Index: chapter.sgml
===================================================================
RCS file: /home/ncvs/doc/en_US.ISO8859-1/books/handbook/security/chapter.sgml,v
retrieving revision 1.122
diff -u -r1.122 chapter.sgml
--- chapter.sgml 4 Dec 2002 15:21:24 -0000 1.122
+++ chapter.sgml 4 Dec 2002 18:25:52 -0000
@@ -74,6 +74,11 @@
How to configure and use extended file system access
control lists (ACLs) with UFS.
+
+
+ How to configure and load access control extension
+ modules using the TrustedBSD MAC Framework.
+
Before reading this chapter, you should:
@@ -3531,6 +3536,236 @@
It is recommended to use the former over the latter to avoid remount
issues with the root file system.
+
+
+
+
+
+ Robert
+ Watson
+ Sponsored by DARPA and Network Associates Laboratories.
+ Contributed by
+
+
+
+
+ MAC
+
+ Mandatory Access Control (MAC)
+
+ FreeBSD 5.0 includes a new kernel security framework, the
+ TrustedBSD MAC Framework. The MAC Framework permits compile-time,
+ boot-time, and run-time extension of the kernel access control
+ policy, and can be used to load support for Mandatory Access
+ Control (MAC), and custom security modules
+ such as hardening modules. The MAC Framework is currently
+ considered to be an experimental feature, and should not yet
+ be used in production environments without careful consideration.
+ It is anticipated that the MAC Framework will be appropriate for
+ more widespread production use by FreeBSD 5.2.
+
+ When configured into a kernel, the MAC Framework permits
+ security modules to augment the existing kernel access control
+ model, restricting access to system services and objects. For
+ example, the mac_bsdextended module augments file system access
+ control, permitting administrators to provide a firewall-like
+ ruleset constraining access to file system objects based on user
+ ids and group membership. Some modules require little or no
+ configuration, such as mac_seeotheruids, whereas others perform
+ ubiquitous object labeling, such as mac_biba and mac_mls, and
+ require extensive configuration.
+
+ To enable the MAC Framework in your system kernel, you must
+ add the following entry to your kernel configuration:
+
+ options MAC
+
+ Security policy modules shipped with the base system may
+ be loaded using &man.kldload.8; or in the boot &man.loader.8;
+ They may also be compiled directly into the kernel using the
+ following options, if the use of modules is not desired.
+
+ Different MAC policies may be configured in different ways;
+ frequently, MAC policy modules export configuration parameters
+ using the &man.sysctl.8; MIB using the
+ security.mac.* namespace. Policies relying on file system
+ or other labels may require a configuration step that involes
+ assigning initial labels to system objects or creating a
+ policy configuration file. For information on how to configure
+ and use each policy module, see its man page.
+
+ A variety of tools are available to configure the MAC Framework
+ and labels maintained by various policies. Extensions have been
+ made to the login and credential management mechanisms
+ (&man.setusercontext.3;) to support initial user labeling using
+ &man.login.conf.5;. In addition, modifications have been made
+ to &man.su.1;, &man.ps.1;, &man.ls.1;, and &man.ifconfig.8; to
+ inspect and set labels on processes, files, and interfaces. In
+ addition, several new tools have been added to manage labels
+ on objects, including &man.getfmac.8;, &man.setfmac.8;, and
+ &man.setfsmac.8; to manage labels on files, and &man.getpmac.8; and
+ &man.setpmac.8;.
+
+ What follows is a list of policy modules shipped with FreeBSD
+ 5.0.
+
+ Biba Integrity Policy (mac_biba)
+
+ Biba Integrity Policy
+
+ Vendor: TrustedBSD Project
+ Module name: mac_biba.ko
+ Kernel option: MAC_BIBA
+ The Biba Integrity Policy (XXXMANPAGE) provides
+ for hierarchal and non-hierarchal labeling of all system
+ objects with integrity data, and the strict enforcement of
+ an information flow policy to prevent corruption of high
+ integrity subjects and data by low-integrity subjects.
+ Integrity is enforced by preventing high integrity
+ subjects (generally processes) from reading load integrity
+ objects (often files), and preventing low integrity
+ subjects from writing to high integrity objects.
+ This security policy is frequently used in commercial
+ trusted systems to provide strong protection for the
+ Trusted Code Base (TCB). Because it
+ provides ubiquitous labeling, the Biba integrity policy
+ must be compiled into the kernel or loaded at boot.
+
+
+ Interface Silencing Policy (mac_ifoff)
+
+ Interface Silencing Policy
+
+ Vendor: TrustedBSD Project
+ Module name: mac_ifoff.ko
+ Kernel option: MAC_IFOFF
+ The interface silencing policy (XXXMANPAGE)
+ prohibits the use of network interfaces during the boot
+ until explicitly enabled, preventing spurious stack output
+ stack response to incoming packets. This is appropriate
+ for use in environments where the monitoring of packets
+ is required, but no traffic may be generated.
+
+
+ Low-Watermark Mandatory Access Control (LOMAC)
+ (mac_lomac)
+
+ Low-Watermark Mandatory Access Control
+
+
+ LOMAC
+
+ Vendor: Network Associates Laboratories
+ Module name: mac_lomac.ko
+ Kernel option: MAC_LOMAC
+ Similar to the Biba Integrity Policy, the LOMAC
+ policy (XXXMANPAGE) relies on the ubiquitous
+ labeling of all system objects with integrity labels.
+ Unlike Biba, LOMAC permits high integrity subjects to
+ read from low integrity objects, but then downgrades the
+ label on the subject to prevent future writes to high
+ integrity objects. This policy may provide for greater
+ compatibility, as well as require less initial
+ configuration than Biba. However, as with Biba, it
+ ubiquitously labels objects and must therefore be
+ compiled into the kernel or loaded at boot.
+
+
+ Multi-Level Security Policy (MLS) (mac_mls)
+
+ Multi-Level Security Policy
+
+
+ MLS
+
+ Vendor: TrustedBSD Project
+ Module name: mac_mls.ko
+ Kernel option: MAC_MLS
+ Multi-Level Security (MLS)
+ (XXXMANPAGE) provides for hierarchal and
+ non-hierarchal labeling of all system objects with
+ sensitivity data, and the strict enforcement of an
+ information flow policy to prevent the leakage of
+ confidential data to untrusted parties. The logical
+ conjugate of the Biba Integrity Policy,
+ MLS is frequently shipped in
+ commercial trusted operating systems to protect data
+ secrecy in multi-user environments. Hierarchal labels
+ provide support for the notion of clearances and
+ classifications in traditional parlance; non-hierarchal
+ labels provide support for "need-to-know". As with
+ Biba, ubiquitous labeling of objects occurs, and it
+ must therefore be compiled into the kernel or loaded
+ at boot. As with Biba, extensive initial configuration
+ may be required.
+
+
+ MAC Stub Policy (mac_none)
+
+ MAC Stub Policy
+
+ Vendor: TrustedBSD Project
+ Module name: mac_none.ko
+ Kernel option: MAC_NONE
+ The None policy (XXXMANPAGE) provides a stub
+ sample policy for developers, implementing all entry
+ points, but not changing the system access control
+ policy. Running this on a production system would
+ not be highly beneficial.
+
+
+ Process Partition Policy (mac_partition)
+
+ Process Partition Policy
+
+ Vendor: TrustedBSD Project
+ Module name: mac_partition.ko
+ Kernel option: MAC_PARTITION
+ The Partition policy (XXXMANPAGE) provides for a
+ simple process visibility limitation, assigning labels to
+ processes identifying what numeric system partition they
+ are present in. If none, all other processes are visible
+ using standard monitoring tools; if a partition identifier
+ is present, then only other processes in the same
+ partition are visible. This policy may be compiled into
+ the kernel, loaded at boot, or loaded at run-time.
+
+
+ See Other Uids Policy (mac_seeotheruids)
+
+ See Other Uids Policy
+
+ Vendor: TrustedBSD Project
+ Module name: mac_seeotheruids.ko
+ Kernel option: MAC_BIBA
+ The See Other Uids policy (XXXMANPAGE) implements
+ a similar process visibility model to mac_partition,
+ except that it relies on process credentials to control
+ visibility of processes, rather than partition labels. This
+ policy may be configured to exempt certain users and groups,
+ including permitting system operators to view all processes
+ without special privilege. This policy may be compiled into
+ the kernel, loaded at boot, or loaded at run-time.
+
+
+ MAC Framework Test Policy
+
+ MAC Framework Test Policy
+
+ Vendor: TrustedBSD Project
+ Module name: mac_test.ko
+ Kernel option: MAC_TEST
+ The Test policy (XXXMANPAGE) provides a regression test
+ environment for the MAC Framework, and will cause a
+ fail-stop in the event that internal MAC Framework assertions
+ about proper data labeling fail. This module can be used to
+ detect failures to properly label system objects in the kernel
+ implementation. This policy may be compiled into the kernel,
+ loaded at boot, or loaded at run-time.
+
+
+
+