Hi to the mailing list, some time ago I began writing a security
policy based on the RSBAC framework (based on the RC module, among
others). Some of the RSBAC modules are shared with other
frameworks, such as the one based on the Linux capabilities, so users of
other frameworks (such as LIDS, SELinux or GrSecurity) could find
this useful (even libcap users). I would like to get your opinion
about one "beta" policy I wrote some time ago. It is only a least-privilege
policy approach (restrict root's rights when it launches binaries, i.e. the
maximum privileges granted to binaries). The "policy" is this:
|
|
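#!/bin/bash
#
# RSBAC CAP-module least-privilege policy for binaries run by root.
#
# Pass 1 strips every capability in ALL_CAPS from the max_caps attribute of
# each regular file under the system bin directories; pass 2 adds back the
# few capabilities each tool needs. Everything goes through attr_set_file_dir
# (rsbac-admin), so the script has to run on an RSBAC kernel with the rights
# needed to change CAP attributes. Paths that do not exist on the host are
# skipped with a warning instead of aborting the whole policy load.
#
# Usage: bash cap-policy.sh   (no arguments)
set -euo pipefail
shopt -s nullglob   # an empty bin dir must expand to nothing, not to "/dir/*"

# Every capability the reset pass removes. NOTE(review): this is the list the
# policy was written against; kernels newer than the one it was tested on
# define further capabilities (e.g. AUDIT_WRITE, SETFCAP) that this pass would
# leave untouched -- confirm against the target kernel's CAP module.
readonly -a ALL_CAPS=(
  CHOWN DAC_OVERRIDE DAC_READ_SEARCH FOWNER FSETID KILL SETGID SETUID SETPCAP
  LINUX_IMMUTABLE NET_BIND_SERVICE NET_BROADCAST NET_ADMIN NET_RAW IPC_LOCK
  IPC_OWNER SYS_MODULE SYS_RAWIO SYS_CHROOT SYS_PTRACE SYS_PACCT SYS_ADMIN
  SYS_BOOT SYS_NICE SYS_RESOURCE SYS_TIME SYS_TTY_CONFIG MKNOD LEASE
)

#######################################
# Print a message to stderr and exit with status 1.
# Arguments: message words
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Remove every capability in ALL_CAPS from one file's max_caps.
# Globals:   ALL_CAPS (read)
# Arguments: $1 - path of the binary
# Returns:   0, or exits via die if attr_set_file_dir fails
#######################################
strip_caps() {
  local file=$1 cap
  # One call per capability, exactly as the original loop did. The -a calls
  # below pass several capabilities at once, so -m presumably accepts a list
  # too; collapsing this into a single call is left until that is confirmed.
  for cap in "${ALL_CAPS[@]}"; do
    attr_set_file_dir -m CAP FILE "$file" max_caps "$cap" \
      || die "cannot remove $cap from max_caps of $file"
  done
}

#######################################
# Reset max_caps on every regular file in the system bin directories.
# Symlinks are skipped, as in the original policy (presumably because the
# attribute belongs to the link target, which is reset under its own path --
# confirm); anything that is not a regular file is skipped as well, since
# the attribute is set with target type FILE.
#######################################
reset_all() {
  local file
  for file in /bin/* /sbin/* /usr/bin/* /usr/sbin/*; do
    if [[ -L "$file" || ! -f "$file" ]]; then
      continue
    fi
    strip_caps "$file"
  done
}

#######################################
# Add capabilities to one file's max_caps.
# Arguments: $1 - path of the binary; $2.. - capability names
# Outputs:   a warning on stderr when the path is absent (entry is skipped,
#            which keeps host-specific paths such as a versioned gawk from
#            stopping the policy load)
# Returns:   0, or exits via die if attr_set_file_dir fails
#######################################
grant() {
  local file=$1
  shift
  (( $# >= 1 )) || die "grant: no capability given for $file"
  if [[ ! -e "$file" ]]; then
    printf 'warn: %s not found, no capabilities granted\n' "$file" >&2
    return 0
  fi
  attr_set_file_dir -a CAP FILE "$file" max_caps "$@" \
    || die "cannot add $* to max_caps of $file"
}

#######################################
# Grants for /bin. Order and capability sets are those of the original
# policy; only the helper call changed.
#######################################
grant_bin() {
  grant /bin/login FOWNER CHOWN SETUID SETGID
  grant /bin/chroot SYS_CHROOT
  # SYS_ADMIN is the broadest capability there is; mount/umount need it for
  # mount(2), but a tool holding it is effectively unrestricted.
  grant /bin/mount SYS_ADMIN DAC_OVERRIDE
  grant /bin/netstat DAC_READ_SEARCH
  grant /bin/nice SYS_NICE
  grant /bin/passwd CHOWN
  grant /bin/killall KILL SYS_PTRACE
  grant /bin/ping NET_RAW
  grant /bin/su SETGID SETUID
  grant /bin/umount SYS_ADMIN DAC_OVERRIDE
  grant /bin/chattr LINUX_IMMUTABLE FOWNER DAC_READ_SEARCH
  grant /bin/chmod FOWNER DAC_READ_SEARCH
  grant /bin/chgrp CHOWN DAC_READ_SEARCH
  grant /bin/cat DAC_READ_SEARCH
  grant /bin/cp DAC_READ_SEARCH
  grant /bin/dd DAC_READ_SEARCH
  grant /bin/ls DAC_READ_SEARCH
  grant /bin/dir DAC_READ_SEARCH
  grant /bin/vdir DAC_READ_SEARCH
  grant /bin/chown DAC_READ_SEARCH CHOWN
  grant /bin/kill KILL
  grant /bin/mknod MKNOD
  # sethostname(2) is gated on SYS_ADMIN, hence the broad grant here.
  grant /bin/hostname SYS_ADMIN
  # Versioned path from the author's host; grant() warns and skips when the
  # file is absent.
  grant /bin/gawk-3.1.5 DAC_READ_SEARCH
  grant /bin/grep DAC_READ_SEARCH
  grant /bin/rm DAC_OVERRIDE
  grant /bin/rmdir DAC_OVERRIDE
  grant /bin/stat DAC_READ_SEARCH
  grant /bin/zless DAC_READ_SEARCH
  grant /bin/zmore DAC_READ_SEARCH
  grant /bin/bzmore DAC_READ_SEARCH
  grant /bin/bzdiff DAC_READ_SEARCH
  grant /bin/bzgrep DAC_READ_SEARCH
  grant /bin/bzip2 DAC_READ_SEARCH
  grant /bin/bzip2recover DAC_READ_SEARCH
  grant /bin/cksum DAC_READ_SEARCH
  grant /bin/comm DAC_READ_SEARCH
  grant /bin/cpio DAC_READ_SEARCH
  grant /bin/du DAC_READ_SEARCH
  grant /bin/gzip DAC_READ_SEARCH
  grant /bin/gzexe DAC_READ_SEARCH
  grant /bin/head DAC_READ_SEARCH
  # /bin/echo intentionally keeps no capabilities (was commented out).
  grant /bin/install DAC_READ_SEARCH
  grant /bin/link DAC_READ_SEARCH
  grant /bin/ln DAC_READ_SEARCH
  grant /bin/lsattr DAC_READ_SEARCH
  # /bin/lsmod SYS_MODULE was commented out in the original, presumably so
  # that no module tool keeps SYS_MODULE; left disabled.
  grant /bin/mkdir DAC_OVERRIDE
  grant /bin/more DAC_READ_SEARCH
  grant /bin/mv DAC_READ_SEARCH
  # DAC_OVERRIDE to directories not owned by root.
  # NOTE(review): DAC_OVERRIDE bypasses mode bits entirely, so an editor,
  # archiver or tee that keeps it can still write any file on the system; the
  # closing note of the policy already suggests dropping most of these.
  grant /bin/nano DAC_OVERRIDE
  grant /bin/readlink DAC_READ_SEARCH
  grant /bin/ed DAC_OVERRIDE
  grant /bin/sed DAC_OVERRIDE
  grant /bin/sort DAC_READ_SEARCH
  grant /bin/split DAC_READ_SEARCH
  grant /bin/stty DAC_OVERRIDE
  grant /bin/tar DAC_OVERRIDE
  grant /bin/tee DAC_OVERRIDE
  grant /bin/touch DAC_OVERRIDE
  grant /bin/uniq DAC_READ_SEARCH
  grant /bin/unlink DAC_OVERRIDE
  grant /bin/wc DAC_READ_SEARCH
}

#######################################
# Grants for /sbin. Order and capability sets are those of the original
# policy; only the helper call changed.
#######################################
grant_sbin() {
  grant /sbin/arp NET_ADMIN
  grant /sbin/arping NET_RAW
  grant /sbin/badblocks DAC_READ_SEARCH
  grant /sbin/blockdev DAC_READ_SEARCH
  grant /sbin/losetup SYS_ADMIN IPC_LOCK
  grant /sbin/ctrlaltdel SYS_BOOT
  # SYS_RAWIO allows raw device and port access; confined here to the
  # bootloader/clock/disk tools that need it.
  grant /sbin/lilo SYS_RAWIO
  grant /sbin/hdparm SYS_ADMIN SYS_RAWIO
  grant /sbin/hwclock SYS_RAWIO
  grant /sbin/ifconfig NET_ADMIN
  # /sbin/insmod SYS_MODULE was commented out in the original; left disabled.
  grant /sbin/mii-tool NET_ADMIN
  grant /sbin/swapon SYS_ADMIN
  grant /sbin/pivot_root SYS_ADMIN
  # /sbin/rmmod SYS_MODULE was commented out in the original; left disabled.
  grant /sbin/route NET_ADMIN
  grant /sbin/agetty DAC_OVERRIDE
  grant /sbin/shutdown SYS_BOOT
  grant /sbin/halt SYS_BOOT
}

#######################################
# Entry point: check the tool is available, reset, then re-grant.
#######################################
main() {
  command -v attr_set_file_dir >/dev/null \
    || die "attr_set_file_dir (rsbac-admin) not found in PATH"
  printf '%s\n' "setting CAP MODULE"
  reset_all
  grant_bin
  grant_sbin
}

main "$@"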
|
Please note that this "policy" was produced by trial and
error on a Gentoo hardened system. Most of the DAC_READ_SEARCH
and DAC_OVERRIDE grants can be omitted to make the DAC a bit stricter. Any
comment, suggestion or criticism about it would be very much appreciated.
|
Thanks for everything
|
PS: is there a code of conduct for the mailing list that I must read and follow?
-- |
gentoo-hardened@g.o mailing list |