Quote:
Originally Posted by rtaft
I'm not really going down this path anymore, but it would be nice to know how to do it if I ended up having to go back and make it more secure.
|
OK, so basically we're answering this one for, what?
I'd force SSH access to the box if possible since pubkey auth can't be circumvented (of course the sshd needs to deny password auth), it allows for starting an auditing trail, it allows you to force them running a command and it allows you to restrict network access. For the applications I'll assert they're CLI-only and I'll try to make sure there's enough of a logging trail to audit for morons, mischief and malice. There's a few methods I can think of right now, each with their own strengths and weaknesses. Some elements can be mixed I'm sure. Additions and corrections welcome. In no particular order:
0. GRSecurity with TPE enabled. GRSecurity enhances host security (amongst others chrooting), enhances logging (audit trail) and Trusted Path Execution denies users to execute commands outside their set path. Con: you'll need to patch the kernel. In 2.6 SELinux and GRSecurity seem to be able to live together but I haven't tried that myself.
1. SELinux. With the MLS policy there is absolutely *no* access allowed without proper context. A derivative would be to use the easier targeted policy instead but have those users not run as "user_u:system_r:unconfined_t" but subject to a custom policy that confines their movement. Con: MLS appears to be intensive to set up. A custom policy means adding the framework for these accounts, the applications and any transitions.
2. Virtualisation. The app runs inside a VM which can only be accessed from localhost through certain accounts.
3. PAM. On PAM-enabled systems users have no access to commands run as root unless they have the password. Basically this is done by setting the users PATH elelments so that /usr/bin precedes say /sbin and the link to the application triggers the PAM 'userhelper' / /etc/security/console.* stuff. Cons: probably, if DAC permissions are excessive.
4. Rootsh plus login menu plus sudo. Users are presented with a text-based menu on login instead of a shell. The menu doesn't allow for it to be backgrounded, allows only access to a set of commands, accepts no other input and logs the user out in case of breakage. The menu runs inside rootsh which provides a wrapper (audit trail again) which logs all commands. The applications run under different users than those logged in and can onyl be accessed with NOPASSWD sudoers entries. Con: can't think of any right now.