Each policy is a selang script that includes comments that explain the policy's purpose and the rules it contains. Sample policy scripts are written to demonstrate best practices:
Sample policies are annotated to help you understand what each section of the sample policy is set to achieve.
Sample policies group related resources into a single container resource. Using this method, a common policy is applied to all the related resources once. Policy rules (ACLs) do not need to be applied to individual resources. For example, a policy can use a container to group all of the system's configuration files.
Policy containers use the following naming convention: POL_container_name. You can think of these containers as sub-policies. For example, OS sample policies use the POL_SYS_CONF container to protect OS configuration files.
To simplify user management, sample policies apply ACLs to roles. Each role uses a CA ControlMinder group of users that you can add real users to.
Policy roles use the following convention: ROL_role_name. For example, sample policies use the ROL_SYSTEM group for built-in system users like adm and lp. Many policies grant these users wide-ranging permissions (for proper system operation) but also expire them so that nobody can use these accounts to log in.
So that you have to make only minimal changes when you deploy them, sample policies make use of CA ControlMinder variables. Sample policies use built-in variables to protect local system resources, for example, a terminal rule for the local host. Sample policies also use user-defined variables to simplify policy changes. For example, a user-defined variable can contain the home directory of the administrative user. If the administrative user has a different home directory, you need to change the variable only once for all affected rules to change automatically.
Example: Policy Script Comments
The following snippet from the Solaris SPARC 9 sample policy illustrates how sample policies are annotated. Under selang syntax rules, lines that begin with a hash symbol (#) are comments.
#
# * Home Directories Protection Policy *
# **************************************
#
# This policy uses the FILE class to protect the home
# directories of sensitive users so that only the owner
# of each directory can access it.
#
# Prerequisites:
# None
#
# Roles:
# None
#
# Containers:
# POL_HOME_DIR - home directories of sensitive users
#

# define container POL_HOME_DIR
# Protect home directories
editres CONTAINER POL_HOME_DIR audit(<!POLICY_AUDIT_MODE>) owner(+nobody) comment("AC Sample - Protect home directories")
authorize CONTAINER POL_HOME_DIR uid(* _undefined) access(NONE)
editres ACVAR ("HOME_OS_ADMIN") value("/root") type(static)
editusr (<!USER_OS_ADMIN>)
# define specific FILE resources and connect them with POL_HOME_DIR
editres FILE ("<!HOME_OS_ADMIN>/*") audit(<!POLICY_AUDIT_MODE>) owner(+nobody) defaccess(NONE) <!POLICY_WARNING_MODE> comment("AC Sample")
authorize FILE ("<!HOME_OS_ADMIN>/*") uid(<!USER_OS_ADMIN>) access(ALL)
chres CONTAINER POL_HOME_DIR mem+("<!HOME_OS_ADMIN>/*") of_class(FILE)
Example: Containers in Sample Policies
The following selang output shows the properties of the POL_SYS_FILES container. An AIX sample policy contains this sub-policy, which protects system files.
AC> sr container POL_SYS_FILES
Data for CONTAINER 'POL_SYS_FILES'
------------------------------------------------------------------------
ACLs               :
  Accessor                  Access
  ROL_SYSADMIN   (GROUP )   All
  ROL_SYSTEM     (GROUP )   All
  *              (USER  )   R, Chdir
  _undefined     (USER  )   R, Chdir
Members            :
  /boot/*        (FILE  )
  /dev/kmem      (FILE  )
  /dev/mem       (FILE  )
  /dev/port      (FILE  )
Audit mode         : Failure
Owner              : +nobody (USER )
Create time        : 10-Dec-2008 10:32
Update time        : 10-Dec-2008 10:35
Updated by         : root (USER )
Comment            : AC Sample - Protect OS system files
Example: Variables in Sample Policies
The following snippet from the Red Hat Enterprise Linux 5 sample policy illustrates how sample policies use variables. In this snippet, the sample policy defines possible names for the local host and the home directory of the administrative user root.
#
# * AC Variables Definitions *
# ****************************
#
# The rules in this section define variables that policies use.
# Variables:
# LOCALHOST : list of possible names for local host
# POLICY_AUDIT_MODE : set policies audit mode
# POLICY_DEFACCESS : set defaccess of policies' resources
#
editres ACVAR ("LOCALHOST") value("localhost") type(static)
editres ACVAR ("LOCALHOST") value+("127.0.0.1")
editres ACVAR ("LOCALHOST") value+("0.0.0.0")
editres ACVAR ("POLICY_AUDIT_MODE") value("FAILURE") type(static)
editres ACVAR ("POLICY_DEFACCESS") value("ALL") type(static)
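The POL_/ROL_ naming conventions and the variable mechanism described above can be checked before a policy is deployed. The following Python linter is an added example, not part of the product or of the sample policies: it reads a selang script, reports any <!NAME> reference with no matching editres ACVAR definition (in the script itself or in a set you pass for the variables section), and flags containers and groups that break the naming conventions. The SAMPLE_POLICY text is constructed for the example and deliberately includes one badly named container and one badly named group.

```python
import re
from typing import Iterable

# Constructed sample script in the style of the page's snippets; it deliberately
# contains one container and one group that break the POL_/ROL_ conventions.
SAMPLE_POLICY = """
# define container POL_HOME_DIR
editres CONTAINER POL_HOME_DIR audit(<!POLICY_AUDIT_MODE>) owner(+nobody) comment("AC Sample")
authorize CONTAINER POL_HOME_DIR uid(* _undefined) access(NONE)
editres ACVAR ("HOME_OS_ADMIN") value("/root") type(static)
editres FILE ("<!HOME_OS_ADMIN>/*") audit(<!POLICY_AUDIT_MODE>) owner(+nobody) defaccess(NONE)
authorize FILE ("<!HOME_OS_ADMIN>/*") gid(ROL_SYSADMIN) access(ALL)
authorize CONTAINER SYS_CONF gid(sysadmin) access(ALL)
chres CONTAINER POL_HOME_DIR mem+("<!HOME_OS_ADMIN>/*") of_class(FILE)
"""

VAR_REF = re.compile(r"<!(\w+)>")                                   # <!NAME> reference
VAR_DEF = re.compile(r'^\s*editres\s+ACVAR\s*\(\s*"(\w+)"', re.I)   # editres ACVAR ("NAME")
CONTAINER = re.compile(r"^\s*(?:editres|authorize|chres)\s+CONTAINER\s+(\S+)", re.I)
GID = re.compile(r"\bgid\(([^)]*)\)", re.I)                          # gid(g1 g2 ...)

def strip_comment(line: str) -> str:
    """selang ignores text after '#'; a '#' inside a quoted string is not handled here."""
    return line.split("#", 1)[0]

def lint_policy(script: str, predefined: Iterable[str] = ()) -> list[str]:
    """Return findings: variable references never defined by 'editres ACVAR'
    (in the script or in `predefined`, e.g. the policy's variables section),
    plus containers and groups that break the POL_/ROL_ naming conventions."""
    lines = [strip_comment(l) for l in script.splitlines()]
    defined = set(predefined) | {m.group(1) for l in lines for m in [VAR_DEF.match(l)] if m}
    findings, reported = [], set()
    for no, line in enumerate(lines, 1):
        m = CONTAINER.match(line)
        if m and not m.group(1).startswith("POL_"):
            findings.append(f"line {no}: container '{m.group(1)}' does not follow the POL_ naming convention")
        for g in GID.finditer(line):
            for group in g.group(1).split():
                if not group.startswith("ROL_"):
                    findings.append(f"line {no}: group '{group}' does not follow the ROL_ naming convention")
        for name in VAR_REF.findall(line):
            if name not in defined and name not in reported:   # report each variable once
                reported.add(name)
                findings.append(f"line {no}: variable {name} is referenced but never defined")
    return findings

if __name__ == "__main__":
    # POLICY_AUDIT_MODE comes from the variables section, so it is passed as predefined.
    for finding in lint_policy(SAMPLE_POLICY, predefined={"POLICY_AUDIT_MODE"}):
        print(finding)
```

Run without the predefined set to see how an undefined variable (here POLICY_AUDIT_MODE) is reported as well.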
Copyright © 2013 CA Technologies.
All rights reserved.