Valid on Linux
eacpg_gen is also known as Policy Generator. This menu-driven utility provides an easy method to define a policy for CA ControlMinder applications. Policy Generator can be used on a test system that has no CA ControlMinder rules in it. It aims to protect enterprise applications and/or operating systems and their confidential data by applying security best practices around those critical electronic assets.
Application cells are created with a “default-deny” paradigm. These policies are similar to the concept of a UNIX chroot() jail. When such a policy is generated for an Internet-facing application, the risk of host compromise using that application is greatly reduced.
An application cell is an access control list (ACL) rule that confines an application. For each application, eacpg_gen generates a number of application cells. An application cell restricts the application to specific resources only: any process protected with a cell policy cannot access resources it has not specifically been granted in the policy. This keeps would-be attackers from writing to unauthorized areas of disk or executing unauthorized binaries.
Note: Verify that the user secadmin and the group secadmins exist in the database before you run this utility.
Policy generation has several key steps:
This command has the following format:
eacpg_gen \
    [-u user] \
    [-g group] \
    [-p path] \
    [-o owner] \
    [-w wheel] \
    [-m machine] \
    [-a] \
    [-s file] \
    [-# step] \
    [-x]
-u user: Specifies the user for the process to run as.
-g group: Specifies the group name that will own the process.
-p path: Specifies the full path to the program.
-o owner: Specifies the policy owner.
-w wheel: Sets the wheel group; use the 'secadmins' group (recommended).
-m machine: Specifies the machine name.
-a: Sets whether to apply the generated rules.
-s file: Specifies the full path and the file name to save the policy rules.
-# step: Should be set to 2.
-x: Toggles between warn and fail mode.
Example: Run the Policy Generator
eacpg_gen
/work/WebServers/apache_1.3.26/bin/httpd
Application inspection: the policy generator begins to collect data on the process you are creating a policy for.
./apachectl start
./apachectl stop
Note: At this point, after you have started and stopped the application, it is best to start it again and allow normal usage data to be collected. You can allow this inspection to run for as long as you like; the longer it runs, the more data the policy generator can collect and the more accurate the resulting policy will be. When you feel you have collected enough data, continue to the next step.
Following is a sample screen showing a policy test on a file named evil.html.
Linux:/srv/www/htdocs # telnet localhost 80
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET /evil.html
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>403 Forbidden</TITLE>
<HEAD><BODY>
<H1>Forbidden</H1>
You don't have permission to access /evil.html
on the server.<P>
<HR>
<ADDRESS>Apache/1.3.26 Server at linux.local Port 80</ADDRESS>
</BODY></HTML>
Connection closed by foreign host.
Linux:/srv/www/htdocs #
Now that the policy is applied, the file evil.html is no longer available. This is because it was outside the scope of our normal usage profile.
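The following script is an added illustration of the workflow above (inspection phase, default-deny application cell, warn versus fail mode); it is not CA ControlMinder code and does not use its rule language. It models the concept only: every resource access observed while the application is exercised becomes an allow entry, and after the cell is applied anything not in that profile is denied. The program path, user name, inspection log entries and the warn-mode semantics are constructed assumptions for the example.

```python
"""Model of a default-deny application cell built from an inspection phase.

Constructed illustration, not CA ControlMinder code: it models the idea of
an allowlist of observed resource accesses, default deny for everything
else, and a warn mode that records violations without blocking.
"""
from dataclasses import dataclass, field
import os

# Access modes tracked by the model cell; only observed modes are granted.
READ, WRITE, EXEC = "read", "write", "exec"


@dataclass
class ApplicationCell:
    program: str                      # full path to the protected program (as with -p)
    user: str                         # user the process runs as (as with -u)
    warn_only: bool = False           # assumed model of -x: warn mode vs fail mode
    allowed: dict = field(default_factory=dict)    # resource -> set of allowed modes
    violations: list = field(default_factory=list)  # (resource, mode) pairs denied or warned

    def observe(self, resource, mode):
        """Inspection phase: record an access the application made while exercised."""
        self.allowed.setdefault(os.path.normpath(resource), set()).add(mode)

    def check(self, resource, mode):
        """Enforcement phase: default deny for anything not in the profile."""
        resource = os.path.normpath(resource)   # compare canonical paths
        permitted = mode in self.allowed.get(resource, set())
        if not permitted:
            self.violations.append((resource, mode))
        if self.warn_only:
            return True   # warn mode: the violation is logged but the access proceeds
        return permitted


# Constructed inspection log: what a web server might touch while serving its site.
INSPECTION_LOG = [
    ("/srv/www/htdocs/index.html", READ),
    ("/srv/www/htdocs/images/logo.png", READ),
    ("/etc/httpd/httpd.conf", READ),
    ("/var/log/httpd/access_log", WRITE),
]


def build_cell(log=INSPECTION_LOG, warn_only=False):
    """Build a cell from an inspection log (assumed program path and user)."""
    cell = ApplicationCell(program="/usr/sbin/httpd", user="wwwrun", warn_only=warn_only)
    for resource, mode in log:
        cell.observe(resource, mode)
    return cell


def main():
    cell = build_cell()
    requests = [
        ("/srv/www/htdocs/index.html", READ),            # in profile: allowed
        ("/srv/www/htdocs/evil.html", READ),             # never observed: denied
        ("/srv/www/htdocs/../../../etc/shadow", READ),   # canonicalises to /etc/shadow: denied
        ("/srv/www/htdocs/index.html", WRITE),           # observed only for read: denied
        ("/bin/sh", EXEC),                               # unauthorized binary: denied
    ]
    for resource, mode in requests:
        verdict = "ALLOW" if cell.check(resource, mode) else "DENY"
        print(f"{verdict:5} {mode:5} {resource}")
    print("violations recorded:", len(cell.violations))


if __name__ == "__main__":
    main()
```

Running the script shows the same outcome as the telnet test above: index.html, which was read during inspection, is allowed, while evil.html is denied because it never appeared in the usage profile. Building the cell with warn_only=True lets every access through but still records the violations, which is the mode to use while confirming that the inspection phase captured all legitimate accesses before switching to fail mode.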
Copyright © 2013 CA Technologies.
All rights reserved.