
Mandatory Label Management in MSVS 3.0

I already wrote about the mandatory model in MSVS 3.0. This article describes the configuration files and the utilities used to configure mandatory access. It contains practically no theory about the principles and properties of the model; it is a description of the configuration files and of the graphical and console programs for working with mandatory access.

All console commands described in this article accept the --help option. I did not want to copy-paste the help pages, but I strongly advise you to read them; there is a lot of interesting material there. In the article I give the most common ways of using each command.

Some information
In addition to discretionary restriction of access to files, MSVS has mandatory access restriction. The principle of mandatory access restriction is to compare the mandatory label of the file with the mandatory label of the user accessing the file. The kind of access the user gets to the file depends on the result of the comparison.
The label consists of a security level and a set of categories. The maximum number of levels is 8, and the maximum number of categories is 61. A level and a category each consist of a numeric value and a name corresponding to that value; category values are written in hexadecimal. For example, a level can have the value 0 (decimal) and the name "Not Secret"; a category can have the value 0x0000000000000002 and the name "Communication Troops".
When files are accessed, ignoring of mandatory levels and categories can be configured separately for read, write and execute access.
The mandatory model of MSVS 3.0 was described in more detail in that earlier article.
Proper configuration of mandatory access helps avoid problems during development and administration. The levels and categories present in the system are described in the configuration files.

Configuration files
1. /etc/security/mac_levels - stores the correspondence between the numeric values of the security levels and their names.
2. /etc/security/mac_categories - stores the correspondence between the numeric values of the categories, in hexadecimal notation, and their names.
The format of these two files is as follows:
name:value
where name is the name of the category or level and value is the numeric value of the level or category.
3. /etc/security/mac - stores the mandatory labels of users.
The file has the following format:
username:min_level:min_category:max_level:max_category
Each line of this file belongs to one system user. min_level, min_category, max_level and max_category are the numeric values of the minimum and maximum levels and categories. Very often min_level and min_category are left empty; their values are then equal to the minimum values, so the user can use any level from 0 up to the maximum level allowed to them.
In all configuration files, comments begin with "#".
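As an added example (not code from the article or from MSVS itself), the following Python script parses the three configuration files described above, flags the inconsistencies an administrator would want to catch (levels outside 0..7, category values that are not single bits of the 61 allowed, users whose maximum level or categories are not defined, or whose minimum exceeds their maximum), renders a label with its names, and compares a user's label with a file's label in the spirit of the "Some information" section. The file contents, level names, category names and user names are constructed samples; the comparison rule (user level at least the file level and user categories a superset of the file categories, unless the corresponding "ignore" flag is set) is the usual lattice dominance rule and is an assumption, since the page does not spell out the exact rule applied.

```python
"""Parse MSVS-style mandatory-access configuration files and compare labels.
Added example; sample data and the dominance rule are assumptions."""
from dataclasses import dataclass

MAX_LEVEL = 7                            # at most 8 levels: 0..7
MAX_CATEGORIES = 61                      # at most 61 categories, one bit each
CATEGORY_MASK = (1 << MAX_CATEGORIES) - 1

# Constructed sample files; a real system reads /etc/security/mac_levels,
# /etc/security/mac_categories and /etc/security/mac.
MAC_LEVELS = """\
# name:value (decimal)
Not Secret:0
Secret:1
Top Secret:2
"""
MAC_CATEGORIES = """\
# name:value (hexadecimal bit mask)
Communication Troops:0000000000000002
Logistics:0000000000000004
"""
MAC_USERS = """\
# username:min_level:min_category:max_level:max_category
alice:::2:0000000000000006
bob:0:0000000000000000:1:0000000000000002
"""


def parse_name_value(text, base):
    """Parse 'name:value' lines; blank lines and '#' comments are skipped."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.rpartition(":")
        table[name.strip()] = int(value.strip(), base)
    return table


@dataclass(frozen=True)
class Label:
    level: int          # security level, decimal
    categories: int     # category set as a bit mask


def parse_users(text):
    """Parse /etc/security/mac lines; empty min_* fields mean the minimum (0)."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 5:
            raise ValueError(f"bad mac line: {line!r}")
        user, min_lvl, min_cat, max_lvl, max_cat = fields
        users[user] = (Label(int(min_lvl or "0"), int(min_cat or "0", 16)),
                       Label(int(max_lvl), int(max_cat, 16)))
    return users


def check_config(levels, categories, users):
    """Return the list of problems found; an empty list means consistent."""
    problems = []
    for name, v in levels.items():
        if not 0 <= v <= MAX_LEVEL:
            problems.append(f"level {name!r}={v} outside 0..{MAX_LEVEL}")
    for name, v in categories.items():
        if v & ~CATEGORY_MASK or bin(v).count("1") != 1:
            problems.append(f"category {name!r}={v:#x} is not one of the 61 single bits")
    known = 0
    for v in categories.values():
        known |= v
    for user, (lo, hi) in users.items():
        if hi.level not in levels.values():
            problems.append(f"{user}: max_level {hi.level} not defined in mac_levels")
        if lo.level > hi.level:
            problems.append(f"{user}: min_level exceeds max_level")
        if hi.categories & ~known:
            problems.append(f"{user}: max_category uses bits not in mac_categories")
        if lo.categories & ~hi.categories:
            problems.append(f"{user}: min_category not contained in max_category")
    return problems


def describe(label, levels, categories):
    """Render a label with names, e.g. 'Top Secret {Communication Troops}'."""
    lvl = next((n for n, v in levels.items() if v == label.level), str(label.level))
    cats = sorted(n for n, v in categories.items() if label.categories & v)
    return f"{lvl} {{{', '.join(cats)}}}"


def dominates(subject, obj, ignore_level=False, ignore_categories=False):
    """Assumed rule: subject level >= object level and subject categories
    a superset of object categories, unless the matching ignore flag is set."""
    level_ok = ignore_level or subject.level >= obj.level
    cat_ok = ignore_categories or (obj.categories & ~subject.categories) == 0
    return level_ok and cat_ok
```

Running check_config over the real files after each edit to mac_levels, mac_categories or mac gives an early warning when a user is assigned a level or category that no longer exists; describe is handy for turning the raw hex masks into something readable in an audit report.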

System Setup
The set of security levels and categories in the system can also be managed with the graphical utility macadmin, which lets you add and remove security levels and categories.

User setup
To manage the mandatory labels of users, you can use either a graphical shell or console commands. In graphical mode, labels are managed with the useradmin utility. When adding a new user through this utility, you must specify the security levels and the maximum allowed categories. The mandatory label can also be changed in user editing mode, on the Security tab.
Here it is possible to set the maximum security level and the maximum set of categories. It is also possible to grant the user privileges: MCBC_CAP_SETMAC, MCBC_CAP_CHMAC, MCBC_CAP_IGNMACLVL, MCBC_CAP_IGNMACCAT.
To edit user labels in console mode there is the usermac command, which allows a more flexible configuration of the user's mandatory rights. Most often it is used with the -m option, which changes a user's mandatory label.

usermac -m 0:2 user

The command sets, for the user user, a minimum security level with the numeric value 0 and a maximum security level with the numeric value 2.
To display the current user's mandatory label, it is convenient to use the macid command.
It prints the security level and categories of the current user at the current moment.

Setting files
To assign mandatory labels to files, the system also provides graphical and console utilities. The graphical utility is opened by selecting the "Mandatory Attributes" tab in the "File Properties" window (right-click on the file -> Properties).


In this utility you can assign a security level to the file and select the categories it belongs to. In addition, you can set ignoring of mandatory attributes for levels (upper row) and for categories (lower row).
When editing the properties of a directory, the selected security level and set of categories can be applied recursively to all objects contained in the directory by ticking "recursively".
To manage file labels in console mode, use the chmac command.

chmac -R 2 /tmp

The command recursively assigns the security level with the numeric value 2 to the /tmp directory and everything in it.


Expansion of standard commands
In addition to the dedicated commands described above, the standard commands have extensions for working with mandatory labels.

ls -M

Displays the mandatory label of a file.

ps -M

Displays the mandatory labels of running processes.

find -level / -category / -mac-attr

Searches for files by security level, category, or mandatory attribute.

These utilities are the tools for configuring the mandatory model in MSVS 3.0. Nothing extra, I think.

Source: https://habr.com/ru/post/133977/
