Features/FirewalldLockdown

From FedoraProject

< Features(Difference between revisions)
Jump to: navigation, search
(Detailed Description)
 
(27 intermediate revisions by 5 users not shown)
Line 10: Line 10:
 
== Current status ==
 
== Current status ==
 
* Targeted release: [[Releases/19 | Fedora 19 ]]  
 
* Targeted release: [[Releases/19 | Fedora 19 ]]  
* Last updated: 2013-01-28
+
* Last updated: 2013-08-07
* Percentage of completion: 0%
+
* Percentage of completion: 100%
 +
* The feature is limited to milestone 1 (base): configuration with files, no cli and no D-Bus interface
 +
* Milestone 2 (D-BUS, command line client) has been added to Fedora 19 with version 0.3.3.
 +
Milestone 3 (GUI) has been added to Fedora 19 with version 0.3.4 (as an update)
 +
* Firewalld milestones for rich language and lockdown features, the milestones 1 is part of Fedora 19, milestone 2 (base and cli) will be provided as an update for F-19. Milestone 3 (gui) is planned for F-20.
 +
** Milestone 1: Rich config language via config files; minimal lockdown ~ end of March
 +
** Milestone 2: New config language via D-BUS interfaces with command line client ~ end of May
 +
** Milestone 3: GUI early to mid July
  
 
== Detailed Description ==
 
== Detailed Description ==
Local applications or services are able to change the firewall configuration if they are running as root (example: libvirt). With this feature the administator can lock the firewall configuration so that either none or only applications that are in the allowed list are able to request firewall changes.  
+
Local applications or services are able to change the firewall configuration if they are running as root (example: libvirt). With this feature the administrator can lock the firewall configuration so that either none or only applications that are in the allowed list are able to request firewall changes.  
  
 
The lockdown feature is a very light version of user and application policies for firewalld and is turned off by default. Comprehensive user and application policies will be added later on.
 
The lockdown feature is a very light version of user and application policies for firewalld and is turned off by default. Comprehensive user and application policies will be added later on.
Line 25: Line 32:
  
 
== How To Test ==
 
== How To Test ==
Set the lock and use system-config-printer - it will try to open some ports.
+
1) Set Lockdown=yes in /etc/firewalld/firewalld.conf
 +
 
 +
2) Reload firewalld
 +
firewall-cmd --reload
 +
Now no user except root (i.e. user with id 0, which is on whitelist by default) can modify configuration via firewall-cmd.
 +
 
 +
3) Try to enable imaps service in default zone as common administrative user (i.e. user in group 'wheel' - usually the first user on system):
 +
firewall-cmd --add-service=imaps
 +
Results in: ''Error: ACCESS_DENIED: lockdown is enabled''
 +
 
 +
This is because neither the firewall-cmd command nor the user which runs it are on the whitelist.
 +
 
 +
4) Allow firewall-cmd. Now you need to run this as root, because root is on the whitelist:
 +
  firewall-cmd --add-lockdown-whitelist-command='/usr/bin/python /usr/bin/firewall-cmd*'
 +
 
 +
Or add this to /etc/firewalld/lockdown-whitelist.xml to the whitelist element:
 +
<command name="/usr/bin/python /usr/bin/firewall-cmd*"/>
 +
 
 +
5) Reload firewalld
 +
firewall-cmd --reload
 +
 
 +
6) Try to enable service imaps again in the default zone:
 +
firewall-cmd --add-service=imaps
 +
No error, because firewall-cmd is now on whitelist.
  
 
== User Experience ==
 
== User Experience ==
The lock down settings defaults to disabled. If enabling the user can be sure that there are no unwanted configuration changes for the firewall from local applications or services.
+
The lock down settings defaults to disabled. If enabled the user can be sure that there are no unwanted configuration changes for the firewall from local applications or services.
  
 
== Dependencies ==
 
== Dependencies ==
Line 37: Line 67:
  
 
== Documentation ==
 
== Documentation ==
TBD
+
With the lockdown feature changes to the firewall configuration can be blocked or limited to a white list. The white list is empty by default and can contain commands, users, user ids and selinux contexts. The lockdown access check is limited to D-Bus methods that are changing firewall rules. Query, list and get methods are not limited
 +
 
 +
=== Handle lockdown with the command line client ===
 +
 
 +
==== Lockdown Options ====
 +
Local applications or services are able to change the firewall configuration if they are running as root (example: libvirt) or are authenticated using PolicyKit. With this feature the administrator can lock the firewall configuration so that only applications on the lockdown whitelist are able to request firewall changes.
 +
 
 +
The lockdown access check limits D-Bus methods that are changing firewall rules. Query, list and get methods are not limited.
 +
 
 +
The lockdown feature is a very light version of user and application policies for firewalld and is turned off by default.
 +
 
 +
firewall-cmd --lockdown-on
 +
Enable lockdown.
 +
 
 +
firewall-cmd --lockdown-off
 +
Disable lockdown.
 +
 
 +
firewall-cmd --query-lockdown
 +
Query whether lockdown is enabled. Returns 0 if lockdown is enabled, 1 otherwise.
 +
 
 +
==== Lockdown Whitelist Options ====
 +
The lockdown whitelist can contain commands, contexts, users and user ids.
 +
 
 +
If a command entry on the whitelist ends with an asterisk '*', then all command lines starting with the command will match. If the '*' is not there the absolute command inclusive arguments must match.
 +
 
 +
Commands for user root and others is not always the same. Example: As root, /bin/firewall-cmd is used, as a normal user, /usr/bin/firewall-cmd is used on Fedora.
 +
 
 +
The context is the security (SELinux) context of a running application or service. To get the context of a running application use
 +
 
 +
ps -e --context
 +
 
 +
Warning: If the context is unconfined, then this will open access for more than the desired application.
 +
 
 +
firewall-cmd --list-lockdown-whitelist-commands
 +
List all command lines that are on the whitelist.
 +
 
 +
firewall-cmd --add-lockdown-whitelist-command=<command>
 +
Add the command <command> to the whitelist.
 +
 
 +
firewall-cmd --remove-lockdown-whitelist-command=<command>
 +
Remove the command <command> from the whitelist.
 +
 
 +
firewall-cmd --query-lockdown-whitelist-command=<command>
 +
Query whether the command <command> is on the whitelist. Returns 0 if true, 1 otherwise.
 +
 
 +
firewall-cmd --list-lockdown-whitelist-contexts
 +
List all contexts that are on the whitelist.
 +
 
 +
firewall-cmd --add-lockdown-whitelist-context=<context>
 +
Add the context <context> to the whitelist.
 +
 
 +
firewall-cmd --remove-lockdown-whitelist-context=<context>
 +
Remove the context <context> from the whitelist.
 +
 
 +
firewall-cmd --query-lockdown-whitelist-context=<context>
 +
Query whether the context <context> is on the whitelist. Returns 0 if true, 1 otherwise.
 +
 
 +
firewall-cmd --list-lockdown-whitelist-uids
 +
List all user ids that are on the whitelist.
 +
 
 +
firewall-cmd --add-lockdown-whitelist-uid=<uid>
 +
Add the user id <uid> to the whitelist.
 +
 
 +
firewall-cmd --remove-lockdown-whitelist-uid=<uid>
 +
Remove the user id <uid> from the whitelist.
 +
 
 +
firewall-cmd --query-lockdown-whitelist-uid=<uid>
 +
Query whether the user id <uid> is on the whitelist. Returns 0 if true, 1 otherwise.
 +
 
 +
firewall-cmd --list-lockdown-whitelist-users
 +
List all user names that are on the whitelist.
 +
 
 +
firewall-cmd --add-lockdown-whitelist-user=<user>
 +
Add the user name <user> to the whitelist.
 +
 
 +
firewall-cmd --remove-lockdown-whitelist-user=<user>
 +
Remove the user name <user> from the whitelist.
 +
 
 +
firewall-cmd --query-lockdown-whitelist-user=<user>
 +
Query whether the user name <user> is on the whitelist. Returns 0 if true, 1 otherwise.
 +
 
 +
=== With configuration files ===
 +
 
 +
Example:
 +
   
 +
<?xml version="1.0" encoding="utf-8"?>
 +
<whitelist>
 +
  <command name="/usr/bin/python /bin/firewall-cmd*"/>
 +
  <selinux context="system_u:system_r:NetworkManager_t:s0"/>
 +
  <user id="815"/>
 +
  <user name="user"/>
 +
</whitelist>
 +
 
 +
Important for the command tag is the path. As root, /bin/firewall-cmd is used, as a normal user, /usr/bin/firewall-cmd will be used. The '*' at the end of the name attribute of command means that all matches, that start with this string. If the '*' is not there the absolute command inclusive arguments must match.
 +
 
 +
To get the context of a running application use
 +
ps -e --context
 +
Then add the context of the application with <selinux context="<context>"/> to the white list to white list this application. '''Warning:''' If the context is unconfined, then this will open access for more than the desired application.
 +
 
 +
=== Default whitelist configuration ===
 +
 
 +
The default whitelist contains the NetworkManager context and the default context of libvirt.
 +
Also the user id 0 (i.e. root) and firewall-config command are in the list.
 +
 
 +
<?xml version="1.0" encoding="utf-8"?>
 +
<whitelist>
 +
  <command name="/usr/bin/python /usr/bin/firewall-config"/>
 +
  <selinux context="system_u:system_r:NetworkManager_t:s0"/>
 +
  <selinux context="system_u:system_r:virtd_t:s0-s0:c0.c1023"/>
 +
  <user id="0"/>
 +
</whitelist>
  
 
== Release Notes ==
 
== Release Notes ==
Line 45: Line 185:
 
* See [[Talk:Features/FirewalldLockdown]]
 
* See [[Talk:Features/FirewalldLockdown]]
  
[[Category:FeaturePageIncomplete]]
+
[[Category:FeatureAcceptedF19]]

Latest revision as of 13:01, 8 January 2014

Contents

[edit] firewalld Lockdown

[edit] Summary

This feature adds a simple configuration setting for firewalld to be able to lock down configuration changes from local applications.

[edit] Owner

[edit] Current status

  • Targeted release: Fedora 19
  • Last updated: 2013-08-07
  • Percentage of completion: 100%
  • The feature is limited to milestone 1 (base): configuration with files, no cli and no D-Bus interface
  • Milestone 2 (D-BUS, command line client) has been added to Fedora 19 with version 0.3.3.

Milestone 3 (GUI) has been added to Fedora 19 with version 0.3.4 (as an update)

  • Firewalld milestones for rich language and lockdown features, the milestones 1 is part of Fedora 19, milestone 2 (base and cli) will be provided as an update for F-19. Milestone 3 (gui) is planned for F-20.
    • Milestone 1: Rich config language via config files; minimal lockdown ~ end of March
    • Milestone 2: New config language via D-BUS interfaces with command line client ~ end of May
    • Milestone 3: GUI early to mid July

[edit] Detailed Description

Local applications or services are able to change the firewall configuration if they are running as root (example: libvirt). With this feature the administrator can lock the firewall configuration so that either none or only applications that are in the allowed list are able to request firewall changes.

The lockdown feature is a very light version of user and application policies for firewalld and is turned off by default. Comprehensive user and application policies will be added later on.

[edit] Benefit to Fedora

An easy way to lock the firewall configuration for local applications.

[edit] Scope

Only needs changes in firewalld and it's components.

[edit] How To Test

1) Set Lockdown=yes in /etc/firewalld/firewalld.conf

2) Reload firewalld

firewall-cmd --reload

Now no user except root (i.e. user with id 0, which is on whitelist by default) can modify configuration via firewall-cmd.

3) Try to enable imaps service in default zone as common administrative user (i.e. user in group 'wheel' - usually the first user on system):

firewall-cmd --add-service=imaps

Results in: Error: ACCESS_DENIED: lockdown is enabled

This is because neither the firewall-cmd command nor the user which runs it are on the whitelist.

4) Allow firewall-cmd. Now you need to run this as root, because root is on the whitelist:

 firewall-cmd --add-lockdown-whitelist-command='/usr/bin/python /usr/bin/firewall-cmd*'

Or add this to /etc/firewalld/lockdown-whitelist.xml to the whitelist element:

<command name="/usr/bin/python /usr/bin/firewall-cmd*"/>

5) Reload firewalld

firewall-cmd --reload

6) Try to enable service imaps again in the default zone:

firewall-cmd --add-service=imaps

No error, because firewall-cmd is now on whitelist.

[edit] User Experience

The lock down settings defaults to disabled. If enabled the user can be sure that there are no unwanted configuration changes for the firewall from local applications or services.

[edit] Dependencies

None.

[edit] Contingency Plan

This is a simple firewalld setting, which can be enabled or dropped easily.

[edit] Documentation

With the lockdown feature changes to the firewall configuration can be blocked or limited to a white list. The white list is empty by default and can contain commands, users, user ids and selinux contexts. The lockdown access check is limited to D-Bus methods that are changing firewall rules. Query, list and get methods are not limited

[edit] Handle lockdown with the command line client

[edit] Lockdown Options

Local applications or services are able to change the firewall configuration if they are running as root (example: libvirt) or are authenticated using PolicyKit. With this feature the administrator can lock the firewall configuration so that only applications on the lockdown whitelist are able to request firewall changes.

The lockdown access check limits D-Bus methods that are changing firewall rules. Query, list and get methods are not limited.

The lockdown feature is a very light version of user and application policies for firewalld and is turned off by default.

firewall-cmd --lockdown-on

Enable lockdown.

firewall-cmd --lockdown-off

Disable lockdown.

firewall-cmd --query-lockdown

Query whether lockdown is enabled. Returns 0 if lockdown is enabled, 1 otherwise.

[edit] Lockdown Whitelist Options

The lockdown whitelist can contain commands, contexts, users and user ids.

If a command entry on the whitelist ends with an asterisk '*', then all command lines starting with the command will match. If the '*' is not there the absolute command inclusive arguments must match.

Commands for user root and others is not always the same. Example: As root, /bin/firewall-cmd is used, as a normal user, /usr/bin/firewall-cmd is used on Fedora.

The context is the security (SELinux) context of a running application or service. To get the context of a running application use

ps -e --context

Warning: If the context is unconfined, then this will open access for more than the desired application.

firewall-cmd --list-lockdown-whitelist-commands

List all command lines that are on the whitelist.

firewall-cmd --add-lockdown-whitelist-command=<command>

Add the command <command> to the whitelist.

firewall-cmd --remove-lockdown-whitelist-command=<command>

Remove the command <command> from the whitelist.

firewall-cmd --query-lockdown-whitelist-command=<command>

Query whether the command <command> is on the whitelist. Returns 0 if true, 1 otherwise.

firewall-cmd --list-lockdown-whitelist-contexts

List all contexts that are on the whitelist.

firewall-cmd --add-lockdown-whitelist-context=<context>

Add the context <context> to the whitelist.

firewall-cmd --remove-lockdown-whitelist-context=<context>

Remove the context <context> from the whitelist.

firewall-cmd --query-lockdown-whitelist-context=<context>

Query whether the context <context> is on the whitelist. Returns 0 if true, 1 otherwise.

firewall-cmd --list-lockdown-whitelist-uids

List all user ids that are on the whitelist.

firewall-cmd --add-lockdown-whitelist-uid=<uid>

Add the user id <uid> to the whitelist.

firewall-cmd --remove-lockdown-whitelist-uid=<uid>

Remove the user id <uid> from the whitelist.

firewall-cmd --query-lockdown-whitelist-uid=<uid>

Query whether the user id <uid> is on the whitelist. Returns 0 if true, 1 otherwise.

firewall-cmd --list-lockdown-whitelist-users

List all user names that are on the whitelist.

firewall-cmd --add-lockdown-whitelist-user=<user>

Add the user name <user> to the whitelist.

firewall-cmd --remove-lockdown-whitelist-user=<user>

Remove the user name <user> from the whitelist.

firewall-cmd --query-lockdown-whitelist-user=<user>

Query whether the user name <user> is on the whitelist. Returns 0 if true, 1 otherwise.

[edit] With configuration files

Example:

<?xml version="1.0" encoding="utf-8"?>
<whitelist>
  <command name="/usr/bin/python /bin/firewall-cmd*"/>
  <selinux context="system_u:system_r:NetworkManager_t:s0"/>
  <user id="815"/>
  <user name="user"/>
</whitelist>

Important for the command tag is the path. As root, /bin/firewall-cmd is used, as a normal user, /usr/bin/firewall-cmd will be used. The '*' at the end of the name attribute of command means that all matches, that start with this string. If the '*' is not there the absolute command inclusive arguments must match.

To get the context of a running application use

ps -e --context 

Then add the context of the application with <selinux context="<context>"/> to the white list to white list this application. Warning: If the context is unconfined, then this will open access for more than the desired application.

[edit] Default whitelist configuration

The default whitelist contains the NetworkManager context and the default context of libvirt. Also the user id 0 (i.e. root) and firewall-config command are in the list.

<?xml version="1.0" encoding="utf-8"?>
<whitelist>
  <command name="/usr/bin/python /usr/bin/firewall-config"/>
  <selinux context="system_u:system_r:NetworkManager_t:s0"/>
  <selinux context="system_u:system_r:virtd_t:s0-s0:c0.c1023"/>
  <user id="0"/>
</whitelist>

[edit] Release Notes

Fedora 19 includes the latest firewalld version that supports the firewalld lockdown feature to be able to lock the firewall configuration for local applications.

[edit] Comments and Discussion