Info: Version 1.8.x is available.

Japanese Page

Last modified: $Date: 2015-08-31 22:19:51 +0900 (Mon, 31 Aug 2015) $

Tools Documentation


<<Tools for system administrators>>

<Policy Editor "ccs-editpolicy">

Edits the current policy in /proc/ccs/ directory.

You may give one of 'e' 'd' 'p' 'm' 'u' to the commandline to choose the initial screen. If not given, screen for domain listing is shown.

You can use keys listed below.

<Scroll>

Up-arrowScroll 1 line up.
Down-arrowScroll 1 line down.
PageUpScroll 1 page up.
PageDownScroll 1 page down.
Right-arrowScroll 1 column right.
Left-arrowScroll 1 column left.
HomeMove to the top of line.
EndMove to the bottom of line.

<Search>

f/FFind First
n/NFind Next
p/PFind Previous

<Edit>

a/AAdd an entry.
EnterEdit ACLs of a domain at the cursor position. (Valid only for screen for domain listing.)
SpaceInvert selection state of an entry at the cursor position.
c/CCopy selection state of an entry at the cursor position to all entries below the cursor position.
d/DDelete selected entries.
s/SSet profile number of selected entries. (Valid only for screen for domain listing.)
Set profile value for selected entries. (Valid only for screen for profile editing)
Set new quota value for selected entries. (Valid only for screen for memory usage)
InsertCopy an entry at the cursor position to history buffer.

<Misc>

q/QQuit
r/RRefresh
w/WSwitch to window list.

A tutorial is available at How to use Policy Editor.

<Policy Loader "ccs-loadpolicy">

Reloads the on-disk policy onto memory.

There are the following commandline parameters.

<Control Level Changer "ccs-setlevel">

Changes the current control level (i.e. writing to /proc/ccs/profile ) and displays the new control level.

You can give the new control level from commandline parameter.

<Profile Selector "ccs-setprofile">

Assigns a profile to domains.

You can give the new profile number and domainnames from the commandline parameter. The list of domainnames that the profile number assigned to has changed is printed.

<Process Info Viewer "ccs-pstree">

Lists the domainnames of currently running processes belong to and the profile numbers the domains currently assigned to.

This program shows the profile number, the name of process, PID, the domainname like "pstree" command.

<Policy Saver "ccs-savepolicy">

Saves the on-memory policy onto disk.

There are the following commandline parameters.

<Access Log Reading Daemon "ccs-auditd">

Reads from /proc/ccs/grant_log and /proc/ccs/reject_log and writes to the location given in the commandline parameters.

The first commandline parameter is the location of access granted log. The second one is the location of access rejected log. You may give /dev/null as the location. If you needn't to save access logs, you needn't to run this program.

This program runs as a daemon. You can start from /etc/rc.d/rc.local if you are using RedHat Linux. The number of logs that the kernel will keep is given using profile's PREFERENCE::audit={ max_grant_log=integer max_reject_log=integer } lines.

<Access Log Compressor "ccs-sortpolicy">

Remove duplicated entry from logs written by "ccs-auditd".

Reads logs written by "ccs-auditd" from standard input and sorts by domains and removes duplicated entries and writes to standard output.

<Temporal Pathnames Detector "ccs-findtemp">

Reads domain policy from standard input and checks the existence of pathnames, and dumps the nonexistent pathnames.

The nonexistent pathnames are likely used as temporary pathnames. So find the naming rules from similar nonexistent pathnames and append the pattern to /etc/ccs/exception_policy.conf and /proc/ccs/exception_policy .

You can pass the content of /etc/ccs/domain_policy.conf or /proc/ccs/domain_policy using redirection or pipes to the standard input of this program.

<Library Pathnames Updater "ccs-ld-watch">

Appends shared libraries to exception policy automatically using "allow_read" directive when the location of shared libraries in /etc/ld.so.cache has changed.

By running this program while updating packages, you can avoid errors "unable to start applications because shared libraries are unreadable" when the pathnames of shared libraries accessed by general programs has changed.

<Delayed Enforcing Mode Handler "ccs-queryd">

Detects policy violation and displays the access request. You can tell the system whether the access request should be granted (or granted and policy should be appended to grant the access request) or rejected after you validate the access request.

By running this program while updating packages, you can avoid errors due to insufficient permissions.

Never grant access requests unconditionally. The cause of policy violation is not always updating packages, but may by malicious requests by attackers. If you grant access requests caused by malicious requests by attackers, the system gets intruded.

<Policy Violation Notifyier "ccs-notifyd">

Detects policy violation and take some actions (e.g. send a mail) to notify it to the administrator.

By running this program from /etc/crontab , you can know the occurrence of policy violation in enforcing mode as soon as possible.

<Policy Syntax Checker "ccs-checkpolicy">

Reads policy files from standard input and checks syntaxes.

Prints errors with line numbers if any.

<Initial Policy Loader "ccs-init">

Loads policy files from /etc/ccs/ directory.

Put this program as /sbin/ccs-init , and this program will be invoked automatically when execution of /sbin/init is requested by initrd.

<ACL Searcher "ccs-domainmatch">

This is a "fgrep" for /proc/ccs/domain_policy .

<Pathname Pattern Replacer "ccs-patternize">

Reads domain policy from standard input and replaces pathnames with patterns if the pathname matches to patterns given at commandline and writes to standard output. Pathnames that contains execute permission and domainnames won't be patterned.

<Policy Template Generator "init_policy">

Generates templates for policy. You need to review the output because automatically generated policy may contain redundant or dangerous entries.

<A program that forcibly logs the user out "force-logout">

This program forcibly logs the current user out. You can use this program to chase the current user away.

<A program for auditing execute parameter "audit-exec-param">

This program writes parameters passed to execve() to syslog before actually executes the execve() request.

You can copy this program to somewhere before use (e.g. cp -p /usr/lib/ccs/audit-exec-param /bin/audit-exec-param). For example, to audit execve() parameters passed to Apache's CGI program, tell the kernel not to transit domains when executing /bin/audit-exec-param by adding "keep_domain /usr/lib/ccs/audit-exec-param from <kernel> /usr/sbin/httpd" in the exception policy, and add "execute_handler /bin/audit-exec-param" to the Apache's domain (e.g. "<kernel> /usr/sbin/httpd" domain).


<<Tools for reinforcing login authentications>>

<Restricted login shell for authentication "falsh">

A tiny shell that has no built-in command such as "kill". You can use this program for login shell ( the shell specified in the /etc/passwd file). You won't need this program if you don't want to reinforce login authentications.

You should make your own programs for additional authentications. You shouldn't use the following example programs without modifications.

<An example program for password authentication with timings "honey">

This program fails unless the correct password is typed with the correct time interval. Conventional authentication programs don't check the time interval of typing, but this program does to prevent password brute force attack.

<An example program for password authentication with time limit "candy">

This program fails unless the correct password is typed and this program was invoked within 10 seconds after the parent process was invoked. Conventional authentication programs don't check the time interval between the invocation time of parent process and the invocation time of child process, but this program does to prevent password brute force attack.

<An example program for lockfile authentication "groovy">

This program fails while the file /tmp/.lockme exists. This program prompts for password, but doesn't check for password. This program checks for the existence of the file /tmp/.lockme . This program prevents password brute force attack by keeping locked just before you run this program. This is a program for demonstration, and using a filename that are apparent to crackers. You must customize if you want to use.

<An example program for token authentication "gettoken / checktoken">

This program generates tokens based on the system time. The authentication will succeed if the output of "gettoken" is passwd to the input of "checktoken". These are programs for demonstration, and the algorithm is too poor. You must customize if you want to use.

<An example program for challenge-handshake authentication "chaplet">

This program displays strings as a challenge data. The authentication will succeed if you input only numerical letters from the challenge data as a response data. This is a program for demonstration, and the algorithm is too poor. You must customize if you want to use.

<An example program for password authentication with timings "timeauth">

This is a re-implementation of "honey". Create a script and specify this program as the interpreter for the script.

<An example program for one-time-password authentication using mail "mailauth">

This program generates one time password and sends it to the user using "mail". The authentication will succeed if the user input the password sent by "mail". To use this program, some mail server application is needed.

<A simple port forwarder "proxy">

This program is used by client side. This program explicitly binds to local port and connects to server so that the server side firewall (such as "iptables") can use packet filtering based on client side's port number.


Return to index page.

sflogo.php