FreeBSD Extended worth using in my case

Hello,

I've been messing around with the different Mandatory Access Controls in FreeBSD lately and stumbled across the BSD Extended filesystem firewall. For my case I only have one user on my system so I was just wondering if it was worth using/looking into? I looked at the documentation for it and it is pretty bleak. Any help is appreciated, thanks.
 
skeleton616 thanks for the link.
My opinions, from someone not really using MAC stuff:
It depends.
If you want to try to understand better how MAC works (my understanding is that it is similar to SELinux) and see how it can be used to protect your system, sure, go ahead and use it on your system.
Since you say it's a single user system, it may not actually make your system more secure, but it would increase your knowledge of how to secure a system.

The last sentence in sec 5.2:
"Extreme caution should be taken when working with this module as incorrect use could block access to certain parts of the file system"

If it were me I'd be inclined to try in a VM or on a spare machine.

Link to current version of the handbook:

 
It's not another firewall. It's using MAC to give you a finer/granular control of the file firewall system you're using.

Is it worth it for one user? Absolutely not. Like RBAC for Solaris, its usefulness is in controlling users' (even root's) access to the system: devices, files, pipes etc.
Messing around with MAC is often a sure-fire way to lock yourself out... be careful.
 
That's the kind of security model I use the most, which is RBAC (I use SELinux). I only have one user but multiple roles, so it controls the user's access to the system by declaring what role has access to what, instead of Root being all powerful, just like you said. I was just curious to see if that BSD Extended could help me more in locking down certain things essentially. But since I only have one user it does seem silly to implement that, but I was just curious so I just decided to ask because their documentation sucks quite frankly.



I'm no expert but I have dabbled with the Biba policy and got it to work in BSD just fine, so I'm no stranger when it comes to getting locked out. Just wish the documentation was better since this stuff has been around a while. In fact I decided to document my findings when I messed with the Biba Access Control if anyone wants to take a look and give me pointers on how to document better:

https://github.com/dtdevore64/TrustedBSD-Installing-Biba-Policy
 
I agree the documentation is far from satisfactory in this regard. The authoring of the MAC seems to be written by someone who assumes a level of user knowledge and assumes some given facts, especially, how the MAC labels interact with the system and even WHY you should or should not use it.

I've not used SELinux but I have used RBAC extensively and it is far superior to MAC - especially in maintenance (but I guess it's what you're used to). We use MAC on two servers at my work because of government mandates and I just don't go near them.

I honestly can't see a reason why you would want to add such granularity to the file system firewall when you're the only user. Can you offer a case why?

The only one I can see, off hand, is say your machine is exposed to the internet (in the DMZ) and you want to protect the file system should some hacker get in and gain root. Also, as I said, playing with ugidfw(8) can leave you in a real state should you get it wrong.
 
Yeah, now that I think about it more I cannot offer a case on why I should implement it. I'm still new to BSD so I was just researching all the security benefits it has compared to just using a random Linux distribution. Just been playing around with the Biba/MLS models lately but will definitely not use them in my day to day work. I strictly use RBAC and TE in SELinux on my daily machine and it is plenty.
 
There's nothing stopping you experimenting, but, in essence, it will only be you who you're experimenting on. If you're fine being the scientist and the lab rat, go for it! :)

It's really, like all those role control systems, meaningful only in multi-user environments. That doesn't mean you shouldn't learn how to use it and implement it, just that testing it is a chore.

(It's much better testing on real people and experiencing their frustration because they can't even look at their own processes...
<evil laugh>)
 