Annexe 13. ACLs GrSecurity pour Debian-secinst
Patch pour le fichier /etc/grsec/acl :
4c4,5
< /home rwx
---
> /home rx
> /mnt r
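Review bot: The direction of this patch looks reversed: hunk `53d50` deletes `include </etc/grsec/debian-secinst>` and hunk `42,48d46` deletes `/home/system rx` and the WAS comments, yet the rest of the annex consists of the files under /etc/grsec/debian-secinst that this include loads. If the listing was produced as `diff <secinst-acl> <stock-acl>`, applying it to /etc/grsec/acl strips the include and none of the addon policies below are ever loaded. State the `diff` invocation above the listing (or invert the hunks) so the `<`/`>` sides are unambiguous. The subject enclosing these object lines is not visible in any hunk.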
14a16,17
> /dev/dsp rw
> /dev/mixer rw
24a28
> /etc/postfix r
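Review bot: `/etc/postfix r` here and `/var/spool/postfix/lib rx` in hunk `35a40` grant postfix objects, while every other file in this annex (Sys_exim, Dmn_cron's `/usr/sbin/sendmail x`, the note that sendmail is a symlink to exim) assumes exim is the MTA. Objects for a path that does not exist are harmless to gradm but they widen the policy and mislead the next reader; confirm which MTA is installed and drop the other's entries. The enclosing subject starts outside this hunk.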
31c35
< /root rx
---
> /root r
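Review bot: `/root r` still lets every process under this subject read root's home directory, which typically holds shell history, dotfiles and credentials, so the change only removes execute. If the intent is to keep ordinary processes out of /root, no mode (existence only) or `h` here, with an explicit `/root r` in the few subjects that need it, is the least-privilege form — Dmn_cron already lists `/root` without a mode. The enclosing subject is not visible in the hunk.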
35a40
> /var/spool/postfix/lib rx
38c43
< /var/log r
---
> /var/log
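Review bot: Dropping the mode on `/var/log` denies read as well as write to whichever subject this object belongs to, so any log reader without a subject of its own will be denied once the policy is enabled; the addon files cover savelog, syslogd, the cron.daily jobs and the backup/report scripts with explicit `/var/log rw` or `a` objects, but interactive log viewing by admins is not covered anywhere in the annex. Either confirm that is intended or add a read-only `/var/log r` object to an admin subject. The enclosing subject starts outside this hunk.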
42,48d46
< /home/system rx
<
< # If you use WAS and if you want to set next for admins ?
< /var/was/installableApps rw
< # Same for this one if you use a webserver ?
< /var/www/htdocs rw
<
53d50
< include </etc/grsec/debian-secinst>
/etc/grsec/debian-secinst/Adm_addons :
# Debian-secinst v0.1.11 : ANNEXE 13 - ACLs GrSecurity pour Debian-secinst
# Simon Castro - http://www.entreelibre.com/scastro/debian-secinst/
#
# These acls are addons for the default security restrictions applied with
# /etc/grsec/acl. They are used to lower the security level so that admins can
# work on the server without having to get root or gradm -a permissions.
#
# The first acls allow users to administrate the server while the last ones
# are related to specific daemons administration such as Apache or Ibm Websphere
# Application Server.
#
# Un-securing the server this way is something you should think about before
# doing anything :)
#
# Note that most of the next Acls inherit default permissions from the / parent.
#
# How to read the rules below (gradm policy syntax):
#   <path> <mode>    object rule for the path and everything under it:
#                    r/w/x/a = read/write/execute/append, h = hidden,
#                    i = a program executed from this path keeps running
#                    under the current subject's policy instead of its own;
#                    no mode exposes the existence of the path only (confirm
#                    in the gradm docs for the version in use).
#   +CAP_* / -CAP_*  capability added to / removed from the subject;
#                    "-CAP_ALL" followed by "+CAP_*" lines is the
#                    allow-list form.
#   connect / bind   socket policy; "{ disabled }" forbids the operation.
#   subject mode "o" (e.g. "/usr/bin/mail do", "... o {") turns inheritance
#   from the / parent off, so such a subject must list everything it touches.
#   NOTE(review): the other subject mode letters used in this annex (d, k, p,
#   X, A) are not explained here — check them against gradm 1.9.12.
#
### Allowing /bin/su
# su reads /etc/shadow to check the password, logs through syslog and to its
# own sulog, and needs the uid/gid switching caps; SYS_TTY_CONFIG and
# SYS_RESOURCE cover tty and limit handling on the new session.
/bin/su {
/etc/shadow r
/dev/log rw
/var/log/sulog rw
+CAP_SYS_TTY_CONFIG
+CAP_SETGID
+CAP_SETUID
+CAP_SYS_RESOURCE
}
# mesg changes the mode of a tty the user may not own (FOWNER/FSETID).
/usr/bin/mesg {
+CAP_FOWNER
+CAP_FSETID
}
### Allowing /usr/bin/sudo
# Same needs as su, minus the tty/resource caps.
/usr/bin/sudo {
/dev/log rw
/etc/shadow r
/usr/bin/sudo x
+CAP_SETGID
+CAP_SETUID
}
### Allowing /bin/ps without logfiles errors ?
# NOTE(review): the trailing "?" suggests this pair of caps was found by
# trial. CAP_DAC_OVERRIDE bypasses every file permission check, which is a
# lot for ps; re-check the grsec log with CAP_SYS_PTRACE alone before
# keeping both.
/bin/ps {
+CAP_DAC_OVERRIDE
+CAP_SYS_PTRACE
}
### Allowing Mail on the server (does not inherit from / parent)
# Stand-alone policy ("o"): everything mail touches is listed, / is hidden,
# all caps are dropped then four re-added, and the network is closed.
# Delivery goes through the local exim binary (plain x, so exim runs under
# its own subject from Sys_exim); dotlockfile runs under this policy (i).
/usr/bin/mail do
{
/etc r
/etc/grsec h
/lib rx
/usr/lib rx
/usr/share/zoneinfo r
/proc r
/tmp rw
/var/mail rw
/bin/bash x
/usr/sbin/exim x
/usr/bin/dotlockfile ix
/usr/bin/mail x
/ h
-CAP_ALL
+CAP_DAC_OVERRIDE
+CAP_DAC_READ_SEARCH
+CAP_SETUID
+CAP_SETGID
connect { disabled }
bind { disabled }
}
### Allowing Reboot via shutdown
# /etc without a mode only exposes the directory; the four files shutdown
# reads are listed explicitly. /dev/initctl is the init control fifo.
/sbin/shutdown {
/etc
/etc/ld.so.preload r
/etc/ld.so.cache r
/etc/nsswitch.conf r
/etc/passwd r
/dev/initctl rw
+CAP_DAC_OVERRIDE
+CAP_SETUID
+CAP_SYS_TTY_CONFIG
}
# reboot records the event in wtmp (append only) and needs SYS_BOOT for the
# reboot call itself.
/sbin/reboot {
/var/log/wtmp a
+CAP_SYS_BOOT
}
### Do we use an Apache webserver ?
# Only the control script is covered here; the daemon's policy is Dmn_apache.
/usr/sbin/apachectl {
+CAP_DAC_OVERRIDE
}
### Allow the system backup script to do what is right...
# Stand-alone ("o"). The script mounts the backup target (CAP_SYS_ADMIN is
# for mount) and runs the listed tools under its own policy (i). With "/ r"
# plus both DAC caps it can read every file on the host: that is what a
# full backup needs, but it also makes this script and the /backup tree
# worth protecting (root-owned, not writable by anyone else).
/home/system/scripts/backup/system_backup.sh o {
/ r
/bin rx
/usr/bin rx
/lib rx
/usr/lib rx
/home r
/proc r
/etc r
/dev/log rw
/dev/tty rw
/dev/pts rw
/dev/null rw
/backup rw
/bin/mount ix
+CAP_SYS_ADMIN
/usr/bin/logger ix
/bin/mkdir ix
/bin/tar ix
/usr/bin/md5sum ix
/bin/grep ix
/bin/rm ix
/usr/bin/openssl ix
+CAP_DAC_READ_SEARCH
+CAP_DAC_OVERRIDE
}
### Allow the samba_backup script to do what's right (including stop/starting samba)
# Stand-alone ("o"). "/" with no mode is traversal only. Samba is stopped
# and started through its init script, which runs under this policy (irx);
# the daemons it re-launches are covered by the /usr/sbin/smbd subject right
# below. Note that this script may also execute system_backup.sh.
/home/system/scripts/backup/samba_backup.sh o {
/
/bin rx
/usr/bin rx
/lib rx
/usr/lib rx
/dev/tty rw
/dev/pts rw
/etc/ld.so.preload r
/etc/ld.so.cache r
/etc/fstab r
/etc/mtab r
/proc r
/etc/default/samba r
/etc/init.d/samba irx
/sbin/start-stop-daemon ix
/var/run/samba/ rw
/usr/sbin/nmbd ix
/usr/sbin/smbd ix
/usr/share/zoneinfo r
/var/log/samba a
/etc/samba r
/dev/log rw
/dev/urandom r
/dev/null rw
/usr/share/samba r
# If run from cron
/var/lib/samba rw
/var/cache/samba rw
/home/system/scripts/backup/system_backup.sh rx
+CAP_DAC_OVERRIDE
}
# If samba_backup.sh is run from cron
# smbd re-launched by the backup script still needs to switch uid/gid for
# its clients; it otherwise keeps the / subject's objects.
/usr/sbin/smbd {
+CAP_SETGID
+CAP_SETUID
}
### Allow the system_report script to do what's right
# Stand-alone ("o"). Collects system state (netstat) and mails it; mail and
# logger run under this policy (i), so the /usr/bin/mail subject above is
# not involved here. The script may rewrite its own directory (rw on
# /home/system/scripts/reports).
/home/system/scripts/reports/system_report.sh o {
/bin rx
/sbin rx
/usr/bin rx
/usr/sbin rx
/lib rx
/usr/lib rx
/etc/ld.so.cache r
/etc/ld.so.preload r
/etc/mtab r
/etc/mail.rc r
/proc r
/usr/share/zoneinfo r
/dev/null rw
/dev/tty rw
/dev/pts rw
/dev/log rw
/tmp rw
/
/usr/bin/logger ix
/bin/netstat ix
/usr/bin/mail ix
+CAP_DAC_OVERRIDE
+CAP_DAC_READ_SEARCH
+CAP_SETGID
+CAP_SETUID
/home/system/scripts/reports/system_report.sh rx
/home/system/scripts/reports rw
}
/etc/grsec/debian-secinst/Dmn_apache :
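# Debian-secinst v0.1.11 : ANNEXE 11 - Configuration des ACLs GrSecurity
# Simon Castro - http://www.entreelibre.com/scastro/debian-secinst/
#
# Update of the apache acl configuration file provided with the Gradm toolset
# version 1.9.12.
#
# Layout note: in the published listing "RES_CRASH 3 10m", the two socket
# rules "0.0.0.0/0:53 dgram udp" / "0.0.0.0/0:80 stream tcp" and the
# /usr/local/websphere500/... object had been wrapped over several lines;
# they are re-joined here, one rule per line as gradm expects.
#
# Subject modes: "o" = no inheritance from the / subject (everything used is
# listed below); "X" and "A" as documented for gradm 1.9.12 — confirm their
# exact meaning for the version deployed.
/usr/sbin/apache oXA {
/usr/share r
/etc r
/etc/grsec h
/etc/ld.so.cache r
# NOTE(review): execute permission on a world-writable directory defeats the
# point of restricting x everywhere else; rw is usually enough for a web
# server, and x belongs on a dedicated directory if a module really needs it.
/tmp rwx
/lib rx
/usr/lib rx
# append-only: the daemon can add log lines but not truncate or rewrite them
/var/log/apache a
/var/run/apache.pid w
# document root: read + execute (CGI), no write, so the site cannot be
# modified through the daemon itself
/var/www rx
/dev/null rw
/bin/bash x
/usr/sbin/apache x
# These ones remove errors related to a debian-secinst setup
/proc/sys/kernel/version r
/dev/urandom r
# Uncomment here if you use a Websphere Application Server
# NOTE(review): the WAS objects below are *not* commented out in the
# published listing, so they are active as written; remove them on a host
# without WebSphere.
/usr/local/websphere500/appserver/bin/mod_app_server_http.so rx
/var/was/config/cells/plugin-cfg.xml r
/var/was/logs ra
# NOTE(review): "/lockTrace" at the filesystem root is probably a wrapped
# fragment of a /var/was/... path in the original file — verify before use.
/lockTrace rw
/
# allow-list of capabilities; CAP_DAC_OVERRIDE is broad, the rest are the
# usual daemon needs (drop privileges, bind port 80, signal its children)
-CAP_ALL
+CAP_DAC_OVERRIDE
+CAP_KILL
+CAP_SETGID
+CAP_SETUID
+CAP_NET_BIND_SERVICE
# crash rate limit: more than 3 crashes in 10 minutes triggers gradm's
# RES_CRASH response
RES_CRASH 3 10m
# outbound: DNS lookups only; everything else is denied
connect {
0.0.0.0/0:53 dgram udp
# If you use a Websphere Application Server, set the destination
# tcp ports one by one or use that kind of range...
#{Application_server_IP_address}:9080-9099 stream tcp
# Uncomment here if the Websphere Application Server is located
# behind Apache (reverse-proxy mode).
#127.0.0.1:9090 stream tcp
}
# inbound: plain HTTP only unless 443 is enabled below
bind {
0.0.0.0/0:80 stream tcp
# Add here the few more listening ports of your Apache setup...
#0.0.0.0/0:443 stream tcp
}
}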
/etc/grsec/debian-secinst/Dmn_cron :
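# Debian-secinst v0.1.11 : ANNEXE 11 - Configuration des ACLs GrSecurity
# Simon Castro - http://www.entreelibre.com/scastro/debian-secinst/
#
# Update of the cron acl configuration file provided with the Gradm toolset
# version 1.9.12.
#
# Layout note: "RES_CRASH 1 10m" had been wrapped over two lines in the
# published listing; it is a single rule and is written on one line here.
#
# Subject modes: "o" = cron does not inherit the / subject, so everything it
# touches is listed below; "X" as documented for gradm 1.9.12 (confirm for
# the deployed version).
# NOTE(review): the objects with no mode (/etc/environment,
# /var/spool/cron/crontabs, /var/mail, /root) expose the existence of the
# path only; if cron must read the crontab files under this policy, confirm
# on the target that jobs still run and check the grsec log for denials.
/usr/sbin/cron oX {
/etc/environment
/var/spool/cron/crontabs
/var/mail
# sendmail is a symlink to exim (see Sys_exim); plain x, so exim runs under
# its own subject
/usr/sbin/sendmail x
/root
/lib rx
/etc r
/etc/grsec h
/dev/log rw
/bin/bash x
/usr/sbin/cron x
/ h
-CAP_ALL
+CAP_SETGID
+CAP_SETUID
# crash rate limit: more than one crash in 10 minutes triggers gradm's
# RES_CRASH response
RES_CRASH 1 10m
# cron never needs the network
connect {
disabled
}
bind {
disabled
}
}
### Cron.daily
# The daily jobs keep the / subject's objects and add only what each script
# needs; tools marked "i" run under the job's own policy.
/etc/cron.daily/exim {
+CAP_DAC_OVERRIDE
+CAP_DAC_READ_SEARCH
}
# Stand-alone ("o"): a fixed read-only tree, its own log, no caps at all.
/etc/cron.daily/aide o {
/bin x
/usr/bin x
/lib rx
/etc/mtab r
/etc/ld.so.preload r
/etc/ld.so.cache r
/proc r
/dev/null w
/dev/tty rw
/tmp rw
/var/log/aide rw
/etc/cron.daily/aide x
/
-CAP_ALL
}
# updatedb rebuilds the locate database: / r to walk the tree, rw on the
# database directory, and the helpers used to swap in the new database.
/etc/cron.daily/find {
/ r
/var/lib/locate/ rw
/usr/bin/updatedb irx
/bin/rm ix
/bin/mv ix
/bin/chmod ix
}
# logrotate restarts apache through its init script after rotating its logs.
/etc/cron.daily/logrotate {
/bin/sh ix
/etc/init.d/apache irx
/usr/sbin/logrotate ix
/var/lib/logrotate/status rw
}
# man-db runs find under another user via start-stop-daemon, hence the
# uid/gid caps.
/etc/cron.daily/man-db {
/ r
/sbin/start-stop-daemon ix
/bin/sh ix
/usr/bin/find ix
+CAP_SETUID
+CAP_SETGID
}
/etc/cron.daily/modutils {
/var/log/ksymoops rw
/sbin/insmod_ksymoops_clean irx
/bin/cp ix
/bin/rm ix
/usr/bin/find ix
+CAP_CHOWN
+CAP_FSETID
}
# The "standard" job compares the password files (hence r on shadow/gshadow)
# and keeps its reports under /var/log.
/etc/cron.daily/standard {
/etc/shadow r
/etc/gshadow r
/var/log rw
/usr/bin/cmp ix
}
/etc/cron.daily/sysklogd {
/var/log rw
/bin/chmod ix
/etc/init.d/sysklogd irx
+CAP_FSETID
}
# checksecurity scans the filesystem and rewrites its reports under /var/log.
# NOTE(review): "/ r" with all four caps makes this the widest daily job;
# acceptable for a root-run audit script, but keep the script itself
# unwritable by anyone else.
/usr/sbin/checksecurity {
/ r
/var/log rw
/usr/bin/find ix
/bin/mv ix
/bin/chmod ix
/bin/chown ix
/bin/rm ix
+CAP_DAC_READ_SEARCH
+CAP_DAC_OVERRIDE
+CAP_FSETID
+CAP_CHOWN
}
### Cron.weekly
# Weekly variants of the daily man-db and sysklogd jobs, same needs.
/etc/cron.weekly/man-db {
/ r
/sbin/start-stop-daemon ix
/bin/sh ix
/usr/bin/find ix
+CAP_SETUID
+CAP_SETGID
}
/etc/cron.weekly/sysklogd {
/var/log rw
/bin/chmod ix
/etc/init.d/sysklogd irx
+CAP_FSETID
}
### Cron.monthly
### Script to rotate debian-secinst specific logfiles
/home/system/scripts/crond/sysklogd {
/var/log rw
/etc/init.d/sysklogd irx
}
### Last acl often called
# "k": this subject may signal protected ("p") processes — syslogd in
# Dmn_syslogd is one — which is what restarting the logger requires.
/sbin/start-stop-daemon k {
+CAP_SETUID
+CAP_KILL
/sbin/syslogd x
}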
/etc/grsec/debian-secinst/Dmn_syslogd :
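# Debian-secinst v0.1.11 : ANNEXE 11 - Configuration des ACLs GrSecurity
# Simon Castro - http://www.entreelibre.com/scastro/debian-secinst/
#
# Update of the syslogd acl configuration file provided with the Gradm toolset
# version 1.9.12.
#
# In this file are presented all of the logs related management acls.
#
# Layout note: "RES_CRASH 1 10m" had been wrapped over two lines in the
# published listing; it is a single rule and is written on one line here.
#
# Subject modes: "p" = protected process (only subjects with "k", such as
# /sbin/start-stop-daemon in Dmn_cron, may kill it); "o" = no inheritance
# from /; "X" as documented for gradm 1.9.12. "/dev" with no mode only
# exposes the directory, the two device nodes syslogd uses are listed with
# rw, and "/ h" hides everything else.
/sbin/syslogd poX {
/etc/syslog.conf r
/dev/console rw
/etc/services r
/lib rx
/dev
/dev/log rw
/var/run rw
/var/log rw
/sbin/syslogd x
/ h
# Setup debian-secinst
# savelog runs under syslogd's policy ("i") when the logger rotates its files
/usr/bin/savelog ix
-CAP_ALL
# crash rate limit: more than one crash in 10 minutes triggers gradm's
# RES_CRASH response
RES_CRASH 1 10m
# a local logger has no business on the network (no remote syslog here)
connect {
disabled
}
bind {
disabled
}
}
# Log rotation helper. It inherits the / subject (no "o"), so the objects
# below are additions; the caps let it chown/chmod the rotated files.
# NOTE(review): the tools run with "i", i.e. under this same policy, so
# their write reach is /var/log plus whatever the / subject allows; with
# CAP_DAC_OVERRIDE and CAP_CHOWN that reach deserves a re-check whenever the
# / subject is widened. Why aide is run from savelog is not stated here —
# presumably the debian-secinst rotation wrapper re-checks the rotated logs;
# confirm against the wrapper script.
/usr/bin/savelog {
/var/log rw
/bin/gzip ix
/bin/chgrp ix
/bin/mv ix
/bin/chmod ix
/bin/chown ix
/usr/bin/touch ix
/bin/ln ix
/bin/rm ix
/usr/bin/aide ix
+CAP_CHOWN
+CAP_FOWNER
+CAP_FSETID
+CAP_DAC_READ_SEARCH
+CAP_DAC_OVERRIDE
}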
/etc/grsec/debian-secinst/Dmn_websphere :
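# Debian-secinst v0.1.11 : ANNEXE 11 - Configuration des ACLs GrSecurity
# Simon Castro - http://www.entreelibre.com/scastro/debian-secinst/
#
# Allow a Websphere Application server to run and to be remotely managed by
# HTTP administration console (i.e. : Adding/Removing new web applications,
# starting/stopping web applications, etc...).
#
# You can use this generic acl but you'd better use the learning mode to be
# much closer to your own environment.
#
# Layout note: the /usr/local/websphere500/... paths had been wrapped onto
# two lines in the published listing and are re-joined here; gradm reads
# one rule per line.
#
# Subject modes: "o" = nothing is inherited from the / subject, so every path
# the JVM touches must be listed; "d" as documented for gradm 1.9.12.
# Directories with no mode (/dev, /home, /opt, /usr, /usr/local, /var) only
# expose their existence so the deeper, explicitly listed objects can be
# reached. "/ h" hides everything else and -CAP_ALL leaves the JVM with no
# capability at all.
# NOTE(review): there is no connect/bind section, so this subject does not
# constrain socket use; if the administration console should only be
# reachable from a management host, a bind/connect allow-list is the place
# to say so.
/usr/local/websphere500/appserver/java/jre/bin/exe/java do
{
/bin rx
/dev
/dev/pts rw
/dev/tty rw
/dev/null rw
/etc r
/etc/grsec h
/etc/ld.so.cache r
/etc/ld.so.preload r
/home
/lib rx
/opt
/proc r
/usr
/usr/bin rx
/usr/lib/ rx
/usr/local
/usr/share/zoneinfo r
/tmp rw
/var
/usr/local/websphere500 r
/usr/local/websphere500/appserver/bin rx
/usr/local/websphere500/appserver/java/jre/bin rx
/var/was/logs/ rw
/var/was/temp/ rw
/var/was/tranlog/ rw
/var/was/wstemp/ rw
# On production servers, you maybe should use read-only
# NOTE(review): a server that can rewrite its own configuration and deployed
# applications lets any compromise of the JVM persist across restarts;
# prefer r here and deploy through a separate administrative subject.
/var/was/config/ rw
/var/was/installedApps/ rw
/var/was/installableApps r
/var/was/properties r
# the launcher script keeps this policy ("i") and re-executes the real JVM
/usr/local/websphere500/appserver/java/jre/bin/java irx
/usr/local/websphere500/appserver/java/jre/bin/exe/java rx
/ h
-CAP_ALL
}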
/etc/grsec/debian-secinst/Sys_aide :
# Debian-secinst v0.1.11 : ANNEXE 11 - Configuration des ACLs GrSecurity
# Simon Castro - http://www.entreelibre.com/scastro/debian-secinst/
#
# Acls for an AIDE configuration.
#
# Stand-alone subject ("o"): AIDE walks the listed trees read-only and writes
# only under /var/log/aide. "/" with no mode gives traversal to the listed
# subtrees; -CAP_ALL then re-adds just the two DAC caps needed to read files
# the invoking user could not otherwise open.
# NOTE(review): only the paths listed here are readable, so any directory
# AIDE is configured to check, or the place its database lives, that is
# outside /bin, /sbin, /etc, /home/system, /lib and /usr will be denied —
# compare with AIDE's configuration and the grsec log.
/usr/bin/aide o {
/bin rx
/sbin r
/etc r
/home/system r
/lib rx
/usr r
/var/log/aide rw
/usr/bin/aide rx
/
-CAP_ALL
+CAP_DAC_READ_SEARCH
+CAP_DAC_OVERRIDE
}
/etc/grsec/debian-secinst/Sys_exim :
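# Debian-secinst v0.1.11 : ANNEXE 11 - Configuration des ACLs GrSecurity
# Simon Castro - http://www.entreelibre.com/scastro/debian-secinst/
#
# Allow exim to run (used by cron jobs and by users Mail actions)
#
# Note : /usr/sbin/sendmail is a symlink to this one...
#
# Layout note: "RES_CRASH 1 10m" had been wrapped over two lines in the
# published listing; it is a single rule and is written on one line here.
#
# exim's hints-database cleaner keeps the / subject's objects and only needs
# the two DAC caps to touch the spool.
/usr/sbin/exim_tidydb {
+CAP_DAC_OVERRIDE
+CAP_DAC_READ_SEARCH
}
# Subject modes: "o" = no inheritance from /, so everything exim touches is
# listed; "d" and "X" as documented for gradm 1.9.12. /home with no mode
# only exposes the home directories' existence (local delivery goes to
# /var/mail). Both logs are append-only ("a"): exim can add lines but not
# rewrite or truncate history.
# NOTE(review): unlike Dmn_cron and Dmn_syslogd there is no connect/bind
# section, so this subject does not constrain socket use at all; an MTA
# needs outbound SMTP, but bind could be limited to the SMTP port on the
# addresses exim actually listens on.
/usr/sbin/exim doX {
/etc r
/etc/grsec h
/lib rx
/usr/lib rx
/usr/share/zoneinfo r
/home
/proc r
/dev/null rw
/var/spool/exim rw
/var/log/exim/mainlog a
/var/log/exim/paniclog a
/var/mail rw
/usr/sbin/exim x
/
-CAP_ALL
+CAP_SETGID
+CAP_SETUID
+CAP_DAC_OVERRIDE
+CAP_DAC_READ_SEARCH
# crash rate limit: more than one crash in 10 minutes triggers gradm's
# RES_CRASH response
RES_CRASH 1 10m
}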