How to configure sysmask for a software
-----------------------------------------------------

Token configuration must be done when you are full root for sysmask, that is, logged in as root, with no sysmask token and an empty mask.

1. Pick the token level and number for the process (software). Assign an alias for the token if it doesn't already have one. The token alias should be declared in /etc/sysmask/tokens.

2. Create the token directory. It is recommended that you copy the template directory, which is set up for configuration feedback: sysmask tells itself what accesses the software needs.

3. If the rest of your system is under active sysmask protection, change the file /etc/sysmask/macros.in to put your new token under feedback mode. Commit the modification using sysmaskadm.

4. Launch the software under the token. It should work as usual.

5. Regularly launch sysmaskadm to check for new feedback information. Legitimate accesses belonging to the software should be added to the active feedback list and then committed, possibly after some manual editing.

6. When no new feedback information arrives after a sufficient period of normal operation of the software, the protection status of the token can be switched to active. The token is now under sysmask protection. The change takes effect immediately; you don't need to restart the software.

7. You can also try to add some more restrictions to the token, such as the masks "orphan", "suid", "dev", "procfs", capacity masks, or resource limitations. However, these restrictions do not produce feedback, so you can only do it by trial and error, using repeated tests :(

8. If something goes wrong, check the log using sysmaskadm or smlog. When everything is running normally, you can remove the log mask in the mask file of the token to make it silent.

Enjoy!
Configuring a token without feedback
-------------------------------------------------------

Feedback-based configuration is very user-friendly, but it is far from optimal in terms of protection. To get optimal protection, manual adjustment is needed. Here is how you can configure the token without using feedback. It is more complicated but allows for a more refined configuration.

1. Pick the token level and number for the process (software). Assign a name for the token if it doesn't already have one. The token name should be declared in /etc/sysmask/tokens.

2. Create the token directory. It is recommended that you copy the template directory, which is set up to give you information on what happens to the process without blocking it.

3. You may want to modify the definition in the mask file of the copied template directory.

4. Launch the software under the token, then read the log file /var/log/smkd.log. This file records the actions taken by the processes that would be covered by the default mask setup.

5. According to the information given in the log file, modify the general mask definition. Definitions that are too restrictive can be replaced by less restrictive ones. Also, try to add some useful second-set masks: orphan, dev, procfs. Note that the effects of these masks are not logged, so you have to proceed by trial and error when something goes wrong :(

6. In the meantime, use the same log information to locate an action of the processes that can be used to mark the end of the startup procedure. Use this action as a trigger: if it is a system call, the call can be used as the trigger value. If it is a file access, a special block can be inserted in the "open" file with the exact pathname of the file, and mask actions defined for the block. Frequently usable triggering actions include network operations like connect, bind, listen or accept for networking software, or fork/clone for threaded processes.

   If you want to use file access as a trigger, the startup mask setup should include the necessary masks (ropen for read, wopen for write, exec for execution). Whatever is too restrictive for the program startup but not used in the normal work of the processes goes into the triggered mask setup. Try to recover here as much as possible of what was in the default mask setup, plus orphan, dev and procfs, which had to be dropped for the startup.

7. Restart the software and check the log file again. Modify and repeat if necessary, until everything is OK. You could also try to add whatever more you want to the masks.

8. Now add the open2 and path masks to one of the mask sets (startup or triggered; the latter is better), and restart the software. This time the log file records all accesses to files. Allow access to them by inserting blocks into the "open" file, BEFORE the last block. Try several times if necessary, until no more debug messages are received for file accesses. Note that you need to restart the software only if you modify the mask file. Modifications to other files are taken into account immediately at runtime.

9. If necessary, do the same for exec and socket. You can do all three at the same time. However, if you are sure that the program does not need network access, you can skip socket by setting the socketcall mask from the beginning. The same goes for execve.

10. When all is done, launch the process under the new token, use "ps xam" to get its pids, and execute "sysmask -q pnnnn" to see its real sysmask status (where nnnn is to be replaced by the process pid). Are some high-risk system calls left over? Try to add them to the configuration: if not in the mask file, maybe in the open or exec file, after something is opened or executed. Take a look at the log file. No debug message should be received for the new token, except for things you deliberately want to deny access to. Please remember that at this stage, the token gives no protection at all yet.

11. Test the process for a sufficient amount of time, and check the log file regularly. When everything seems mature, you can activate the protection by commenting out the last blocks (those with a "/" matching rule). You can also achieve the same result by appending an "access=deny" line to the last block. If you think that you no longer need the log, remove the log mask, and add the "sysmask" mask to prevent people from tampering with the protection.
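The manual procedure above is a loop: launch the software under the token, read /var/log/smkd.log, add blocks to the token's "open" file, restart, and repeat until the log is quiet. Below is a small POSIX shell helper for that loop (steps 4 to 10). It is an added example, not part of the sysmask documentation or of the sysmask tools themselves. It assumes only that smkd.log is line-oriented, that each entry mentions the token name, and that file accesses appear as absolute pathnames; the real smkd.log format is not given on this page, so the sample lines used to exercise it are constructed. The function names (log_mark, new_token_lines, new_token_paths, run_and_collect, query_status) are my own, and "launching under the token" is left to whatever command you already use for that.

```shell
#!/bin/sh
# Added example, not sysmask project code. Helpers for the
# run -> read smkd.log -> add "open" blocks -> restart loop.
#
# ASSUMPTIONS (the page does not document the exact log format):
#   - /var/log/smkd.log is line-oriented,
#   - each entry contains the token name,
#   - file accesses show up as absolute pathnames.

SMKD_LOG="${SMKD_LOG:-/var/log/smkd.log}"

# Line count of the log right now. Call it before launching the
# software so that only entries produced by this run are examined.
log_mark() {
    if [ -f "$SMKD_LOG" ]; then
        wc -l < "$SMKD_LOG" | tr -d ' '
    else
        echo 0
    fi
}

# Log lines written after mark $1 that mention token $2.
new_token_lines() {
    mark="$1"; token="$2"
    [ -f "$SMKD_LOG" ] || return 0
    tail -n "+$((mark + 1))" "$SMKD_LOG" | grep -F -- "$token" || :
}

# Distinct absolute pathnames found in those lines, sorted. These are
# the candidates for new blocks in the token's "open" file (inserted
# BEFORE the last block, as step 8 says).
new_token_paths() {
    new_token_lines "$1" "$2" | grep -o '/[^[:space:]",]*' | sort -u
}

# Snapshot the log, run the given command (however you launch the
# software under the token), then list the pathnames the log recorded
# for that run. Usage: run_and_collect <token> <command> [args...]
run_and_collect() {
    token="$1"; shift
    mark=$(log_mark)
    "$@"
    new_token_paths "$mark" "$token"
}

# Step 10: query the real sysmask status of every running instance of
# a program by name, using the "sysmask -q p<pid>" form from the text.
# (pgrep is used here instead of "ps xam" to get the pids.)
query_status() {
    for pid in $(pgrep -x "$1"); do
        sysmask -q "p$pid"
    done
}

# Example use, once the software is configured to run under the token:
#   run_and_collect mytoken /path/to/start-the-software
#   query_status software-name
```

Point SMKD_LOG at a copy of the log if you want to experiment without touching the live file. Because new_token_lines only filters on the token name, a line from another token whose pathname happens to contain that name will also be listed; treat the output as a candidate list to review against the log, not as something to paste into the "open" file unread.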