[rsbac] Shall we put this initial script on handbook????

Jens Kasten jens.kasten at kasten-edv.de
Thu Mar 23 08:34:01 CET 2017 

What you think about to use git to offer different branches for 
different setups. All what I do manual I will forget somethink always.

For example:
rsbac-swich --branch gentoo-rsbac UM

affect
/etc/pam.d
   [nsswitch.conf is now a symlink to /etc/nsswitch.conf]
   - gentoo-combat
      system-auth [only set sufficient pam_rsbac.so]
      nsswich.conf
   - gentoo-rsbac
      system-auth [only set require pam_rsbac.so, remove pam_unix.so]
      nsswich.conf

Then branch name --gentoo prefix can extend to debian, fedora ...


Am 22.03.2017 20:56, schrieb Jens Kasten:
> Hi list,
> 
> I would not use bash scripts anymore.
> First I would build categories then the range those categories and then 
> numbers.
> Also build groups for install, remove, backup. The must interact with
> the different categories.
> The configuration should then in simple config files. All other must
> in an application to get it better in a work in progress cycle.
> 
> 
> Am 22.03.2017 19:21, schrieb Javier Juan Martinez Cabezon:
>> Hi, what do you think about putting this on the handbook or it's to
>> hackish/ugly to consider?
>> 
>> 
>> 
>> 
>> rc_dummyroot(): copy root role to a new one copy from general user and
>> assigned to root account (in progress)
>> 
>> cap_rc_create_forensic_role() an req_reauth authenticated forced role
>> that can read anything even ram memory and can access at raw to any
>> devices
>> (in progress, a lot of copy-paste from prior code with some tuning)
>> 
>> cap_rc_package_system(): other forced re_authenticated role that could
>> read write anything not in /home /admin /root directories and can 
>> change
>> anything, assign rights everywhere under their "owned" types and with
>> individual_fd_create_type everywhere too.
>> 
>> rc_mark_devices():assign each(group?) devices their own dev and fd 
>> type.
>> 
>> rc_mark_proc_sys():assign /proc/kcore or /proc/config.gz... or 
>> anything
>> else it's own fd_type.
>> 
>> rc_restrict_perl_python()
>> 
>> rc_forbid_send_to_terminals(): tiocsti kill.
>> rc_forbid_scd_kmem_to_allnotforensic()
>> rc_mozilla_isolation_to_protect_user_files_against_ransomware()
>> 
>> One of this days I will do it. I think I'm going to sleep now. Get fun
>> 
>> function cap_reset_caps()
>> {
>> for file in /usr/local/bin/* /usr/local/sbin/* /sbin/* /usr/bin/* 
>> /bin/*
>> /usr/sbin/* /etc/init.d/* /etc/cron.daily/* /etc/cron.weekly/*
>> /etc/cron.hourly/* /etc/cron.monthly/* /etc/cron.weekly/* 
>> /etc/cron.d/*
>> /usr/libexec/**/*; do attr_set_file_dir FD "$file" max_caps UA; done
>> }
>> 
>> 
>> function rc_bootscriptsrc()
>> {
>> declare -a list_used_roles=$(rc_get_item list_role_nr)
>> declare -a list_used_fd_types=$(rc_get_item list_fd_type_nr)
>> declare -a list_used_dev_types=$(rc_get_item list_dev_type_nr)
>> declare -a list_used_ipc_types=$(rc_get_item list_ipc_type_nr)
>> declare -a list_used_user_types=$(rc_get_item list_user_type_nr)
>> declare -a list_used_process_types=$(rc_get_item list_process_type_nr)
>> declare -a list_used_group_types=$(rc_get_item list_group_types |awk
>> '{print $1}')
>> 
>> TYPE=100
>> ROLE=100
>> for NAME in /etc/init.d/* /etc/cron.daily/* /etc/cron.weekly/*
>> /etc/cron.hourly/* /etc/cron.monthly/* /etc/cron.weekly/*;
>> do
>> NAMESPROV="$(basename $(echo $NAME))"
>> NAMESROL="$(echo $NAMESPROV |cut -c-11)"
>> NAMESTYPE="$(echo $NAMESPROV |cut -c -7)"
>> # create role
>> while [[ ${list_used_roles[*]} =~ $ROLE ]]
>> do
>> ((ROLE++))
>> done
>> rc_set_item ROLE ${ROLE} name ${NAMESROL}
>> 
>> # set netobj_types
>> while [[ ${list_used_roles[*]} =~ $ROLE ]]
>> do
>> ((ROLE++))
>> done
>> rc_set_item TYPE ${TYPE} type_netobj_name "${NAMESTYPE}_NOBJ"
>> 
>> 
>> #set user type
>> while [[ ${list_used_user_types[*]} =~ $TYPE ]]
>> do
>> ((TYPE++))
>> done
>> rc_set_item TYPE ${TYPE} type_user_name "${NAMESTYPE}_USR"
>> 
>> 
>> #set group type
>> while [[ ${list_used_user_types[*]} =~ $TYPE ]]
>> do
>> ((TYPE++))
>> done
>> rc_set_item TYPE ${TYPE} type_group_name "${NAMESTYPE}_GRP"
>> rc_set_item ROLE ${ROLE} def_user_create_type ${TYPE}
>> rc_set_item ROLE ${ROLE} def_group_create_type ${TYPE}
>> 
>> #set ipc type
>> while [[ ${list_used_ipc_types[*]} =~ $TYPE ]]
>> do
>> ((TYPE++))
>> done
>> rc_set_item TYPE ${TYPE} type_ipc_name "${NAMESTYPE}_IPC"
>> rc_set_item ROLE ${ROLE} def_ipc_create_type ${TYPE}
>> 
>> while [[ ${list_used_proc_types[*]} =~ $TYPE ]]
>> do
>> ((TYPE++))
>> done
>> rc_set_item TYPE ${TYPE} type_process_name "${NAMESTYPE}_PRC"
>> rc_set_item ROLE ${ROLE} def_process_create_type ${TYPE}
>> rc_set_item ROLE ${ROLE} def_process_chown_type 4294967291
>> rc_set_item ROLE ${ROLE} def_process_execute_type 4294967294
>> 
>> while [[ ${list_used_fd_types[*]} =~ $TYPE ]]
>> do
>> ((TYPE++))
>> done
>> 
>> rc_set_item TYPE ${TYPE} type_fd_name "${NAMESTYPE}_FD"
>> rc_set_item ROLE ${ROLE} def_fd_create_type ${TYPE}
>> rc_set_item ROLE ${ROLE} def_fd_ind_create_type ${TYPE} 4294967294
>> rc_set_item ROLE ${ROLE} def_fd_ind_create_type /run ${TYPE}
>> rc_set_item ROLE ${ROLE} def_fd_ind_create_type /tmp ${TYPE}
>> rc_set_item ROLE ${ROLE} def_unixsock_create_type ${TYPE}
>> attr_set_file_dir FD ${NAME} rc_initial_role ${ROLE}
>> attr_set_file_dir FD ${NAME} rc_force_role ${ROLE}
>> done
>> }
>> 
>> function rc_markrootdir()
>> {
>> BASE_NUM=100
>> declare -a list_used_fd_types=$(rc_get_item list_fd_type_nr)
>> for dir in /*; do
>> while [[ ${list_used_fd_types[*]} =~ $BASE_NUM ]]
>> do
>> ((BASE_NUM++))
>> done
>> NAME="$(echo $dir)"
>> 
>> rc_set_item TYPE ${BASE_NUM} type_fd_name ${NAME}
>> attr_set_file_dir FD ${dir} rc_type_fd ${BASE_NUM}
>> done
>> }
>> 
>> function rc_markothertypesfiles()
>> {
>> BASE_NUM=100
>> declare -a list_used_fd_types=$(rc_get_item list_fd_type_nr)
>> for file in /etc/conf.d /etc/default /etc/lilo.conf  /etc/fwknop
>> /etc/openvpn /etc/shadow /etc/gshadow /etc/dovecot /etc/grub.d
>> /etc/hiawatha /etc/openvpn /etc/pam.d /etc/privoxy /etc/tripwire 
>> /var/*
>> do
>> 
>> while [[ ${list_used_fd_types[*]} =~ $BASE_NUM ]]
>> do
>> ((BASE_NUM++))
>> done
>> NAME="$(basename $(echo $(echo $file)'cfg'))"
>> rc_set_item TYPE ${BASE_NUM} type_fd_name ${NAME}
>> attr_set_file_dir FD ${dir} rc_type_fd ${BASE_NUM}
>> done
>> }
>> 
>> function rc_markbinaries_roles_types()
>> {
>> TYPE=100
>> ROLE=100
>> declare -a list_used_roles=$(rc_get_item list_role_nr)
>> declare -a list_used_fd_types=$(rc_get_item list_fd_type_nr)
>> declare -a list_used_dev_types=$(rc_get_item list_dev_type_nr)
>> declare -a list_used_ipc_types=$(rc_get_item list_ipc_type_nr)
>> declare -a list_used_user_types=$(rc_get_item list_user_type_nr)
>> declare -a list_used_process_types=$(rc_get_item list_process_type_nr)
>> declare -a list_used_group_types=$(rc_get_item list_group_types |awk
>> '{print $1}')
>> for NAME in /sbin/agetty /bin/login /sbin/init /bin/su /sbin/lilo
>> /usr/bin/sudo
>> do
>> 
>> NAMESPROV="$(basename $(echo $NAME))"
>> NAMESROL="$(echo $NAMESPROV |cut -c-11)"
>> NAMESTYPE="$(echo $NAMESPROV |cut -c -7)"
>> # create role
>> while [[ ${list_used_roles[*]} =~ $ROLE ]]
>> do
>> ((ROLE++))
>> done
>> rc_set_item ROLE ${ROLE} name ${NAMESROL}
>> 
>> # set netobj_types
>> while [[ ${list_used_roles[*]} =~ $ROLE ]]
>> do
>> ((ROLE++))
>> done
>> rc_set_item TYPE ${TYPE} type_netobj_name "${NAMESTYPE}_NOBJ"
>> 
>> 
>> #set user type
>> while [[ ${list_used_user_types[*]} =~ $TYPE ]]
>> do
>> ((TYPE++))
>> done
>> rc_set_item TYPE ${TYPE} type_user_name "${NAMESTYPE}_USR"
>> 
>> 
>> #set group type
>> while [[ ${list_used_user_types[*]} =~ $TYPE ]]
>> do
>> ((TYPE++))
>> done
>> rc_set_item TYPE ${TYPE} type_group_name "${NAMESTYPE}_GRP"
>> rc_set_item ROLE ${ROLE} def_user_create_type ${TYPE}
>> rc_set_item ROLE ${ROLE} def_group_create_type ${TYPE}
>> 
>> #set ipc type
>> while [[ ${list_used_ipc_types[*]} =~ $TYPE ]]
>> do
>> ((TYPE++))
>> done
>> rc_set_item TYPE ${TYPE} type_ipc_name "${NAMESTYPE}_IPC"
>> rc_set_item ROLE ${ROLE} def_ipc_create_type ${TYPE}
>> 
>> while [[ ${list_used_proc_types[*]} =~ $TYPE ]]
>> do
>> ((TYPE++))
>> done
>> rc_set_item TYPE ${TYPE} type_process_name "${NAMESTYPE}_PRC"
>> rc_set_item ROLE ${ROLE} def_process_create_type ${TYPE}
>> rc_set_item ROLE ${ROLE} def_process_chown_type 4294967291
>> rc_set_item ROLE ${ROLE} def_process_execute_type 4294967294
>> 
>> while [[ ${list_used_fd_types[*]} =~ $TYPE ]]
>> do
>> ((TYPE++))
>> done
>> 
>> rc_set_item TYPE ${TYPE} type_fd_name "${NAMESTYPE}_FD"
>> rc_set_item ROLE ${ROLE} def_fd_create_type ${TYPE}
>> rc_set_item ROLE ${ROLE} def_fd_ind_create_type ${TYPE} 4294967294
>> rc_set_item ROLE ${ROLE} def_fd_ind_create_type /run ${TYPE}
>> rc_set_item ROLE ${ROLE} def_fd_ind_create_type /tmp ${TYPE}
>> rc_set_item ROLE ${ROLE} def_unixsock_create_type ${TYPE}
>> attr_set_file_dir FD ${NAME} rc_initial_role ${ROLE}
>> attr_set_file_dir FD ${NAME} rc_force_role ${ROLE}
>> done
>> 
>> }
>> 
>> function rc_trusted_path_execution()
>> {
>> declare -a list_used_roles=$(rc_get_item list_role_nr)
>> declare -a list_used_fd_types=$(rc_get_item list_fd_type_nr)
>> 
>> for all_roles in "${list_used_roles[@]}"
>> do
>> for all_types in "${list_used_fd_types[@]}"
>> do
>> rc_set_item -k ROLE "${all_roles}" type_comp_fd "${all_types}" 
>> MAP_EXEC
>> EXECUTE
>> done
>> done
>> 
>> for all_roles in "${list_used_roles[@]}"
>> do
>> for dir in /usr/local/bin /usr/local/sbin /sbin /usr/bin /bin 
>> /usr/sbin
>> /usr/libexec;
>> do
>> rc_set_item -a ROLE "${all_roles}" type_comp_fd $(attr_get_file_dir RC
>> FD "${dir}" rc_type_fd) MAP_EXEC EXECUTE
>> echo "incomplete function, what's happen with cron scripts and init.d
>> ones, can you tell me?"
>> done
>> done
>> 
>> }
>> cap_reset_caps
>> rc_bootscriptsrc
>> rc_markothertypesfiles
>> rc_markrootdir
>> rc_markbinaries_roles_types
>> rc_trusted_path_execution
>> 
>> _______________________________________________
>> rsbac mailing list
>> rsbac at rsbac.org
>> http://www.rsbac.org/mailman/listinfo/rsbac
> _______________________________________________
> rsbac mailing list
> rsbac at rsbac.org
> http://www.rsbac.org/mailman/listinfo/rsbac

More information about the rsbac mailing list