17.15 Nagios in a MAC Jail

The following demonstration implements a secure environment using various MAC modules with properly configured policies. This is only a test as implementing a policy and ignoring it could be disastrous in a production environment.

Before beginning this process, multilabel must be set on each file system as not doing so will result in errors. This example assumes that net-mngt/nagios-plugins, net-mngt/nagios, and www/apache22 are all installed, configured, and working correctly.

17.15.1 Create an Insecure User Class

Begin the procedure by adding the following user class to /etc/login.conf:

insecure:\
:copyright=/etc/COPYRIGHT:\
:welcome=/etc/motd:\
:setenv=MAIL=/var/mail/$,BLOCKSIZE=K:\
:path=~/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin
:manpath=/usr/share/man /usr/local/man:\
:nologin=/usr/sbin/nologin:\
:cputime=1h30m:\
:datasize=8M:\
:vmemoryuse=100M:\
:stacksize=2M:\
:memorylocked=4M:\
:memoryuse=8M:\
:filesize=8M:\
:coredumpsize=8M:\
:openfiles=24:\
:maxproc=32:\
:priority=0:\
:requirehome:\
:passwordtime=91d:\
:umask=022:\
:ignoretime@:\
:label=biba/10(10-10):

Add the following line to the default user class:

:label=biba/high:

Next, issue the following command to rebuild the database:

# cap_mkdb /etc/login.conf

17.15.2 Boot Configuration

Add the following lines to /boot/loader.conf:

mac_biba_load="YES"
mac_seeotheruids_load="YES"

17.15.3 Configure Users

Set the root user to the default class using:

# pw usermod root -L default

All user accounts that are not root or system users will now require a login class. The login class is required otherwise users will be refused access to common commands such as vi(1). The following sh script should do the trick:

# for x in `awk -F: '($3 >= 1001) && ($3 != 65534) { print $1 }' \
	/etc/passwd`; do pw usermod $x -L default; done;

Drop the nagios and www users into the insecure class:

# pw usermod nagios -L insecure
# pw usermod www -L insecure

17.15.4 Create the Contexts File

A contexts file should now be created as /etc/policy.contexts.

# This is the default BIBA policy for this system.

# System:
/var/run                        biba/equal
/var/run/*                      biba/equal

/dev                            biba/equal
/dev/*                          biba/equal

/var				biba/equal
/var/spool                      biba/equal
/var/spool/*                    biba/equal

/var/log                        biba/equal
/var/log/*                      biba/equal

/tmp				biba/equal
/tmp/*				biba/equal
/var/tmp			biba/equal
/var/tmp/*			biba/equal

/var/spool/mqueue		biba/equal
/var/spool/clientmqueue		biba/equal

# For Nagios:
/usr/local/etc/nagios
/usr/local/etc/nagios/*         biba/10

/var/spool/nagios               biba/10
/var/spool/nagios/*             biba/10

# For apache
/usr/local/etc/apache           biba/10
/usr/local/etc/apache/*         biba/10

This policy enforces security by setting restrictions on the flow of information. In this specific configuration, users, including root, should never be allowed to access Nagios. Configuration files and processes that are a part of Nagios will be completely self contained or jailed.

This file will be read by the system by issuing the following command:

# setfsmac -ef /etc/policy.contexts /
# setfsmac -ef /etc/policy.contexts /

Note: The above file system layout will differ depending upon the environment and must be run on every file system.

/etc/mac.conf requires the following modifications in the main section:

default_labels file ?biba
default_labels ifnet ?biba
default_labels process ?biba
default_labels socket ?biba

17.15.5 Enable Networking

Add the following line to /boot/loader.conf:

security.mac.biba.trust_all_interfaces=1

And the following to the network card configuration stored in rc.conf. If the primary Internet configuration is done via DHCP, this may need to be configured manually after every system boot:

maclabel biba/equal

17.15.6 Testing the Configuration

Ensure that the web server and Nagios will not be started on system initialization and reboot. Ensure the root user cannot access any of the files in the Nagios configuration directory. If root can issue an ls(1) command on /var/spool/nagios, something is wrong. Otherwise a “permission denied” error should be returned.

If all seems well, Nagios, Apache, and Sendmail can now be started:

# cd /etc/mail && make stop && \
setpmac biba/equal make start && setpmac biba/10\(10-10\) apachectl start && \
setpmac biba/10\(10-10\) /usr/local/etc/rc.d/nagios.sh forcestart

Double check to ensure that everything is working properly. If not, check the log files for error messages. Use sysctl(8) to disable the mac_biba(4) security policy module enforcement and try starting everything again as usual.

Note: The root user can still change the security enforcement and edit its configuration files. The following command will permit the degradation of the security policy to a lower grade for a newly spawned shell:

# setpmac biba/10 csh

To block this from happening, force the user into a range using login.conf(5). If setpmac(8) attempts to run a command outside of the compartment's range, an error will be returned and the command will not be executed. In this case, set root to biba/high(high-high).