[Ubuntu] Apache2 ACL Contribution

Submit your RBAC policies or suggest policy improvements

Moderators: spender, PaX Team

[Ubuntu] Apache2 ACL Contribution

Postby cookiemonster » Wed Jun 25, 2008 1:31 pm

Here is an apache ACL we developed that we're contributing to everyone, hope you guys find it useful. I'm curious to find out the community's ideas on the possibility of confining web applications (php perl etc..) applications on a per virtualhost bases dynamically. I'm really looking forward to your comments and contribution to build a better policy and fortunately we could intergrate this as a default policy in the next gradm release :wink: .

Sincerely,

CookieMonster.

Code: Select all
subject /usr/sbin/apache2 op {
    /usr/share r
    /etc r
    /etc/grsec h
    /etc/ld.so.cache r
    /tmp rwxcld
    /lib rx
    /usr/lib rx
    /var/lib/php5/ rxwcd
    /var/log/apache2 a
    /var/log/apache a
    /var/run/apache.pid wclrd
    /var/run/apache2.pid wclrd
    /var/run/apache2 crwxdl
    /var/www rxwlcd
    /proc r
    /proc/meminfo r
    /proc/filesystems  r
    /proc/sys/kernel r
    /dev/null rw
    /dev/urandom rx
    /bin/dash rx
    /usr/bin/cronolog rx
    /usr/sbin/apache2 rx
    /usr/sbin/sendmail rx
    /usr/sbin/postdrop rx
    /
    -CAP_ALL
    +CAP_DAC_OVERRIDE
    +CAP_KILL
    +CAP_SETGID
    +CAP_SETUID
    +CAP_NET_BIND_SERVICE
    +CAP_CHOWN
    RES_CRASH 1 10m
    connect 0.0.0.0:3306 stream tcp ip
    connect 0.0.0.0/0:80 stream tcp ip
    connect 0.0.0.0/0:53 dgram udp
    bind 0.0.0.0/0:80 stream tcp
    bind 0.0.0.0/0:443 stream tcp
}
subject /usr/sbin/apache2:/bin/dash {
    / r
    /usr/bin/cronolog x
    /usr/sbin/sendmail x
    /usr/sbin/postdrop x
    /usr/bin h
    /bin h
    /usr/sbin h
    /sbin h
    /etc/grsec h
    connect disabled
    bind disabled
    -CAP_ALL
}

subject /usr/sbin/apache2:/bin/dash:/usr/bin/cronolog {
    / h
    /mnt/log rwcdl
    connect disabled
    bind disabled
    -CAP_ALL
}

subject /usr/sbin/apache2:/bin/dash:/usr/sbin/sendmail {
    / rwxlcd
    /etc/grsec h
    connect 0.0.0.0/0:25 stream ip tcp
    connect 0.0.0.0/0:0 dgram ip tcp
    bind 0.0.0.0/0:0 dgram ip
    -CAP_ALL
}

subject /usr/sbin/apache2:/usr/sbin/sendmail {
     / rwxlcd
    /usr/sbin/postdrop x
    /usr/bin h
    /bin h
    /usr/sbin h
    /sbin h
    /etc/grsec h
    connect disabled
    bind disabled
    -CAP_ALL
}

subject /usr/sbin/apache2:/usr/sbin/sendmail:/usr/sbin/postdrop {
     / rwxlcd
    /usr/bin h
    /bin h
    /usr/sbin h
    /sbin h
    /etc/grsec h
    connect disabled
    bind disabled
    -CAP_ALL
}
cookiemonster
 
Posts: 8
Joined: Wed Jun 25, 2008 1:15 pm

Re: [Ubuntu] Apache2 ACL Contribution

Postby spender » Fri Jun 27, 2008 11:25 am

The
/ rwxlcd
objects are quite dangerous, despite only appearing in nested subjects. I'd recommend using subject-based learning on these subjects to tighten them down some.
Also, I don't know about the layout of /var/lib/php5, but:
/var/lib/php5/ rxwcd
is also dangerous.
/var/run/apache2 crwxdl
is execute needed there?

Wherever possible, the existence of writable and executable paths should be avoided.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm
Location: VA, USA


Return to RBAC policy development

cron