• Принудительный контроль доступа (MAC)
• Mandatory Access Control
• Повышение уровня безопасности apache с использованием МАС
• Biba Model
• Multilevel security

• Попробовать добавить уровень защиты (securelevel) для запрета изменения меток пользователям root

# cat /etc/login.conf
...
russian|Russian Users Accounts:\
        :charset=UTF-8:\
        :lang=ru_RU.UTF-8:\
        :tc=default:\
        :label=mls/5,biba/5:
...

# cap_mkdb /etc/login.conf

# pw usermod user1 -L russian

# mkdir ~user1/doc

# chown user1:user1 ~user1/doc

# setfmac 'biba/5,mls/5' ~user1/doc

# ls ~user1/doc

# setfmac 'biba/high,mls/low' ~user1/doc

# setpmac 'biba/5,mls/5' setfmac 'biba/high,mls/low' ~user1/doc

• Web сервер на shell
• Сервис INETD

# fetch -qo - http://server.corpX.un/index.html

# fetch -qo - http://server.corpX.un/../../etc/passwd

Идея: все процессы будут работать с меткой equal по умолчанию

• Установка исходных текстов ядра

# rcsdiff /usr/src/sys/security/mac_mls/mac_mls.c

875c875
<       mls_set_effective(dest, MAC_MLS_TYPE_LOW, 0, NULL);
---
>       mls_set_effective(dest, MAC_MLS_TYPE_EQUAL, 0, NULL);

# rcsdiff /usr/src/sys/security/mac_biba/mac_biba.c

915c915
<       biba_set_effective(dest, MAC_BIBA_TYPE_HIGH, 0, NULL);
---
>       biba_set_effective(dest, MAC_BIBA_TYPE_EQUAL, 0, NULL);

• Компиляция и инсталяция ядра

# cat /boot/loader.conf

mac_mls_load="YES"
mac_biba_load="YES"

# init 6

# ps axZ

• Решение проблем с инфраструктурой MAC
• В однопользовательский режим выполняем:

# tunefs -l enable /

# init 6

• Проверки:

 # mount

/dev/ad0s1a on / (ufs, local, multilabel)
...

# getfmac /etc/passwd

# ls -Zl /etc/passwd

!!! Процесс занимает 2-5 минут !!!

# setfmac 'biba/high,mls/high' /etc/passwd

# ldd /bin/sh
# ldd /bin/cat
# ldd /usr/bin/file

# man file

# cat /etc/policy.contexts

.*                              biba/high,mls/high

/                               biba/equal,mls/equal
/var                            biba/equal,mls/equal
/var/www                        biba/equal,mls/equal
/var/www/.*                     biba/equal,mls/equal
/bin                            biba/equal,mls/equal
/bin/sh                         biba/equal,mls/equal
/bin/cat                        biba/equal,mls/equal
/libexec                        biba/equal,mls/equal
/libexec/ld-elf.so.1            biba/equal,mls/equal
/lib                            biba/equal,mls/equal
/lib/libedit.so.7               biba/equal,mls/equal
/lib/libncursesw.so.8           biba/equal,mls/equal
/lib/libc.so.7                  biba/equal,mls/equal
/usr                            biba/equal,mls/equal
/usr/bin                        biba/equal,mls/equal
/usr/bin/file                   biba/equal,mls/equal
/lib/libz.so.6                  biba/equal,mls/equal
/usr/lib                        biba/equal,mls/equal
/usr/lib/libmagic.so.4          biba/equal,mls/equal
/usr/share                      biba/equal,mls/equal
/usr/share/misc                 biba/equal,mls/equal
/usr/share/misc/magic           biba/equal,mls/equal
/usr/local                      biba/equal,mls/equal
/usr/local/sbin                 biba/equal,mls/equal
/usr/local/sbin/webd            biba/equal,mls/equal

# setfsmac -evf /etc/policy.contexts /

# cat /etc/inetd.conf

...
http stream tcp nowait root /usr/sbin/setpmac setpmac biba/low,mls/low /usr/local/sbin/webd