Segura EPM for Linux allows management and control of parent and child processes. Through access policies, administrators can define specific child processes that can be spawned or which parent processes are permitted to spawn certain child processes when configuring new policies.
Use case: only the bash shell can execute the ls command
We will create a rule that only allows the bash shell to execute the ls command. This configuration requires registering a new rule within the Segura platform.
- In Segura, in the navigation bar, hover over the Products menu and select EPM.
- In the side menu, select Policies > Linux > Policies.
- Click Add to be directed to the policy selection screen.
- Click the Device button.
- On the Access policy registration form, navigate to the General tab and complete the following fields:
  - Policy name: fill in with Only bash can execute “ls”.
  - Status: select Enable.
  - Guideline: select Execute from the dropdown menu.
  - Checker (path or executor): fill in with exec="/bin/ls".
  - Enable audit: select Yes.
- On the Rules table, click the Add button and fill in:
  - Allow or Lock: select Allow from the dropdown menu.
  - Rule Text: fill in with task.exe="/bin/bash".
- Navigate to the Review tab and click Save.
Use case: the bash shell can execute only the ls command
To enforce that the bash shell is restricted to executing only the ls command, a new rule must be created and registered within the Segura platform, as illustrated in the upcoming scenario.
- In Segura, in the navigation bar, hover over the Products menu and select EPM.
- In the side menu, select Policies > Linux > Policies.
- Click Add to be directed to the policy selection screen.
- Click the Device button.
- On the Access policy registration form, navigate to the General tab and complete the following fields:
  - Policy name: fill in with Bash can only execute “ls”.
  - Status: select Enable.
  - Guideline: select Execute from the dropdown menu.
  - Checker (path or executor): fill in with exec="/bin/ls".
  - Enable audit: select Yes.
- On the Rules table, click the Add button twice and fill in:
  - First rule: Allow or Lock: select Allow from the dropdown menu. Rule Text: fill in with task.exe="/bin/bash".
  - Second rule: Allow or Lock: select Lock from the dropdown menu. Rule Text: fill in with * to deny all commands except the ls command.
- Navigate to the Review tab and click Save.
We will apply the control of Parent and Child processes to any type of execution, including shell, software, and script.
Validating the policy on the target device
Here's an example illustrating the concept of parent-child processes.
- We established the rule on the target device.
- The database administrator user is permitted to write to the file.
- The superuser will not have the capability to write to the file.
View the /sys/kernel/security/caitsith/policy file to check the default CaitSith rules applied to the device.
root@debian:/root# cat /sys/kernel/security/caitsith/policy
POLICY_VERSION = 20120401
stat Policy updated: 9036 (Last: 2019/12/24 00:31:57)
stat Requests denied: 10 (Last: 2019/12/23 18:55:22)
stat Memory used by policy: 4512
stat Memory used by audit: 63808
stat Memory used by query: 0
quota memory audit 16777216
quota memory query 1048576
quota audit [1] allowed = 0 denied = 1024 unmatched = 1024
100 acl write path="/etc/oracle/tnsnames.ora"
audit 1
100 allow task.uid = 1002
200 deny
Writing to the file as a DBA User
Using the DBA user account, content will now be added to the designated file. This action should be permitted under the current rule set. It's important to observe that the DBA user possesses write privileges to this specific file.
dba@debian:~$ ls -l /etc/oracle/
total 4
-rw-r--r-- 1 dba oracle 118 Jan 23 21:42 tnsnames.ora
dba@debian:~$ echo 'production=(DESCRIPTION= (ADDRESS=(PROTOCOL=tcp) (HOST=db.corp) (PORT=1630)) (CONNECT_DATA= (SERVICE_NAME=intranet.corp)))' > /etc/oracle/tnsnames.ora
dba@debian:~$ cat /etc/oracle/tnsnames.ora
production= (DESCRIPTION= (ADDRESS= (PROTOCOL=tcp) (HOST=db.corp) (PORT=1630)) (CONNECT_DATA= (SERVICE_NAME=intranet.corp)))
Trying to write to the file as superuser
Due to a specifically crafted policy denial rule, the superuser is prevented from writing to the file. Consequently, even with superuser privileges, the write operation is unsuccessful.
root@debian:~# ls -l /etc/oracle/
total 4
-rw-r--r-- 1 dba oracle 118 Jan 23 21:43 tnsnames.ora
root@debian:~# echo "root was here" > /etc/oracle/tnsnames.ora
bash: /etc/oracle/tnsnames.ora: Operation not permitted
root@debian:~# cat /etc/oracle/tnsnames.ora
production= (DESCRIPTION= (ADDRESS= (PROTOCOL=tcp) (HOST=db.corp) (PORT=1630)) (CONNECT_DATA= (SERVICE_NAME=intranet.corp)))
root@debian:~# id
uid=0(root) gid=0(root) groups=0(root)
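The priority-ordered allow/deny evaluation behind the two outcomes above (the DBA user's write succeeds, root's is denied), as an added example that is not Segura's or CaitSith's own code: a small Python model that parses policy text in the format shown in the device listing and walks the entries in priority order. The execute block for the "only bash can execute ls" use case, the `parse_policy`/`evaluate` helper names and the permit-when-unmatched default are assumptions, not taken from the page.

```python
import re

# Constructed sample in the format of the device listing on this page: the write rule
# plus an execute block for "only bash can execute ls" (its syntax is an assumption).
POLICY = """\
100 acl write path="/etc/oracle/tnsnames.ora"
    audit 1
    100 allow task.uid = 1002
    200 deny
100 acl execute path="/bin/ls"
    audit 1
    100 allow task.exe = "/bin/bash"
    200 deny
"""

# key = value pairs; values may be quoted (paths) or bare (uids)
COND_RE = re.compile(r'(\S+?)\s*=\s*("[^"]*"|\S+)')

def parse_conditions(text):
    """'path="/x" task.uid = 1002' -> {'path': '/x', 'task.uid': '1002'}"""
    return {k: v.strip('"') for k, v in COND_RE.findall(text)}

def parse_policy(text):
    """Return [(priority, operation, acl_conditions, [(priority, verdict, conditions)])]."""
    acls = []
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) < 2 or not parts[0].isdigit():
            continue  # skips audit / stat / quota / POLICY_VERSION lines
        prio, kind = int(parts[0]), parts[1]
        rest = parts[2] if len(parts) > 2 else ""
        if kind == "acl":
            operation, _, conds = rest.partition(" ")
            acls.append((prio, operation, parse_conditions(conds), []))
        elif kind in ("allow", "deny") and acls:
            acls[-1][3].append((prio, kind, parse_conditions(rest)))
    return sorted(acls, key=lambda a: a[0])

def evaluate(acls, operation, request):
    """Walk matching acl blocks by priority; the first matching allow/deny entry
    decides. Assumed simplification: a request nothing matches is permitted."""
    def matches(conds):
        return all(str(request.get(k)) == v for k, v in conds.items())
    for _prio, op, acl_conds, entries in acls:
        if op != operation or not matches(acl_conds):
            continue
        for _p, verdict, conds in sorted(entries, key=lambda e: e[0]):
            if matches(conds):
                return verdict
    return "allow"
```

The model reproduces the page's session: uid 1002 (dba) hits the `100 allow` entry, while uid 0 (root) falls through to `200 deny` even though it is the superuser.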