Hi all,
I am wondering of protecting an integrity database (tripwire) with RBAC.
The aim is to protect the integrity database, so an attacker wouold not change the integrity database after he changed something on the filesystem of the server he attacked.
So i would configure my database to be modified only by tripwire process.
However, on a Linux, Root is able to switch its identity under the one he likes.
Then, RBAC continament is useless no ?
If root can be who he wants to be...
Bypassing RBAC with SU command ?
6 posts
• Page 1 of 1
Bypassing RBAC with SU command ?
by evilangel » Mon Feb 02, 2009 11:24 am
- evilangel
- Posts: 59
- Joined: Thu May 15, 2008 7:57 pm
Re: Bypassing RBAC with SU command ?
by cormander » Mon Feb 02, 2009 1:16 pm
If you make the tripwire database only readable by the tripwire process, and not anything else under the default role, you should be fine. The RBAC system is designed to disallow even root from doing things you don't want.
- cormander
- Posts: 154
- Joined: Tue Jan 29, 2008 12:51 pm
Re: Bypassing RBAC with SU command ?
by evilangel » Tue Feb 03, 2009 9:44 am
RBAC do not disallow the SU command, right ?
Therefore, root can be the user it needs to be, no ?
If something is only accessible for the user X, then root switch to the identity X.
Therefore, root can be the user it needs to be, no ?
If something is only accessible for the user X, then root switch to the identity X.
- evilangel
- Posts: 59
- Joined: Thu May 15, 2008 7:57 pm
Re: Bypassing RBAC with SU command ?
by cormander » Tue Feb 03, 2009 1:47 pm
Here is how you would setup the policy. Under the default role, do:
/path/to/tripwire-binary r
This makes the binary read-only, not even root can modify it. Right under it, do:
/path/to/tripwire/database h
This makes the database hidden, even from root. Then, in the default role, you add a subject:
subject /path/to/tripwire-binary
/path/to/tripwire/database rw
This makes the tripwire database read-write to only the tripwire binary, which root can't modify.
/path/to/tripwire-binary r
This makes the binary read-only, not even root can modify it. Right under it, do:
/path/to/tripwire/database h
This makes the database hidden, even from root. Then, in the default role, you add a subject:
subject /path/to/tripwire-binary
/path/to/tripwire/database rw
This makes the tripwire database read-write to only the tripwire binary, which root can't modify.
- cormander
- Posts: 154
- Joined: Tue Jan 29, 2008 12:51 pm
Re: Bypassing RBAC with SU command ?
by evilangel » Wed Feb 04, 2009 3:34 am
Thanks Cormander for info.
I think i misunderstood RBAC.
I thought that RBAC "linked" a file to a profile (eg:root, alice, bob,...)
Eg: Only Bob is allowed to modify Bob's file, and no one else (not even Root).
Thus i was wondering of the SU command, allowing root to switch to another profile. (and so breaking RBAC)
However, according what you said, i understood something different.
RBAC "links" a file to another one.
Eg: tripwire binary and tripwire database, who ever is the owner of both files.
Am I right ?
Thanks
I think i misunderstood RBAC.
I thought that RBAC "linked" a file to a profile (eg:root, alice, bob,...)
Eg: Only Bob is allowed to modify Bob's file, and no one else (not even Root).
Thus i was wondering of the SU command, allowing root to switch to another profile. (and so breaking RBAC)
However, according what you said, i understood something different.
RBAC "links" a file to another one.
Eg: tripwire binary and tripwire database, who ever is the owner of both files.
Am I right ?
Thanks
- evilangel
- Posts: 59
- Joined: Thu May 15, 2008 7:57 pm
Re: Bypassing RBAC with SU command ?
by cormander » Wed Feb 04, 2009 1:55 pm
In a way, yes. The RBAC system is based on a policy file, which is one large access control list. You define what processes do what that other files; ie read, write, and execute (among other things).
- cormander
- Posts: 154
- Joined: Tue Jan 29, 2008 12:51 pm
6 posts
• Page 1 of 1