ANNEXE 13 - ACLs GrSecurity pour Debian-secinst =============================================== Patch pour le fichier /etc/grsec/acl : -------------------------------------- 4c4,5 < /home rwx --- > /home rx > /mnt r 14a16,17 > /dev/dsp rw > /dev/mixer rw 24a28 > /etc/postfix r 31c35 < /root rx --- > /root r 35a40 > /var/spool/postfix/lib rx 38c43 < /var/log r --- > /var/log 42,48d46 < /home/system rx < < # If you use WAS and if you want to set next for admins ? < /var/was/installableApps rw < # Same for this one if you use a webserver ? < /var/www/htdocs rw < 53d50 < include /etc/grsec/debian-secinst/Adm_addons : -------------------------------------- # Debian-secinst v0.1.11 : ANNEXE 13 - ACLs GrSecurity pour Debian-secinst # Simon Castro - http://www.entreelibre.com/scastro/debian-secinst/ # # These acls are addons for the default security restrictions applied with # /etc/grsec/acl. They are used to lower the security level so that admins can # work on the server without having to get root or gradm -a permissions. # # The first acls allow user to administrate the server while the last ones # are related to specific daemons administration such as Apache or Ibm Websphere # Application Server. # # Un-securing the server is way is something you should think about before # doing anything :) # # Note that most of next Acls inherit default permissions from the / parent. # ### Allowing /bin/su /bin/su { /etc/shadow r /dev/log rw /var/log/sulog rw +CAP_SYS_TTY_CONFIG +CAP_SETGID +CAP_SETUID +CAP_SYS_RESOURCE } /usr/bin/mesg { +CAP_FOWNER +CAP_FSETID } ### Allowing /usr/bin/sudo /usr/bin/sudo { /dev/log rw /etc/shadow r /usr/bin/sudo x +CAP_SETGID +CAP_SETUID } ### Allowing /bin/ps without logfiles errors ? 
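Review bot: The `/etc/grsec/acl` patch at the top of this annex looks like its sides are reversed: `53d50 < include /etc/grsec/debian-secinst/Adm_addons` and `42,48d46 < /home/system rx …` list the Adm_addons include and the `/home/system` object as lines to delete, yet the rest of the annex presents Adm_addons as the file to load and its backup/report subjects live under /home/system. If it was produced as `diff new old`, applying it with `patch` as given would remove the include instead of adding it; regenerate it as `diff -u old new` (or apply with `patch -R`) and check that the resulting acl still contains the include line. Also worth double-checking `< /var/log r` → `> /var/log`: the new side drops the read mode on /var/log for everything inheriting the default subject, which may be intended hardening or a side effect of the reversed direction.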
# NOTE(review): both capabilities appear to be granted only to silence the
# denial messages ps produces under the default policy (see heading above).
# CAP_DAC_OVERRIDE bypasses file permission checks on everything this subject
# can reach; prefer granting the specific /proc objects ps is denied on.
/bin/ps {
	+CAP_DAC_OVERRIDE
	+CAP_SYS_PTRACE
}

### Allowing Mail on the server (does not inherit from / parent)
# Subject modes "do": "o" overrides object inheritance from the default (/)
# subject, so only the objects listed here apply (check the gradm docs for "d").
/usr/bin/mail do {
	/etc				r
	# Keep the RBAC policy itself invisible to the mail client.
	/etc/grsec			h
	/lib				rx
	/usr/lib			rx
	/usr/share/zoneinfo		r
	/proc				r
	/tmp				rw
	/var/mail			rw
	# "x" without "i": the executed program runs under its own subject
	# (bash, exim) instead of inheriting this one.
	/bin/bash			x
	/usr/sbin/exim			x
	# dotlockfile inherits this subject ("i") — it needs /var/mail rw above.
	/usr/bin/dotlockfile		ix
	/usr/bin/mail			x
	# Everything not listed above is hidden.
	/				h
	-CAP_ALL
	# Presumably needed to write mailboxes the invoking user does not own —
	# TODO confirm all four are actually required.
	+CAP_DAC_OVERRIDE
	+CAP_DAC_READ_SEARCH
	+CAP_SETUID
	+CAP_SETGID
	connect {
		disabled
	}
	bind {
		disabled
	}
}

### Allowing Reboot via shutdown
/sbin/shutdown {
	# Listed without an access mode; the /etc files shutdown needs are
	# granted individually below (see the gradm object-mode docs for what a
	# mode-less object permits).
	/etc
	/etc/ld.so.preload		r
	/etc/ld.so.cache		r
	/etc/nsswitch.conf		r
	/etc/passwd			r
	/dev/initctl			rw
	+CAP_DAC_OVERRIDE
	+CAP_SETUID
	+CAP_SYS_TTY_CONFIG
}
/sbin/reboot {
	# Append-only: reboot records the shutdown in wtmp.
	/var/log/wtmp			a
	+CAP_SYS_BOOT
}

### Do we use an Apache webserver ?
# NOTE(review): a blanket CAP_DAC_OVERRIDE on apachectl is broad; it is
# presumably here so the control script works for a non-root admin — confirm
# which access actually fails without it before keeping it.
/usr/sbin/apachectl {
	+CAP_DAC_OVERRIDE
}

### Allow the system backup script to do what is right...
# Subject mode "o": no object inheritance from the / parent.
# NOTE(review): every helper below marked "ix" inherits this subject, so tar,
# rm, openssl, grep, ... all run with CAP_SYS_ADMIN and DAC override as well,
# not only mount. The script itself is only readable (via "/home r"), which
# keeps it from modifying its own code under this policy.
/home/system/scripts/backup/system_backup.sh o {
	/				r
	/bin				rx
	/usr/bin			rx
	/lib				rx
	/usr/lib			rx
	/home				r
	/proc				r
	/etc				r
	/dev/log			rw
	/dev/tty			rw
	/dev/pts			rw
	/dev/null			rw
	# Backup destination: the only writable filesystem location besides /dev.
	/backup				rw
	/bin/mount			ix
	# Required by mount.
	+CAP_SYS_ADMIN
	/usr/bin/logger			ix
	/bin/mkdir			ix
	/bin/tar			ix
	/usr/bin/md5sum			ix
	/bin/grep			ix
	/bin/rm				ix
	/usr/bin/openssl		ix
	+CAP_DAC_READ_SEARCH
	+CAP_DAC_OVERRIDE
}

### Allow the samba_backup script to do what's right (including stop/starting samba)
# NOTE(review): nmbd/smbd are "ix" here, so daemons (re)started by this script
# keep inheriting this subject (CAP_DAC_OVERRIDE, /var/lib/samba rw, ...) for
# their whole lifetime instead of running under the /usr/sbin/smbd subject
# below. Use "x" if they should transition to their own policy — confirm.
/home/system/scripts/backup/samba_backup.sh o {
	# Mode-less "/": unlisted paths are listed but get no access mode.
	/
	/bin				rx
	/usr/bin			rx
	/lib				rx
	/usr/lib			rx
	/dev/tty			rw
	/dev/pts			rw
	/etc/ld.so.preload		r
	/etc/ld.so.cache		r
	/etc/fstab			r
	/etc/mtab			r
	/proc				r
	/etc/default/samba		r
	# The init script and start-stop-daemon run inside this subject.
	/etc/init.d/samba		irx
	/sbin/start-stop-daemon		ix
	/var/run/samba/			rw
	/usr/sbin/nmbd			ix
	/usr/sbin/smbd			ix
	/usr/share/zoneinfo		r
	# Append-only samba logs.
	/var/log/samba			a
	/etc/samba			r
	/dev/log			rw
	/dev/urandom			r
	/dev/null			rw
	/usr/share/samba		r
	# Only needed when the script is run from cron.
	/var/lib/samba			rw
	/var/cache/samba		rw
	# "rx" without "i": system_backup.sh runs under its own subject above.
	/home/system/scripts/backup/system_backup.sh	rx
	+CAP_DAC_OVERRIDE
}
# Only needed when samba_backup.sh is run from cron.
/usr/sbin/smbd {
	+CAP_SETGID
	+CAP_SETUID
}

### Allow the system_report script to do what's right
# NOTE(review): /usr/bin/mail is "ix" here, so when invoked from this script
# it inherits this subject (DAC override, setuid/setgid, no connect/bind
# rules) instead of the tighter "/usr/bin/mail do" policy above; use "x" if
# the mail client should transition to its own subject.
/home/system/scripts/reports/system_report.sh o {
	/bin				rx
	/sbin				rx
	/usr/bin			rx
	/usr/sbin			rx
	/lib				rx
	/usr/lib			rx
	/etc/ld.so.cache		r
	/etc/ld.so.preload		r
	/etc/mtab			r
	/etc/mail.rc			r
	/proc				r
	/usr/share/zoneinfo		r
	/dev/null			rw
	/dev/tty			rw
	/dev/pts			rw
	/dev/log			rw
	/tmp				rw
	/
	/usr/bin/logger			ix
	/bin/netstat			ix
	/usr/bin/mail			ix
	+CAP_DAC_OVERRIDE
	+CAP_DAC_READ_SEARCH
	+CAP_SETGID
	+CAP_SETUID
	# The script itself is read/exec only; the directory it writes reports
	# into is writable.
	/home/system/scripts/reports/system_report.sh	rx
	/home/system/scripts/reports	rw
}

/etc/grsec/debian-secinst/Dmn_apache :
--------------------------------------
# Debian-secinst v0.1.11 : APPENDIX 11 - GrSecurity ACL configuration
# Simon Castro - http://www.entreelibre.com/scastro/debian-secinst/
#
# Update of the apache acl configuration file provided with the Gradm toolset
# version 1.9.12.
#
# NOTE(review): "/tmp rwx" lets a compromised worker write a file and then
# execute it; drop the "x" unless something in this deployment genuinely
# executes from /tmp. CAP_DAC_OVERRIDE is also broader than a stock Apache
# normally needs next to NET_BIND_SERVICE/SETUID/SETGID/KILL — confirm which
# access fails without it before keeping it.
/usr/sbin/apache oXA {
	/usr/share			r
	/etc				r
	/etc/grsec			h
	/etc/ld.so.cache		r
	/tmp				rwx
	/lib				rx
	/usr/lib			rx
	# Append-only log, write-only pid file.
	/var/log/apache			a
	/var/run/apache.pid		w
	# Document root: readable and executable, never writable.
	/var/www			rx
	/dev/null			rw
	/bin/bash			x
	/usr/sbin/apache		x
	# These two remove denial messages seen with a debian-secinst setup.
	/proc/sys/kernel/version	r
	/dev/urandom			r
	# WebSphere Application Server plug-in objects. NOTE(review): the original
	# comment said "uncomment", but these four lines are active as written —
	# comment them out if you do not run WebSphere behind this Apache.
	/usr/local/websphere500/appserver/bin/mod_app_server_http.so	rx
	/var/was/config/cells/plugin-cfg.xml	r
	/var/was/logs			ra
	/lockTrace			rw
	/
	-CAP_ALL
	+CAP_DAC_OVERRIDE
	+CAP_KILL
	+CAP_SETGID
	+CAP_SETUID
	+CAP_NET_BIND_SERVICE
	# Crash limit: 3 crashes within 10 minutes (see gradm docs for the response).
	RES_CRASH 3 10m
	connect {
		# DNS lookups to any resolver.
		0.0.0.0/0:53 dgram udp
		# If you use a WebSphere Application Server, set the destination
		# tcp ports one by one or use that kind of range...
		#{Application_server_IP_address}:9080-9099 stream tcp
		# Uncomment here if the WebSphere Application Server is located
		# behind Apache (reverse-proxy mode).
		#127.0.0.1:9090 stream tcp
	}
	bind {
		0.0.0.0/0:80 stream tcp
		# Add the other listening ports of your Apache setup here...
		#0.0.0.0/0:443 stream tcp
	}
}

/etc/grsec/debian-secinst/Dmn_cron :
------------------------------------
# Debian-secinst v0.1.11 : APPENDIX 11 - GrSecurity ACL configuration
# Simon Castro - http://www.entreelibre.com/scastro/debian-secinst/
#
# Update of the cron acl configuration file provided with the Gradm toolset
# version 1.9.12.
#
/usr/sbin/cron oX {
	# NOTE(review): these entries carry no access mode; verify against the
	# gradm object-mode documentation that this is the intended access for
	# the spool and mail directories cron works with.
	/etc/environment
	/var/spool/cron/crontabs
	/var/mail
	# sendmail (a symlink to exim, see Sys_exim) transitions to its own subject.
	/usr/sbin/sendmail		x
	/root
	/lib				rx
	/etc				r
	/etc/grsec			h
	/dev/log			rw
	/bin/bash			x
	/usr/sbin/cron			x
	/				h
	-CAP_ALL
	+CAP_SETGID
	+CAP_SETUID
	RES_CRASH 1 10m
	connect {
		disabled
	}
	bind {
		disabled
	}
}

### Cron.daily
/etc/cron.daily/exim {
	+CAP_DAC_OVERRIDE
	+CAP_DAC_READ_SEARCH
}
# Subject mode "o": no inheritance from the default subject; "/" has no mode.
/etc/cron.daily/aide o {
	# "x" only: binaries executed from here do not inherit this subject
	# (/usr/bin/aide runs under the Sys_aide subject).
	/bin				x
	/usr/bin			x
	/lib				rx
	/etc/mtab			r
	/etc/ld.so.preload		r
	/etc/ld.so.cache		r
	/proc				r
	/dev/null			w
	/dev/tty			rw
	/tmp				rw
	/var/log/aide			rw
	/etc/cron.daily/aide		x
	/
	-CAP_ALL
}
/etc/cron.daily/find {
	/				r
	/var/lib/locate/		rw
	# updatedb inherits this subject (read everything, write the locate db).
	/usr/bin/updatedb		irx
	/bin/rm				ix
	/bin/mv				ix
	/bin/chmod			ix
}
/etc/cron.daily/logrotate {
	/bin/sh				ix
	/etc/init.d/apache		irx
	/usr/sbin/logrotate		ix
	/var/lib/logrotate/status	rw
}
/etc/cron.daily/man-db {
	/				r
	/sbin/start-stop-daemon		ix
	/bin/sh				ix
	/usr/bin/find			ix
	+CAP_SETUID
	+CAP_SETGID
}
/etc/cron.daily/modutils {
	/var/log/ksymoops		rw
	/sbin/insmod_ksymoops_clean	irx
	/bin/cp				ix
	/bin/rm				ix
	/usr/bin/find			ix
	+CAP_CHOWN
	+CAP_FSETID
}
# NOTE(review): this job can read the shadow files and inherits the rest of
# its objects from the default subject — keep that in mind when loosening it.
/etc/cron.daily/standard {
	/etc/shadow			r
	/etc/gshadow			r
	/var/log			rw
	/usr/bin/cmp			ix
}
/etc/cron.daily/sysklogd {
	/var/log			rw
	/bin/chmod			ix
	/etc/init.d/sysklogd		irx
	+CAP_FSETID
}
# Read-all plus write access to /var/log; chown/chmod helpers inherit it.
/usr/sbin/checksecurity {
	/				r
	/var/log			rw
	/usr/bin/find			ix
	/bin/mv				ix
	/bin/chmod			ix
	/bin/chown			ix
	/bin/rm				ix
	+CAP_DAC_READ_SEARCH
	+CAP_DAC_OVERRIDE
	+CAP_FSETID
	+CAP_CHOWN
}

### Cron.weekly
/etc/cron.weekly/man-db {
	/				r
	/sbin/start-stop-daemon		ix
	/bin/sh				ix
	/usr/bin/find			ix
	+CAP_SETUID
	+CAP_SETGID
}
/etc/cron.weekly/sysklogd {
	/var/log			rw
	/bin/chmod			ix
	/etc/init.d/sysklogd		irx
	+CAP_FSETID
}

### Cron.monthly
### Script to rotate debian-secinst specific logfiles
/home/system/scripts/crond/sysklogd {
	/var/log			rw
	/etc/init.d/sysklogd		irx
}

### Last acl often called
# Subject mode "k": may kill protected ("p") processes such as syslogd below.
/sbin/start-stop-daemon k {
	+CAP_SETUID
	+CAP_KILL
	# syslogd transitions to its own subject ("x" without "i").
	/sbin/syslogd			x
}

/etc/grsec/debian-secinst/Dmn_syslogd :
---------------------------------------
# Debian-secinst v0.1.11 : APPENDIX 11 - GrSecurity ACL configuration
# Simon Castro - http://www.entreelibre.com/scastro/debian-secinst/
#
# Update of the syslogd acl configuration file provided with the Gradm toolset
# version 1.9.12.
#
# This file holds all of the log-management related ACLs.
#
# Subject modes "poX": "p" protects the daemon from being killed by subjects
# without "k"; "o" stops object inheritance from the default subject.
# NOTE(review): /var/log is "rw" here whereas the apache and exim subjects use
# append-only ("a") for their logs; consider whether "a" suffices so that a
# compromised syslogd cannot truncate history. Also, savelog is "ix" below, so
# when started by syslogd it inherits this subject (including -CAP_ALL) rather
# than the /usr/bin/savelog subject that follows — confirm the rotation path
# actually works that way.
/sbin/syslogd poX {
	/etc/syslog.conf		r
	/dev/console			rw
	/etc/services			r
	/lib				rx
	/dev
	/dev/log			rw
	/var/run			rw
	/var/log			rw
	/sbin/syslogd			x
	/				h
	# debian-secinst setup: log rotation run from inside the syslogd subject.
	/usr/bin/savelog		ix
	-CAP_ALL
	RES_CRASH 1 10m
	connect {
		disabled
	}
	bind {
		disabled
	}
}
# Applies when savelog is started from outside the syslogd subject (e.g. cron).
# NOTE(review): /usr/bin/aide is "ix" — AIDE run from savelog inherits these
# broad capabilities and "/var/log rw" instead of the Sys_aide subject; the
# reason AIDE is invoked from log rotation is not visible here, confirm.
/usr/bin/savelog {
	/var/log			rw
	/bin/gzip			ix
	/bin/chgrp			ix
	/bin/mv				ix
	/bin/chmod			ix
	/bin/chown			ix
	/usr/bin/touch			ix
	/bin/ln				ix
	/bin/rm				ix
	/usr/bin/aide			ix
	+CAP_CHOWN
	+CAP_FOWNER
	+CAP_FSETID
	+CAP_DAC_READ_SEARCH
	+CAP_DAC_OVERRIDE
}

/etc/grsec/debian-secinst/Dmn_websphere :
-----------------------------------------
# Debian-secinst v0.1.11 : APPENDIX 11 - GrSecurity ACL configuration
# Simon Castro - http://www.entreelibre.com/scastro/debian-secinst/
#
# Allow a WebSphere Application Server to run and to be remotely managed by
# the HTTP administration console (i.e. adding/removing web applications,
# starting/stopping web applications, etc.).
#
# You can use this generic ACL, but you are better off using learning mode to
# derive a policy that matches your own environment closely.
#
# Subject modes "do": "o" overrides object inheritance from the default
# subject (check the gradm docs for "d"); "/ h" at the end hides the rest.
/usr/local/websphere500/appserver/java/jre/bin/exe/java do {
	/bin				rx
	/dev
	/dev/pts			rw
	/dev/tty			rw
	/dev/null			rw
	/etc				r
	/etc/grsec			h
	/etc/ld.so.cache		r
	/etc/ld.so.preload		r
	# Mode-less directory entries: listed so lookups through them succeed;
	# only the more specific children below grant real access.
	/home
	/lib				rx
	/opt
	/proc				r
	/usr
	/usr/bin			rx
	/usr/lib/			rx
	/usr/local
	/usr/share/zoneinfo		r
	/tmp				rw
	/var
	/usr/local/websphere500		r
	/usr/local/websphere500/appserver/bin		rx
	/usr/local/websphere500/appserver/java/jre/bin	rx
	/var/was/logs/			rw
	/var/was/temp/			rw
	/var/was/tranlog/		rw
	/var/was/wstemp/		rw
	# Write access to config/ and installedApps/ is what lets the admin
	# console deploy and reconfigure applications at runtime. On production
	# servers where that is not done, make both read-only: a compromised JVM
	# could otherwise rewrite its own configuration and deployed code.
	/var/was/config/		rw
	/var/was/installedApps/		rw
	/var/was/installableApps	r
	/var/was/properties		r
	# bin/java inherits this subject ("i"); exe/java (presumably the real
	# executable behind it) is only read/exec.
	/usr/local/websphere500/appserver/java/jre/bin/java	irx
	/usr/local/websphere500/appserver/java/jre/bin/exe/java	rx
	/				h
	-CAP_ALL
}

/etc/grsec/debian-secinst/Sys_aide :
------------------------------------
# Debian-secinst v0.1.11 : APPENDIX 11 - GrSecurity ACL configuration
# Simon Castro - http://www.entreelibre.com/scastro/debian-secinst/
#
# ACLs for an AIDE configuration.
#
# NOTE(review): with "o" and a mode-less "/", AIDE can only read the trees
# listed here (/bin, /sbin, /etc, /home/system, /lib, /usr); any other path in
# aide.conf (e.g. /boot, /root, /var) is not readable under this subject.
# /var/log/aide is the only writable path — if the reference database is kept
# there (database/database_out in aide.conf), the checker itself could rewrite
# its own baseline; confirm where the database lives and keep a copy the
# checker cannot write.
/usr/bin/aide o {
	/bin				rx
	/sbin				r
	/etc				r
	/home/system			r
	/lib				rx
	/usr				r
	/var/log/aide			rw
	/usr/bin/aide			rx
	/
	-CAP_ALL
	+CAP_DAC_READ_SEARCH
	+CAP_DAC_OVERRIDE
}

/etc/grsec/debian-secinst/Sys_exim :
------------------------------------
# Debian-secinst v0.1.11 : APPENDIX 11 - GrSecurity ACL configuration
# Simon Castro - http://www.entreelibre.com/scastro/debian-secinst/
#
# Allow exim to run (used by cron jobs and by users' mail actions).
#
# Note: /usr/sbin/sendmail is a symlink to this binary...
#
/usr/sbin/exim_tidydb {
	+CAP_DAC_OVERRIDE
	+CAP_DAC_READ_SEARCH
}
# NOTE(review): unlike the cron, syslogd and mail subjects, no connect/bind
# rules are given here, so socket use is left at the policy default. If exim
# only delivers local mail in this setup, add "connect { disabled }" and
# "bind { disabled }" (or restrict to the relay host) to match the others.
/usr/sbin/exim doX {
	/etc				r
	/etc/grsec			h
	/lib				rx
	/usr/lib			rx
	/usr/share/zoneinfo		r
	# Mode-less: home directories are listed but not readable — TODO confirm
	# this is enough for per-user delivery (e.g. .forward handling).
	/home
	/proc				r
	/dev/null			rw
	/var/spool/exim			rw
	# Append-only logs.
	/var/log/exim/mainlog		a
	/var/log/exim/paniclog		a
	/var/mail			rw
	/usr/sbin/exim			x
	/
	-CAP_ALL
	+CAP_SETGID
	+CAP_SETUID
	+CAP_DAC_OVERRIDE
	+CAP_DAC_READ_SEARCH
	RES_CRASH 1 10m
}