1 unstable release
0.0.1 | Nov 6, 2024 |
---|
#90 in #access-control
215KB
5K
SLoC
bell
title: Bell Privilege Escalation System author: Bellande Architecture Mechanism Research Innovation Center version: 0.0.1 date: 2024
Website Crates
Installation
cargo add bell_system
Name: bell_system
Summary: Bell is a comprehensive privilege escalation system designed for secure command execution with granular access controls, robust auditing, and compliance features
Home-page: github.com/Architecture-Mechanism/bell
Author: Ronaldson Bellande
Author-email: ronaldsonbellande@gmail.com
License: GNU General Public License v3.0
Bell Privilege Escalation System
Bell is a comprehensive privilege escalation system designed for secure command execution with granular access controls, robust auditing, and compliance features
Table of Contents
- Overview
- Installation
- Usage
- Configuration
- Security Features
- OS-Specific Features
- Best Practices
- Troubleshooting
- API Reference
- License
Overview
Bell is an advanced privilege escalation system designed for secure enterprise environments. It integrates hardware security modules, multi-factor authentication, and comprehensive audit logging.
Key Features
- Multi-level privilege management
- Hardware Security Module (HSM) integration
- Two-factor authentication (TOTP)
- Network isolation capabilities
- Fine-grained access control
- Comprehensive audit logging
- Cross-platform support (Linux, MacOS, BellandeOS)
Architecture
+------------------+ +------------------+ +------------------+
| Bell Client | --> | Bell Core | --> | Security Layer |
+------------------+ +------------------+ +------------------+
| | |
v v v
+------------------+ +------------------+ +------------------+
| Auth Module | | HSM Module | | Audit Module |
+------------------+ +------------------+ +------------------+
Installation
Prerequisites
- Rust 1.70 or higher
- OpenSSL development libraries
- Hardware Security Module (optional)
- TOTP device/app for 2FA
git clone https://github.com/Architecture-Mechanism/bell.git cd bell-system
Build in release mode
cargo build --release
Run tests
cargo test --all-features
Install system-wide
sudo make install
System Requirements
Hardware Requirements
Component | Minimum Specification |
---|---|
CPU | x86_64 or ARM64 |
RAM | 512MB |
Disk Space | 1GB free |
Operating System Support
OS | Minimum Version |
---|---|
Linux | 4.19+ |
MacOS | 10.15+ |
BellandeOS | 0.1+ |
Running Commands
bell run --privilege-level <level> --command <command> --args <args...>
bell run --privilege-level admin --command "/usr/bin/systemctl" --args "restart" "nginx"
bell run --privilege-level root --command "/usr/bin/apt" --args "update"
User Management
Adding Users
bell user add <username> --privilege <level>
# Examples
bell user add johndoe --privilege admin
bell user add service-account --privilege user
Modifying Users
# Change password
bell user change-password <username>
# Change privilege
bell user change-privilege <username> <new-privilege>
# Remove user
bell user remove <username>
Group Management
# Add to group
bell user add-to-group <username> <group>
# Remove from group
bell user remove-from-group <username> <group>
# List group members
bell group list-members <group>
File Locations
/etc/bell/
├── config.bellande # Main configuration
├── users/ # User configurations
│ ├── admin.bellande
│ └── service.bellande
├── groups/ # Group configurations
│ ├── admins.bellande
│ └── services.bellande
└── security/ # Security policies
├── policy.bellande
└── rules.bellande
Section Management
# View active sessions
bell session list
# Terminate session
bell session terminate <session-id>
# Refresh session
bell session refresh
Log Management
# View logs
bell logs view --level error --since "1 hour ago"
# Export logs
bell logs export --format json --start "2024-01-01" --end "2024-01-31"
# Analyze logs
bell logs analyze --pattern "failed_auth" --report detailed
MacOS Intergration
# FileVault management
bell run --privilege-level admin --command "fdesetup" --args "status"
# SIP verification
bell run --privilege-level bell --command "csrutil" --args "status"
# Keychain access
bell run --privilege-level admin --command "security" --args "list-keychains"
Linux Security
# SELinux management
bell run --privilege-level admin --command "semanage" --args "login" "-l"
# AppArmor profiles
bell run --privilege-level root --command "aa-status"
# Kernel parameters
bell run --privilege-level bell --command "sysctl" --args "-a"
BellandeOS Features
# Security status
bell run --privilege-level bell --command "bellctl" --args "security" "status"
# Kernel protection
bell run --privilege-level admin --command "bellctl" --args "kernel" "protect"
# System integrity
bell run --privilege-level root --command "bellctl" --args "verify" "system"
Bellande Operating System Access
EXTENDED 5-LEVEL PERMISSION SYSTEM (77777)
========================================
BASIC PERMISSION VALUES
----------------------
Read (r) = 4
Write (w) = 2
Execute (x) = 1
PERMISSION NUMBER MEANINGS
------------------------
0 = --- = no access
1 = --x = execute only
2 = -w- = write only
3 = -wx = write and execute
4 = r-- = read only
5 = r-x = read and execute
6 = rw- = read and write
7 = rwx = read, write, and execute (full access)
POSITION MEANINGS (LEFT TO RIGHT)
-------------------------------
Position 1 (leftmost) = Owner/Bell
Position 2 = Root
Position 3 = Administration
Position 4 = Group
Position 5 (rightmost)= User
STANDARD PERMISSION: 77531
-------------------------
Owner (7) = rwx = 4+2+1 = 7
Root (7) = rwx = 4+2+1 = 7
Administration (5) = r-x = 4+0+1 = 5
Group (3) = -wx = 0+2+1 = 3
User (1) = --x = 0+0+1 = 1
DETAILED ACCESS LEVELS
--------------------
OWNER/BELL (Position 1)
- Value: 7 (rwx)
- Calculation: 4(read) + 2(write) + 1(execute) = 7
- Access:
* All system files and directories
* Core components
* Kernel level access
* Hardware level access
* Can override all permissions
* Complete system control
ROOT (Position 2)
- Value: 7 (rwx)
- Calculation: 4(read) + 2(write) + 1(execute) = 7
- Access:
* System files
* Configuration files
* Installation files
* Startup sequences
* Cannot access core components
* Cannot modify kernel
ADMINISTRATION (Position 3)
- Value: 5 (r-x)
- Calculation: 4(read) + 0(write) + 1(execute) = 5
- Access:
* Read system configurations
* Execute administrative tasks
* Manage users
* Cannot modify system files
* No core component access
* No kernel modifications
GROUP (Position 4)
- Value: 3 (-wx)
- Calculation: 0(read) + 2(write) + 1(execute) = 3
- Access:
* Modify group files
* Execute group programs
* Share within group
* No read outside group
* No system modifications
* Limited to group scope
USER (Position 5)
- Value: 1 (--x)
- Calculation: 0(read) + 0(write) + 1(execute) = 1
- Access:
* Execute allowed programs
* Access own directory
* Use basic utilities
* No system modifications
* No file modifications
* No read access outside home
COMMON PERMISSION COMBINATIONS
----------------------------
77000 - System Critical Files
Owner: 7 (rwx) = 4+2+1 : Full control
Root: 7 (rwx) = 4+2+1 : Full control
Admin: 0 (---) = 0+0+0 : No access
Group: 0 (---) = 0+0+0 : No access
User: 0 (---) = 0+0+0 : No access
Use: Core system files, kernel components
77530 - Administrative Tools
Owner: 7 (rwx) = 4+2+1 : Full control
Root: 7 (rwx) = 4+2+1 : Full control
Admin: 5 (r-x) = 4+0+1 : Read + Execute
Group: 3 (-wx) = 0+2+1 : Write + Execute
User: 0 (---) = 0+0+0 : No access
Use: System management tools, configuration files
75531 - Standard Applications
Owner: 7 (rwx) = 4+2+1 : Full control
Root: 5 (r-x) = 4+0+1 : Read + Execute
Admin: 5 (r-x) = 4+0+1 : Read + Execute
Group: 3 (-wx) = 0+2+1 : Write + Execute
User: 1 (--x) = 0+0+1 : Execute only
Use: Standard applications, user programs
PERMISSION GUIDELINES
-------------------
1. New Files/Directories
- Start restrictive (77000 for system)
- Add permissions as needed
- Document changes
2. Directory Requirements
- Need execute (x) to access
- Need read (r) to list contents
- Need write (w) to create/delete
3. Security Practices
- Use minimum needed permissions
- Regular permission checks
- Document all changes
- Monitor access patterns
4. Important Rules
- Higher positions override lower
- Cannot exceed upper level permissions
- Execute needed for directories
- Write permission alone is rarely used
EXAMPLES AND USE CASES
---------------------
77777 - NOT RECOMMENDED
- Gives full access to all levels
- Security risk
- Never use in production
77531 - STANDARD SECURE
- Owner: Full control
- Root: Full control
- Admin: Limited control
- Group: Write in scope
- User: Execute only
77000 - SYSTEM FILES
- Only Owner and Root access
- Maximum security
- Use for critical files
75531 - USER APPLICATIONS
- Limited Root access
- Admin can manage
- Group collaboration
- User can execute
Command Line
bell [OPTIONS] COMMAND [ARGS]
Commands:
run Execute privileged command
user User management
group Group management
session Session management
logs Log management
debug Debug tools
help Show help information
Options:
-d, --debug Enable debug mode
-c, --config Config file location
-q, --quiet Suppress output
-v, --version Show version
-h, --help Show help
License
Bell is distributed under the GNU General Public License v3.0, see LICENSE and NOTICE for more information.
Code of Conduct
Bell is distributed under the CODE_OF_CONDUCT and NOTICE for more information.
Dependencies
~49–66MB
~1.5M SLoC