hardenedbsd
/
secadm
mirror of https://git.hardenedbsd.org/hardenedbsd/secadm.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
294 Commits 1 Branch 0 Tags 725 KiB
C 84.3%
Roff 10.4%
Shell 4.5%
Makefile 0.8%
Go to file
Shawn Webb 01112cf07c Fixup for HardenedBSD 13-STABLE 
Apparently FreeBSD's API change to NDINIT wasn't MFC'd to 13-STABLE.

Signed-off-by:	Shawn Webb <shawn.webb@hardenedbsd.org>
 		2022-05-18 15:30:03 -04:00
etc
kmod Fixup for HardenedBSD 13-STABLE 2022-05-18 15:30:03 -04:00
libsecadm
secadm Remove mis-added third clause 2021-06-26 21:55:05 -04:00
util
.gitignore
Makefile
README.md

README.md

secadm

https://git.hardenedbsd.org/hardenedbsd/secadm

Introduction

secadm is a project to replace the mac_bsdextended(4)/ugidfw(8) integration the HardenedBSD project has done for ASLR, SEGVGUARD, and PTrace hardening. The secadm project will be implemented as a custom ports entry in the HardenedBSD/freebsd-ports repo. The port will consist of three parts: a kernel module that integrates with the MAC framework, a shared library that communicates between kernel and userland, and an application that consumes the shared library.

The MAC module will work on a per-jail basis. It will communicate with userland via a sysctl node. The MAC module should hook into the execve() call to set per-process security/hardening flags, such as toggling ASLR or SEGVGUARD. Each jail manages its own rules. Rules applied in one jail do not interact or impact other jails.

The shared library will be named libsecadm and will simply act as a communication layer between userland applications and the sysctl. The shared library will perform the same sanitization and sanity checking on all rule changes, including the removal of rules, that the MAC module performs.

The userland application will be named secadm. It will consume libsecadm and libucl. Rules will be written in json to allow for a configuration file format that is readable and parseable by both humans and machines. Using the json format will also allow for additional flexibility and dynamic content. One can imagine secadm deployed in a security appliance where the rulesets are created and updated via a web service API.

secadm supports toggling ASLR, mmap(MAP_32BIT), SEGVGUARD, SHLIBRANDOM, PAGEEXEC, and MPROTECT restrictions. As of version 0.2, secadm also introduces a new Integriforce feature. Integriforce ensures executable file integrity prior to execution.

About Version 0.3.0

Version 0.3.0 is a complete rewrite of secadm. You'll notice that commands like secadm set and secadm list no longer work. They have been replaced by secadm load /path/to/file and secadm show respectively. Additionally, individual rules can be added and deleted with the secadm add and secadm del commands. Rules can be enabled and disabled with the secadm enable and secadm disable commands.

The flags that can be passed to secadm add pax are:

  • A, a: Enable, disable ASLR
  • B, b: Enable, disable mmap(MAP_32BIT) protection
  • L, l: Enable, disable SHLIBRANDOM
  • M, m: Enable, disable MPROTECT
  • P, p: Enable, disable PAGEEXEC
  • S, s: Enable, disable SEGVGUARD
  • O, o: Enable, disable hbsdcontrol based FS-EA rules overriding

By default, secadm show will show the active ruleset in abbreviated format. secadm now integrates with libxo to provide ruleset output in JSON, UCL, or XML formats. Specify a different format by using the -f option to secadm show. For example, secadm show -f ucl.

Order of rule evaluation

When the kernel is compiled with the PAX_CONTROL_EXTATTR kernel option, the order of the evaluation is secadm then hbsdcontrol. This ensures that the hbsdcontrol's settings always take precedence. To make secadm's rules take precedence, use the O flag for that rule (prefer_acl is the long option).

Requirements

  • HardenedBSD version 1200055 or greater:
    • sysctl hardening.version should show 1200055
  • HardenedBSD kernel compiled with options PAX_CONTROL_ACL
  • textproc/libucl
  • textproc/libxo

Installation And Usage

# make
# make depend all install

To list which per-applicatin features your version of secadm supports:

# secadm list features

To load the secadm kernel module:

# kldload secadm

Copy the sample ruleset to the right spot:

# cp etc/secadm-desktop.rules.example /usr/local/etc/secadm.rules

Edit your rules:

# vi /usr/local/etc/secadm.rules

Activate them. Please note that setting a new ruleset will flush your previously-loaded rules.

# secadm load /usr/local/etc/secadm.rules

To verify that your ruleset loaded successfully:

# secadm list

To flush rules:

# secadm flush

Installing to a Jail

The libsecadm shared library and secadm userland application must both be installed into, or be accessible by, each jail individually in order to enforce security policies inside of the jail.

Note: if jails are setup to use a read-only basejail, manual installation of libsecadm.0.so into the basejail's /usr/lib directory is required.

Writing Application Rules

secadm currently supports toggling ASLR, SEGVGUARD, mprotect(exec) hardening, and on certain HardenedBSD builds, PAGEEXEC hardening. In the etc directory, you will find secadm.rules.sample, which shows how to write rules. You can use the prefer_acl keyword, to ensure secadm's rule takes in effect over the file system extended attributes based settings.

secadm uses libucl for parsing its config file. As it stands right now, the order of the rules do not matter, but that could change with time as we add new features. The sample config file is in a relaxed JSON format, though libucl supports different syntaxes. Please refer to libucl's documentation for help in learning the different possible syntaxes.

secadm {
	pax {
		path: "/bin/ls",
		aslr: false,
		segvguard: false
	},
	pax {
		path: "/bin/pwd",
		mprotect: true,
		pageexec: true,
		prefer_acl: true
	}
}

Integriforce

secadm version 0.2 supports a new feature, called Integriforce. This feature provides executable file integrity enforcement. If a rule exists for a given file, that file's hash as defined in the rule is matched against the hash of the file. If the hashes don't match, execution may be disallowed, depending on the configuration settings. Integriforce is an optional, but powerful, feature. Integriforce currently supports only SHA1 or SHA256.

NOTE: Files that are under Integriforce management cannot be modified or deleted. The ruleset will need to be flushed prior to modifying or deleting the file.

Configuring Integriforce

In the root object of the configuration file, secadm will look for an integriforce object. In the integriforce object, add a files array. In the files array, place an array of objects, where each object contains the following options:

  1. mode (string, default "hard"): If set, this must equal either "soft" or "hard". Soft mode means execution is allowed if hashes don't match, but a warning message is printed. Hard mode prints an error messages and disallows execution.
  2. files (array of objects): Each object must contain the following fields:
    1. path (string): The path to the executable.
    2. hash (string): The hash (sha1 or sha256) of the executable.
    3. type (string): Either "sha1" or "sha256".
    4. mode (optional, string, default to inherit): The enforcing mode for this file.

Example config:

secadm {
	integriforce {
		path: "/bin/ls",
		hash: "873e49767e36f80a8814f41c90c98d888c83eeb4fe2fcab155b5ecb6cc6b67f6",
		type: "sha256",
		mode: "hard"
	}
}

Strict Application Allow Listing

When Integriforce rules have been added, secadm can be placed in strict application allow (whitelist) mode. secadm will prohibit the execution of applications and the loading of shared libraries not having a corresponding entry in the Integriforce configuration.

To enable strict application allow list mode:

# secadm set -W

To disable strict application allow list mode:

# secadm set -w

To enable strict application allow list mode in the secadm configuration file:

secadm {
	whitelist_mode: true
}

Adding secadm itself and the shared libraries it depends on to the Integriforce configuration is highly recommended. Otherwise, the secadm configuration cannot be changed without first rebooting the system.

Trusted Path Execution (TPE)

Trusted Path Execution prevents users from directly executing binaries in untrusted directories. A trusted directory is defined as a directory that is writable only by root and owned by root. The current TPE implementation does not handle the indirect execution of scripts.

TPE options that can be set:

  1. enable:
    • Required. Type: Boolean
    • Description: Enable TPE protections.
  2. all:
    • Optional. Type: Boolean
    • Description: Enable TPE for all users.
  3. invert:
    • Optional. Type: Boolean
    • Description: Invert the Group ID (GID) logic.
  4. gid:
    • Optional. Type: Integer
    • Description: Group ID for which TPE is applied.

The enable TPE via the command-line:

# secadm tpe -TA

Configuring TPE in the secadm configuation file:

secadm {
	tpe {
		enable: true,
		all: true,
		invert: false,
		gid: 1000
	}
}

Note About ABI and API Stability

Both the userland and kernel ABI and API are under heavy development. Though care has been taken to keep future changes and features in mind, the API and ABI are not stable and may change from release to release. If you plan to develop third-party applications that consume libsecadm, please do so at your own risk. If you feel you need added features or a change to an existing feature, please file a bug report at secadm's issue tracker at HardenedBSD's self-hosted GitLab instance.