while [[ ${list_used_proc_types[*]} =~ $TYPE ]]
> do
> ((TYPE++))
> done
> rc_set_item TYPE ${TYPE} type_process_name "${NAMESTYPE}_PRC"
> rc_set_item ROLE ${ROLE} def_process_create_type ${TYPE}
> rc_set_item ROLE ${ROLE} def_process_chown_type 4294967291
> rc_set_item ROLE ${ROLE} def_process_execute_type 4294967294
> 
> while [[ ${list_used_fd_types[*]} =~ $TYPE ]]
> do
> ((TYPE++))
> done
> 
> rc_set_item TYPE ${TYPE} type_fd_name "${NAMESTYPE}_FD"
> rc_set_item ROLE ${ROLE} def_fd_create_type ${TYPE}
> rc_set_item ROLE ${ROLE} def_fd_ind_create_type ${TYPE} 4294967294
> rc_set_item ROLE ${ROLE} def_fd_ind_create_type /run ${TYPE}
> rc_set_item ROLE ${ROLE} def_fd_ind_create_type /tmp ${TYPE}
> rc_set_item ROLE ${ROLE} def_unixsock_create_type ${TYPE}
> attr_set_file_dir FD ${NAME} rc_initial_role ${ROLE}
> attr_set_file_dir FD ${NAME} rc_force_role ${ROLE}
> done
> }
> 
> function rc_markrootdir()
> {
> BASE_NUM=100
> declare -a list_used_fd_types=$(rc_get_item list_fd_type_nr)
> for dir in /*; do
> while [[ ${list_used_fd_types[*]} =~ $BASE_NUM ]]
> do
> ((BASE_NUM++))
> done
> NAME="$(echo $dir)"
> 
> rc_set_item TYPE ${BASE_NUM} type_fd_name ${NAME}
> attr_set_file_dir FD ${dir} rc_type_fd ${BASE_NUM}
> done
> }
> 
> function rc_markothertypesfiles()
> {
> BASE_NUM=100
> declare -a list_used_fd_types=$(rc_get_item list_fd_type_nr)
> for file in /etc/conf.d /etc/default /etc/lilo.conf  /etc/fwknop
> /etc/openvpn /etc/shadow /etc/gshadow /etc/dovecot /etc/grub.d
> /etc/hiawatha /etc/openvpn /etc/pam.d /etc/privoxy /etc/tripwire /var/*
> do
> 
> while [[ ${list_used_fd_types[*]} =~ $BASE_NUM ]]
> do
> ((BASE_NUM++))
> done
> NAME="$(basename $(echo $(echo $file)'cfg'))"
> rc_set_item TYPE ${BASE_NUM} type_fd_name ${NAME}
> attr_set_file_dir FD ${dir} rc_type_fd ${BASE_NUM}
> done
> }
> 
> function rc_markbinaries_roles_types()
> {
> TYPE=100
> ROLE=100
> declare -a list_used_roles=$(rc_get_item list_role_nr)
> declare -a list_used_fd_types=$(rc_get_item list_fd_type_nr)
> declare -a list_used_dev_types=$(rc_get_item list_dev_type_nr)
> declare -a list_used_ipc_types=$(rc_get_item list_ipc_type_nr)
> declare -a list_used_user_types=$(rc_get_item list_user_type_nr)
> declare -a list_used_process_types=$(rc_get_item list_process_type_nr)
> declare -a list_used_group_types=$(rc_get_item list_group_types |awk
> '{print $1}')
> for NAME in /sbin/agetty /bin/login /sbin/init /bin/su /sbin/lilo
> /usr/bin/sudo
> do
> 
> NAMESPROV="$(basename $(echo $NAME))"
> NAMESROL="$(echo $NAMESPROV |cut -c-11)"
> NAMESTYPE="$(echo $NAMESPROV |cut -c -7)"
> # create role
> while [[ ${list_used_roles[*]} =~ $ROLE ]]
> do
> ((ROLE++))
> done
> rc_set_item ROLE ${ROLE} name ${NAMESROL}
> 
> # set netobj_types
> while [[ ${list_used_roles[*]} =~ $ROLE ]]
> do
> ((ROLE++))
> done
> rc_set_item TYPE ${TYPE} type_netobj_name "${NAMESTYPE}_NOBJ"
> 
> 
> #set user type
> while [[ ${list_used_user_types[*]} =~ $TYPE ]]
> do
> ((TYPE++))
> done
> rc_set_item TYPE ${TYPE} type_user_name "${NAMESTYPE}_USR"
> 
> 
> #set group type
> while [[ ${list_used_user_types[*]} =~ $TYPE ]]
> do
> ((TYPE++))
> done
> rc_set_item TYPE ${TYPE} type_group_name "${NAMESTYPE}_GRP"
> rc_set_item ROLE ${ROLE} def_user_create_type ${TYPE}
> rc_set_item ROLE ${ROLE} def_group_create_type ${TYPE}
> 
> #set ipc type
> while [[ ${list_used_ipc_types[*]} =~ $TYPE ]]
> do
> ((TYPE++))
> done
> rc_set_item TYPE ${TYPE} type_ipc_name "${NAMESTYPE}_IPC"
> rc_set_item ROLE ${ROLE} def_ipc_create_type ${TYPE}
> 
> while [[ ${list_used_proc_types[*]} =~ $TYPE ]]
> do
> ((TYPE++))
> done
> rc_set_item TYPE ${TYPE} type_process_name "${NAMESTYPE}_PRC"
> rc_set_item ROLE ${ROLE} def_process_create_type ${TYPE}
> rc_set_item ROLE ${ROLE} def_process_chown_type 4294967291
> rc_set_item ROLE ${ROLE} def_process_execute_type 4294967294
> 
> while [[ ${list_used_fd_types[*]} =~ $TYPE ]]
> do
> ((TYPE++))
> done
> 
> rc_set_item TYPE ${TYPE} type_fd_name "${NAMESTYPE}_FD"
> rc_set_item ROLE ${ROLE} def_fd_create_type ${TYPE}
> rc_set_item ROLE ${ROLE} def_fd_ind_create_type ${TYPE} 4294967294
> rc_set_item ROLE ${ROLE} def_fd_ind_create_type /run ${TYPE}
> rc_set_item ROLE ${ROLE} def_fd_ind_create_type /tmp ${TYPE}
> rc_set_item ROLE ${ROLE} def_unixsock_create_type ${TYPE}
> attr_set_file_dir FD ${NAME} rc_initial_role ${ROLE}
> attr_set_file_dir FD ${NAME} rc_force_role ${ROLE}
> done
> 
> }
> 
> function rc_trusted_path_execution()
> {
> declare -a list_used_roles=$(rc_get_item list_role_nr)
> declare -a list_used_fd_types=$(rc_get_item list_fd_type_nr)
> 
> for all_roles in "${list_used_roles[@]}"
> do
> for all_types in "${list_used_fd_types[@]}"
> do
> rc_set_item -k ROLE "${all_roles}" type_comp_fd "${all_types}" MAP_EXEC
> EXECUTE
> done
> done
> 
> for all_roles in "${list_used_roles[@]}"
> do
> for dir in /usr/local/bin /usr/local/sbin /sbin /usr/bin /bin /usr/sbin
> /usr/libexec;
> do
> rc_set_item -a ROLE "${all_roles}" type_comp_fd $(attr_get_file_dir RC
> FD "${dir}" rc_type_fd) MAP_EXEC EXECUTE
> echo "incomplete function, what's happen with cron scripts and init.d
> ones, can you tell me?"
> done
> done
> 
> }
> cap_reset_caps
> rc_bootscriptsrc
> rc_markothertypesfiles
> rc_markrootdir
> rc_markbinaries_roles_types
> rc_trusted_path_execution
> 
> _______________________________________________
> rsbac mailing list
> rsbac at rsbac.org
> http://www.rsbac.org/mailman/listinfo/rsbac

More information about the rsbac mailing list