[rsbac] Shall we put this initial script on handbook????

Jens Kasten jens.kasten at kasten-edv.de
Thu Mar 23 08:38:15 CET 2017


Hmm, I think the branch-name prefix is obsolete: it can be figured out dynamically,
or we can offer a switch like --OS

Am 23.03.2017 08:34, schrieb Jens Kasten:
> What do you think about using git to offer different branches for
> different setups? Whatever I do manually, I always forget something.
> 
> For example:
> rsbac-swich --branch gentoo-rsbac UM
> 
> affect
> /etc/pam.d
>   [nsswitch.conf is now a symlink to /etc/nsswitch.conf]
>   - gentoo-combat
>      system-auth [only set sufficient pam_rsbac.so]
>      nsswich.conf
>   - gentoo-rsbac
>      system-auth [only set require pam_rsbac.so, remove pam_unix.so]
>      nsswich.conf
> 
> Then the --gentoo branch-name prefix can be extended to debian, fedora ...
> 
> 
> Am 22.03.2017 20:56, schrieb Jens Kasten:
>> Hi list,
>> 
>> I would not use bash scripts anymore.
>> First I would build categories, then the ranges of those categories, and
>> then the numbers.
>> Also build groups for install, remove and backup. These must interact with
>> the different categories.
>> The configuration should then live in simple config files. Everything else
>> belongs in an application, so it can be improved in a work-in-progress cycle.
>> 
>> 
>> Am 22.03.2017 19:21, schrieb Javier Juan Martinez Cabezon:
>>> Hi, what do you think about putting this on the handbook, or is it too
>>> hackish/ugly to consider?
>>> 
>>> 
>>> 
>>> 
>>> rc_dummyroot(): copy the root role to a new one, copied from the general
>>> user role, and assign it to the root account (in progress)
>>> 
>>> cap_rc_create_forensic_role(): a forced role, authenticated with req_reauth,
>>> that can read anything, even RAM, and has raw access to any device
>>> (in progress, a lot of copy-paste from prior code with some tuning)
>>> 
>>> cap_rc_package_system(): another forced, re-authenticated role that can
>>> read and write anything outside the /home, /admin and /root directories,
>>> can change anything, and can assign rights everywhere under its "owned"
>>> types, with individual_fd_create_type everywhere too.
>>> 
>>> rc_mark_devices(): assign each device (or group of devices?) its own dev
>>> and fd type.
>>> 
>>> rc_mark_proc_sys(): assign /proc/kcore, /proc/config.gz ... or anything
>>> else its own fd_type.
>>> 
>>> rc_restrict_perl_python()
>>> 
>>> rc_forbid_send_to_terminals(): TIOCSTI, kill.
>>> rc_forbid_scd_kmem_to_allnotforensic()
>>> rc_mozilla_isolation_to_protect_user_files_against_ransomware()
>>> 
>>> One of these days I will do it. I think I'm going to sleep now. Have
>>> fun
>>> 
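#######################################
# Reset the RC max_caps attribute to UA on everything in the system binary,
# init-script and cron directories, recursing through /usr/libexec.
# Globals:   none
# Arguments: none
# Outputs:   whatever attr_set_file_dir prints
# Returns:   0; individual attr_set_file_dir failures are not checked
#            (best effort, as in the original)
#######################################
cap_reset_caps() {
  # Run in a subshell so the shell options do not leak to the caller.
  # globstar is required for /usr/libexec/**/* to recurse (without it **
  # behaves like a single *); nullglob drops unmatched patterns so a literal
  # "/etc/cron.d/*" is never passed to attr_set_file_dir as a file name.
  # /etc/cron.weekly/* was listed twice in the original.
  (
    local file
    shopt -s globstar nullglob
    for file in /usr/local/bin/* /usr/local/sbin/* /sbin/* /usr/bin/* /bin/* \
      /usr/sbin/* /etc/init.d/* /etc/cron.daily/* /etc/cron.weekly/* \
      /etc/cron.hourly/* /etc/cron.monthly/* /etc/cron.d/* \
      /usr/libexec/**/*; do
      attr_set_file_dir FD "$file" max_caps UA
    done
  )
}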
>>> 
>>> 
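#######################################
# Print the first number >= $1 that is not among the remaining arguments.
# Arguments: $1 - lowest candidate number
#            $2.. - numbers already in use
# Outputs:   the free number on stdout
#######################################
_rc_free_number() {
  local candidate=$1 used in_use
  shift
  while :; do
    in_use=0
    for used in "$@"; do
      # exact comparison: the original's [[ "${list[*]}" =~ $n ]] was an
      # unanchored substring match, so 100 counted as used whenever 1000 was
      if [[ "$used" == "$candidate" ]]; then
        in_use=1
        break
      fi
    done
    (( in_use )) || break
    candidate=$(( candidate + 1 ))
  done
  printf '%s\n' "$candidate"
}

#######################################
# Create one RC role with its own set of types for a script or binary and
# bind that role to the file via its rc_initial_role and rc_force_role
# attributes.
# Arguments: $1 - path of the file
#            $2 - role number to create (must be free)
#            $3 - type number to create; it is used as the netobj, user,
#                 group, ipc, process and fd type of the role, so it must
#                 be free in all of those namespaces
# Outputs:   whatever rc_set_item / attr_set_file_dir print
# Returns:   status of the last attr_set_file_dir call
#######################################
_rc_assign_own_role() {
  local path=$1 role=$2 type=$3
  local base=${path##*/}
  # the original truncated role names to 11 and type prefixes to 7 characters
  # (cut -c-11 / cut -c -7); presumably an RC name-length limit — TODO confirm
  local role_name=${base:0:11}
  local type_prefix=${base:0:7}

  # create role
  rc_set_item ROLE "$role" name "$role_name"

  # netobj type — NOTE(review): not checked against the netobj type list;
  # the original never fetched one either
  rc_set_item TYPE "$type" type_netobj_name "${type_prefix}_NOBJ"

  # user and group types
  rc_set_item TYPE "$type" type_user_name "${type_prefix}_USR"
  rc_set_item TYPE "$type" type_group_name "${type_prefix}_GRP"
  rc_set_item ROLE "$role" def_user_create_type "$type"
  rc_set_item ROLE "$role" def_group_create_type "$type"

  # ipc type
  rc_set_item TYPE "$type" type_ipc_name "${type_prefix}_IPC"
  rc_set_item ROLE "$role" def_ipc_create_type "$type"

  # process type; 4294967291 and 4294967294 (2^32-5, 2^32-2) are RC special
  # type values — see the rc_set_item documentation for their meaning
  rc_set_item TYPE "$type" type_process_name "${type_prefix}_PRC"
  rc_set_item ROLE "$role" def_process_create_type "$type"
  rc_set_item ROLE "$role" def_process_chown_type 4294967291
  rc_set_item ROLE "$role" def_process_execute_type 4294967294

  # fd type
  rc_set_item TYPE "$type" type_fd_name "${type_prefix}_FD"
  rc_set_item ROLE "$role" def_fd_create_type "$type"
  # NOTE(review): kept from the original; the two calls below take a path as
  # first argument, so "$type" in that position looks wrong — confirm intent
  rc_set_item ROLE "$role" def_fd_ind_create_type "$type" 4294967294
  rc_set_item ROLE "$role" def_fd_ind_create_type /run "$type"
  rc_set_item ROLE "$role" def_fd_ind_create_type /tmp "$type"
  rc_set_item ROLE "$role" def_unixsock_create_type "$type"

  attr_set_file_dir FD "$path" rc_initial_role "$role"
  attr_set_file_dir FD "$path" rc_force_role "$role"
}

#######################################
# Give every existing path in the argument list its own role and type set.
# Role and type numbers start at 100; each path gets the next number that
# is neither reported as in use by rc_get_item nor handed out earlier in
# this call. Unlike the original (which searched each type namespace
# separately), one type number is chosen that is free in every namespace
# _rc_assign_own_role uses it in.
# Arguments: $@ - file paths; unmatched glob patterns and missing files
#                 are skipped
# Outputs:   whatever rc_set_item / attr_set_file_dir print
#######################################
_rc_assign_own_roles() {
  local -a used_roles used_fd used_ipc used_user used_process used_group
  local -a used_types
  local path role type
  # read -d '' slurps the whole output and splits it on whitespace, so it
  # works whether rc_get_item prints one number per line or one line of
  # numbers (the original `declare -a x=$(..)` kept the output as a single
  # element); read returns 1 at EOF, hence || true
  read -r -d '' -a used_roles < <(rc_get_item list_role_nr) || true
  read -r -d '' -a used_fd < <(rc_get_item list_fd_type_nr) || true
  read -r -d '' -a used_ipc < <(rc_get_item list_ipc_type_nr) || true
  read -r -d '' -a used_user < <(rc_get_item list_user_type_nr) || true
  read -r -d '' -a used_process < <(rc_get_item list_process_type_nr) || true
  # list_group_types presumably prints "<nr> <name>" lines (the original took
  # field 1 with awk); keep the number only
  read -r -d '' -a used_group < <(rc_get_item list_group_types | awk '{print $1}') || true
  used_types=("${used_fd[@]}" "${used_ipc[@]}" "${used_user[@]}" \
    "${used_process[@]}" "${used_group[@]}")

  role=100
  type=100
  for path in "$@"; do
    [[ -e "$path" ]] || continue
    role=$(_rc_free_number "$role" "${used_roles[@]}")
    type=$(_rc_free_number "$type" "${used_types[@]}")
    _rc_assign_own_role "$path" "$role" "$type"
    # step past the numbers just used: the original never advanced ROLE and
    # TYPE between files, so every file was given role 100 / type 100 again
    role=$(( role + 1 ))
    type=$(( type + 1 ))
  done
}

#######################################
# Give every init script and cron job its own forced RC role and type set.
# Globals:   none
# Arguments: none
# Outputs:   whatever rc_set_item / attr_set_file_dir print
#######################################
rc_bootscriptsrc() {
  # an unmatched pattern stays literal and is skipped as a missing file;
  # /etc/cron.weekly/* was listed twice in the original
  _rc_assign_own_roles /etc/init.d/* /etc/cron.daily/* /etc/cron.weekly/* \
    /etc/cron.hourly/* /etc/cron.monthly/*
}

#######################################
# Give every top-level directory its own RC fd type, named after the
# directory itself (e.g. "/usr").
# Globals:   none
# Arguments: none
# Outputs:   whatever rc_set_item / attr_set_file_dir print
#######################################
rc_markrootdir() {
  local -a used_fd_types
  local dir type
  read -r -d '' -a used_fd_types < <(rc_get_item list_fd_type_nr) || true
  type=100
  for dir in /*; do
    type=$(_rc_free_number "$type" "${used_fd_types[@]}")
    rc_set_item TYPE "$type" type_fd_name "$dir"
    attr_set_file_dir FD "$dir" rc_type_fd "$type"
    # the original never advanced BASE_NUM, so every directory got type 100
    type=$(( type + 1 ))
  done
}

#######################################
# Give selected configuration files/directories and everything under /var
# their own RC fd type, named "<basename>cfg" (e.g. "shadowcfg").
# Globals:   none
# Arguments: none
# Outputs:   whatever rc_set_item / attr_set_file_dir print
#######################################
rc_markothertypesfiles() {
  local -a used_fd_types
  local file type
  read -r -d '' -a used_fd_types < <(rc_get_item list_fd_type_nr) || true
  type=100
  # /etc/openvpn was listed twice in the original
  for file in /etc/conf.d /etc/default /etc/lilo.conf /etc/fwknop /etc/openvpn \
    /etc/shadow /etc/gshadow /etc/dovecot /etc/grub.d /etc/hiawatha /etc/pam.d \
    /etc/privoxy /etc/tripwire /var/*; do
    [[ -e "$file" ]] || continue
    type=$(_rc_free_number "$type" "${used_fd_types[@]}")
    rc_set_item TYPE "$type" type_fd_name "${file##*/}cfg"
    # the original passed the unset variable $dir here instead of $file, so
    # the type was never actually applied to the path
    attr_set_file_dir FD "$file" rc_type_fd "$type"
    type=$(( type + 1 ))
  done
}

#######################################
# Give the login/privilege-boundary binaries their own forced RC role and
# type set.
# Globals:   none
# Arguments: none
# Outputs:   whatever rc_set_item / attr_set_file_dir print
#######################################
rc_markbinaries_roles_types() {
  _rc_assign_own_roles /sbin/agetty /bin/login /sbin/init /bin/su /sbin/lilo \
    /usr/bin/sudo
}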
>>> 
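#######################################
# Trusted-path execution: for every RC role, first apply MAP_EXEC EXECUTE
# on every fd type with "rc_set_item -k" (option kept from the original —
# check its semantics in the rc_set_item documentation), then add the
# same rights on the fd types of the trusted binary directories only.
# Globals:   none
# Arguments: none
# Outputs:   rc_set_item output on stdout; the author's reminder about cron
#            and init.d scripts once on stderr (the original echoed it on
#            stdout inside the loop)
# Returns:   0 unless rc_set_item fails under set -e
#######################################
rc_trusted_path_execution() {
  local -a used_roles used_fd_types trusted_types
  local role fd_type dir dir_type
  # read -d '' splits the whole output on whitespace; the original's
  # `declare -a x=$(..)` stored it as ONE element, so each loop below ran
  # a single iteration with all numbers glued into one argument
  read -r -d '' -a used_roles < <(rc_get_item list_role_nr) || true
  read -r -d '' -a used_fd_types < <(rc_get_item list_fd_type_nr) || true

  for role in "${used_roles[@]}"; do
    for fd_type in "${used_fd_types[@]}"; do
      rc_set_item -k ROLE "$role" type_comp_fd "$fd_type" MAP_EXEC EXECUTE
    done
  done

  # the fd type of each trusted directory does not depend on the role, so
  # look it up once instead of once per role
  trusted_types=()
  for dir in /usr/local/bin /usr/local/sbin /sbin /usr/bin /bin /usr/sbin \
    /usr/libexec; do
    [[ -d "$dir" ]] || continue
    dir_type=$(attr_get_file_dir RC FD "$dir" rc_type_fd) || continue
    # an empty value would silently drop an argument from the rc_set_item
    # command line below
    if [[ -n "$dir_type" ]]; then
      trusted_types+=("$dir_type")
    fi
  done

  for role in "${used_roles[@]}"; do
    for dir_type in "${trusted_types[@]}"; do
      # -a: kept from the original, presumably "add rights" — confirm
      rc_set_item -a ROLE "$role" type_comp_fd "$dir_type" MAP_EXEC EXECUTE
    done
  done
  printf '%s\n' "incomplete function, what's happen with cron scripts and init.d ones, can you tell me?" >&2
}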
#######################################
# Entry point: apply the whole policy in the original order (caps reset,
# boot scripts, config files, root directories, login binaries, trusted
# path execution).
# Arguments: ignored
#######################################
main() {
  cap_reset_caps
  rc_bootscriptsrc
  rc_markothertypesfiles
  rc_markrootdir
  rc_markbinaries_roles_types
  rc_trusted_path_execution
}
main "$@"
>>> 

