[rsbac] Shall we put this initial script on handbook????
Jens Kasten
jens.kasten at kasten-edv.de
Thu Mar 23 08:38:15 CET 2017
Hmm, I think the prefix in the branch name is obsolete; it can be figured out dynamically,
or we could offer a switch like --OS
Am 23.03.2017 08:34, schrieb Jens Kasten:
> What do you think about using git to offer different branches for
> different setups? Whatever I do manually, I always forget something.
>
> For example:
> rsbac-swich --branch gentoo-rsbac UM
>
> affect
> /etc/pam.d
> [nsswitch.conf is now a symlink to /etc/nsswitch.conf]
> - gentoo-combat
> system-auth [only set sufficient pam_rsbac.so]
> nsswich.conf
> - gentoo-rsbac
> system-auth [only set require pam_rsbac.so, remove pam_unix.so]
> nsswich.conf
>
> The --gentoo prefix in the branch name can then be extended to debian, fedora, ...
>
>
> Am 22.03.2017 20:56, schrieb Jens Kasten:
>> Hi list,
>>
>> I would not use bash scripts anymore.
>> First I would define categories, then the number ranges for those
>> categories, and then the numbers themselves.
>> Also build groups for install, remove and backup; these must interact
>> with the different categories.
>> The configuration should then live in simple config files. Everything
>> else should be in an application, so it can be improved in a
>> work-in-progress cycle.
>>
>>
>> Am 22.03.2017 19:21, schrieb Javier Juan Martinez Cabezon:
>>> Hi, what do you think about putting this in the handbook, or is it too
>>> hackish/ugly to consider?
>>>
>>>
>>>
>>>
>>> rc_dummyroot(): copy the root role to a new one, copied from the general
>>> user role, and assign it to the root account (in progress)
>>>
>>> cap_rc_create_forensic_role(): a req_reauth-authenticated forced role
>>> that can read anything, even RAM, and has raw access to any device
>>> (in progress, a lot of copy-paste from prior code with some tuning)
>>>
>>> cap_rc_package_system(): another forced, re-authenticated role that can
>>> read and write anything outside the /home, /admin and /root directories,
>>> can change anything, and can assign rights everywhere under its "owned"
>>> types, with individual_fd_create_type everywhere too.
>>>
>>> rc_mark_devices(): assign each device (or device group?) its own dev and
>>> fd type.
>>>
>>> rc_mark_proc_sys(): assign /proc/kcore, /proc/config.gz, ... or anything
>>> else its own fd_type.
>>>
>>> rc_restrict_perl_python()
>>>
>>> rc_forbid_send_to_terminals(): tiocsti kill.
>>> rc_forbid_scd_kmem_to_allnotforensic()
>>> rc_mozilla_isolation_to_protect_user_files_against_ransomware()
>>>
>>> One of these days I will do it. I think I'm going to sleep now. Have
>>> fun
>>>
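#######################################
# Set the max_caps attribute of every system binary, init script, cron job
# and libexec helper to UA, so no file carries a capability set of its own.
# Globals:   none
# Arguments: $@ - optional explicit paths; without arguments the built-in
#            list of bin/sbin, /etc/init.d, /etc/cron.* and /usr/libexec
#            locations is used
# Outputs:   a warning on stderr for each missing path or failed call
# Returns:   0 if every existing path was handled, 1 if any
#            attr_set_file_dir call failed
#######################################
cap_reset_caps() {
  local -a targets=()
  local file failures=0 had_nullglob=0 had_globstar=0

  if (( $# > 0 )); then
    targets=("$@")
  else
    # nullglob: a pattern that matches nothing expands to nothing instead of
    # handing the literal pattern to attr_set_file_dir.
    # globstar: without it /usr/libexec/**/* only means "two levels deep";
    # with it the whole tree is covered.
    shopt -q nullglob && had_nullglob=1
    shopt -q globstar && had_globstar=1
    shopt -s nullglob globstar
    targets=(
      /usr/local/bin/* /usr/local/sbin/* /sbin/* /usr/bin/* /bin/* /usr/sbin/*
      /etc/init.d/*
      /etc/cron.daily/* /etc/cron.weekly/* /etc/cron.hourly/*
      /etc/cron.monthly/* /etc/cron.d/*
      /usr/libexec/**/*
    )
    # restore the caller's shell options
    (( had_nullglob )) || shopt -u nullglob
    (( had_globstar )) || shopt -u globstar
  fi

  for file in "${targets[@]}"; do
    if [[ ! -e "$file" ]]; then
      printf 'cap_reset_caps: skipping missing path %s\n' "$file" >&2
      continue
    fi
    # keep going on failure so one bad entry does not leave the rest untouched
    if ! attr_set_file_dir FD "$file" max_caps UA; then
      failures=$((failures + 1))
      printf 'cap_reset_caps: attr_set_file_dir failed for %s\n' "$file" >&2
    fi
  done
  (( failures == 0 ))
}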
>>>
>>>
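#######################################
# Test whether a number appears in a whitespace-separated list of numbers.
# Matching is on whole words, so 100 is not found in a list that only
# contains 1000 or 2100.
# Arguments: $1 - number to look for
#            $2 - list (space and/or newline separated, as rc_get_item prints)
# Returns:   0 if present, 1 otherwise
#######################################
_rc_nr_in_list() {
  [[ " ${2//[[:space:]]/ } " == *" $1 "* ]]
}

#######################################
# Print the smallest number >= $1 that does not appear in list $2.
# Arguments: $1 - first candidate, $2 - list of numbers in use
# Outputs:   the free number on stdout
#######################################
_rc_next_free_nr() {
  local nr=$1
  while _rc_nr_in_list "$nr" "$2"; do
    nr=$((nr + 1))
  done
  printf '%s\n' "$nr"
}

#######################################
# Give each listed file its own RC role plus a matching set of netobj, user,
# group, ipc, process and fd types, and force that role on the file.
# Numbers start at 100 and skip everything rc_get_item reports as in use as
# well as everything assigned earlier in the same call, so two files never
# share a role or a type.
# Globals:   none
# Arguments: $@ - files to handle; paths that do not exist are skipped
# Outputs:   warnings on stderr
# Returns:   0, or the status of the first failing rc_get_item, rc_set_item
#            or attr_set_file_dir call
#######################################
_rc_assign_role_and_types() {
  local used_roles used_fd used_ipc used_user used_group used_process
  local used_netobj=''
  local role_nr=100 type_nr=100 user_type group_type
  local file base role_name type_name

  # abort rather than guess when the in-use lists cannot be read: picking a
  # number blindly could rename a role or type that is already in service
  used_roles=$(rc_get_item list_role_nr) || return
  used_fd=$(rc_get_item list_fd_type_nr) || return
  used_ipc=$(rc_get_item list_ipc_type_nr) || return
  used_user=$(rc_get_item list_user_type_nr) || return
  used_process=$(rc_get_item list_process_type_nr) || return
  used_group=$(rc_get_item list_group_types | awk '{print $1}') || return
  # NOTE(review): no in-use list for netobj types is fetched, so netobj
  # numbers are only checked against this call's own assignments — confirm
  # whether rc_get_item offers such a listing

  for file in "$@"; do
    if [[ ! -e "$file" ]]; then
      printf 'rc: skipping missing path %s\n' "$file" >&2
      continue
    fi
    base=${file##*/}
    # names are truncated (11 chars for the role, 7 plus a suffix for the
    # types), so e.g. "network" and "networking" get identical labels; the
    # numbers stay distinct, only the labels collide
    role_name=${base:0:11}
    type_name=${base:0:7}

    role_nr=$(_rc_next_free_nr "$role_nr" "$used_roles")
    rc_set_item ROLE "$role_nr" name "$role_name" || return
    used_roles+=" $role_nr"

    type_nr=$(_rc_next_free_nr "$type_nr" "$used_netobj")
    rc_set_item TYPE "$type_nr" type_netobj_name "${type_name}_NOBJ" || return
    used_netobj+=" $type_nr"

    type_nr=$(_rc_next_free_nr "$type_nr" "$used_user")
    rc_set_item TYPE "$type_nr" type_user_name "${type_name}_USR" || return
    used_user+=" $type_nr"
    user_type=$type_nr

    type_nr=$(_rc_next_free_nr "$type_nr" "$used_group")
    rc_set_item TYPE "$type_nr" type_group_name "${type_name}_GRP" || return
    used_group+=" $type_nr"
    group_type=$type_nr
    # each default create type points at the type created for that class
    rc_set_item ROLE "$role_nr" def_user_create_type "$user_type" || return
    rc_set_item ROLE "$role_nr" def_group_create_type "$group_type" || return

    type_nr=$(_rc_next_free_nr "$type_nr" "$used_ipc")
    rc_set_item TYPE "$type_nr" type_ipc_name "${type_name}_IPC" || return
    used_ipc+=" $type_nr"
    rc_set_item ROLE "$role_nr" def_ipc_create_type "$type_nr" || return

    type_nr=$(_rc_next_free_nr "$type_nr" "$used_process")
    rc_set_item TYPE "$type_nr" type_process_name "${type_name}_PRC" || return
    used_process+=" $type_nr"
    rc_set_item ROLE "$role_nr" def_process_create_type "$type_nr" || return
    # 4294967291 / 4294967294 are RC special type values taken over from the
    # original script — confirm them against the RSBAC headers
    rc_set_item ROLE "$role_nr" def_process_chown_type 4294967291 || return
    rc_set_item ROLE "$role_nr" def_process_execute_type 4294967294 || return

    type_nr=$(_rc_next_free_nr "$type_nr" "$used_fd")
    rc_set_item TYPE "$type_nr" type_fd_name "${type_name}_FD" || return
    used_fd+=" $type_nr"
    rc_set_item ROLE "$role_nr" def_fd_create_type "$type_nr" || return
    # NOTE(review): this line's argument order (type, then 4294967294)
    # differs from the /run and /tmp lines below (path, then type); kept as
    # in the original, confirm against rc_set_item's documentation
    rc_set_item ROLE "$role_nr" def_fd_ind_create_type "$type_nr" 4294967294 || return
    rc_set_item ROLE "$role_nr" def_fd_ind_create_type /run "$type_nr" || return
    rc_set_item ROLE "$role_nr" def_fd_ind_create_type /tmp "$type_nr" || return
    rc_set_item ROLE "$role_nr" def_unixsock_create_type "$type_nr" || return
    attr_set_file_dir FD "$file" rc_initial_role "$role_nr" || return
    attr_set_file_dir FD "$file" rc_force_role "$role_nr" || return
  done
}

#######################################
# Assign a forced role and private types to every init.d and cron script.
# Arguments: $@ - optional explicit paths; the default is /etc/init.d/* and
#            the /etc/cron.{daily,weekly,hourly,monthly} directories
# Returns:   see _rc_assign_role_and_types
#######################################
rc_bootscriptsrc() {
  if (( $# > 0 )); then
    _rc_assign_role_and_types "$@"
  else
    # a pattern that matches nothing stays literal and is skipped by the
    # existence check in the helper
    _rc_assign_role_and_types /etc/init.d/* /etc/cron.daily/* \
      /etc/cron.weekly/* /etc/cron.hourly/* /etc/cron.monthly/*
  fi
}

#######################################
# Give every top-level directory its own fd type, named after the directory.
# Globals:   none
# Arguments: $@ - optional explicit directories; the default is /*
# Outputs:   warnings on stderr for missing paths
# Returns:   0, or the status of the first failing rc_get_item, rc_set_item
#            or attr_set_file_dir call
#######################################
rc_markrootdir() {
  local used_fd nr=100 dir
  local -a dirs=()

  if (( $# > 0 )); then
    dirs=("$@")
  else
    # NOTE(review): /* also covers /proc, /sys, /dev and, on merged-/usr
    # systems, symlinks such as /bin — whether a type on those is wanted is
    # not decided here
    dirs=(/*)
  fi
  used_fd=$(rc_get_item list_fd_type_nr) || return

  for dir in "${dirs[@]}"; do
    if [[ ! -e "$dir" ]]; then
      printf 'rc_markrootdir: skipping missing path %s\n' "$dir" >&2
      continue
    fi
    nr=$(_rc_next_free_nr "$nr" "$used_fd")
    # the type is named after the full path (e.g. "/etc"); rc_set_item may
    # truncate long names — confirm the limit
    rc_set_item TYPE "$nr" type_fd_name "$dir" || return
    attr_set_file_dir FD "$dir" rc_type_fd "$nr" || return
    # remember the number so the next directory gets a fresh one
    used_fd+=" $nr"
  done
}

#######################################
# Give selected configuration files and directories their own fd type,
# named "<basename>cfg" (e.g. /etc/shadow -> shadowcfg).
# Globals:   none
# Arguments: $@ - optional explicit paths; the default is the built-in list
#            of /etc entries plus /var/*
# Outputs:   warnings on stderr for missing paths
# Returns:   0, or the status of the first failing rc_get_item, rc_set_item
#            or attr_set_file_dir call
#######################################
rc_markothertypesfiles() {
  local used_fd nr=100 file name
  local -a files=()

  if (( $# > 0 )); then
    files=("$@")
  else
    files=(
      /etc/conf.d /etc/default /etc/lilo.conf /etc/fwknop /etc/openvpn
      /etc/shadow /etc/gshadow /etc/dovecot /etc/grub.d /etc/hiawatha
      /etc/pam.d /etc/privoxy /etc/tripwire /var/*
    )
  fi
  used_fd=$(rc_get_item list_fd_type_nr) || return

  for file in "${files[@]}"; do
    if [[ ! -e "$file" ]]; then
      printf 'rc_markothertypesfiles: skipping missing path %s\n' "$file" >&2
      continue
    fi
    nr=$(_rc_next_free_nr "$nr" "$used_fd")
    name="${file##*/}cfg"
    rc_set_item TYPE "$nr" type_fd_name "$name" || return
    # attach the type to the file it was just named after
    attr_set_file_dir FD "$file" rc_type_fd "$nr" || return
    used_fd+=" $nr"
  done
}

#######################################
# Assign a forced role and private types to the login/boot-critical binaries.
# Arguments: $@ - optional explicit paths; the default is agetty, login,
#            init, su, lilo and sudo
# Returns:   see _rc_assign_role_and_types
#######################################
rc_markbinaries_roles_types() {
  if (( $# > 0 )); then
    _rc_assign_role_and_types "$@"
  else
    _rc_assign_role_and_types /sbin/agetty /bin/login /sbin/init /bin/su \
      /sbin/lilo /usr/bin/sudo
  fi
}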
>>>
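#######################################
# Trusted-path execution: first take MAP_EXEC and EXECUTE away from every
# role on every fd type (rc_set_item -k, the original's remove form), then
# grant both back (rc_set_item -a) only for the fd types of the trusted
# binary directories. Every role is handled individually, so the
# in-use lists from rc_get_item are split into one element per number.
# Globals:   none
# Arguments: $@ - optional trusted directories; the default is the standard
#            bin, sbin and libexec locations
# Outputs:   warnings on stderr; the original "incomplete function" notice
#            is printed once on stderr
# Returns:   0, or the status of the first failing rc_get_item or
#            rc_set_item call
#######################################
rc_trusted_path_execution() {
  local -a used_roles=() used_fd_types=() trusted_dirs=()
  local role fd_type dir

  # read -d '' with a trailing NUL splits the output on any whitespace
  read -r -d '' -a used_roles < <(rc_get_item list_role_nr; printf '\0') || return
  read -r -d '' -a used_fd_types < <(rc_get_item list_fd_type_nr; printf '\0') || return
  if (( $# > 0 )); then
    trusted_dirs=("$@")
  else
    trusted_dirs=(/usr/local/bin /usr/local/sbin /sbin /usr/bin /bin /usr/sbin
      /usr/libexec)
  fi

  for role in "${used_roles[@]}"; do
    for fd_type in "${used_fd_types[@]}"; do
      rc_set_item -k ROLE "$role" type_comp_fd "$fd_type" MAP_EXEC EXECUTE || return
    done
  done

  for role in "${used_roles[@]}"; do
    for dir in "${trusted_dirs[@]}"; do
      # a directory whose type cannot be read is skipped: that role simply
      # gets no execute right there, which errs on the restrictive side
      if ! fd_type=$(attr_get_file_dir RC FD "$dir" rc_type_fd); then
        printf 'rc_trusted_path_execution: cannot read rc_type_fd of %s\n' "$dir" >&2
        continue
      fi
      rc_set_item -a ROLE "$role" type_comp_fd "$fd_type" MAP_EXEC EXECUTE || return
    done
  done

  # TODO(original author): init.d and cron scripts get their own fd types and
  # are not in the trusted list, so their execution is not covered here
  printf '%s\n' "incomplete function, what's happen with cron scripts and init.d ones, can you tell me?" >&2
}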
#######################################
# Entry point: apply the steps in the order the script was written —
# capability reset first, then roles/types for boot scripts, config files,
# root directories and critical binaries, and trusted-path execution last.
# Globals:   none
# Arguments: none used
#######################################
main() {
  cap_reset_caps
  rc_bootscriptsrc
  rc_markothertypesfiles
  rc_markrootdir
  rc_markbinaries_roles_types
  rc_trusted_path_execution
}
main "$@"
>>>