first generation of autogened acls
Posted: Mon Mar 18, 2002 5:41 pm
Well troops, while some lazy bums were out boozing it up over spring break I was working hard on the acl autogernation code. What i have is a first pass.
Firstly, here are the file.acl and proc.acl files that i started with.
/ rwx
/etc r
/etc/rc.d rx
/etc/passwd r
/etc/shadow r
/var/log/wtmp rw
/var/log ar
/tmp rw
/etc/grsec hr
/boot r
/lib rx
/usr rx
/etc/lilo.conf r
/bin rx
/sbin rx
/dev r
/dev/null rw
/dev/zero rw
/bin/login {
/ rwx
/etc/shadow ro
/var/log/lastlog rwo
}
/usr/sbin/sshd {
/ rwx
/etc/shadow ro
/var/log/lastlog rwo
+CAP_NET_BIND_SERVICE
}
/bin/su {
/ rwx
/etc/shadow ro
}
/usr/bin/sudo {
/ rwx
/etc/shadow ro
}
/usr/bin/passwd {
/ rwx
/etc/shadow rwo
}
/etc/rc.d/init.d/halt vk {
/ rwx
+CAP_SYS_ADMIN
+CAP_SYS_RAWIO
+CAP_NET_ADMIN
}
/etc/rc.d/rc vk {
/ rwx
+CAP_SYS_ADMIN
+CAP_NET_ADMIN
}
And after about a week of running in "access collection" mode (basically watching all the access) my Quasimoto perl code was able to generate this set of acls:
/etc/grsec hr
/boot r
/etc/rc.d rx
/etc r
/etc/lilo.conf r
/etc/passwd r
/etc/ld.so.cache xr
/sbin rx
/etc/shadow r
/bin rx
/dev/null rw
/var/log ar
/tmp rw
/dev/tty rw
/ rwx
/dev r
/var/log/wtmp rw
/dev/zero rw
/lib rx
/usr rx
/usr/sbin/vipw {
/ rwx
/etc row
}
/etc/rc.d/rc vk {
+CAP_NET_ADMIN
+CAP_SYS_ADMIN
/ rwx
}
/usr/bin/sudo {
/ rwx
/etc/shadow ro
}
/usr/sbin/logrotate {
/ rwx
/var/log ow
}
/usr/bin/passwd {
/ rwx
/etc/shadow rwo
}
/bin/view {
/ rwx
/etc/.ptmp.swp row
/etc/.ptmp.swpx row
}
/bin/su {
/ rwx
/etc/shadow ro
}
/bin/login {
/ rwx
/var/log/lastlog rwo
/etc/shadow ro
}
/etc/rc.d/init.d/halt vk {
+CAP_NET_ADMIN
+CAP_SYS_ADMIN
+CAP_SYS_RAWIO
/ rwx
}
/usr/lib/gcc-lib/i386-redhat-linux/2.96/cpp0 {
/ rwx
/tmp/vmware-config0/vmmon-only xo
}
/bin/sed {
/ rwx
/etc/sysconfig/i18n xro
}
/bin/rm {
/ rwx
/var/log/sa ow
}
/bin/ps {
/ rwx
/boot/System.map-2.4.9-grsec-1.9.4 xro
}
/sbin/ldconfig {
/etc/ld.so.cache~ row
/ rwx
/etc row
}
/usr/bin/vmware-config.pl {
/ rwx
/etc/vmware/locations roa
}
/usr/bin/run-parts {
/ rwx
/etc xro
}
/usr/sbin/sshd {
+CAP_NET_BIND_SERVICE
/dev/tty row
/ rwx
/var/log/lastlog rwo
/dev/ptmx xrow
/etc/shadow ro
/dev/pts row
}
In summary, the proc.acl file was bloated the most with simple things like sed being able to access i18n files. But file.acl was only lengthened by /dev/tty and /etc/ld.conf.so.cache.
Firstly, here are the file.acl and proc.acl files that i started with.
/ rwx
/etc r
/etc/rc.d rx
/etc/passwd r
/etc/shadow r
/var/log/wtmp rw
/var/log ar
/tmp rw
/etc/grsec hr
/boot r
/lib rx
/usr rx
/etc/lilo.conf r
/bin rx
/sbin rx
/dev r
/dev/null rw
/dev/zero rw
/bin/login {
/ rwx
/etc/shadow ro
/var/log/lastlog rwo
}
/usr/sbin/sshd {
/ rwx
/etc/shadow ro
/var/log/lastlog rwo
+CAP_NET_BIND_SERVICE
}
/bin/su {
/ rwx
/etc/shadow ro
}
/usr/bin/sudo {
/ rwx
/etc/shadow ro
}
/usr/bin/passwd {
/ rwx
/etc/shadow rwo
}
/etc/rc.d/init.d/halt vk {
/ rwx
+CAP_SYS_ADMIN
+CAP_SYS_RAWIO
+CAP_NET_ADMIN
}
/etc/rc.d/rc vk {
/ rwx
+CAP_SYS_ADMIN
+CAP_NET_ADMIN
}
And after about a week of running in "access collection" mode (basically watching all the access) my Quasimoto perl code was able to generate this set of acls:
/etc/grsec hr
/boot r
/etc/rc.d rx
/etc r
/etc/lilo.conf r
/etc/passwd r
/etc/ld.so.cache xr
/sbin rx
/etc/shadow r
/bin rx
/dev/null rw
/var/log ar
/tmp rw
/dev/tty rw
/ rwx
/dev r
/var/log/wtmp rw
/dev/zero rw
/lib rx
/usr rx
/usr/sbin/vipw {
/ rwx
/etc row
}
/etc/rc.d/rc vk {
+CAP_NET_ADMIN
+CAP_SYS_ADMIN
/ rwx
}
/usr/bin/sudo {
/ rwx
/etc/shadow ro
}
/usr/sbin/logrotate {
/ rwx
/var/log ow
}
/usr/bin/passwd {
/ rwx
/etc/shadow rwo
}
/bin/view {
/ rwx
/etc/.ptmp.swp row
/etc/.ptmp.swpx row
}
/bin/su {
/ rwx
/etc/shadow ro
}
/bin/login {
/ rwx
/var/log/lastlog rwo
/etc/shadow ro
}
/etc/rc.d/init.d/halt vk {
+CAP_NET_ADMIN
+CAP_SYS_ADMIN
+CAP_SYS_RAWIO
/ rwx
}
/usr/lib/gcc-lib/i386-redhat-linux/2.96/cpp0 {
/ rwx
/tmp/vmware-config0/vmmon-only xo
}
/bin/sed {
/ rwx
/etc/sysconfig/i18n xro
}
/bin/rm {
/ rwx
/var/log/sa ow
}
/bin/ps {
/ rwx
/boot/System.map-2.4.9-grsec-1.9.4 xro
}
/sbin/ldconfig {
/etc/ld.so.cache~ row
/ rwx
/etc row
}
/usr/bin/vmware-config.pl {
/ rwx
/etc/vmware/locations roa
}
/usr/bin/run-parts {
/ rwx
/etc xro
}
/usr/sbin/sshd {
+CAP_NET_BIND_SERVICE
/dev/tty row
/ rwx
/var/log/lastlog rwo
/dev/ptmx xrow
/etc/shadow ro
/dev/pts row
}
In summary, the proc.acl file was bloated the most with simple things like sed being able to access i18n files. But file.acl was only lengthened by /dev/tty and /etc/ld.conf.so.cache.