

eacpg_gen Utility—Define Best Practice Policies

Valid on Linux

eacpg_gen is also known as Policy Generator. This menu-driven utility provides an easy method to define a policy for CA ControlMinder applications. Policy Generator can be used on a test system that has no CA ControlMinder rules in it. It aims to protect enterprise applications and/or operating systems and their confidential data by applying security best practices around those critical electronic assets.

Application cells are created with a “default-deny” paradigm. These policies are similar to the concept of a UNIX chroot() jail. When such a policy is generated for an Internet-facing application, the risk of host compromise using that application is greatly reduced.

An application cell is an access control list (ACL) rule that blocks an application. For each application, eacpg_gen generates a number of application cells. The application cell enforces access to specific resources only. Any process protected with a cell policy cannot access resources it has not specifically been given access to in the policy. This keeps would-be attackers from writing to unauthorized areas of disk or executing unauthorized binaries.

Note: Verify that the user secadmin and the group secadmins exist in the database before you run this utility.

Policy generation has several key steps:

This command has the following format:

eacpg_gen \
[-u user] \
[-g group] \
[-p path] \
[-o owner] \
[-w wheel] \
[-m machine] \
[-a] \
[-s file] \
[-# step] \
[-x]
-u user

Specifies the user for the process to run as.

-g group

Specifies the group name that will own the process.

-p path

Specifies the full path to the program.

-o owner

Specifies the policy owner.

-w wheel

Specifies the wheel group; setting it to the 'secadmins' group is recommended.

-m machine

Specifies the machine name.

-a

Applies the generated rules.

-s file

Specifies the full path and the file name to save the policy rules.

-# step

Specifies the step (1 or 2). Set this to 2.

-x

Toggles between warn and fail mode.

Example: Run the Policy Generator

  1. (Initialization). Execute the policy generator:
    eacpg_gen
    
  2. Type y at the prompt to place the system into Warning Mode.
  3. Supply the policy generator with the full path to the executable, for example:
    /work/WebServers/apache_1.3.26/bin/httpd
    
  4. Accept the default user name.
  5. Accept the default group name.
  6. Type y at the prompt to verify that the information is correct.

    (Application inspection). The policy generator begins to collect data on the process you are creating a policy for.

  7. Verify the information on the screen and press Enter.
  8. (Application testing). Start the application. For example:
    ./apachectl start
    
  9. Stop the application. For example:
    ./apachectl stop
    

    Note: At this point you have started and stopped the application once. It is best to start it again and let it run under normal usage so that representative data is collected. You can let this inspection run for as long as you like; the longer it runs, the more data the policy generator can collect and the more accurate the resulting policy will be. When you feel you have collected enough data, continue to the next step.

  10. (Policy generation). Save the policy to a file (enter filename.txt and press Enter).
  11. (Policy application). Type y to apply the policy.
  12. Type y to put the system into Fail mode and begin policy enforcement.
  13. (Policy testing). Test the policy.

    Following is a sample screen showing a policy test on a file named evil.html:

    Linux:/srv/www/htdocs: #telnet localhost 80
    Trying ::1...
    telnet: connect to address ::1: Connection refused
    Trying 127.0.0.1...
    Connected to localhost.
    Escape character is '^]'.
    GET /evil.html
    <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <HTML><HEAD>
    <TITLE>403 Forbidden</TITLE>
    </HEAD><BODY>
    <H1>Forbidden</H1>
    You don't have permission to access /evil.html
    on the server.<P>
    <HR>
    <ADDRESS>Apache/1.3.26 Server at linux.local Port 80</ADDRESS>
    </BODY></HTML>
    Connection closed by foreign host.
    Linux:/srv/www/htdocs#

    Now that the policy is applied, the file evil.html is no longer accessible: it was never touched during the inspection phase, so it lies outside the normal usage profile from which the cell policy was generated.
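The policy test in step 13 can be made repeatable. The following script is an added example and is not part of CA ControlMinder or this documentation; it assumes a web server on localhost:80 and a constructed table of paths with the status each should return once the cell policy is enforced (resources exercised during inspection stay reachable with 200, anything outside the profile is refused with 403). A 403 on a path that should be allowed is the signal that the inspection phase did not exercise that resource.

```python
"""Regression check for an eacpg_gen application cell after Fail mode is enabled.

Added example (not CA ControlMinder code): probes each path on the protected
Apache instance and compares the HTTP status with what the cell policy should
produce. Host, port and the EXPECTED table below are assumptions.
"""
import http.client
from typing import Callable, Dict, List, Tuple

# Constructed expectations for the Apache example: index.html was served during
# inspection and must stay reachable; evil.html was never touched and must be refused.
EXPECTED: Dict[str, int] = {
    "/index.html": 200,
    "/evil.html": 403,
}


def probe(path: str, host: str = "localhost", port: int = 80, timeout: float = 5.0) -> int:
    """GET path on the protected server; return the status code, or 0 if unreachable."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path)
        return conn.getresponse().status
    except OSError:
        return 0
    finally:
        conn.close()


def verify(expected: Dict[str, int],
           fetch: Callable[[str], int] = probe) -> List[Tuple[str, int, int]]:
    """Return (path, expected_status, actual_status) for every mismatch, in table order."""
    return [(path, want, got) for path, want in expected.items()
            if (got := fetch(path)) != want]


def explain(mismatches: List[Tuple[str, int, int]]) -> List[str]:
    """Turn each mismatch into a one-line diagnosis a tester can act on."""
    lines = []
    for path, want, got in mismatches:
        if want == 200 and got == 403:
            hint = "denied but should be allowed: inspection profile incomplete, re-run inspection"
        elif want == 403 and got == 200:
            hint = "served but should be refused: policy not applied or still in Warning mode"
        else:
            hint = "unexpected status (server unreachable if 0)"
        lines.append(f"{path}: expected {want}, got {got} ({hint})")
    return lines


if __name__ == "__main__":
    for line in explain(verify(EXPECTED)):
        print(line)
```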