HP Compartment Guard for Linux Version 3.0
Version 3.0 168-8585 3 29 21 03-3331-6111 Page 1
Revision Rev1.0 2004/6/17 3.0 Release
HP Compartment Guard for Linux Version 3.0
1 ... 6
2 ... 7
3 chroot ... 8
4 POSIX MAC ... 9
5 ... 11
6 ... 12
6.1 ... 12
6.2 Version 3.0 ... 13
7 /etc/hpcg ... 15
7.1 ... 15
7.2 ... 17
7.3 ... 18
7.4 ... 18
7.4.1 boot-user.conf ... 18
7.4.2 policy-user.conf ... 19
7.5 INC EXC ... 20
8 ... 21
8.1 cgstatcap ... 21
8.2 cgaddcomp ... 22
8.3 cgdelcomp ... 23
8.4 cgsealcomp ... 23
8.5 cgstatcomp ... 24
8.6 cggetcomp ... 25
8.7 cgadmlic ... 25
8.8 cgissecure ... 25
8.9 cgadmmod ... 26
8.10 cgstatproc ... 26
8.11 cgadmrule ... 28
8.12 cgsetcomp ... 30
8.13 cgadmserv ... 31
8.14 cgviewlog ... 33
8.15 cgmakerule ... 34
9 ... 35
9.1 ... 35
9.2 capability ... 36
9.3 exec ... 37
9.4 file ... 39
9.5 inet ... 41
9.6 ipc ... 42
9.7 packet ... 43
9.8 ps ... 44
9.9 socket ... 45
9.10 unix ... 45
10 Alarm Pass through ... 47
10.1 ... 47
10.1.1 ... 47
10.1.2 ... 48
10.1.3 ... 48
10.1.4 syslog ... 49
10.1.5 ... 50
10.2 Alarm ... 51
10.2.1 Alarm ... 51
10.2.2 Alarm ... 51
10.2.3 Alarm ... 52
10.3 Pass through ... 54
10.3.1 Pass through ... 54
10.3.2 Pass through ... 54
11 ... 56
11.1 ... 56
11.2 ... 56
11.3 ... 57
11.3.1 ... 57
11.3.2 ... 57
11.3.3 (1) ... 58
11.3.4 1 ... 59
11.3.5 (2) ... 59
11.3.6 (2) ... 59
11.3.7 (3) ... 60
11.3.8 (3) ... 60
11.3.9 ... 60
11.3.10 ... 61
11.3.11 ... 62
11.3.12 ... 62
11.3.13 ... 62
11.3.14 ... 63
12 ... 65
12.1 ... 65
12.2 unix ... 65
12.3 ... 66
12.4 fsdb ... 66
12.5 cgalarmd ... 67
13 ... 68
13.1 ... 68
1
WEB,DB,CGI,syshi,system syshi kernel system syslog Compartment Guard 4 Compartment Guard syslogd klogd
2
Compartment Guard CGI e-mail Compartment Guard WEB eth0 http MAIL eth0 smtp telnet ftp WEB eth1 Server Compartment Guard WEB DB
3 chroot
chroot chroot web cgi /compt/web /compt/cgi chroot chroot
4 POSIX MAC
Linux POSIX POSIX root /usr/src/linux/include/linux/capability.h http://ftp.kernel.org/pub/linux/libs/security/linux-privs/kernel-2.4/capfaq-0.2.txt POSIX Linux Compartment Guard Linux Compartment Guard Compartment Guard MAC MAC CAP_MAC_ADMIN CAP_MAC_SETCID CAP_MAC_OVERRIDE_FS CAP_MAC_OVERRIDE_NET Compartment Guard < > MAC < > ID Override < > Override < > CAP_MAC_SIGNAL_SHIELD CAP_MAC_IGNORE_SIGNAL_SHIELD < > CAP_MAC_IGNORE_SIGNAL_SHIELD < > CAP_MAC_SIGNAL_SHIELD
CAP_MAC_ALARM < > log_denial log_allow alarm_denial CAP_MAC_ALL CAP_MAC_OVERRIDE CAP_LINUX_ALL use_syslog CAP_MAC_ADMIN CAP_MAC_SETCID CAP_MAC_OVERRIDE_FS CAP_MAC_OVERRIDE_NET CAP_MAC_IGNORE_SIGNAL_SHIELD CAP_MAC_SIGNAL_SEALED CAP_MAC_ALARM 7 CAP_MAC_OVERRIDE_FS CAP_MAC_OVERRIDE_NET 2 Linux
5
Red Hat Enterprise Linux AS 2.1
Red Hat Enterprise Linux AS 3
Pentium Pro IA-32
PCMCIA
6
6.1
Compartment Guard hpcg-up-3.0.tar.gz hpcg-smp-3.0.tar.gz hpcg-ent-3.0.tar.gz UniProcessor SMP 64GB /tmp "modutils","tux" RPM Compartment Guard Compartment Guard Compartment Guard Red Hat Linux "no" Compartment Guard for Linux Web (http://www.hp.com/jp/hpcg) Red Hat Enterprise Linux 3 linux Compartment Guard "Compartment Guard Installation was successfully completed."
cgadmlic Compartment Guard GRUB "Compartment Guard(2.4.26-hpcg3.0)" LILO /etc/lilo.conf lilo
6.2 Version 3.0
Compartment Guard Version 1.x Version 2.0 Compartment Guard Version 3.0 Compartment Guard Linux Version 3.0 /tmp
"Compartment Guard Installation was successfully completed." Version 3.0 cgadmlic Compartment Guard GRUB "Compartment Guard(2.4.26-hpcg3.0)"
7 /etc/hpcg
/etc/hpcg Compartment Guard /etc/hpcg/init
7.1
/etc/hpcg/init/<compartment>/ <compartment>.services Setup /etc/hpcg/rc.d/plugin REGISTER_COMPDNS RULE SEALED 4
foo.service comp { } disable,plugin,setup plugin setup { } ";" Setup
disabled yes,no no yes {} < > plugin disabled : yes,no no yes param : setup Setup {} < > disabled : yes,no no yes arg : setup <compartment>.rules plugin RULE disabled no <compartment>.setup setup disabled no
7.2
/etc/hpcg/init/<service>.services /etc/hpcg/init/sysinit.services user.services user.services service {}
disabled,required,comp ";" disabled yes,no no yes yes,no required no yes comp
7.3
/etc/hpcg/init/pam/access : : : /etc/hpcg/init/pam/access root system CAP_MAC_ADMIN CAP_MAC_SETCID CAP_MAC_OVERRIDE_FS cgadmin system CAP_MAC_ADMIN CAP_MAC_SETCID cgadmin system Version 1.1 Compartment Guard cgadmin /etc/hpcg/init/pam/access cgadmin
7.4
7.4.1 boot-user.conf
Alarm Pass through
/etc/hpcg/init/policy/boot-user.conf 10 Alarm Pass through boot-user.conf ALARM_DENIAL DISABLE_MODULE_LOADING LOG_ALLOW LOG_DENIAL PASS_THROUGH USE_SYSLOG true,false true Allow Denial Pass through 0 1 1 syslog /etc/hpcg/init/policy boot-sys.conf boot-user.conf boot-sys.conf boot-user.conf boot-sys.conf boot-sys.conf root uid=0 root
7.4.2 policy-user.conf
/etc/hpcg/init/policy -user.conf -sys.conf policy-user.conf policy-sys.conf policy-user.conf policy-user.conf OWNER_CHECK OWNER_USER OWNER_CHECK true false true false OWNER_USER OWNER_CHECK true OWNER_USER 1 cgadmin
/etc/hpcg/init/policy policy-sys.conf policy-user.conf policy-sys.conf policy-user.conf policy-sys.conf
7.5 INC EXC
/etc/hpcg/init/<compartment> INC <compartment>.rules-inc EXC <compartment>.rules-exc syshi,system,kernel,syslog 2 INC EXC <compartment>.rules Compartment Guard EXC <compartment>.rules INC INC EXC <compartment>.services RULE EXC INC 1 EXC INC
8
Compartment Guard cgstatcap cgaddcomp cgdelcomp cgsealcomp cgstatcomp cggetcomp cgadmlic cgissecure cgadmmod cgstatproc cgadmrule cgsetcomp cgadmserv cgviewlog UID 0 ID Compartment Guard Denial log cgmakerule Compartment Guard sys syshi system syslog kernel default hpcg-
8.1 cgstatcap
MAC cgstatcap -h
system CAP_MAC_ADMIN CAP_MAC_SETCID CAP_MAC_OVERRIDE_FS "-" pie permitted,inheritable,effective "pie" "p_e" Linux -l MAC Linux -a MAC Linux
8.2 cgaddcomp
foo /etc/hpcg/init/foo -t
8.3 cgdelcomp
/etc/hpcg/init/foo /etc/hpcg/init/foo -f
8.4 cgsealcomp
UID 0 unseal seal seal/unseal -s
seal cgsealcomp unseal -u
8.5 cgstatcomp
ID CID seal -s test CID 1000 Seal
8.6 cggetcomp
/bin/bash system
8.7 cgadmlic
Compartment Guard -c ASCII -n
8.8 cgissecure
Compartment Guard
0 Compartment Guard -v
8.9 cgadmmod
-s -e -d
8.10 cgstatproc
ID -f
lssfnca
l CAP_MAC_ALARM
S CAP_MAC_SIGNAL_SHEILD
s CAP_MAC_IGNORE_SIGNAL_SHEILD
f CAP_MAC_OVERRIDE_FS
n CAP_MAC_OVERRIDE_NET
c CAP_MAC_SETCID
a CAP_MAC_ADMIN
syslogd CAP_MAC_OVERRIDE_NET bash CAP_MAC_OVERRIDE_FS CAP_MAC_SETCID CAP_MAC_ADMIN -p ID
-c Linux
8.11 cgadmrule
CAP_MAC_ADMIN -l cgadmrule rid ID ID 6 3 -a -a cgadmrule 7-bit ASCII
-a <Enter> <Ctrl-d> ID 3 ID -d ID -d -d <Enter> <Ctrl-d>
8.12 cgsetcomp
CAP_MAC_SETCID system foo -c -p "+" "-" httpd CAP_MAC_ADMIN CAP_MAC_SETCID
-c -p
8.13 cgadmserv
-l -s -c
usrinit usrinit foo foo REGISTER_COMP RULE DNS foo.setup "--- 2 0 usrinit -m start/stop -s service1 /etc/hpcg/init/user.services disable yes service2 /etc/hpcg/init/user.service required yes -m start/stop
-c foo /etc/hpcg/init/foo/foo.services disable yes bar -m restart disable required -m -a
8.14 cgviewlog
/var/log/hpcg/ hpcg: syslog syslog -H -c ID ID -t denial allow --csv CSV Comma Separated Value 1 socket,inet,unix,packet,ipc,file,ps,su
10 date /
8.15 cgmakerule
11
9
9.1
BNF Backus-Naur Form "{" "}" ";" ID cgadmrule ID ID 1 "$"
cgadmrule 7-bit ASCII capability exec file inet ipc packet ps socket unix IPv4 IPC Packet Unix
9.2 capability
capability CAP_MAC_ADMIN capability capability capability comp permitted.* 1 permitted.raise permitted.lower permitted.filter permitted,inheritable,effective modifier
.raise .lower .filter permitted permitted permitted
9.3 exec
exec exec exec exec from.comp filename comp uid gid effective.* exec * ID ID 1 permitted.raise permitted.lower permitted.filter
inheritable.* permitted.* 1 permitted.raise permitted.lower permitted.filter 1 permitted.raise permitted.lower permitted.filter permitted,inheritable,effective modifier .raise .lower .filter
9.4 file
file MAC Linux DAC Discretionary Access Control file file comp filename access read,write,execute,append write append file Linux DAC DAC read,write,execute file MAC Linux DAC Open file read Open file append execve file execute
read execute MAC execute execute read read file file file file / * * default /etc/hpcg/init/default
9.5 inet
inet PF_INET INET TCP UDP Loopback INET ICMP SOCK_RAW inet PF_INET Loopback TCP TCP TCP UDP UDP bidir inet inet from.comp * from.comp from.host
from.host localhost from.comp from.host IPv4 192.168.1.100 255.255.255.0 192.168.1.100/24 / netmask from.port * to.comp * TCP,UDP RAW 165536 2 1024:65536 /etc/services to.comp to.host to.host localhost to.comp to.host to.port * protocol * tcp,udp /etc/protocols interface * bidir false true false
9.6 ipc
ipc System V IPC IPC ipc IPC
ipc ipc from.comp * to.comp * method sem,shm,msq * key * IPC ID API *
9.7 packet
packet PF_PACKET packet packet packet
packet from.comp to.comp * * interface * bidir false true false
9.8 ps
ps TCP ps netstat ps ps ps /proc ps ps from.comp to.comp * *
9.9 socket
socket PF_INET,PF_PACKET,PF_UNIX socket socket comp * socket family *
9.10 unix
unix PF_UNIX UNIX UNIX SOCK_STREAM SOCK_DGRAM 2 unix unix unix from.comp *
to.comp * address *
10 Alarm Pass through
10.1
10.1.1
Compartment Guard /var/log/hpcg/hpcg.log Denial Allow Denial Allow hpcg Compartment Guard OPCODE TYPE Allowed Denied Allow Denied pid PID ID PID PROCESS RULE Denial Denial
10.1.2
8
socket: SOCKET_CREATE
inet: IP_INPUT,IP_OUTPUT,RAW_RCV,TCP_RCV,UDP_RCV,SKB_RCV
unix: UNIX_CONN,UNIX_SND,UNIX_RCV
packet: PACKET_SND,PACKET_RCV
ipc: IPC_MSG_GET,IPC_MSG_SND,IPC_MSG_RCV,IPC_SHM_GET,IPC_SHM_RCV,IPC_SHM_RCV
file: FS_PERMISSION,FS_CHDIR,FS_CHMOD,FS_CHOWN,FS_FILEOPEN,FS_LINK_DST,FS_LINK_SRC,FS_MKDIR,FS_MKNOD,FS_MOUNT,FS_NAMEIOPEN,FS_RENAME_DST,FS_RENAME_SRC,FS_RENAME_SRC_FILE,FS_RMDIR,FS_STAT,FS_TRUNCATE,FS_UMOUNT,FS_UNLINK,FS_UTIME
ps: PS
su: SU
10.1.3
/var/log/hpcg/hpcg.log Allow Denial /proc Denial /proc/sys/csec/log_denial Allow /proc/sys/csec/log_allow CAP_MAC_ALARM inet Denial
, all Denial none Denial Allow /etc/hpcg/init/policy/boot-user.conf boot-user.conf
10.1.4 syslog
/var/log/hpcg/hpcg.log syslog syslog /proc /proc/sys/csec/use_syslog 1 syslog CAP_MAC_ALARM syslog /var/log/hpcg/hpcg.log
/proc/sys/csec/use_syslog 0
10.1.5
Compartment Guard 80% syslog 50% syslog syslog syslog
10.2 Alarm
10.2.1 Alarm
Alarm
10.2.2 Alarm
/etc/hpcg/alarm/denial Alarm Denial denial 1 $1 2 $2 Denial 3 $3 ID 4 $4 5 $5 /etc/hpcg/alarm Compartment Guard hpcgalarm hpcgalarm Alarm hpcgalarm : hpcgalarm pseudo UID=0 root
10.2.3 Alarm
Alarm Alarm /proc/sys/csec/alarm_denial CAP_MAC_ALARM inet Alarm Alarm, Alarm all Alarm none
alarm /etc/hpcg/init/policy/boot-user.conf boot-user.conf
10.3 Pass through
10.3.1 Pass through
Pass through Compartment Guard Pass through Linux Denial Denial Pass through Denial Pass through /
10.3.2 Pass through
Pass through /proc/sys/csec/pass_through CAP_MAC_ADMIN inet Pass through Pass through, Pass through all
Pass through none Pass through /etc/hpcg/init/policy/boot-user.conf boot-user
11
11.1
11.2
(1) (1) (2) (2) (3)? No Yes
11.3
11.3.1
cgmakerule -system -CAP_MAC_ADMIN CAP_MAC_ALARM cgstatcap cgmakerule
11.3.2
Compartment Guard Pass through Pass through Web /usr/sbin/httpd
/usr/sbin/httpd httpd /usr/sbin/httpd httpd hpcg_httpd
11.3.3 (1)
Web Web
# /etc/rc.d/init.d/httpd start
Starting httpd: [ OK ]
# /etc/rc.d/init.d/httpd stop
Stopping httpd: [ OK ]
11.3.4 1
# cgmakerule --next
# cgmakerule next
csec.log_denial = none
431 event(s) caught
42 rule(s) generated
20 rule(s) deleted
42 rule(s) added
csec.log_denial = all
11.3.5 (2)
11.3.6 (2)
# cgmakerule --next
# cgmakerule next
csec.log_denial = none
19 event(s) caught
40 rule(s) generated
2 rule(s) deleted
0 rule(s) added
csec.log_denial = all 11.3.4 (1)
11.3.7 (3)
11.3.5 (2)
11.3.8 (3)
# cgmakerule --next
# cgmakerule next
csec.log_denial = none
0 event(s) caught
No new rules are generated. Ready to commit
csec.log_denial = all
11.3.9
Compartment Guard Compartment Guard
hpcg_ httpd hpcg_httpd Pass through 11.3.11 11.3.7 (2)
# cgmakerule commit
# cgmakerule commit httpd.serv
csec.log_denial = all
csec.pass_through = none
Compartment Guard httpd hpcg_httpd
11.3.10
# cgmakerule complete
# cgmakerule complete
Rule generation summary
40 rule(s) total
1 compartment(s) total
1 service(s) total
11.3.11
# cgmakerule uncomplete
# cgmakerule uncomplete
csec.log_denial = all
csec.pass_through = all
11.3.12
# cgmakerule count
# cgmakerule count
391 event(s) caught
11.3.13
11.3.9 Compartment Guard
# cgmakerule count
# cgmakerule revise httpd.serv
csec.log_denial = all
csec.pass_through = none
Ready to uncommit in order to revise rules for following compartment(s).
httpd
11.3.11 # cgmakerule complete
11.3.14
# cgmakerule abort
# cgmakerule abort
csec.log_denial = none
csec.pass_through = none
11.3.11
12
12.1
Compartment Guard fork() & exec() Linux MAC P,I,E Permitted,Inheritable,Effective "&" rp,ri,re Permitted,Inheritable,Effective <- capability modifier lower,filter,raise P'',I'',E'' Permitted,Inheritable,Effective E''
12.2 unix
UNIX ls
"s" "=" unix file foo bar
12.3
OS OS Compartment Guard 1 2 Web IP 80 Web Compartment Guard IP Compartment Guard UNIX SystemV IPC
12.4 fsdb
fsdb File system Database Compartment Guard sdb syshi cgalarmd CAP_MAC_SIGNAL_SHIELD CAP_MAC_IGNORE_SIGNAL_SHIELD CAP_MAC_IGNORE_SIGNAL_SHEILD
CAP_MAC_IGNORE_SIGNAL_SHEILD
12.5 cgalarmd
cgalarmd Compartment Guard Alarm Daemon alarm_denial Denial I/O SLEEP cgalarmd fsdb syshi cgalarmd CAP_MAC_SIGNAL_SHIELD CAP_MAC_IGNORE_SIGNAL_SHIELD cgalarmd SIGHUP cgalarmd CAP_MAC_SIGNAL_SHIELD CAP_MAC_IGNORE_SIGNAL_SHIELD SIGHUP
13...
13.1...
syshi