Hardened Sys: sudo, restricted shells, binary tools? - BSD



Thread: Hardened Sys: sudo, restricted shells, binary tools?

  1. Hardened Sys: sudo, restricted shells, binary tools?

    Are there tools for OpenBSD that will verify or control binaries /
    executables other than systrace?


    If I add access to the applications firefox, mozilla, ftp, tcpdump,
    etc., how can I tie those applications down to a single user's home path
    so that the user or any languages embedded in the applications cannot open
    paths to save, view or invoke utilities outside their home ~/user?

    I am asking what I may have left out that is quick, dirty & obvious.
    The account should have Internet access (ftp and http protocol support)
    using dhcp dhclient, use ifconfig to bring interfaces up and down, have
    general access to pfctl as well as add problem sites to tables in pf,
    and view ongoing network activity through tcpdump and pfctl.

    I have (or am in the process of)...

    - have added a login class within /etc/login.conf named "restricted"
    where for "shell" I added /bin/rksh. I remain confused on what it
    takes to get a restricted shell to work properly. What is the proper
    way to set up a restricted shell for a single user? I've applied the
    restricted shell and logged in as this user and was able to cd to / and
    perform an ls on any filesystem in the box.

    - have modified select filesystems within /etc/fstab to read only,
    noexec, nodev, nosuid

    - have modified /etc/ttys so that root cannot be used to log directly
    into the system, or pass through single user mode without a password.

    - have added S/Key to all user accounts (not root yet) so that sudo may
    be used without revealing the user's password.

    - have added quotas to users, so as to prevent writing to areas of the
    filesystem that are controlled via /etc/fstab

    - have developed a comprehensive sudo configuration to restrict the
    commands that users can execute while using sudo. sudo has a
    good feel to it, but (1) I've seen the published workarounds, and (2) they
    should have included a hash function so that files on the OS with a
    registered sudo hash would not run no matter where the utility was
    located.

    Is the following NOT the right way to develop a sudo configuration?
    So far I have gone through the filesystems mounted on / at boot. The
    following is an example for /sbin.

    # /SBIN
    #
    # ALLOW
    Cmnd_Alias A_SBIN = \
    /sbin/halt,/sbin/mount,/sbin/pfctl,/sbin/reboot,/sbin/umount, \
    /sbin/shutdown

    #
    # DENY
    Cmnd_Alias D_SBIN = /sbin/ancontrol,/sbin/atactl,/sbin/badsect, \
    /sbin/brconfig,/sbin/ccdconfig,/sbin/chown,/sbin/clri,/sbin/dhclient,\
    /sbin/dhclient-script,/sbin/disklabel,/sbin/dmesg,/sbin/dump, \
    /sbin/dumpfs,/sbin/fdisk,/sbin/fsck,/sbin/fsck_ext2fs,/sbin/fsck_ffs,\
    /sbin/fsck_msdos,/sbin/fsdb,/sbin/fsirand,/sbin/growfs, \
    /sbin/ifconfig,/sbin/init,/sbin/iopctl,/sbin/ipsecadm,/sbin/isakmpd, \
    /sbin/kbd,/sbin/ldconfig,/sbin/lmccontrol,/sbin/mkfifo, \
    /sbin/mknod,/sbin/modload,/sbin/modunload,/sbin/mount_ados, \
    /sbin/mount_cd9660,/sbin/mount_ext2fs,/sbin/mount_fdesc, \
    /sbin/mount_ffs,/sbin/mount_kernfs,/sbin/mount_mfs,/sbin/mount_msdos,\
    /sbin/mount_nfs,/sbin/mount_ntfs,/sbin/mount_null,/sbin/mount_portal,\
    /sbin/mount_procfs,/sbin/mount_umap,/sbin/mount_union, \
    /sbin/mount_xfs,/sbin/mountd,/sbin/ncheck,/sbin/ncheck_ffs, \
    /sbin/newfs,/sbin/newfs_msdos,/sbin/nfsd,/sbin/nologin,/sbin/pflogd, \
    /sbin/ping,/sbin/ping6,/sbin/quotacheck,/sbin/raidctl,/sbin/rdump, \
    /sbin/restore,/sbin/route,/sbin/routed,/sbin/rrestore,/sbin/rtquery, \
    /sbin/rtsol,/sbin/savecore,/sbin/scan_ffs,/sbin/scsi,/sbin/slattach, \
    /sbin/swapctl,/sbin/swapon,/sbin/sysctl,/sbin/ttyflags,/sbin/tunefs, \
    /sbin/wicontrol,/sbin/wsconsctl


    - am about to implement chflags wherever possible. Quite a bit of
    work...logs and all.

    - am preparing for use of systrace, but policy development and testing
    is _very_ time consuming given the number of utilities. I have to
    attempt to use the applications through their expected range before
    going online.

    - am developing a rewrite of the script /etc/security and
    /etc/changelist for three digests md5, sha512 & rmd160.

    - am developing a script that will run while the system boots through
    single user mode to verify text files ("if -T _ && -f _") signed using
    the admin's signature at the time of the installation followed by hash
    as in /etc/security script above (which I will release for peer
    review...and while I'm no programmer, what I have works, for what
    it's worth). I'm going to keep working on it till it gels.

    - I have not chrooted anything yet and do not know if that would help.

    Notes used:
    - OPENBSD
    - FAQ 10.18 ON KSH
    - /etc/ksh.kshrc
    - ksh (1) - public domain Korn shell

    - PALMER p 108
    - a restricted shell can be called in one of two ways..."allegedly."
    # rksh
    # ksh -r
    - the restricted shell is one attribute of the secure env, the other
    incl. binary restrictions & filesystem restrictions
    - PATH variables must contain only system executables and no local or
    user controlled directories. This prevents the execution of user
    supplied binaries in /home or /tmp
    - make sure the user cannot execute editors such as vi

    I'm doing this work to improve my own skills and am planning to make
    all notes and diff(s) of all work available for quick installation to
    others' OpenBSD systems if anyone is interested. ETA ~ 1 month if I can
    make the output completely worthwhile.


    Appreciate all the help.

    Thanks In Advance!
    Tommy

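The restricted-shell notes above (PATH limited to system directories, no user-controlled directories, no editors reachable) can be checked mechanically. The following audit script is an added example, not code from the thread; the function name audit_restricted_env, the USER_CONTROLLED_PREFIXES list and the numeric uid argument are assumptions, and it relies on the ksh(1) behaviour that the -r / rksh restrictions take effect only after .profile has been processed.

```shell
#!/bin/sh
# Added audit helper (not from the thread). ksh(1) applies the -r / rksh
# restrictions only after .profile has been processed, so a restricted login
# is only as strong as root's control over .profile, the home directory and
# every directory in PATH. audit_restricted_env (an assumed name) prints one
# FINDING line per problem and returns 1 if any were found, 0 otherwise.
: "${USER_CONTROLLED_PREFIXES:=/home /tmp}"   # dirs that must never be in PATH

# True (0) when uid $2 can write $1: it owns the file, or group/other has 'w'.
writable_by_uid() {
    set -- "$1" "$2" $(ls -ldn "$1" 2>/dev/null | awk '{print $1, $3}')
    [ $# -ge 4 ] || return 1                 # path missing: nothing to write
    [ "$4" = "$2" ] && return 0              # owned by the restricted user
    case "$3" in ?????w*|????????w*) return 0 ;; esac   # group/other write bit
    return 1
}

# usage: audit_restricted_env HOME_DIR PATH_VALUE NUMERIC_UID
audit_restricted_env() {
    home=$1 uid=$3 findings=0
    oldifs=$IFS; IFS=:; set -- $2; IFS=$oldifs   # split PATH into "$@"
    if [ ! -f "$home/.profile" ]; then
        echo "FINDING: $home/.profile missing, so PATH is not pinned"; findings=1
    elif writable_by_uid "$home/.profile" "$uid"; then
        echo "FINDING: $home/.profile is writable by uid $uid"; findings=1
    fi
    # A writable home lets the user unlink and recreate a root-owned .profile.
    if writable_by_uid "$home" "$uid"; then
        echo "FINDING: $home is writable by uid $uid"; findings=1
    fi
    for d in "$@"; do
        case "$d" in ''|[!/]*)              # empty or relative entry means cwd
            echo "FINDING: relative PATH entry '$d'"; findings=1; continue ;; esac
        for p in $USER_CONTROLLED_PREFIXES; do
            case "$d" in "$p"|"$p"/*)
                echo "FINDING: user-controlled PATH entry $d"; findings=1 ;; esac
        done
        if writable_by_uid "$d" "$uid"; then
            echo "FINDING: PATH directory $d is writable by uid $uid"; findings=1
        fi
        for e in vi ed sh ksh csh; do       # editors and shells that escape rksh
            if [ -e "$d/$e" ]; then
                echo "FINDING: $d/$e is reachable from PATH"; findings=1
            fi
        done
    done
    return $findings
}
```

Run it as root against the restricted user's home, the PATH that root pins in that user's .profile, and the user's uid; a clean run exits 0.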

  2. Re: Hardened Sys: sudo, restricted shells, binary tools?

    "chmod -R 0 /" or something like it may be a good starting point. Users
    can only run programs that have the x bit set.


  3. Re: Hardened Sys: sudo, restricted shells, binary tools?

    Do you have an opinion regarding the development of empty systrace
    policies for applications the user is not to use, and fully developed
    policies for those allowed? What I am planning to do is cover as many
    applications as I deem reasonable throughout the entire operating
    system using a script for the creation of the empty policies.

    Thanks.
    Tommy

