# FreeBSD Extended worth using in my case



## skeleton616 (Jul 20, 2021)

Hello,

I've been messing around the different Mandatory Access Controls in FreeBSD lately and stumbled across the BSD Extended filesystem firewall. For my case I only have one user on my system so I was just wondering if it was worth using/looking into? I looked at the documentation for it and it is pretty bleak. Any help is appreciated it, thanks.


----------



## mer (Jul 20, 2021)

skeleton616 said:


> stumbled across the BSD Extended filesystem firewall.


Never of such a thing. 

SirDice ring any bells to you?

Perhaps some links to what you mean would help


----------



## SirDice (Jul 20, 2021)

mer said:


> @SirDice  ring any bells to you?


Nada, but I'm not that familiar with MAC either. Never used it.


----------



## skeleton616 (Jul 20, 2021)

mer said:


> Never of such a thing.
> 
> SirDice ring any bells to you?
> 
> Perhaps some links to what you mean would help







__





						Documentation for FreeBSD
					






					bsdbasement.com
				




Scroll down until you see section 5.2


----------



## SirDice (Jul 20, 2021)

Looks like a really old copy of the handbook.


----------



## mer (Jul 20, 2021)

skeleton616 thanks for the link.
My opinions, from someone not really using MAC stuff:
It depends.
If you want to try to understand how MAC better works (my understanding is that is similar to SELinux) and see how it can be used to protect your system, sure go ahead and use it on your system.
Since you say it's a single user system, it may not actually make your system more secure, but it would increase your knowledge of
how to secure a system.

The last sentence in sec 5.2:
"Extreme caution should be taken when working with this module as incorrect use could block access to certain parts of the file system"

If it were me I'd be inclined to try in a VM or on a spare machine.

Link to current version of the handbook:









						FreeBSD Handbook
					

A constantly evolving, comprehensive resource for FreeBSD users




					docs.freebsd.org


----------



## mark_j (Jul 20, 2021)

skeleton616 said:


> Hello,
> 
> I've been messing around the different Mandatory Access Controls in FreeBSD lately and stumbled across the BSD Extended filesystem firewall. For my case I only have one user on my system so I was just wondering if it was worth using/looking into? I looked at the documentation for it and it is pretty bleak. Any help is appreciated it, thanks.



It's not another firewall. It's using MAC to give you a finer/granular control of the file firewall system you're using.

Is it worth it for one user? Absolutely not. Like RBAC for Solaris, it's usefulness is in controlling user's (even root's) access to the system: devices, files, pipes etc.
Messing around with MAC is often a sure-fire way to lock yourself out... be careful.


----------



## SirDice (Jul 20, 2021)

Recent versions of the handbook has MAC as chapter 16: https://docs.freebsd.org/en/books/handbook/mac/


----------



## skeleton616 (Jul 20, 2021)

mark_j said:


> It's not another firewall. It's using MAC to give you a finer/granular control of the firewall system you're using.
> 
> Is it worth it for one user? Absolutely not. Like RBAC for Solaris, it's usefulness is in controlling user's (even root's) access to the system: devices, files, pipes etc.
> Messing around with MAC is often a sure-fire way to lock yourself out... be careful.


That's the kind of security model I use the most which is RBAC(I use Selinux). I only have one user but multiple roles so it controls user's access to the system but declaring what role has access to what instead of Root being all powerful just like you said. I was just curious to see if that BSD Extended could help me more in locking down certain things essentially. But since I only have one user it does seem silly to implement that but was just curious so I just decided to ask because their documentation sucks quite frankly.



I'm no expert but I have dabbled with the Biba policy and got it to work in BSD just fine so I'm no stranger when it comes to getting locked out. Just wish the documentation was better since this stuff has been around awhile. In fact I decided to document my findings when I messed with the Biba Access Control if anyone wants to take a look and give me pointers on how to document better:

https://github.com/dtdevore64/TrustedBSD-Installing-Biba-Policy


----------



## skeleton616 (Jul 20, 2021)

SirDice said:


> Recent versions of the handbook has MAC as chapter 16: https://docs.freebsd.org/en/books/handbook/mac/


Yeah I've checked it out. It has the same stuff as the previous version I posted, but thanks!


----------



## mark_j (Jul 20, 2021)

skeleton616 said:


> That's the kind of security model I use the most which is RBAC(I use Selinux). I only have one user but multiple roles so it controls user's access to the system but declaring what role has access to what instead of Root being all powerful just like you said. I was just curious to see if that BSD Extended could help me more in locking down certain things essentially. But since I only have one user it does seem silly to implement that but was just curious so I just decided to ask because their documentation sucks quite frankly.
> 
> 
> 
> ...


I agree the documentation is far from satisfactory in this regard. The authoring of the MAC seems to be written by someone who assumes a level of user knowledge and assumes some given facts, especially, how the MAC labels interact with the system and even WHY you should or should not use it.

I've not used selinux but I have used RBAC extensively and it is far superior to MAC - especially in maintenance (but I guess it's what you're used to). We use MAC on two servers at my work because of government mandates and I just don't go near them. 

I honestly can't see a reason why you would want to add such granularity to the file system firewall when you're the only user. Can you offer a case why?

The only one I can see, off hand, is say your machine is exposed to the internet (in the DMZ) and you want to protect the file system should some hacker get in and gain root. Also, as I said, playing with ugidfw(8) can leave you in a real state should you get it wrong.


----------



## skeleton616 (Jul 20, 2021)

mark_j said:


> I agree the documentation is far from satisfactory in this regard. The authoring of the MAC seems to be written by someone who assumes a level of user knowledge and assumes some given facts, especially, how the MAC labels interact with the system and even WHY you should or should not use it.
> 
> I've not used selinux but I have used RBAC extensively and it is far superior to MAC - especially in maintenance (but I guess it's what you're used to). We use MAC on two servers at my work because of government mandates and I just don't go near them.
> 
> ...


Yeah now that I think about it more I cannot offer a case on why I should implement it. I'm still new to BSD so I was just researching all the security benefits it has compared to just using a random Linux distribution. Just been playing around with the Biba/MLS models lately but will definitely not use in my day to day work. I strictly use RBAC and TE in Selinux on my daily machine and it is plenty.


----------



## astyle (Jul 20, 2021)

skeleton616 : Have you heard of honeypots? MAC in combination with logging should prove to be an educational time-waster


----------



## mer (Jul 20, 2021)

astyle said:


> skeleton616 : Have you heard of honeypots? MAC in combination with logging should prove to be an educational time-waster


Golden.


----------



## mark_j (Jul 21, 2021)

skeleton616 said:


> Yeah now that I think about it more I cannot offer a case on why I should implement it. I'm still new to BSD so I was just researching all the security benefits it has compared to just using a random Linux distribution. Just been playing around with the Biba/MLS models lately but will definitely not use in my day to day work. I strictly use RBAC and TE in Selinux on my daily machine and it is plenty.


There's nothing stopping you experimenting, but, in essence, it will only be you who you're experimenting on. If you're fine being the scientist and the lab rat, go for it! 

It's really, like all those role control systems, meaningful only in multi-user environments. That doesn't mean you shouldn't learn how to use it and implement it, just that testing it is a chore.

(It's much better testing on real people and experiencing their frustration because they can't even look at their own processes... 
<evil laugh>)


----------



## astyle (Jul 21, 2021)

mark_j said:


> (It's much better testing on real people and experiencing their frustration because they can't even look at their own processes...
> <evil laugh>)


Such a Daemon....


----------

