

Protecting Binary Files from the kill Command

You must protect mission-critical processes, such as database servers or application daemons, against denial-of-service attacks. The native UNIX security system bases its process protection on the process user ID, which means that under native UNIX, root can do anything to any process. CA ControlMinder adds to UNIX process protection by defining rules based on the executable file running in the process, so its process protection is independent of the user ID of the process. Every process that CA ControlMinder is to protect must be defined by a record in the PROCESS class.

For example, to protect the ASCII viewer /bin/more from being killed, follow this procedure:

  1. Start selang.
  2. Enter the following selang command:
    newres PROCESS /bin/more defaccess(N) owner(nobody)
    

    This command defines /bin/more as a process to be protected from kill attempts; therefore the default access is none (N). The owner(nobody) setting ensures that even the user who defined this rule cannot kill the /bin/more process.

  3. Exit selang.
  4. Test the rules that Step 2 defined:
    1. Enter the command:
      /bin/more /tmp/seosd.trace
      
    2. Assuming the file /tmp/seosd.trace is large enough to keep /bin/more from exiting immediately, press Ctrl+Z to suspend the /bin/more process.
    3. Try to kill the suspended job by entering the command:
      kill %1
      

      Your attempt should fail, with CA ControlMinder displaying the “Permission denied” message.

To make an exception that permits a specific user to kill the /bin/more processes, enter the selang command:

    authorize PROCESS /bin/more uid(username)

Note: Use the same procedure to protect other binary executables on your system from being killed.

CA ControlMinder protects against the regular kill signal (SIGTERM) and the kill signals that an application cannot mask (SIGKILL and SIGSTOP). It passes other signals, such as SIGHUP or SIGUSR1, through to the process, which determines whether to ignore or react to the signal.
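The manual test in Step 4 can be scripted to cover every signal named above. The following is an added example, not part of the CA documentation: it starts the binary in the background, sends one signal, and records whether `kill` was refused. It assumes that a refused signal makes `kill` exit non-zero and that the binary reads standard input until end-of-file (as /bin/more does in a pipe); the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not CA code). Assumption: a signal refused by a PROCESS rule
# makes kill exit non-zero. Function names are hypothetical.

# probe_signal BINARY SIGNAL -> prints "sent", "denied" or "error"
probe_signal() {
    bin=$1; sig=$2
    [ -f "$bin" ] && [ -x "$bin" ] || { echo error; return 1; }
    dir=$(mktemp -d) || { echo error; return 1; }
    mkfifo "$dir/in"
    # BINARY blocks reading the FIFO, so it stays alive without a terminal.
    "$bin" <"$dir/in" >/dev/null 2>&1 &
    pid=$!
    exec 3>"$dir/in"    # hold the write end open
    sleep 1             # let the child exec BINARY before it is signalled
    if kill -s "$sig" "$pid" 2>/dev/null; then res=sent; else res=denied; fi
    # Cleanup that also works for a protected binary: resume it in case it was
    # stopped, then close the FIFO so it reads end-of-file and exits by itself.
    kill -s CONT "$pid" 2>/dev/null || :
    exec 3>&-
    wait "$pid" 2>/dev/null || :
    rm -rf "$dir"
    echo "$res"
}

# check_protection BINARY -> returns 0 only if TERM, KILL and STOP are denied
# while HUP and USR1 are accepted, the behaviour described above.
check_protection() {
    rc=0
    for pair in TERM:denied KILL:denied STOP:denied HUP:sent USR1:sent; do
        sig=${pair%%:*}; want=${pair#*:}
        got=$(probe_signal "$1" "$sig") || :
        printf '%-4s expected=%-6s observed=%s\n' "$sig" "$want" "$got"
        [ "$got" = "$want" ] || rc=1
    done
    return "$rc"
}

# Usage on a host where the rule is loaded: check_protection /bin/more
```

Run it as a user who has not been granted an exception with `authorize`; on a host without the PROCESS rule every signal is reported as sent and the check returns non-zero.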