1 unstable release

0.0.1 Nov 6, 2024

#90 in #access-control

GPL-3.0-or-later

215KB
5K SLoC

bell


title: Bell Privilege Escalation System author: Bellande Architecture Mechanism Research Innovation Center version: 0.0.1 date: 2024

Website Crates

Installation

  • cargo add bell_system
Name: bell_system
Summary: Bell is a comprehensive privilege escalation system designed for secure command execution with granular access controls, robust auditing, and compliance features
Home-page: github.com/Architecture-Mechanism/bell
Author: Ronaldson Bellande
Author-email: ronaldsonbellande@gmail.com
License: GNU General Public License v3.0

Bell Privilege Escalation System

Bell is a comprehensive privilege escalation system designed for secure command execution with granular access controls, robust auditing, and compliance features

Table of Contents

  1. Overview
  2. Installation
  3. Usage
  4. Configuration
  5. Security Features
  6. OS-Specific Features
  7. Best Practices
  8. Troubleshooting
  9. API Reference
  10. License

Overview

Bell is an advanced privilege escalation system designed for secure enterprise environments. It integrates hardware security modules, multi-factor authentication, and comprehensive audit logging.

Key Features

  • Multi-level privilege management
  • Hardware Security Module (HSM) integration
  • Two-factor authentication (TOTP)
  • Network isolation capabilities
  • Fine-grained access control
  • Comprehensive audit logging
  • Cross-platform support (Linux, MacOS, BellandeOS)

Architecture

+------------------+     +------------------+     +------------------+
|    Bell Client   | --> |    Bell Core    | --> |  Security Layer  |
+------------------+     +------------------+     +------------------+
         |                       |                        |
         v                       v                        v
+------------------+     +------------------+     +------------------+
|   Auth Module    |     |    HSM Module   |     |   Audit Module   |
+------------------+     +------------------+     +------------------+

Installation

Prerequisites

  • Rust 1.70 or higher
  • OpenSSL development libraries
  • Hardware Security Module (optional)
  • TOTP device/app for 2FA

git clone https://github.com/Architecture-Mechanism/bell.git cd bell-system

Build in release mode

cargo build --release

Run tests

cargo test --all-features

Install system-wide

sudo make install

System Requirements

Hardware Requirements

Component Minimum Specification
CPU x86_64 or ARM64
RAM 512MB
Disk Space 1GB free

Operating System Support

OS Minimum Version
Linux 4.19+
MacOS 10.15+
BellandeOS 0.1+

Running Commands

bell run --privilege-level <level> --command <command> --args <args...>
bell run --privilege-level admin --command "/usr/bin/systemctl" --args "restart" "nginx"
bell run --privilege-level root --command "/usr/bin/apt" --args "update"

User Management

Adding Users

bell user add <username> --privilege <level>

# Examples
bell user add johndoe --privilege admin
bell user add service-account --privilege user

Modifying Users

# Change password
bell user change-password <username>

# Change privilege
bell user change-privilege <username> <new-privilege>

# Remove user
bell user remove <username>

Group Management

# Add to group
bell user add-to-group <username> <group>

# Remove from group
bell user remove-from-group <username> <group>

# List group members
bell group list-members <group>

File Locations

/etc/bell/
├── config.bellande     # Main configuration
├── users/              # User configurations
│   ├── admin.bellande
│   └── service.bellande
├── groups/             # Group configurations
│   ├── admins.bellande
│   └── services.bellande
└── security/           # Security policies
    ├── policy.bellande
    └── rules.bellande

Section Management

# View active sessions
bell session list

# Terminate session
bell session terminate <session-id>

# Refresh session
bell session refresh

Log Management

# View logs
bell logs view --level error --since "1 hour ago"

# Export logs
bell logs export --format json --start "2024-01-01" --end "2024-01-31"

# Analyze logs
bell logs analyze --pattern "failed_auth" --report detailed

MacOS Intergration

# FileVault management
bell run --privilege-level admin --command "fdesetup" --args "status"

# SIP verification
bell run --privilege-level bell --command "csrutil" --args "status"

# Keychain access
bell run --privilege-level admin --command "security" --args "list-keychains"

Linux Security

# SELinux management
bell run --privilege-level admin --command "semanage" --args "login" "-l"

# AppArmor profiles
bell run --privilege-level root --command "aa-status"

# Kernel parameters
bell run --privilege-level bell --command "sysctl" --args "-a"

BellandeOS Features

# Security status
bell run --privilege-level bell --command "bellctl" --args "security" "status"

# Kernel protection
bell run --privilege-level admin --command "bellctl" --args "kernel" "protect"

# System integrity
bell run --privilege-level root --command "bellctl" --args "verify" "system"

Bellande Operating System Access

EXTENDED 5-LEVEL PERMISSION SYSTEM (77777)
========================================

BASIC PERMISSION VALUES
----------------------
Read (r)    = 4
Write (w)   = 2
Execute (x) = 1

PERMISSION NUMBER MEANINGS
------------------------
0 = --- = no access
1 = --x = execute only
2 = -w- = write only
3 = -wx = write and execute
4 = r-- = read only
5 = r-x = read and execute
6 = rw- = read and write
7 = rwx = read, write, and execute (full access)

POSITION MEANINGS (LEFT TO RIGHT)
-------------------------------
Position 1 (leftmost) = Owner/Bell
Position 2           = Root
Position 3           = Administration
Position 4           = Group
Position 5 (rightmost)= User

STANDARD PERMISSION: 77531
-------------------------
Owner (7)         = rwx = 4+2+1 = 7
Root (7)          = rwx = 4+2+1 = 7
Administration (5) = r-x = 4+0+1 = 5
Group (3)         = -wx = 0+2+1 = 3
User (1)          = --x = 0+0+1 = 1

DETAILED ACCESS LEVELS
--------------------
OWNER/BELL (Position 1)
- Value: 7 (rwx)
- Calculation: 4(read) + 2(write) + 1(execute) = 7
- Access:
  * All system files and directories
  * Core components
  * Kernel level access
  * Hardware level access
  * Can override all permissions
  * Complete system control

ROOT (Position 2)
- Value: 7 (rwx)
- Calculation: 4(read) + 2(write) + 1(execute) = 7
- Access:
  * System files
  * Configuration files
  * Installation files
  * Startup sequences
  * Cannot access core components
  * Cannot modify kernel

ADMINISTRATION (Position 3)
- Value: 5 (r-x)
- Calculation: 4(read) + 0(write) + 1(execute) = 5
- Access:
  * Read system configurations
  * Execute administrative tasks
  * Manage users
  * Cannot modify system files
  * No core component access
  * No kernel modifications

GROUP (Position 4)
- Value: 3 (-wx)
- Calculation: 0(read) + 2(write) + 1(execute) = 3
- Access:
  * Modify group files
  * Execute group programs
  * Share within group
  * No read outside group
  * No system modifications
  * Limited to group scope

USER (Position 5)
- Value: 1 (--x)
- Calculation: 0(read) + 0(write) + 1(execute) = 1
- Access:
  * Execute allowed programs
  * Access own directory
  * Use basic utilities
  * No system modifications
  * No file modifications
  * No read access outside home

COMMON PERMISSION COMBINATIONS
----------------------------
77000 - System Critical Files
Owner:  7 (rwx) = 4+2+1 : Full control
Root:   7 (rwx) = 4+2+1 : Full control
Admin:  0 (---) = 0+0+0 : No access
Group:  0 (---) = 0+0+0 : No access
User:   0 (---) = 0+0+0 : No access
Use: Core system files, kernel components

77530 - Administrative Tools
Owner:  7 (rwx) = 4+2+1 : Full control
Root:   7 (rwx) = 4+2+1 : Full control
Admin:  5 (r-x) = 4+0+1 : Read + Execute
Group:  3 (-wx) = 0+2+1 : Write + Execute
User:   0 (---) = 0+0+0 : No access
Use: System management tools, configuration files

75531 - Standard Applications
Owner:  7 (rwx) = 4+2+1 : Full control
Root:   5 (r-x) = 4+0+1 : Read + Execute
Admin:  5 (r-x) = 4+0+1 : Read + Execute
Group:  3 (-wx) = 0+2+1 : Write + Execute
User:   1 (--x) = 0+0+1 : Execute only
Use: Standard applications, user programs

PERMISSION GUIDELINES
-------------------
1. New Files/Directories
   - Start restrictive (77000 for system)
   - Add permissions as needed
   - Document changes

2. Directory Requirements
   - Need execute (x) to access
   - Need read (r) to list contents
   - Need write (w) to create/delete

3. Security Practices
   - Use minimum needed permissions
   - Regular permission checks
   - Document all changes
   - Monitor access patterns

4. Important Rules
   - Higher positions override lower
   - Cannot exceed upper level permissions
   - Execute needed for directories
   - Write permission alone is rarely used

EXAMPLES AND USE CASES
---------------------
77777 - NOT RECOMMENDED
- Gives full access to all levels
- Security risk
- Never use in production

77531 - STANDARD SECURE
- Owner: Full control
- Root: Full control
- Admin: Limited control
- Group: Write in scope
- User: Execute only

77000 - SYSTEM FILES
- Only Owner and Root access
- Maximum security
- Use for critical files

75531 - USER APPLICATIONS
- Limited Root access
- Admin can manage
- Group collaboration
- User can execute

Command Line

bell [OPTIONS] COMMAND [ARGS]

Commands:
  run                Execute privileged command
  user               User management
  group              Group management
  session            Session management
  logs               Log management
  debug              Debug tools
  help               Show help information

Options:
  -d, --debug        Enable debug mode
  -c, --config       Config file location
  -q, --quiet        Suppress output
  -v, --version      Show version
  -h, --help         Show help

License

Bell is distributed under the GNU General Public License v3.0, see LICENSE and NOTICE for more information.

Code of Conduct

Bell is distributed under the CODE_OF_CONDUCT and NOTICE for more information.

Dependencies

~49–66MB
~1.5M SLoC