Installation et sécurisation d'une station Debian 3.0 stable 15/05/2004
ANNEXE 13. ACLs GrSecurity pour Debian-secinst
ANNEXE 13. ACLs GrSecurity pour Debian-secinst
Patch pour le fichier /etc/grsec/acl :
4c4,5
< /home rwx
---
> /home rx
> /mnt r
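Review bot: The direction of this patch should be confirmed before it is applied, because read as old-to-new the `42,48d46` and `53d50` hunks delete `/home/system rx` and `include </etc/grsec/debian-secinst>` from /etc/grsec/acl, while the rest of this appendix supplies exactly the files under /etc/grsec/debian-secinst/ that are only loaded through that include, and the backup and report subjects it defines live under /home/system/scripts. That looks like `diff new old` output, i.e. the `<` lines are the intended result, but nothing on the page says so. Whichever direction is right, the dependency deserves a comment above the include in the resulting file: `# Admin and daemon addons (Annexe 13); without this line only the base policy applies`.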
14a16,17
> /dev/dsp rw
> /dev/mixer rw
24a28
> /etc/postfix r
31c35
< /root rx
---
> /root r
35a40
> /var/spool/postfix/lib rx
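Review bot: `/var/spool/postfix/lib rx` gives the default subject execute access under the mail spool, which is unusual for a spool directory and easy to remove as a mistake; presumably it is the library copy inside the postfix chroot that the chrooted daemons need, but the page does not say. A one-line comment above it would settle that for the next reader: `# rx: copy of /lib inside the postfix chroot - confirm against the postfix setup`.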
38c43
< /var/log r
---
> /var/log
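Review bot: `> /var/log` carries no mode, which in gradm policy syntax denies every access to the object for the default subject while keeping the path visible (`h` would hide it as well), so the `r` previously granted to ordinary users is withdrawn; that looks intentional, since the addon subjects in this appendix each re-grant `/var/log rw` individually. Because a mode-less object is easy to mistake for a truncated line, a comment would help: `# no mode: logs are not readable from the default subject; specific subjects re-open them`.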
42,48d46
< /home/system rx
<
< # If you use WAS and if you want to set next for admins ?
< /var/was/installableApps rw
< # Same for this one if you use a webserver ?
< /var/www/htdocs rw
<
53d50
< include </etc/grsec/debian-secinst>
/etc/grsec/debian-secinst/Adm_addons :
# Debian-secinst v0.1.11 : ANNEXE 13 - ACLs GrSecurity pour Debian-secinst
# Simon Castro - http://www.entreelibre.com/scastro/debian-secinst/
#
# These acls are addons for the default security restrictions applied with
# /etc/grsec/acl. They are used to lower the security level so that admins can
# work on the server without having to get root or gradm -a permissions.
#
# The first ACLs allow users to administer the server, while the last ones
# relate to the administration of specific daemons such as Apache or the IBM
# WebSphere Application Server.
#
# Un-securing the server this way is something you should think about before
# doing anything :)
#
# Note that most of the following ACLs inherit their default permissions from the / parent.
#
### Allowing /bin/su
# Subject for su: it may read the shadow file, log through syslog and write
# its own sulog. The +CAP lines keep these capabilities for su - the RBAC
# system only takes capabilities away, it never adds any. Everything not
# listed here is inherited from the / parent (see the file header).
/bin/su {
/etc/shadow r
/dev/log rw
# rw lets su rewrite the file; "a" (append only) may be enough - verify.
/var/log/sulog rw
+CAP_SYS_TTY_CONFIG
+CAP_SETGID
+CAP_SETUID
+CAP_SYS_RESOURCE
}
# mesg keeps the two owner/setid capabilities below, presumably so it can
# change the mode of the user's tty; it lists no objects of its own, so all
# file access comes from the / parent.
/usr/bin/mesg {
+CAP_FOWNER
+CAP_FSETID
}
### Allowing /usr/bin/sudo
# sudo may log to syslog, read /etc/shadow and execute itself, and keeps
# SETUID/SETGID to switch identity. The programs it starts are not listed:
# with a plain x (as opposed to ix) an executed binary is placed under its
# own subject, not kept inside this one.
/usr/bin/sudo {
/dev/log rw
/etc/shadow r
/usr/bin/sudo x
+CAP_SETGID
+CAP_SETUID
}
### Allowing /bin/ps without logfiles errors ?
# ps keeps DAC_OVERRIDE and SYS_PTRACE, presumably so it can read the /proc
# entries of other users' processes. Going by the heading, DAC_OVERRIDE is
# here to silence grsec log errors rather than for a functional need; it is a
# broad capability for a reporting tool - drop it if the logs stay quiet.
/bin/ps {
+CAP_DAC_OVERRIDE
+CAP_SYS_PTRACE
}
### Allowing Mail on the server (does not inherit from / parent)
# Stand-alone subject (o) for the mail client: nothing is inherited from /,
# so every path it needs is listed; /etc/grsec is hidden (h) and the "/ h"
# catch-all hides everything not matched by a more specific entry above it.
# -CAP_ALL drops every capability, then the four +CAP lines keep the ones
# mail needs (presumably to switch identity and reach other users' mailboxes).
# No network access at all: connect and bind are both disabled.
/usr/bin/mail do {
/etc r
/etc/grsec h
/lib rx
/usr/lib rx
/usr/share/zoneinfo r
/proc r
/tmp rw
/var/mail rw
/bin/bash x
/usr/sbin/exim x
# ix: dotlockfile keeps running inside this subject instead of its own
/usr/bin/dotlockfile ix
/usr/bin/mail x
/ h
-CAP_ALL
+CAP_DAC_OVERRIDE
+CAP_DAC_READ_SEARCH
+CAP_SETUID
+CAP_SETGID
connect { disabled }
bind { disabled }
}
### Allowing Reboot via shutdown
# shutdown talks to init through /dev/initctl and needs the loader and name
# service files. "/etc" without a mode denies access to everything under /etc
# for this subject except the four files listed explicitly (the most specific
# object wins).
/sbin/shutdown {
/etc
/etc/ld.so.preload r
/etc/ld.so.cache r
/etc/nsswitch.conf r
/etc/passwd r
/dev/initctl rw
+CAP_DAC_OVERRIDE
+CAP_SETUID
+CAP_SYS_TTY_CONFIG
}
# reboot may only append (a) its record to wtmp and keeps SYS_BOOT, the
# capability the reboot() system call requires.
/sbin/reboot {
/var/log/wtmp a
+CAP_SYS_BOOT
}
### Do we use an Apache webserver ?
# apachectl keeps DAC_OVERRIDE only; everything else comes from the / parent.
# Remove this subject if no Apache is installed (see the heading).
/usr/sbin/apachectl {
+CAP_DAC_OVERRIDE
}
### Allow the system backup script to do what is right...
# Stand-alone subject (o) for the system backup script.
# The whole filesystem is readable (/ r) so it can be archived; the writable
# objects are limited to /backup and the devices it logs and talks through.
# Helper binaries are ix: they run inside this subject instead of under their
# own ACL, so the object list above applies to them as well.
# NOTE(review): CAP_SYS_ADMIN is kept for mount, but it allows far more than
# mounting; keep this subject's writable objects as short as they are now.
/home/system/scripts/backup/system_backup.sh o {
/ r
/bin rx
/usr/bin rx
/lib rx
/usr/lib rx
/home r
/proc r
/etc r
/dev/log rw
/dev/tty rw
/dev/pts rw
/dev/null rw
/backup rw
/bin/mount ix
+CAP_SYS_ADMIN
/usr/bin/logger ix
/bin/mkdir ix
/bin/tar ix
/usr/bin/md5sum ix
/bin/grep ix
/bin/rm ix
/usr/bin/openssl ix
+CAP_DAC_READ_SEARCH
+CAP_DAC_OVERRIDE
}
### Allow the samba_backup script to do what's right (including stopping/starting samba)
# Stand-alone subject (o) for the samba backup script. "/" without a mode
# denies everything not listed below; the samba init script and the daemons
# it starts are ix, so they keep running inside this subject.
/home/system/scripts/backup/samba_backup.sh o {
/
/bin rx
/usr/bin rx
/lib rx
/usr/lib rx
/dev/tty rw
/dev/pts rw
/etc/ld.so.preload r
/etc/ld.so.cache r
/etc/fstab r
/etc/mtab r
/proc r
/etc/default/samba r
/etc/init.d/samba irx
/sbin/start-stop-daemon ix
/var/run/samba/ rw
/usr/sbin/nmbd ix
/usr/sbin/smbd ix
/usr/share/zoneinfo r
# append only: the script may add to the samba logs but not rewrite them
/var/log/samba a
/etc/samba r
/dev/log rw
/dev/urandom r
/dev/null rw
/usr/share/samba r
# The next two objects are needed when the script is run from cron
/var/lib/samba rw
/var/cache/samba rw
/home/system/scripts/backup/system_backup.sh rx
+CAP_DAC_OVERRIDE
}
# If samba_backup.sh is run from cron: smbd keeps SETGID/SETUID. This is a
# plain (inheriting) subject, so the daemon otherwise gets the / parent's
# permissions; it has no stand-alone Dmn_* policy in this appendix.
/usr/sbin/smbd {
+CAP_SETGID
+CAP_SETUID
}
### Allow the system_report script to do what's right
# Stand-alone subject (o) for the reporting script: it runs logger, netstat
# and mail inside this subject (ix) and may switch identity (SETUID/SETGID).
# "/" without a mode denies everything not listed.
# NOTE(review): rw on /home/system/scripts/reports lets anything running under
# this subject modify the report scripts themselves. If the reports are
# written there, a separate output directory with r on the scripts is safer.
/home/system/scripts/reports/system_report.sh o {
/bin rx
/sbin rx
/usr/bin rx
/usr/sbin rx
/lib rx
/usr/lib rx
/etc/ld.so.cache r
/etc/ld.so.preload r
/etc/mtab r
/etc/mail.rc r
/proc r
/usr/share/zoneinfo r
/dev/null rw
/dev/tty rw
/dev/pts rw
/dev/log rw
/tmp rw
/
/usr/bin/logger ix
/bin/netstat ix
/usr/bin/mail ix
+CAP_DAC_OVERRIDE
+CAP_DAC_READ_SEARCH
+CAP_SETGID
+CAP_SETUID
/home/system/scripts/reports/system_report.sh rx
/home/system/scripts/reports rw
}
/etc/grsec/debian-secinst/Dmn_apache :
# Debian-secinst v0.1.11 : ANNEXE 11 - Configuration des ACLs GrSecurity
# Simon Castro - http://www.entreelibre.com/scastro/debian-secinst/
#
# Update of the apache acl configuration file provided with the Gradm toolset
# version 1.9.12.
#
# Stand-alone subject (o) for the Apache daemon, derived from the gradm
# 1.9.12 sample (see the file header). -CAP_ALL drops every capability, then
# the five +CAP lines keep the ones listed (NET_BIND_SERVICE for port 80,
# SETUID/SETGID, KILL, DAC_OVERRIDE). "/" without a mode denies everything not
# listed. Network: outgoing UDP to port 53 only, listening on TCP 80 only.
# RES_CRASH 3 10m is presumably the crash limit (3 crashes within 10 minutes)
# for grsecurity's crash protection - confirm against the gradm documentation.
/usr/sbin/apache oXA {
/usr/share r
/etc r
/etc/grsec h
/etc/ld.so.cache r
# NOTE(review): rwx on /tmp lets the web server execute files it has just
# written there; rw is usually enough unless a CGI setup needs more - verify.
/tmp rwx
/lib rx
/usr/lib rx
# append only: Apache may add to its logs but not rewrite them
/var/log/apache a
/var/run/apache.pid w
/var/www rx
/dev/null rw
/bin/bash x
/usr/sbin/apache x
# These lines remove errors related to a debian-secinst setup
/proc/sys/kernel/version r
/dev/urandom r
# NOTE(review): the four WebSphere objects below are active, although the
# original comment said to uncomment them. Comment them out (or delete them)
# if no WebSphere Application Server is installed.
/usr/local/websphere500/appserver/bin/mod_app_server_http.so rx
/var/was/config/cells/plugin-cfg.xml r
/var/was/logs ra
/lockTrace rw
/
-CAP_ALL
+CAP_DAC_OVERRIDE
+CAP_KILL
+CAP_SETGID
+CAP_SETUID
+CAP_NET_BIND_SERVICE
RES_CRASH 3 10m
connect {
# DNS only
0.0.0.0/0:53 dgram udp
# If you use a WebSphere Application Server, list the destination
# TCP ports one by one or use a range like this one...
#{Application_server_IP_address}:9080-9099 stream tcp
# Uncomment here if the WebSphere Application Server is located
# behind Apache (reverse-proxy mode).
#127.0.0.1:9090 stream tcp
}
bind {
0.0.0.0/0:80 stream tcp
# Add here the other listening ports of your Apache setup...
#0.0.0.0/0:443 stream tcp
}
}
/etc/grsec/debian-secinst/Dmn_cron :
# Debian-secinst v0.1.11 : ANNEXE 11 - Configuration des ACLs GrSecurity
# Simon Castro - http://www.entreelibre.com/scastro/debian-secinst/
#
# Update of the cron acl configuration file provided with the Gradm toolset
# version 1.9.12.
#
# Stand-alone subject (o) for the cron daemon, derived from the gradm 1.9.12
# sample (see the file header). The mode-less objects (/etc/environment,
# /var/spool/cron/crontabs, /var/mail, /root) deny access to those paths for
# cron itself; the jobs it starts get their own subjects (x, not ix), see the
# cron.daily/cron.weekly entries below. -CAP_ALL then SETGID/SETUID only, so
# cron can switch to the job owner; no network at all.
# RES_CRASH 1 10m: presumably one crash within 10 minutes already trips
# grsecurity's crash protection - confirm against the gradm documentation.
/usr/sbin/cron oX {
/etc/environment
/var/spool/cron/crontabs
/var/mail
/usr/sbin/sendmail x
/root
/lib rx
/etc r
/etc/grsec h
/dev/log rw
/bin/bash x
/usr/sbin/cron x
/ h
-CAP_ALL
+CAP_SETGID
+CAP_SETUID
RES_CRASH 1 10m
connect {
disabled
}
bind {
disabled
}
}
### Cron.daily
# Daily exim job: keeps the two DAC capabilities, inherits everything else
# from the / parent.
/etc/cron.daily/exim {
+CAP_DAC_OVERRIDE
+CAP_DAC_READ_SEARCH
}
# Stand-alone subject (o) for the daily AIDE job. Binaries under /bin and
# /usr/bin are execute-only (x, no r); the aide binary itself is not listed,
# so it runs under the /usr/bin/aide subject from Sys_aide when executed.
# -CAP_ALL with nothing added back: the job runs without any capability.
# "/" without a mode denies everything not listed.
/etc/cron.daily/aide o {
/bin x
/usr/bin x
/lib rx
/etc/mtab r
/etc/ld.so.preload r
/etc/ld.so.cache r
/proc r
/dev/null w
/dev/tty rw
/tmp rw
/var/log/aide rw
/etc/cron.daily/aide x
/
-CAP_ALL
}
# Daily locate database update: reads the whole filesystem, writes only the
# locate database directory; updatedb and its helpers are ix (kept inside
# this subject).
/etc/cron.daily/find {
/ r
/var/lib/locate/ rw
/usr/bin/updatedb irx
/bin/rm ix
/bin/mv ix
/bin/chmod ix
}
# Daily logrotate run: may restart Apache through its init script (irx) and
# update the logrotate state file. Log directories are not listed here, so
# they come from the / parent - see the /var/log entries in /etc/grsec/acl.
/etc/cron.daily/logrotate {
/bin/sh ix
/etc/init.d/apache irx
/usr/sbin/logrotate ix
/var/lib/logrotate/status rw
}
# Daily man-db job: read-only view of the filesystem plus the helpers it runs
# inside this subject (ix); SETUID/SETGID are kept so start-stop-daemon can
# change identity. The cron.weekly entry below is identical.
/etc/cron.daily/man-db {
/ r
/sbin/start-stop-daemon ix
/bin/sh ix
/usr/bin/find ix
+CAP_SETUID
+CAP_SETGID
}
# Daily modutils job: cleans up the ksymoops log directory with the helpers
# listed (ix); CHOWN and FSETID are kept for the ownership/mode changes it
# makes there.
/etc/cron.daily/modutils {
/var/log/ksymoops rw
/sbin/insmod_ksymoops_clean irx
/bin/cp ix
/bin/rm ix
/usr/bin/find ix
+CAP_CHOWN
+CAP_FSETID
}
# Daily "standard" job: reads the shadow and gshadow files (presumably to
# compare them with cmp, the only helper listed) and may write under /var/log.
# NOTE(review): rw on all of /var/log is wider than one job's report file
# needs; narrow it to the file the job actually writes once known.
/etc/cron.daily/standard {
/etc/shadow r
/etc/gshadow r
/var/log rw
/usr/bin/cmp ix
}
# Daily sysklogd log rotation: writes under /var/log, fixes modes (chmod,
# FSETID) and restarts syslogd through its init script (irx). The
# cron.weekly entry below is identical.
/etc/cron.daily/sysklogd {
/var/log rw
/bin/chmod ix
/etc/init.d/sysklogd irx
+CAP_FSETID
}
# checksecurity: read-only view of the filesystem, writes its results under
# /var/log, and keeps the ownership/mode capabilities its helpers (chmod,
# chown, mv, rm - all ix) need.
/usr/sbin/checksecurity {
/ r
/var/log rw
/usr/bin/find ix
/bin/mv ix
/bin/chmod ix
/bin/chown ix
/bin/rm ix
+CAP_DAC_READ_SEARCH
+CAP_DAC_OVERRIDE
+CAP_FSETID
+CAP_CHOWN
}
### Cron.weekly
# Weekly man-db job: same policy as /etc/cron.daily/man-db above.
/etc/cron.weekly/man-db {
/ r
/sbin/start-stop-daemon ix
/bin/sh ix
/usr/bin/find ix
+CAP_SETUID
+CAP_SETGID
}
# Weekly sysklogd rotation: same policy as /etc/cron.daily/sysklogd above.
/etc/cron.weekly/sysklogd {
/var/log rw
/bin/chmod ix
/etc/init.d/sysklogd irx
+CAP_FSETID
}
### Cron.monthly
### Script to rotate debian-secinst specific logfiles
# Monthly rotation of the debian-secinst log files: writes under /var/log and
# restarts syslogd through its init script (irx). Unlike the cron.* entries
# above it keeps no extra capability, so chmod-style changes are not covered.
/home/system/scripts/crond/sysklogd {
/var/log rw
/etc/init.d/sysklogd irx
}
### Last acl often called
# start-stop-daemon: the k flag lets it kill protected (p) processes, which is
# what the syslogd subject in Dmn_syslogd is; it keeps SETUID and KILL and
# may execute syslogd (x: syslogd then runs under its own subject).
/sbin/start-stop-daemon k {
+CAP_SETUID
+CAP_KILL
/sbin/syslogd x
}
/etc/grsec/debian-secinst/Dmn_syslogd :
# Debian-secinst v0.1.11 : ANNEXE 11 - Configuration des ACLs GrSecurity
# Simon Castro - http://www.entreelibre.com/scastro/debian-secinst/
#
# Update of the syslogd acl configuration file provided with the Gradm toolset
# version 1.9.12.
#
# This file holds all of the log management related ACLs.
#
# Stand-alone subject (o) for syslogd; p marks it protected, so only a
# subject with k (start-stop-daemon in Dmn_cron) may kill it. "/dev" without
# a mode denies the rest of /dev apart from /dev/console and /dev/log; "/ h"
# hides everything else. -CAP_ALL with nothing added back: no capability at
# all, and no network.
# RES_CRASH 1 10m: presumably one crash within 10 minutes trips grsecurity's
# crash protection - confirm against the gradm documentation.
/sbin/syslogd poX {
/etc/syslog.conf r
/dev/console rw
/etc/services r
/lib rx
/dev
/dev/log rw
/var/run rw
/var/log rw
/sbin/syslogd x
/ h
# Setup debian-secinst: savelog runs inside this subject (ix)
/usr/bin/savelog ix
-CAP_ALL
RES_CRASH 1 10m
connect {
disabled
}
bind {
disabled
}
}
# savelog: rotates files under /var/log with the helpers listed (all ix, so
# they stay inside this subject) and keeps the ownership/mode capabilities
# that re-owning rotated logs requires.
# NOTE(review): /usr/bin/aide is listed as ix, so savelog may run aide
# inside this subject; presumably the debian-secinst rotation re-checks the
# logs, confirm that this is wanted.
/usr/bin/savelog {
/var/log rw
/bin/gzip ix
/bin/chgrp ix
/bin/mv ix
/bin/chmod ix
/bin/chown ix
/usr/bin/touch ix
/bin/ln ix
/bin/rm ix
/usr/bin/aide ix
+CAP_CHOWN
+CAP_FOWNER
+CAP_FSETID
+CAP_DAC_READ_SEARCH
+CAP_DAC_OVERRIDE
}
/etc/grsec/debian-secinst/Dmn_websphere :
# Debian-secinst v0.1.11 : ANNEXE 11 - Configuration des ACLs GrSecurity
# Simon Castro - http://www.entreelibre.com/scastro/debian-secinst/
#
# Allow a Websphere Application server to run and to be remotely managed by
# HTTP administration console (i.e. : Adding/Removing new web applications,
# starting/stopping web applications, etc...).
#
# You can use this generic ACL, but you had better use the learning mode to
# get much closer to your own environment.
#
# Stand-alone subject (o) for the WebSphere JVM. The mode-less objects
# (/dev, /home, /opt, /usr, /usr/local, /var) deny access to those trees
# except where a more specific entry below re-opens a subdirectory; "/ h"
# hides everything else. -CAP_ALL with nothing added back: no capability.
# Writable objects are confined to /tmp and the /var/was working directories.
/usr/local/websphere500/appserver/java/jre/bin/exe/java do {
/bin rx
/dev
/dev/pts rw
/dev/tty rw
/dev/null rw
/etc r
/etc/grsec h
/etc/ld.so.cache r
/etc/ld.so.preload r
/home
/lib rx
/opt
/proc r
/usr
/usr/bin rx
/usr/lib/ rx
/usr/local
/usr/share/zoneinfo r
/tmp rw
/var
/usr/local/websphere500 r
/usr/local/websphere500/appserver/bin rx
/usr/local/websphere500/appserver/java/jre/bin rx
/var/was/logs/ rw
/var/was/temp/ rw
/var/was/tranlog/ rw
/var/was/wstemp/ rw
# On production servers you should probably make these two read-only (r):
# a writable config and deployed-applications tree lets a compromised JVM
# change what gets deployed.
/var/was/config/ rw
/var/was/installedApps/ rw
/var/was/installableApps r
/var/was/properties r
# the wrapper java binary stays inside this subject (i), the real one is rx
/usr/local/websphere500/appserver/java/jre/bin/java irx
/usr/local/websphere500/appserver/java/jre/bin/exe/java rx
/ h
-CAP_ALL
}
/etc/grsec/debian-secinst/Sys_aide :
# Debian-secinst v0.1.11 : ANNEXE 11 - Configuration des ACLs GrSecurity
# Simon Castro - http://www.entreelibre.com/scastro/debian-secinst/
#
# Acls for an AIDE configuration.
#
# Stand-alone subject (o) for AIDE: read-only view of the trees it checks,
# writes only under /var/log/aide. -CAP_ALL then the two DAC capabilities so
# it can read files regardless of DAC ownership. "/" without a mode denies
# everything not listed.
# NOTE(review): no object covers the AIDE database location; presumably it
# lives under one of the readable trees above - confirm against aide.conf.
/usr/bin/aide o {
/bin rx
/sbin r
/etc r
/home/system r
/lib rx
/usr r
/var/log/aide rw
/usr/bin/aide rx
/
-CAP_ALL
+CAP_DAC_READ_SEARCH
+CAP_DAC_OVERRIDE
}
/etc/grsec/debian-secinst/Sys_exim :
# Debian-secinst v0.1.11 : ANNEXE 11 - Configuration des ACLs GrSecurity
# Simon Castro - http://www.entreelibre.com/scastro/debian-secinst/
#
# Allow exim to run (used by cron jobs and by users Mail actions)
#
# Note : /usr/sbin/sendmail is a symlink to this one...
#
# exim_tidydb: keeps the two DAC capabilities, inherits everything else from
# the / parent.
/usr/sbin/exim_tidydb {
+CAP_DAC_OVERRIDE
+CAP_DAC_READ_SEARCH
}
# Stand-alone subject (o) for exim (also reached through the /usr/sbin/sendmail
# symlink, see the file header). "/home" without a mode denies access to user
# home directories; the spool and mailboxes are rw, the two logs append only
# (a). -CAP_ALL then the four +CAP lines so it can switch identity and reach
# mailboxes regardless of DAC ownership. "/" without a mode denies everything
# not listed. No connect/bind section: network access is left to the default.
# RES_CRASH 1 10m: presumably one crash within 10 minutes trips grsecurity's
# crash protection - confirm against the gradm documentation.
/usr/sbin/exim doX {
/etc r
/etc/grsec h
/lib rx
/usr/lib rx
/usr/share/zoneinfo r
/home
/proc r
/dev/null rw
/var/spool/exim rw
/var/log/exim/mainlog a
/var/log/exim/paniclog a
/var/mail rw
/usr/sbin/exim x
/
-CAP_ALL
+CAP_SETGID
+CAP_SETUID
+CAP_DAC_OVERRIDE
+CAP_DAC_READ_SEARCH
RES_CRASH 1 10m
}
Copyright (c) 2003 Simon Castro, scastro [ at ] entreelibre.com.
Permission is granted to copy, distribute and/or modify this document under the
terms of the GNU Free Documentation License, Version 1.2 or any later version
published by the Free Software Foundation; with the Invariant Sections being
LIST THEIR TITLES, with the Front-Cover Texts being LIST, and with the
Back-Cover Texts being LIST.
You must have received a copy of the license with this document and it should
be present in the fdl.txt file.
If you did not receive this file or if you don't think this fdl.txt license is
correct, have a look at the official http://www.fsf.org/licenses/fdl.txt
licence file.