
From: tazok <tazok.id0@×××××.com>
To: gentoo-hardened@l.g.o
Subject: [gentoo-hardened] Discussion about security policy based on Linux Capabilities
Date: Thu, 03 May 2007 19:48:17
Message-Id: 897813410705031246q2a16c528m594625151bdd701b@mail.gmail.com
Hi list, some time ago I began writing a security policy based on the RSBAC framework (using the RC module, among others). Some of RSBAC's modules overlap with other frameworks, such as the ones built on Linux capabilities, so users of other frameworks (LIDS, SELinux or grsecurity, for example) and even plain libcap users might find this useful. I would like your opinion on a "beta" policy I wrote a while ago. It is only a least-privilege approach: it restricts the rights root keeps when launching a binary by setting the maximum capabilities granted to each binary. The "policy" is this:
10
11
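#!/bin/bash
#
# RSBAC CAP-module policy: least privilege for binaries executed by root.
#
# Two passes.  The reset pass removes every capability from the max_caps
# attribute of each regular file in the system binary directories, so nothing
# under those paths can retain a capability after execve.  The grant pass then
# adds back, per binary, only the capabilities that binary was observed to
# need.  Anything not granted below is unavailable even to root once it runs
# one of these programs.
#
# Requirements: the rsbac-admin utilities (attr_set_file_dir) in PATH, and a
# caller that RSBAC allows to change CAP attributes (the security officer
# role, which is not the same thing as uid 0; only the tool's presence is
# checked here).
#
# CAP_POLICY_DIRS, if set, is a space-separated list of directories to reset
# instead of the default "/bin /sbin /usr/bin /usr/sbin".  Binaries elsewhere
# (/usr/local/bin, /opt, ...) keep whatever max_caps they already have, so a
# root shell can still run them with full capabilities.
#
# The grant list was built by trial and error on one Gentoo Hardened box; it
# is a starting point, not a verified minimal set.
#
# Note on the mail-wrapped original: the capability list of the reset loop and
# the chattr grant were broken across lines without continuation characters,
# which bash parses as separate commands.  Both are single statements here.

echo "setting CAP MODULE"

# Every capability the CAP module knew when this policy was written.  This is
# the set stripped from each binary in the reset pass; a capability missing
# from this list would survive the reset.
ALL_CAPS=(
  CHOWN DAC_OVERRIDE DAC_READ_SEARCH FOWNER FSETID KILL SETGID SETUID SETPCAP
  LINUX_IMMUTABLE NET_BIND_SERVICE NET_BROADCAST NET_ADMIN NET_RAW IPC_LOCK
  IPC_OWNER SYS_MODULE SYS_RAWIO SYS_CHROOT SYS_PTRACE SYS_PACCT SYS_ADMIN
  SYS_BOOT SYS_NICE SYS_RESOURCE SYS_TIME SYS_TTY_CONFIG MKNOD LEASE
)

# Number of attr_set_file_dir calls that returned non-zero.  The script keeps
# going so one bad entry does not leave the rest of the policy unapplied, and
# reports the count (with exit status 1) at the end.
failures=0

die() { printf '%s\n' "$*" >&2; exit 1; }

command -v attr_set_file_dir >/dev/null 2>&1 \
  || die "attr_set_file_dir not found; install the rsbac-admin tools"

#######################################
# Remove every capability in ALL_CAPS from a file's max_caps.
# Arguments: $1 - path of a regular file
# Globals:   ALL_CAPS (read), failures (written)
#######################################
strip_all_caps() {
  local file=$1 cap
  # One call per capability, as in the original policy.  The -a calls below
  # show the tool accepts several values after max_caps, so this loop could
  # probably be collapsed into a single -m call; that was not verified here.
  for cap in "${ALL_CAPS[@]}"; do
    attr_set_file_dir -m CAP FILE "$file" max_caps "$cap" \
      || failures=$((failures + 1))
  done
}

#######################################
# Add the given capabilities to a file's max_caps.
# Arguments: $1 - path of the binary; $2.. - capability names
# Globals:   failures (written)
# A binary that does not exist is reported and skipped rather than counted
# as a failure, so the policy can be applied on hosts without every tool.
#######################################
grant() {
  local file=$1
  shift
  if [[ ! -e "$file" ]]; then
    printf 'warning: %s not present, no capabilities granted\n' "$file" >&2
    return 0
  fi
  attr_set_file_dir -a CAP FILE "$file" max_caps "$@" \
    || failures=$((failures + 1))
}

# --- reset pass: set binary (not links) maximum capabilities to 0 ----------
read -r -a policy_dirs <<< "${CAP_POLICY_DIRS:-/bin /sbin /usr/bin /usr/sbin}"

for dir in "${policy_dirs[@]}"; do
  for file in "$dir"/*; do
    # Regular files only.  Symlinks are skipped as in the original policy;
    # -f additionally keeps directories, device nodes and an unmatched "*"
    # pattern (empty or missing directory) away from the tool.
    [[ -f "$file" && ! -L "$file" ]] || continue
    strip_all_caps "$file"
  done
done

# --- grant pass --------------------------------------------------------------
# Reviewer notes on the grants below:
#  * SYS_ADMIN is close to unrestricted root; mount, umount, losetup, hdparm,
#    hostname, swapon and pivot_root all keep it.
#  * DAC_OVERRIDE on general-purpose writers (tar, sed, tee, touch, nano, ed,
#    rm, mkdir, unlink, stty, agetty) lets root, through those tools, write
#    to files whose permission bits would otherwise deny it.  The author
#    already suggests most DAC_OVERRIDE / DAC_READ_SEARCH grants can be
#    dropped; each one widens what the reset pass took away.
#  * chmod and chattr keep FOWNER, which bypasses the ownership check on mode
#    and attribute changes for files root does not own.
#  * No binary is granted SYS_MODULE: the lsmod/insmod/rmmod lines are kept
#    commented out as in the original.
#  * /bin/gawk-3.1.5 is a version-specific path; after a gawk upgrade grant()
#    prints the missing-file warning and awk gets no DAC_READ_SEARCH.

# /bin
grant /bin/login FOWNER CHOWN SETUID SETGID
grant /bin/chroot SYS_CHROOT
grant /bin/mount SYS_ADMIN DAC_OVERRIDE
grant /bin/netstat DAC_READ_SEARCH
grant /bin/nice SYS_NICE
grant /bin/passwd CHOWN
grant /bin/killall KILL SYS_PTRACE
grant /bin/ping NET_RAW
grant /bin/su SETGID SETUID
grant /bin/umount SYS_ADMIN DAC_OVERRIDE
grant /bin/chattr LINUX_IMMUTABLE FOWNER DAC_READ_SEARCH
grant /bin/chmod FOWNER DAC_READ_SEARCH
grant /bin/chgrp CHOWN DAC_READ_SEARCH
grant /bin/cat DAC_READ_SEARCH
grant /bin/cp DAC_READ_SEARCH
grant /bin/dd DAC_READ_SEARCH
grant /bin/ls DAC_READ_SEARCH
grant /bin/dir DAC_READ_SEARCH
grant /bin/vdir DAC_READ_SEARCH
grant /bin/chown DAC_READ_SEARCH CHOWN
grant /bin/kill KILL
grant /bin/mknod MKNOD
grant /bin/hostname SYS_ADMIN
grant /bin/gawk-3.1.5 DAC_READ_SEARCH
grant /bin/grep DAC_READ_SEARCH
grant /bin/rm DAC_OVERRIDE
grant /bin/rmdir DAC_OVERRIDE
grant /bin/stat DAC_READ_SEARCH
grant /bin/zless DAC_READ_SEARCH
grant /bin/zmore DAC_READ_SEARCH
grant /bin/bzmore DAC_READ_SEARCH
grant /bin/bzdiff DAC_READ_SEARCH
grant /bin/bzgrep DAC_READ_SEARCH
grant /bin/bzip2 DAC_READ_SEARCH
grant /bin/bzip2recover DAC_READ_SEARCH
grant /bin/cksum DAC_READ_SEARCH
grant /bin/comm DAC_READ_SEARCH
grant /bin/cpio DAC_READ_SEARCH
grant /bin/du DAC_READ_SEARCH
grant /bin/gzip DAC_READ_SEARCH
grant /bin/gzexe DAC_READ_SEARCH
grant /bin/head DAC_READ_SEARCH
#grant /bin/echo
grant /bin/install DAC_READ_SEARCH
grant /bin/link DAC_READ_SEARCH
grant /bin/ln DAC_READ_SEARCH
grant /bin/lsattr DAC_READ_SEARCH
#grant /bin/lsmod SYS_MODULE
grant /bin/mkdir DAC_OVERRIDE
grant /bin/more DAC_READ_SEARCH
grant /bin/mv DAC_READ_SEARCH
# DAC_OVERRIDE so nano can write in directories not owned by root
grant /bin/nano DAC_OVERRIDE
grant /bin/readlink DAC_READ_SEARCH
grant /bin/ed DAC_OVERRIDE
grant /bin/sed DAC_OVERRIDE
grant /bin/sort DAC_READ_SEARCH
grant /bin/split DAC_READ_SEARCH
grant /bin/stty DAC_OVERRIDE
grant /bin/tar DAC_OVERRIDE
grant /bin/tee DAC_OVERRIDE
grant /bin/touch DAC_OVERRIDE
grant /bin/uniq DAC_READ_SEARCH
grant /bin/unlink DAC_OVERRIDE
grant /bin/wc DAC_READ_SEARCH

# /sbin
grant /sbin/arp NET_ADMIN
grant /sbin/arping NET_RAW
grant /sbin/badblocks DAC_READ_SEARCH
grant /sbin/blockdev DAC_READ_SEARCH
grant /sbin/losetup SYS_ADMIN IPC_LOCK
grant /sbin/ctrlaltdel SYS_BOOT
grant /sbin/lilo SYS_RAWIO
grant /sbin/hdparm SYS_ADMIN SYS_RAWIO
grant /sbin/hwclock SYS_RAWIO
grant /sbin/ifconfig NET_ADMIN
#grant /sbin/insmod SYS_MODULE
grant /sbin/mii-tool NET_ADMIN
grant /sbin/swapon SYS_ADMIN
grant /sbin/pivot_root SYS_ADMIN
#grant /sbin/rmmod SYS_MODULE
grant /sbin/route NET_ADMIN
grant /sbin/agetty DAC_OVERRIDE
grant /sbin/shutdown SYS_BOOT
grant /sbin/halt SYS_BOOT

# A partially applied policy is worse than an unapplied one (some binaries
# reset, others still unrestricted), so make the outcome visible.
if (( failures > 0 )); then
  printf 'CAP policy: %d attr_set_file_dir call(s) failed; policy incomplete\n' \
    "$failures" >&2
  exit 1
fi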
118
Please note that this "policy" was put together by trial and error on a Gentoo Hardened system, so it only covers the binaries that were actually exercised there. Most of the DAC_READ_SEARCH and DAC_OVERRIDE grants can be omitted to make the DAC restrictions a bit stricter. Any comment, suggestion or criticism would be very much appreciated.
123
124 Thanks for all
125
PS: is there a code of conduct for the mailing list that I should read and follow?
