aca

Description

Traps file-system related library calls, such as open, read, write, and exec, and allows, disallows, and audits them. Shell style file patterns select the files a rule applies to, and each rule specifies which actions can or cannot be performed on those files and at what auditing level.

Not supported in Endpoint Privilege Management for Linux (EPM-L).

Syntax

aca( control_type, filespec, action permissions and auditing [, tag]);

Arguments

control_type Currently always set to file.
filespec Shell style file specification which matches one or more files.

The shell style specification includes wildcards * and ?; character classes, where [ and ] delineate a class and a ! as the first character in the class negates the other characters in the class; and ranges in a class, where a - between two characters defines the range. A - at the beginning or end of a class matches a literal -, and a ] at the beginning of a class matches a literal ]. (See 'man 7 glob' on Linux.) Wildcards, ranges, and classes may appear within any path or file name portion of the filespec, but the filespec must start with a / (or with a *, as described below); a specification that begins with neither, such as a relative path, will not work.

In a filespec that begins with a slash /, a slash in the path is matched only by a literal slash; the wildcard expressions *, ?, and [...] never match a slash. Fully specifying all the slashes in a path protects against, for example, /usr/*/bin/date matching /usr/local/directory1/evil/date.

In a filespec that begins with *, wildcards may match any slash in the path. This allows, for example, */reboot to match /usr/bin/reboot, /usr/sbin/reboot, /bin/reboot, /sbin/reboot, and /usr/local/bin/reboot.

The special filespec unmatched is used to match all files not matched by other filespecs that have been defined.

Prior to version 10.3.0, default was used with filespec in the policy. In version 10.3.0 and later, unmatched is used in place of default. For backward compatibility, default will continue to work.

/tmp/banned/* matches the files and sub-directories within /tmp/banned; access to the directory itself still works. /tmp/banned/ (trailing slash) disables the whole directory and all of its contents.

Other than "unmatched", the ACA filespec definitions are processed in the order they were defined, and the first match is used; subsequent matches are ignored.

For more information, see Important Considerations.
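To make the slash rule, the directory forms, and the first-match ordering concrete, here is an added Python model of the documented filespec semantics. It is example code written for this page, not BeyondTrust's matcher. Two points are this model's reading of the text rather than stated by it: a trailing-slash filespec matches the directory itself and everything below it, and a filespec beginning with neither / nor * is rejected. The rule list at the bottom is constructed from the /bin examples on this page.

```python
import re
from typing import Optional, Sequence, Tuple

# Example model of the documented aca() filespec rules (not BeyondTrust code).
# A rule is (filespec, permissions, tag): the arguments of aca() after "file".
Rule = Tuple[str, str, str]


def _check_prefix(spec: str) -> None:
    # Assumption taken from the text: a filespec begins with either / or *.
    if not spec.startswith(("/", "*")):
        raise ValueError("filespec must begin with / or *: %r" % spec)


def filespec_to_regex(spec: str) -> "re.Pattern[str]":
    """Translate a shell-style filespec into an anchored regular expression.

    Implements * and ? wildcards; [...] classes with a leading ! for negation,
    - ranges and a leading ] taken literally; and the slash rule: in a spec
    beginning with / a wildcard or class never matches '/', so every slash must
    be spelled out, while in a spec beginning with * it may match '/'.
    """
    _check_prefix(spec)
    slash_ok = spec.startswith("*")
    any_char = "." if slash_ok else "[^/]"
    out, i = [], 0
    while i < len(spec):
        c = spec[i]
        if c == "*":
            out.append(any_char + "*")
        elif c == "?":
            out.append(any_char)
        elif c == "[":
            j = i + 1
            negate = j < len(spec) and spec[j] == "!"
            if negate:
                j += 1
            start = j
            if j < len(spec) and spec[j] == "]":   # ']' first in a class is literal
                j += 1
            while j < len(spec) and spec[j] != "]":
                j += 1
            if j == len(spec):                      # no closing ']': treat '[' literally
                out.append(re.escape(c))
                i += 1
                continue
            # '-' stays unescaped so ranges work; first or last it is literal in regex too.
            body = "".join(ch if ch == "-" else re.escape(ch) for ch in spec[start:j])
            if negate and not slash_ok:
                body += "/"                          # a negated class still must not match '/'
            out.append("[" + ("^" if negate else "") + body + "]")
            i = j
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("^" + "".join(out) + "$")


def filespec_matches(spec: str, path: str) -> bool:
    """Match one absolute path against one filespec.

    '/dir/*' matches entries inside /dir but not /dir itself; '/dir/' (trailing
    slash) is read here as matching the directory and everything beneath it."""
    _check_prefix(spec)
    if spec.endswith("/"):
        return path == spec.rstrip("/") or path.startswith(spec)
    return filespec_to_regex(spec).match(path) is not None


def select_rule(rules: Sequence[Rule], path: str) -> Optional[Rule]:
    """First match wins: rules are tried in definition order and later matches are
    ignored; 'unmatched' (or the pre-10.3.0 spelling 'default') applies only when
    no other rule matched."""
    fallback = None
    for rule in rules:
        if rule[0] in ("unmatched", "default"):
            if fallback is None:
                fallback = rule
        elif filespec_matches(rule[0], path):
            return rule
    return fallback


# Constructed rule list mirroring the /bin examples on this page.
SAMPLE_RULES = [
    ("/bin/*", "!all|exec:log=2", "bin"),
    ("/bin/umount", "!all|log=9", "never reached"),   # shadowed by /bin/* above
    ("/tmp/banned/", "!all", "banned dir"),
    ("*/reboot", "!all|log=3", "reboot anywhere"),
    ("unmatched", "all|log=1", "DEFAULT"),
]

if __name__ == "__main__":
    for p in ("/bin/umount", "/usr/sbin/reboot", "/tmp/banned", "/etc/passwd"):
        rule = select_rule(SAMPLE_RULES, p)
        print(p, "->", rule[2] if rule else None)
```

Running the block shows /bin/umount landing on the /bin/* rule, which is the ordering trap the "Ignored due to above /bin/* pattern" example in this page warns about: a more specific rule placed after a broader one is dead policy.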

action permissions and auditing
  • One or more of the following action names, separated by the pipe | symbol.
  • Spaces are not allowed in permissions.
  • The appearance of an action name enables that action.
  • Preceding the action name with a ! is used to disallow the action.
  • Each action name may be followed by an optional loglevel, specified as :log=[0-9] before the pipe.
  • The final |log=level applies to action names that do not have individual loglevels. This allows different loglevels for each action name for a given filespec.
tag An optional text string used to arbitrarily group, organize, or identify output in the ACA reports.

Action Description

all Allow all permissions. The all permission must precede any other permissions.
read For a normal file, this allows read(). For a directory with read and execute bits set for the runuser, this allows chdir() and opendir(). Note that this affects the ability to open a file or directory with read permissions; the read() calls themselves are not intercepted nor audited. Prior to version 9.4, stat() calls were trapped and audited as part of the read permission. Starting in 9.4, stat() calls are no longer trapped nor audited.
write For a normal file, this allows open() with create or update, and write(). For a directory, this allows mkdir(). Note that this affects the ability to open a file with write permissions; the write() calls themselves are not intercepted nor audited.
unlink For a normal file, this allows unlink(). For a directory, this allows rmdir().
mknod Allows mknod().
exec Allows execution of non-setuid programs that use shared libraries.
execsetuid Allows execution of setuid binaries on platforms that support LD_PRELOAD with setuid binaries. Not supported on AIX and HP-UX.
execstatic Allows execution of statically linked binaries (disables ACA for that process and any children).
disable Disables ACA, upon an exec, for the specified file pattern and for any children of that process. The disable permission should not be used with the unmatched filespec.
chmod Allows changing of rwx permissions and the sticky bit.
chmodpriv Allows changing of setuid and setgid permissions.
chown Allows changing of file ownership via chown().
link Allows creation of hard links (link()) and soft links (symlink()).
owner Allows the above operations only if runuser is the file owner.
log=level Audits access at the specified level (0-9):
  • Loglevel zero, or no log=level specified, means that no auditing (logging) of the call is performed.
  • Loglevel 1 performs the minimal auditing, recording only the call, permission, and path.
  • Loglevel 2 additionally logs argv for exec calls, and the device/inode/mode/uid/gid of the file for open calls (read, write, or both).
  • Loglevel 3 additionally logs the environment supplied to exec calls.
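The permission grammar (terms separated by |, ! to disallow, a per-action :log=N, a trailing log=N for every action without its own, and all first) is compact enough to mis-read, so here is an added Python parser that turns a permission string into a per-action decision and audit level. It is example code written for this page, not BeyondTrust's parser. Two choices are this model's own rather than stated on the page: an action the string never names is treated as not enabled and given audit level 0, and all:log=N is taken to set an individual loglevel for every action, so a trailing log=N does not override it.

```python
from typing import Dict, Optional, Tuple

# Example parser for the documented aca() permission string (not BeyondTrust code).
# The names are the action names from the table on this page; 'disable' and
# 'owner' are modifiers but are parsed the same way.
ACTIONS = ("read", "write", "unlink", "mknod", "exec", "execsetuid", "execstatic",
           "disable", "chmod", "chmodpriv", "chown", "link", "owner")

Decision = Tuple[bool, int]          # (allowed, loglevel)


def _level(text: str) -> int:
    """A loglevel is a single digit 0-9."""
    if len(text) != 1 or not text.isdigit():
        raise ValueError("loglevel must be one digit 0-9, got %r" % text)
    return int(text)


def parse_permissions(perms: str) -> Dict[str, Decision]:
    """Parse e.g. 'all|!write:log=2|exec:log=2|log=1' into {action: (allowed, loglevel)}.

    Grammar as documented: '|'-separated terms with no spaces; a leading '!'
    disallows the action; an optional ':log=N' sets that action's loglevel;
    a final bare 'log=N' applies to actions without their own loglevel; 'all'
    (or '!all') must be the first term. Anything the page does not define
    (unknown names, a late 'all', two bare log= terms) is rejected here so
    that a typo cannot silently widen a rule.
    """
    if " " in perms:
        raise ValueError("spaces are not allowed in permissions: %r" % perms)
    table: Dict[str, Decision] = {}
    has_own_level: Dict[str, bool] = {}
    default_level: Optional[int] = None
    for idx, term in enumerate(perms.split("|")):
        if term.startswith("log="):
            if default_level is not None:
                raise ValueError("more than one trailing log= in %r" % perms)
            default_level = _level(term[4:])
            continue
        name, _, option = term.partition(":")
        allowed = not name.startswith("!")
        name = name.lstrip("!")
        level: Optional[int] = None
        if option:
            if not option.startswith("log="):
                raise ValueError("unknown option %r in %r" % (option, perms))
            level = _level(option[4:])
        if name == "all":
            if idx != 0:
                raise ValueError("'all' must precede any other permission")
            targets = ACTIONS
        elif name in ACTIONS:
            targets = (name,)
        else:
            raise ValueError("unknown action %r in %r" % (name, perms))
        for action in targets:
            table[action] = (allowed, 0 if level is None else level)
            has_own_level[action] = level is not None
    if default_level is not None:
        for action, (allowed, _) in table.items():
            if not has_own_level[action]:
                table[action] = (allowed, default_level)
    return table


def decide(perms: str, action: str, is_owner: bool = True) -> Decision:
    """May `action` proceed under this rule, and at which audit level?

    The 'owner' modifier restricts every allowed operation to the case where the
    runuser owns the file. An action the string never enables is refused at
    level 0 (this model's reading; the page does not say whether it is audited)."""
    table = parse_permissions(perms)
    allowed, level = table.get(action, (False, 0))
    if allowed and table.get("owner", (False, 0))[0] and not is_owner:
        allowed = False
    return allowed, level


if __name__ == "__main__":
    rule = "all:log=1|!write:log=2|exec:log=2|execstatic:log=2|execsetuid:log=2"
    for action in ("read", "write", "exec", "execsetuid", "chmod"):
        print(action, decide(rule, action))
```

The strict rejection of unknown terms is the design choice worth keeping when writing policy: a permission string is a whitelist, and an unrecognised or mis-ordered term should fail loudly at policy load rather than be ignored and leave the rule wider than intended.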

ACA can derive a shell’s command history by logging additional information. This is enabled with the procedure enablesessionhistory().

Interactions of exec, execstatic, execsetuid:

  • exec means execution of a dynamically linked binary that is neither setuid nor setgid is allowed.
  • execstatic means execution of a statically linked binary that is neither setuid nor setgid is allowed.
  • execsetuid means execution of a dynamically linked setuid/setgid binary is allowed, but not a binary that is neither setuid nor setgid.
  • execstatic|execsetuid means any setuid binary or any static binary is allowed: a setuid static binary, a setuid dynamic binary, or a non-setuid static binary. In other words, everything except a dynamically linked non-setuid binary.
  • exec|execstatic|execsetuid allows any execution.

AIX and HP-UX do not support LD_PRELOAD or equivalent for setuid/setgid programs. Similarly, Linux does not support LD_PRELOAD for programs with capabilities assigned. Beginning in EPM-UL 21.1.0, when an ACA-controlled process (for example, a shell) attempts to exec a setuid/setgid or capabilities-enabled binary on an affected operating system, a warning is issued to the user and (if configured) sent to the log server's eventdestination for errlog. ACA is then disabled and the setuid/setgid/capability program is executed. Because such a binary runs outside ACA's control, the PMUL ACA policy should either disable ACA explicitly or deny execution for each specific setuid/setgid/capability binary; this avoids the warning message and assures proper security for those binaries.

Example to deny execution:
aca("file","/bin/su","all|!execsetuid|!exec|log=2");
Example to allow execution with ACA disabled:
aca("file","/bin/su","execsetuid|disable|log=2");

Return Values

None

Examples

aca( "file", "unmatched", "all|log=1");

Allows all access to all files not matched by other ACA rules, auditing every action at level 1.

aca("file", "/bin/*", "!all"); Disables access to files and subdirectories within /bin; access to /bin itself (for ls, etc.) is still allowed.
aca("file", "/bin/", "!all"); Disables all access to /bin and its files and subdirectories; ls, etc., are also not allowed. Auditing is not enabled.
aca("file", "/bin/*", "!all|exec:log=2"); Allows exec for all files in /bin and disallows all other actions for those files. Audits the execs at level 2.
aca("file", "/bin/umount", "!all|log=9"); Ignored, because the /bin/* pattern above matches first.
aca('file','unmatched','all:log=1|exec:log=2|execstatic:log=2|execsetuid:log=2','DEFAULT');
aca('file','/sbin/*','all:log=1|!write:log=2|exec:log=2|execstatic:log=2|execsetuid:log=2','Protect sbin files');
aca("file", "/sbin/lvm", "all|disable|log=2"); Disables ACA for Linux lvm (note that there are more binaries to disable).
aca("file", "/sbin/service", "all|disable|log=2"); Disables ACA for the Linux daemon mechanism.
aca("file", "/etc/init.d/*", "all|disable|log=2"); Disables ACA for the Linux daemon mechanism.
aca("file", "...", "...log=2"); When auditing (log=level) is requested in a rule but no iolog is set for that rule, a message is displayed stating that an iolog must be set in the rule.