« back to all changes in this revision
Viewing changes to boucft/C/security.xml
- browse files at revision 6
- compare with another revision
- download diff
- download tarball
- view history from revision 6
- Committer: duanedesign
- Date: 2009-04-28 04:37:31 UTC
- mfrom: (1.1.1 boucft)
- Revision ID: duanedesign@gmail.com-20090428043731-rsq98s9lfd2ejutq
merge ~jgoguen/boucft/trunk rvn2
- files added:
- .bzrignore
- boucft/C
- libs
- libs/C
- libs/admon
- scripts
- files removed:
- boucft/Makefile
- boucft/boucft
- boucft/boucft/C
- boucft/debian
- boucft/libs
- boucft/libs/C
- boucft/libs/admon
- boucft/scripts
added
removed
boucft/C/security.xml
1
<?xml version="1.0" encoding="UTF-8"?>
2
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd">
4
<book label="1">
5
<bookinfo>
6
<title>Best of Ubuntu Forums Community Tutorials</title>
7
8
<author>
9
<firstname>duanedesign</firstname>
10
11
<surname></surname>
12
13
<affiliation>
14
<orgname></orgname>
15
</affiliation>
16
</author>
17
18
<pubdate>041009</pubdate>
19
</bookinfo>
20
21
<chapter id="security-chapter">
22
<title>Ubuntu Security</title>
23
24
<section>
25
<title>Uncomplicated Firewall</title>
26
27
<para>I looked for a current how-to for UFW and when I did not see one I
28
wanted to add one.</para>
29
30
<para>(important note: UFW is not the firewall. UFW just configures your
31
iptables)</para>
32
33
<para>in most cases I recommend doing the following immediately:</para>
34
35
<para><code><code>sudo ufw default deny </code></code></para>
36
37
<para><code><code>sudo ufw enable </code></code></para>
38
39
<para>Then fine tuning can start: Some basic commands are:</para>
40
41
<para>Turn on the firewall Code: sudo ufw enable Turn off the
42
firewall</para>
43
44
<para><code><code>sudo ufw disable</code> </code></para>
45
46
<para>To add deny rules: blocking a port</para>
47
48
<para><code>sudo ufw deny port <port number></code></para>
49
50
<para>blocking an ip address</para>
51
52
<para><code>sudo ufw deny from <ip address> </code></para>
53
54
<para>blocking a specific ip address and port</para>
55
56
<para><code>sudo ufw deny from <ipaddress> to port <port
57
number> </code></para>
58
59
<para>advanced deny example for denying access from an ip address range
60
10.120.0.1 - 10.120.0.255 for SSH port 22</para>
61
62
<para><code>sudo ufw deny from 10.0.0.1/24 to any port 22</code></para>
63
64
<para>To add allow rules: to allow an ip address</para>
65
66
<para><code>sudo ufw allow from <ip address> </code></para>
67
68
<para>to allow a port</para>
69
70
<para><code>sudo ufw <port number> </code></para>
71
72
<para>allow a specific ip address and port</para>
73
74
<para><code>sudo ufw allow from <ipaddress> to any port <port
75
number> </code></para>
76
77
<para>advanced allow example for allowing access from an ip address
78
range 10.120.0.1 - 10.120.0.255 to port 22</para>
79
80
<para><code>sudo ufw allow from 10.0.0.0/24 to any port 22</code></para>
81
82
<para>To get the current status of your UFW rules</para>
83
84
<para><code>sudo ufw status To remove a deny or allow rule
85
</code></para>
86
87
<para><code>sudo ufw delete <rule type> from <ip address> to
88
any port <port number> </code></para>
89
90
<para>(note: you basically match the syntax for the creation of the rule
91
and add 'delete') You need to be careful with setting up allow and deny
92
rules that 'intersect' because the first rule matched is applied and the
93
remaining are ignored. SECNARIO: you want to block access to port 22
94
from 192.168.0.1 and 192.168.0.7 but allow all other 192.168.0.x IPs to
95
have access to port 22</para>
96
97
<para><code>sudo ufw deny from 192.168.0.1 to any port
98
22</code><code></code></para>
99
100
<para><code>sudo ufw deny from 192.168.0.7 to any port
101
22</code><code></code></para>
102
103
<para><code>sudo ufw allow from 192.168.0.0/24 to any port
104
22</code></para>
105
106
<para>if you do the allow statement before either of the deny statements
107
it will be matched first and the deny will not be evaluated. you can
108
check this by checking ufw status</para>
109
110
<para><code>sudo ufw status To Action From -- ------ ---- 22:tcp DENY
111
192.168.0.1 22:udp DENY 192.168.0.1 22:tcp DENY 192.168.0.7 22:udp DENY
112
192.168.0.7 22:tcp ALLOW 192.168.0.0/24 22:udp ALLOW
113
192.168.0.0/24</code></para>
114
115
<para>the allow is at the bottom and will be the last command evaluated
116
if it appeared above the deny rules the deny rules would not be
117
evaluated. I hope this helps you use ufw to secure your computer.</para>
118
</section>
119
120
<section>
121
<title>apparmor</title>
122
123
<para>AppArmor is designed to provide easy-to-use application security
124
for both servers and workstations. Novell AppArmor is an access control
125
system that lets you specify per program which files the program may
126
read, write, and execute. AppArmor secures applications by enforcing
127
good application behavior without relying on attack signatures, so it
128
can prevent attacks even if they are exploiting previously unknown
129
vulnerabilities.</para>
130
131
<note>
132
<para>First, by default AppArmor does very little (and thus with this
133
post I am hoping to change that ...). With a default installation
134
AppArmor protects only CUPS. You can install additional
135
AppArmor-profiles , which will get you started with a few additional
136
applications, but we must also write and customize our own
137
profiles.</para>
138
</note>
139
140
<para>To install some additional profiles :</para>
141
142
<para><screen><code>sudo apt-get install apparmor-profiles </code></screen></para>
143
144
<para>Although this installs some additional profiles, they are
145
permissive in that they default to the complain mode (you will need to
146
manually activate them).</para>
147
148
<para>Profiles are stored in <emphasis>/etc/apparmor.d</emphasis></para>
149
150
<para>On Ubuntu, AppArmor logs profile violations to<emphasis>
151
/var/log/messages</emphasis></para>
152
153
<para>Apparmor uses the kernel standard securityfs mechanism load and
154
monitor profiles.</para>
155
156
<para>securityfs is moutned on <emphasis>/sys/kernel/security
157
</emphasis>.</para>
158
159
<para><emphasis>/sys/kernel/security/apparmor/profiles</emphasis> is a
160
virtualized file representing the currently loaded set of
161
profiles.</para>
162
163
<para>On Ubuntu there are no gui tools to manage or write profiles, so
164
we are talking good old command line tools and editing configuration
165
files. The configuration files are text files and ,with a little
166
reading, are fairly easy to understand.</para>
167
168
<para><emphasis role="bold">Profiles</emphasis></para>
169
170
<para>Profiles are stored in <emphasis>/etc/apparmor.d</emphasis></para>
171
172
<para>Profiles are names for the application they confine, using the
173
full path, dropping the first / and converting the others to a . Firefox
174
is a bit confusing because /usr/bin/firefox is a link to
175
/usr/bin/firefox-3.0, which in turn is a link to
176
/usr/lib/firefox-3.0.4/firefox.sh (On Ubuntu 9.04 Alpha).</para>
177
178
<para>Thus <emphasis>/usr/lib/firefox-3.0.4/firefox.sh</emphasis></para>
179
180
<para>becomes
181
<emphasis>usr.lib.firefox-3.0.4.firefox.sh</emphasis></para>
182
183
<para>and is stored in
184
<emphasis>/etc/AppArmor.d/usr.lib.firefox-3.0.4.firefox.sh</emphasis></para>
185
186
<para>More on profiles later.</para>
187
188
<para><emphasis role="bold">Enforcement</emphasis></para>
189
190
<para>Once a profile is defined it is automatically activated when the
191
application is started. There are 2 modes of operation, complain and
192
enforce.</para>
193
194
<para><emphasis role="bold">complain</emphasis></para>
195
196
<para>In complain mode AA monitors applications and logs violations to
197
your profile without restricting or confining the application. I think
198
of this as "Testing" mode.</para>
199
200
<para><emphasis role="bold">enforce</emphasis></para>
201
202
<para>In enforce mode AA monitors applications and logs violations to
203
your profile. In the event of a violation, access to the resource is
204
denied and the application is confined.</para>
205
206
<para><emphasis role="bold">Start / Stop AppArmor</emphasis></para>
207
208
<para>Usage: /etc/init.d/apparmor
209
{start|stop|restart|try-restart|reload|force-reload|status|kill}</para>
210
211
<para>Start : sudo /etc/init.d/apparmor start</para>
212
213
<para>Stop : sudo /etc/init.d/apparmor stop</para>
214
215
<para>Reload: sudo /etc/init.d/apparmor reload</para>
216
217
<para>Show status: sudo /etc/init.d/apparmor status</para>
218
219
<para>and on ...</para>
220
221
<para><emphasis role="bold">Additional useful AppArmor
222
commands</emphasis></para>
223
224
<note>
225
<para>Note: In these examples, | = or. So you may use geprof or
226
aa-gprof (and on).</para>
227
</note>
228
229
<para><ulink type=""
230
url="http://www.novell.com/documentation/apparmor/index.html#21">Source
231
: Novell AppArmor Guide</ulink></para>
232
233
<para><emphasis role="bold">genprof | aa-genprof</emphasis></para>
234
235
<blockquote>
236
<para><quote>Generate or update a profile. When running, you must
237
specify a program to profile. If the specified program is not an
238
absolute path, genprof searches the $PATH variable. If a profile does
239
not exist, genprof creates one using autodep.</quote></para>
240
</blockquote>
241
242
<para>Syntax : sudo genprof <application></para>
243
244
<para>Example: sudo genprof firefox</para>
245
246
<para>This generates a profile for firefox at
247
/etc/apparmor.d/usr.lib.firefox-3.0.4.firefox.sh</para>
248
249
<para><emphasis role="bold">autodep | aa-autodep</emphasis></para>
250
251
<blockquote>
252
<para><quote>Guess basic AppArmor profile requirements. autodep
253
creates a stub profile for the program or application examined. The
254
resulting profile is called approximate because it does not
255
necessarily contain all of the profile entries that the program needs
256
to be confined properly. </quote></para>
257
</blockquote>
258
259
<para><emphasis role="bold">complain | aa-complain</emphasis></para>
260
261
<blockquote>
262
<para><quote>Set an AppArmor profile to enforce mode from complain
263
mode</quote>.</para>
264
</blockquote>
265
266
<para>syntax : complain rule</para>
267
268
<para>Example : sudo complain firefox</para>
269
270
<para><emphasis role="bold">enforce | aa-enforce</emphasis></para>
271
272
<blockquote>
273
<para><quote>Set an AppArmor profile to enforce mode from complain
274
mode.</quote></para>
275
</blockquote>
276
277
<para>syntax : enforce rule</para>
278
279
<para>Example : sudo enforce firefox</para>
280
281
<para><emphasis role="bold">unconfined | aa-unconfined</emphasis></para>
282
283
<blockquote>
284
<para><quote>Output a list of processes with open tcp or udp ports
285
that do not have AppArmor profiles loaded.</quote></para>
286
</blockquote>
287
288
<para><emphasis role="bold">logprof | aa-logprof</emphasis></para>
289
290
<blockquote>
291
<para><quote>Manage AppArmor profiles. logprof is an interactive tool
292
used to review the learning or complain mode output found in the
293
AppArmor syslog entries and to generate new entries in AppArmor
294
profiles.</quote></para>
295
</blockquote>
296
297
<para>Translation: search your logs for problems and use this
298
information to modify the firefox profile.</para>
299
300
<para><emphasis role="bold">apparmor_parser </emphasis></para>
301
302
<para>This is used to load, or more commonly reload a profile into the
303
kernel. After modifying (editing) a profile use :</para>
304
305
<screen><code>sudo apparmor_parser -r /etc/apparmor.d/<profile></code></screen>
306
307
<para>Where "<profile>" is the profile to re-load.</para>
308
309
<para>If you prefer you can restart AppArmor (same as reload)</para>
310
311
<screen><code>/etc/init.d/apparmor restart</code></screen>
312
313
<para><emphasis role="bold">Anatomy of a Profile</emphasis></para>
314
315
<para>Each application you wish to confine under AppArmor is given a
316
profile. Profiles are nothing more then text files and are generated by
317
you the user sometimes with the assistance of AppArmor tools from the
318
command line or managed with any editor (gedit, nano, vim, etc). I will
319
walk you through generating a profile for firefox in the next
320
post.</para>
321
322
<note>
323
<para>Each profile is named after the application to which it applies,
324
changing the / in the path to a . (the first / is simply dropped). So,
325
/usr/lib/firefox-3.0.4/firefox.sh becomes
326
usr.lib.firefox-3.0.4.firefox.sh.</para>
327
</note>
328
329
<note>
330
<para>Profiles are stored in the /etc/AppArmor.d directory.</para>
331
</note>
332
333
<para>Profiles are comprised of 4 sections #include, capability
334
entries, rules, and hats.</para>
335
336
<para><emphasis role="bold"># include</emphasis></para>
337
338
<para>#include is akin to sourcing or libraries and allows you to
339
generate a list of common restrictions. Rather then writing this list
340
over and over in profiles, you can keep it in a common location and
341
incorporate it into a profile with an #include. When you update the
342
common list, all your profiles are updated.</para>
343
344
<para><emphasis role="bold">Capability entries</emphasis></para>
345
346
<para>In English, this is permission checking.</para>
347
348
<para>In Geek speak :</para>
349
350
<blockquote>
351
<para>Capabilities statements are simply the word capability followed
352
by the name of the POSIX.1e capability as defined in the
353
capabilities(7) man page.</para>
354
</blockquote>
355
356
<para><emphasis role="bold">Rules</emphasis></para>
357
358
<para>These are basically a set of permissions applied to files or
359
directories. The syntas is a path followed by a set of rules. [path]
360
[rules] path You may use Globing or special characters in the
361
path.</para>
362
363
<screen><code>* Substitutes for any number of characters, except /</code>.<code>
364
** Substitutes for any number of characters, including /.
365
? Substitutes for any single character, except /.
366
[ abc ] Substitutes for the single character a, b, or c.
367
[ a-c ] Substitutes for the single character a, b, or c.
368
{ ab,cd } Expand to one rule to match ab and another to match cd.
369
[ ^a ] Substitutes for any character except a.</code></screen>
370
371
<para>Rules for files include</para>
372
373
<screen><code>r = read
374
w = write
375
l = link
376
k = lock
377
a = append</code></screen>
378
379
<para>Rules for executable (applications) include<code> </code></para>
380
381
<screen><command>ix = inherit = Inherit the parent's profile.
382
px = requires a separate profile exists for the application,
383
with environment scrubbing.
384
Px = requires a separate profile exists for the application,
385
without environment scrubbing.
386
ux and Ux = Allow execution of an application unconfined,
387
with and without environmental scrubbing. (use with caution if at all).
388
m = allow executable mapping.</command></screen>
389
390
<para>Example<code> </code></para>
391
392
<screen># a variable definition
393
@{HOME} = /home/*/ /root/
394
# a comment about foo.
395
/usr/bin/foo {
396
/bin/mount ux,
397
/dev/{,u}random r,
398
/etc/ld.so.cache r, /etc/foo.conf r,
399
/etc/foo/* r,
400
/lib/ld-*.so* x,
401
/lib/lib*.so* r,
402
/proc/[0-9]** r,
403
/usr/lib/** r,
404
/tmp/foo.pid wr,
405
/tmp/foo.* lrw, /@{HOME}/.foo_file rw,
406
# a comment about foo's subprofile, bar.
407
^bar
408
{ /lib/ld-*.so* x,
409
/usr/bin/bar ix,
410
/var/spool/* rwl,
411
} } </screen>
412
413
<para>Comments :</para>
414
415
<para>1. Note the use of variable. This is only necessary if you mount
416
your /home partition in a non-standard location.</para>
417
418
<screen><code> /@{HOME}/.foo_file</code></screen>
419
420
<para>2. Comments start with an octothorpe (#).</para>
421
422
<para>3. /etc/foo/* r,</para>
423
424
<blockquote>
425
<para>Allows read access to the files in /etc/foo /etc/** would allow
426
read access to all sub-directories in /etc</para>
427
</blockquote>
428
429
<para><emphasis role="bold">Hats</emphasis></para>
430
431
<para>While an AppArmor profile is applied to an application, there are
432
times with a sub process of the program may need access differing from
433
the main program. In this event, the sup process may "change hats" or
434
use an alternate sub-profile.</para>
435
436
<para>A profile may have more then 1 sub-profile, however the
437
sub-profiles may not have sud-sub profiles (if that makes sense).</para>
438
439
<para>Right now very few applications use hats, and one example is
440
Apache.</para>
441
442
<note>
443
<para>For a more detailed explanation see man AppArmor man
444
AppArmor.d</para>
445
</note>
446
</section>
447
448
<section>
449
<title>Securing Firefox</title>
450
451
<para>Adblock</para>
452
453
<para>We have two options here, Firefox extensions OR hosts file.</para>
454
455
<para>1. Firefox extension : Adblock Plus</para>
456
457
<para>2. Hosts file. I prefer a hosts file as it protects more then just
458
Firefox. Here is how I do it :
459
http://ubuntuforums.org/showthread.php?t=241460#2</para>
460
461
<para>Cookies</para>
462
463
<para>Go to your Firefox menu -> Preferences -> Privacy Tab
464
UNSELECT "Accept cookies from sites" All cookies are now blocked.</para>
465
466
<para>Javascript/Flash</para>
467
468
<para>Javascript/Flash are a cross platform programing languages
469
commonly used on the web. They add functionality, but also allow browser
470
hijacks. Install NoScript To configure, right click on the NoScript icon
471
(lower right) and select options.</para>
472
473
<para>Customize Google</para>
474
475
<para>That's right, google is feeding you adds Install this extension.
476
Customize Google Then : Tools -> Customize Google Options Go through
477
each category on the Left and tic off "Remove Adds" (and anything wlse
478
you might like).</para>
479
480
<para>Secure Private Data</para>
481
482
<para>1. Go to your Firefox menu -> Preferences -> Security Tab
483
Set a "Master Password". This will protect others from displaying your
484
passwords. If you have a sensitive password like to the Ubuntu Forums or
485
your Bank, BEST NOT TO STORE IT AT ALL. Hey, while you are there, check
486
out the password strength meter.</para>
487
488
<para>2. Install SafeHistory. Safe History will clear your private
489
information when you close Firefox.</para>
490
491
<para>3. Install SafeCache to be safer against CSRF attacks.</para>
492
493
<para>How to Whitelist</para>
494
495
<para>OK, now you will likely find Firefox somewhat restrictive. The
496
goal here is to allow "normal" functioning. In order to log into forums
497
or your banking sites we need to allow Cookies and Java. We will do this
498
ONLY for specific sites we trust via white lists.</para>
499
500
<para>1. Cookies - Firefox options -> Privacy tab Copy the Ubuntu url
501
from your browser : http://ubuntuforums.org/ Go to "Cookies" -> click
502
the "Exceptions" button -> paste ubuntu url -> click "Allow for
503
session"</para>
504
505
<note>
506
<para>For secure sites like Banking you will need to allow multiple
507
url (https), usually one from the home page, then one from the log in
508
page, and sometimes from the next page as well. So if you are having
509
problems, keep adding url to the white list.</para>
510
</note>
511
512
<para>2. Java - Right click on the NoScript icon -> Allow
513
Ubuntu.com</para>
514
515
<para>How to Surf Anonymously ~ Privoxy/TOR</para>
516
517
<para>Ubuntu wiki TOR
518
http://wiki.noreply.org/noreply/TheO...er/TorOnDebian If you use TOR and
519
have the capacity, consider contributing a TOR server (a few more
520
servers would speed things up for everyone).
521
http://en.linuxreviews.org/HOWTO_setup_a_Tor-server</para>
522
</section>
523
</chapter>
524
</book>
Loggerhead is a web-based interface for Breezy
Version: 2.0.1