# grsecurity RBAC (gradm) policy: one default subject "/" followed by
# per-binary subjects. Objects with no mode letters deny all access; subjects
# without the "o" flag inherit the objects of the subject above them.
#
# Subject modes:
#
# [h] This process is hidden and only viewable by processes with the v mode.
# [v] This process can view hidden processes.
# [p] This process is protected; it can only be killed by processes with
#     the k mode.
# [k] This process can kill protected processes
# [l] Enables learning mode for this process
# [d] Protect the /proc/<pid>/fd and /proc/<pid>/mem entries for processes in this subject.
# [b] Enable process accounting for processes in this subject.
# [P] DISABLES the PAGEEXEC feature of PaX on this subject
# [S] DISABLES the SEGMEXEC feature of PaX on this subject
# [M] DISABLES the MPROTECT feature of PaX on this subject
# [R] DISABLES the RANDMMAP feature of PaX on this subject
# [G] ENABLES the EMUTRAMP feature of PaX on this subject
# [X] ENABLES the RANDEXEC feature of PaX on this subject
# [O] Override the mmap() and ptrace() checks for this subject
# [A] Protect the shared memory of this subject. No other processes but
#     processes contained within this subject may access the shared memory
#     of this subject
# [K] When processes belonging to this subject generate an alert,
#     kill the process
# [C] When processes belonging to this subject generate an alert,
#     kill the process and all processes belonging to the IP of the attacker
#     (if there was an IP attached to the process)
# [T] Ensures this process can never execute any trojaned code
# [o] Override ACL inheritance for this process.
# ----------------------------------------------------------------------------
#
# Object modes:
#
# [r] This object can be opened for reading.
# [w] This object can be opened for writing or appending.
# [x] This object can be executed (or mmapd with PROT_EXEC into a task).
# [a] This object can be opened for appending.
# [h] This object is hidden.
# [t] This object can be ptraced, but cannot modify the running task.
#     This is referred to as a read-only ptrace.
# [s] Logs will be suppressed for denied access to this object.
# [i] This mode only applies to binaries. When the object is executed,
#     it inherits the ACL of the subject in which it was contained.
# [R] Audit successful reads to this object
# [W] Audit successful writes to this object
# [X] Audit successful execs of this object
# [A] Audit successful appends to this object
# [F] Audit successful finds of this object
# [I] Audit successful ACL inherits of this object
# ----------------------------------------------------------------------------
# A feature of the ACL system is the support of the wildcards * and ? in ACL
# objects. The '*' character matches zero or more characters, while '?' matches
# exactly one character. Depending on how these globbing characters are used,
# they have different effects.
# ----------------------------------------------------------------------------

# Default subject: applies to every binary without a subject of its own.
/ {
	/
	/opt			rx
	/home			rw
	/mnt			r
	/dev
	/dev/mem		h
	/dev/kmem		h
	/dev/port		h
	/dev/null		rw
	/dev/pts		rw
	/dev/ptmx		rw
	/dev/dsp		rw
	/dev/mixer		rw
	/dev/console		rw
	/dev/log		h
	/dev/zero		rw
	/dev/random		r
	/dev/urandom		r
	/dev/input		rw
	/dev/initctl		rw
	/dev/psaux		rw
	/dev/tty		rw
	/dev/tty?		rw
	/dev/tty1?		rw
	/dev/vc			rw
	/bin			rx
	/sbin			rx
	/lib			rx
	/lib/security		rx
	/usr			rx
	/usr/lib		rx
	/boot			h
#	/boot			r
	/etc/grsec		h
	/etc			rx
	/etc/init.d		rx
	/etc/shadow-		h
	/etc/shadow		h
	/etc/postfix		r
	# NOTE(review): rw here covers every /proc path not overridden by the
	# more specific entries below; confirm the default subject really needs
	# write access to /proc rather than r plus targeted rw entries.
	/proc			rw
	/proc/sys		r
	/proc/kcore		h
	/proc/interrupts	h
	/proc/iomem		h
	/proc/ioports		h
	/proc/mounts		h
	/proc/irq		h
	/proc/bus		h
	/proc/partitions	h
	/proc/driver		h
	/proc/scsi		h
	/proc/net		h
	/root			r
	/root/.bash_history	ra
	/root/.history		ra
	/tmp			rw
	/var			rx
	/var/cache		rw
	/var/run		rw
	/var/tmp		rw
	/var/log		h
	/var/log/wtmp		a
	/var/spool		rw
#	/var/spool/postfix/lib	rx
	/etc/ld.so.preload	r
	/usr/portage		rx
#	/usr/portage		rwx
#	/usr/portage/distfiles	rw
#	/mnt/.init.d		rwx
	/etc/fstab		h
	/etc/mtab		h
	/etc/syslog-ng		h
	/dev/?d?*		h
#	/dev/?d??		h
	-CAP_ALL
}

/sbin/init ohdvk {
	/var/run/utmp		rw
	/var/log/wtmp		w
	/var/log
	/lib			rx
	/etc/ld.so.preload	hs
	/etc/ld.so.cache	r
	/etc/ioctl.save		r
	/etc/inittab		r
	/etc
	/etc/grsec		h
	/dev/log		rw
	/dev/initctl		w
	/dev/console		rw
	/dev/vc			rw
	/sbin/			x
	/bin			x
	/
	-CAP_ALL
	+CAP_SYS_TTY_CONFIG
	+CAP_DAC_OVERRIDE
	+CAP_DAC_READ_SEARCH
	connect {
		disabled
	}
	bind {
		disabled
	}
}

/sbin/devfsd oX {
	/sbin/devfsd		x
	/usr/share/zoneinfo	r
	/sbin/insmod		x
	/lib/dev-state		w
	/lib			rx
	/dev/mem		h
	/dev/kmem		h
	/dev/port		h
	/dev			rw
	/			h
	-CAP_ALL
	+CAP_CHOWN
	+CAP_FOWNER
	+CAP_FSETID
	+CAP_MKNOD
	connect {
		disabled
	}
	bind {
		disabled
	}
}

# NOTE(review): the P subject flag disables PAX PAGEEXEC for login (and for
# agetty below). Confirm this exception is still required; drop it if the
# binaries run without it.
/bin/login hodP {
	/var/mail
	/var/log/btmp		rw
	/proc
	/home
	/root
	/var/run/utmp		rw
	/var/log/wtmp		w
	/var/log/lastlog	rw
	/var/log/faillog	rw
	/var/run/		rw
	/usr/share/zoneinfo	r
	/usr/lib		rx
	/lib			rx
	/etc			r
	/etc/grsec		h
	/dev
	/dev/tty?		rw
	/dev/tty??		rw
	/dev/pts*		rw
	/dev/vc			rw
	/dev/log		rw
	/bin/bash		x
	/bin/login		x
	/			hs
	-CAP_ALL
	+CAP_CHOWN
	+CAP_FOWNER
	+CAP_FSETID
	+CAP_SETGID
	+CAP_SETUID
	+CAP_SYS_TTY_CONFIG
	connect {
		disabled
	}
	bind {
		disabled
	}
}

/sbin/agetty ohdP {
	/usr/share/zoneinfo	r
	/dev/vc			rw
	/var/run/utmp		rw
	/var/log/wtmp		w
	/dev/tty?		rw
	/dev/tty??		rw
	/dev
	/bin/login		x
	/sbin/getty		x
	/			hs
	/etc			r
	/etc/grsec		h
	/lib			rx
	-CAP_ALL
	+CAP_CHOWN
	+CAP_DAC_OVERRIDE
	connect {
		disabled
	}
	bind {
		disabled
	}
}

/usr/lib/misc/pt_chown Xo {
	/			h
	/etc/grsec		h
	/usr/lib/misc/pt_chown	x
	/etc/group		r
	/etc/ld.so.cache	r
	/etc/ld.so.preload	r
	/etc/nsswitch.conf	r
	/lib			rx
	-CAP_ALL
	+CAP_CHOWN
	+CAP_FOWNER
	+CAP_FSETID
	connect {
		disabled
	}
	bind {
		disabled
	}
}

/usr/sbin/syslog-ng XoAhpd {
	/			hs
	/usr/sbin/syslog-ng	x
	/dev
	/dev/log		w
	/dev/vc
	/dev/vc/12		w
	/etc/ld.so.cache	r
	/etc/ld.so.preload	r
	/etc/syslog-ng		r
	/lib			rx
	/proc/kmsg		rw
	/usr/share/zoneinfo	r
	/var/log		rw
	/var/run
	/var/run/syslog-ng.pid	w
	-CAP_ALL
	+CAP_DAC_OVERRIDE
	connect {
		disabled
	}
	bind {
		disabled
	}
}

# Network services

/usr/sbin/sshd bXodhAp {
	/usr/sbin/sshd		x
	/			h
	/tmp			rw
	/usr/bin/sshd		x
	/bin/bash		x
	/bin/tcsh		x
	/etc/grsec		h
	/etc			r
	/home			r
	/lib			rx
	/usr/lib		rx
	/var/log/lastlog	rw
	/var/mail
	/var/run/sshd
	/dev/ptmx		rw
	/dev/pts		rw
	/dev/pty*		rw
	/dev/null		rw
	/dev/tty		rw
	/dev/ttyp*		rw
	/dev/vc			rw
	/dev/console		w
	/dev/log		rw
	/dev
	/proc
	/root			r
	/root/.ssh		rw
	/var/empty		rw
	/var/log
	/var/log/wtmp		w
	/var/run/utmp		rw
	/var/run/sshd.pid	rw
	/var/run
	-CAP_ALL
	+CAP_CHOWN
	+CAP_FOWNER
	+CAP_FSETID
	+CAP_SETGID
	+CAP_SETUID
	+CAP_SYS_CHROOT
	+CAP_SYS_RESOURCE
	+CAP_SYS_TTY_CONFIG
	connect {
		0.0.0.0/0:53 dgram ip udp
	}
	# NOTE(review): two listener ports are permitted (22 and 222); confirm
	# the second matches a Port directive in sshd_config, otherwise remove it.
	bind {
		0.0.0.0/0:22 stream ip tcp
		0.0.0.0/0:222 stream ip tcp
	}
}

/usr/bin/ntpd XodhAp {
	/var/run/ntpd.pid	w
	/var/run
	/var/log/ntpd.log	a
	/var/log
	/var/lib/misc		rw
	/usr/share/zoneinfo	r
	/tmp			rw
	/lib			rx
	/etc			r
	/etc/ntp.drift.TEMP	rw
	/etc/ntp.drift		rw
	/etc/grsec		h
	/dev/null		rw
	/dev/log		w
	/usr/bin/ntpd		x
	/			h
	-CAP_ALL
	+CAP_NET_BIND_SERVICE
	+CAP_IPC_LOCK
	+CAP_SYS_TIME
	# NOTE(review): only udp/53 (DNS) is allowed outbound; if this ntpd polls
	# remote servers, sends to remote udp/123 appear to be missing -- confirm
	# against ntp.conf.
	connect {
		0.0.0.0/0:53 dgram udp
	}
	bind {
		0.0.0.0/0:123 dgram udp
		0.0.0.0:0 dgram ip
	}
}

/usr/sbin/named XodhAp {
	/usr/lib		rx
	/proc/sys/kernel/version	r
	/lib			rx
	/etc			r
	/etc/grsec		h
	/dev/log		rw
	/chroot/dns/var/run/named	rw
	/chroot/dns/var/bind	rw
	/chroot/dns/etc/localtime	r
	/chroot/dns/etc/bind/rndc.key	r
	/chroot/dns/etc/bind/named.conf	r
	/chroot/dns/dev/random	r
	/chroot/dns
	/usr/sbin/named		x
	/			h
	-CAP_ALL
	+CAP_DAC_READ_SEARCH
	+CAP_SETGID
	+CAP_SETUID
	+CAP_NET_BIND_SERVICE
	+CAP_SYS_CHROOT
	# NOTE(review): the 1-65535 rule subsumes the udp/53 rule above it and
	# allows sends to any remote UDP port; confirm whether anything beyond
	# remote port 53 is actually needed.
	connect {
		0.0.0.0/0:53 dgram udp
		0.0.0.0/0:1-65535 dgram udp
	}
	bind {
		127.0.0.1:953 stream tcp
		0.0.0.0:0 dgram udp
		0.0.0.0/0:53 stream tcp
		0.0.0.0/0:53 dgram udp
		127.0.0.1:53 stream tcp
		127.0.0.1:53 dgram udp
		0.0.0.0:0 dgram ip
	}
}

# No "o" flag, so this subject inherits the default "/" objects and only adds
# a capability.
# NOTE(review): CAP_SYS_ADMIN is very broad; on kernels that provide
# CAP_SYSLOG the narrower capability is enough to read the ring buffer.
/bin/dmesg {
	+CAP_SYS_ADMIN
}