98 lines
3 KiB
Text
98 lines
3 KiB
Text
|
BSD Secure Levels Linux Security Module
|
||
|
|
Michael A. Halcrow <mike@halcrow.us>
|
||
|
|
|
||
|
|
|
||
|
|
Introduction
|
||
|
|
|
||
|
|
Under the BSD Secure Levels security model, sets of policies are
|
||
|
|
associated with levels. Levels range from -1 to 2, with -1 being the
|
||
|
|
weakest and 2 being the strongest. These security policies are
|
||
|
|
enforced at the kernel level, so not even the superuser is able to
|
||
|
|
disable or circumvent them. This hardens the machine against attackers
|
||
|
|
who gain root access to the system.
|
||
|
|
|
||
|
|
|
||
|
|
Levels and Policies
|
||
|
|
|
||
|
|
Level -1 (Permanently Insecure):
|
||
|
|
- Cannot increase the secure level
|
||
|
|
|
||
|
|
Level 0 (Insecure):
|
||
|
|
- Cannot ptrace the init process
|
||
|
|
|
||
|
|
Level 1 (Default):
|
||
|
|
- /dev/mem and /dev/kmem are read-only
|
||
|
|
- IMMUTABLE and APPEND extended attributes, if set, may not be unset
|
||
|
|
- Cannot load or unload kernel modules
|
||
|
|
- Cannot write directly to a mounted block device
|
||
|
|
- Cannot perform raw I/O operations
|
||
|
|
- Cannot perform network administrative tasks
|
||
|
|
- Cannot setuid any file
|
||
|
|
|
||
|
|
Level 2 (Secure):
|
||
|
|
- Cannot decrement the system time
|
||
|
|
- Cannot write to any block device, whether mounted or not
|
||
|
|
- Cannot unmount any mounted filesystems
|
||
|
|
|
||
|
|
|
||
|
|
Compilation
|
||
|
|
|
||
|
|
To compile the BSD Secure Levels LSM, seclvl.ko, enable the
|
||
|
|
SECURITY_SECLVL configuration option. This is found under Security
|
||
|
|
options -> BSD Secure Levels in the kernel configuration menu.
|
||
|
|
|
||
|
|
|
||
|
|
Basic Usage
|
||
|
|
|
||
|
|
Once the machine is in a running state, with all the necessary modules
|
||
|
|
loaded and all the filesystems mounted, you can load the seclvl.ko
|
||
|
|
module:
|
||
|
|
|
||
|
|
# insmod seclvl.ko
|
||
|
|
|
||
|
|
The module defaults to secure level 1, except when compiled directly
|
||
|
|
into the kernel, in which case it defaults to secure level 0. To raise
|
||
|
|
the secure level to 2, the administrator writes ``2'' to the
|
||
|
|
seclvl/seclvl file under the sysfs mount point (assumed to be /sys in
|
||
|
|
these examples):
|
||
|
|
|
||
|
|
# echo -n "2" > /sys/seclvl/seclvl
|
||
|
|
|
||
|
|
Alternatively, you can initialize the module at secure level 2 with
|
||
|
|
the initlvl module parameter:
|
||
|
|
|
||
|
|
# insmod seclvl.ko initlvl=2
|
||
|
|
|
||
|
|
At this point, it is impossible to remove the module or reduce the
|
||
|
|
secure level. If the administrator wishes to have the option of doing
|
||
|
|
so, he must provide a module parameter, sha1_passwd, that specifies
|
||
|
|
the SHA1 hash of the password that can be used to reduce the secure
|
||
|
|
level to 0.
|
||
|
|
|
||
|
|
To generate this SHA1 hash, the administrator can use OpenSSL:
|
||
|
|
|
||
|
|
# echo -n "boogabooga" | openssl sha1
|
||
|
|
abeda4e0f33defa51741217592bf595efb8d289c
|
||
|
|
|
||
|
|
In order to use password-instigated secure level reduction, the SHA1
|
||
|
|
crypto module must be loaded or compiled into the kernel:
|
||
|
|
|
||
|
|
# insmod sha1.ko
|
||
|
|
|
||
|
|
The administrator can then insmod the seclvl module, including the
|
||
|
|
SHA1 hash of the password:
|
||
|
|
|
||
|
|
# insmod seclvl.ko
|
||
|
|
sha1_passwd=abeda4e0f33defa51741217592bf595efb8d289c
|
||
|
|
|
||
|
|
To reduce the secure level, write the password to seclvl/passwd under
|
||
|
|
your sysfs mount point:
|
||
|
|
|
||
|
|
# echo -n "boogabooga" > /sys/seclvl/passwd
|
||
|
|
|
||
|
|
The September 2004 edition of Sys Admin Magazine has an article about
|
||
|
|
the BSD Secure Levels LSM. I encourage you to refer to that article
|
||
|
|
for a more in-depth treatment of this security module:
|
||
|
|
|
||
|
|
http://www.samag.com/documents/s=9304/sam0409a/0409a.htm
|