# bell --- title: Bell Privilege Escalation System author: Bellande Architecture Mechanism Research Innovation Center version: 0.0.1 date: 2024 --- ## Website Crates - https://crates.io/crates/bell_system ### Installation - `cargo add bell_system` ``` Name: bell_system Summary: Bell is a comprehensive privilege escalation system designed for secure command execution with granular access controls, robust auditing, and compliance features Home-page: github.com/Architecture-Mechanism/bell Author: Ronaldson Bellande Author-email: ronaldsonbellande@gmail.com License: GNU General Public License v3.0 ``` # Bell Privilege Escalation System Bell is a comprehensive privilege escalation system designed for secure command execution with granular access controls, robust auditing, and compliance features ## Table of Contents 1. [Overview](#overview) 2. [Installation](#installation) 3. [Usage](#usage) 4. [Configuration](#configuration) 5. [Security Features](#security-features) 6. [OS-Specific Features](#os-specific-features) 7. [Best Practices](#best-practices) 8. [Troubleshooting](#troubleshooting) 9. [API Reference](#api-reference) 10. [License](#license) ## Overview Bell is an advanced privilege escalation system designed for secure enterprise environments. It integrates hardware security modules, multi-factor authentication, and comprehensive audit logging. ### Key Features * Multi-level privilege management * Hardware Security Module (HSM) integration * Two-factor authentication (TOTP) * Network isolation capabilities * Fine-grained access control * Comprehensive audit logging * Cross-platform support (Linux, MacOS, BellandeOS) ### Architecture ``` +------------------+ +------------------+ +------------------+ | Bell Client | --> | Bell Core | --> | Security Layer | +------------------+ +------------------+ +------------------+ | | | v v v +------------------+ +------------------+ +------------------+ | Auth Module | | HSM Module | | Audit Module | +------------------+ +------------------+ +------------------+ ``` ## Installation Prerequisites - Rust 1.70 or higher - OpenSSL development libraries - Hardware Security Module (optional) - TOTP device/app for 2FA git clone https://github.com/Architecture-Mechanism/bell.git cd bell-system # Build in release mode cargo build --release # Run tests cargo test --all-features # Install system-wide sudo make install ## System Requirements ### Hardware Requirements | Component | Minimum Specification | |-----------|---------------------| | CPU | x86_64 or ARM64 | | RAM | 512MB | | Disk Space | 1GB free | ### Operating System Support | OS | Minimum Version | |----|----------------| | Linux | 4.19+ | | MacOS | 10.15+ | | BellandeOS | 0.1+ | # Running Commands ``` bell run --privilege-level --command --args bell run --privilege-level admin --command "/usr/bin/systemctl" --args "restart" "nginx" bell run --privilege-level root --command "/usr/bin/apt" --args "update" ``` # User Management ## Adding Users ``` bell user add --privilege # Examples bell user add johndoe --privilege admin bell user add service-account --privilege user ``` ## Modifying Users ``` # Change password bell user change-password # Change privilege bell user change-privilege # Remove user bell user remove ``` ## Group Management ``` # Add to group bell user add-to-group # Remove from group bell user remove-from-group # List group members bell group list-members ``` ## File Locations ``` /etc/bell/ ├── config.bellande # Main configuration ├── users/ # User configurations │ ├── admin.bellande │ └── service.bellande ├── groups/ # Group configurations │ ├── admins.bellande │ └── services.bellande └── security/ # Security policies ├── policy.bellande └── rules.bellande ``` ## Section Management ``` # View active sessions bell session list # Terminate session bell session terminate # Refresh session bell session refresh ``` ## Log Management ``` # View logs bell logs view --level error --since "1 hour ago" # Export logs bell logs export --format json --start "2024-01-01" --end "2024-01-31" # Analyze logs bell logs analyze --pattern "failed_auth" --report detailed ``` ## MacOS Intergration ``` # FileVault management bell run --privilege-level admin --command "fdesetup" --args "status" # SIP verification bell run --privilege-level bell --command "csrutil" --args "status" # Keychain access bell run --privilege-level admin --command "security" --args "list-keychains" ``` ## Linux Security ``` # SELinux management bell run --privilege-level admin --command "semanage" --args "login" "-l" # AppArmor profiles bell run --privilege-level root --command "aa-status" # Kernel parameters bell run --privilege-level bell --command "sysctl" --args "-a" ``` ## BellandeOS Features ``` # Security status bell run --privilege-level bell --command "bellctl" --args "security" "status" # Kernel protection bell run --privilege-level admin --command "bellctl" --args "kernel" "protect" # System integrity bell run --privilege-level root --command "bellctl" --args "verify" "system" ``` ## Bellande Operating System Access ``` EXTENDED 5-LEVEL PERMISSION SYSTEM (77777) ======================================== BASIC PERMISSION VALUES ---------------------- Read (r) = 4 Write (w) = 2 Execute (x) = 1 PERMISSION NUMBER MEANINGS ------------------------ 0 = --- = no access 1 = --x = execute only 2 = -w- = write only 3 = -wx = write and execute 4 = r-- = read only 5 = r-x = read and execute 6 = rw- = read and write 7 = rwx = read, write, and execute (full access) POSITION MEANINGS (LEFT TO RIGHT) ------------------------------- Position 1 (leftmost) = Owner/Bell Position 2 = Root Position 3 = Administration Position 4 = Group Position 5 (rightmost)= User STANDARD PERMISSION: 77531 ------------------------- Owner (7) = rwx = 4+2+1 = 7 Root (7) = rwx = 4+2+1 = 7 Administration (5) = r-x = 4+0+1 = 5 Group (3) = -wx = 0+2+1 = 3 User (1) = --x = 0+0+1 = 1 DETAILED ACCESS LEVELS -------------------- OWNER/BELL (Position 1) - Value: 7 (rwx) - Calculation: 4(read) + 2(write) + 1(execute) = 7 - Access: * All system files and directories * Core components * Kernel level access * Hardware level access * Can override all permissions * Complete system control ROOT (Position 2) - Value: 7 (rwx) - Calculation: 4(read) + 2(write) + 1(execute) = 7 - Access: * System files * Configuration files * Installation files * Startup sequences * Cannot access core components * Cannot modify kernel ADMINISTRATION (Position 3) - Value: 5 (r-x) - Calculation: 4(read) + 0(write) + 1(execute) = 5 - Access: * Read system configurations * Execute administrative tasks * Manage users * Cannot modify system files * No core component access * No kernel modifications GROUP (Position 4) - Value: 3 (-wx) - Calculation: 0(read) + 2(write) + 1(execute) = 3 - Access: * Modify group files * Execute group programs * Share within group * No read outside group * No system modifications * Limited to group scope USER (Position 5) - Value: 1 (--x) - Calculation: 0(read) + 0(write) + 1(execute) = 1 - Access: * Execute allowed programs * Access own directory * Use basic utilities * No system modifications * No file modifications * No read access outside home COMMON PERMISSION COMBINATIONS ---------------------------- 77000 - System Critical Files Owner: 7 (rwx) = 4+2+1 : Full control Root: 7 (rwx) = 4+2+1 : Full control Admin: 0 (---) = 0+0+0 : No access Group: 0 (---) = 0+0+0 : No access User: 0 (---) = 0+0+0 : No access Use: Core system files, kernel components 77530 - Administrative Tools Owner: 7 (rwx) = 4+2+1 : Full control Root: 7 (rwx) = 4+2+1 : Full control Admin: 5 (r-x) = 4+0+1 : Read + Execute Group: 3 (-wx) = 0+2+1 : Write + Execute User: 0 (---) = 0+0+0 : No access Use: System management tools, configuration files 75531 - Standard Applications Owner: 7 (rwx) = 4+2+1 : Full control Root: 5 (r-x) = 4+0+1 : Read + Execute Admin: 5 (r-x) = 4+0+1 : Read + Execute Group: 3 (-wx) = 0+2+1 : Write + Execute User: 1 (--x) = 0+0+1 : Execute only Use: Standard applications, user programs PERMISSION GUIDELINES ------------------- 1. New Files/Directories - Start restrictive (77000 for system) - Add permissions as needed - Document changes 2. Directory Requirements - Need execute (x) to access - Need read (r) to list contents - Need write (w) to create/delete 3. Security Practices - Use minimum needed permissions - Regular permission checks - Document all changes - Monitor access patterns 4. Important Rules - Higher positions override lower - Cannot exceed upper level permissions - Execute needed for directories - Write permission alone is rarely used EXAMPLES AND USE CASES --------------------- 77777 - NOT RECOMMENDED - Gives full access to all levels - Security risk - Never use in production 77531 - STANDARD SECURE - Owner: Full control - Root: Full control - Admin: Limited control - Group: Write in scope - User: Execute only 77000 - SYSTEM FILES - Only Owner and Root access - Maximum security - Use for critical files 75531 - USER APPLICATIONS - Limited Root access - Admin can manage - Group collaboration - User can execute ``` # Command Line ``` bell [OPTIONS] COMMAND [ARGS] Commands: run Execute privileged command user User management group Group management session Session management logs Log management debug Debug tools help Show help information Options: -d, --debug Enable debug mode -c, --config Config file location -q, --quiet Suppress output -v, --version Show version -h, --help Show help ``` ## License Bell is distributed under the [GNU General Public License v3.0](https://www.gnu.org/licenses/gpl-3.0.en.html), see [LICENSE](https://github.com/Architecture-Mechanism/bell/blob/main/LICENSE) and [NOTICE](https://github.com/Architecture-Mechanism/bell/blob/main/LICENSE) for more information. ## Code of Conduct Bell is distributed under the [CODE_OF_CONDUCT](https://github.com/Architecture-Mechanism/bell/blob/main/CODE_OF_CONDUCT.md) and [NOTICE](https://github.com/Architecture-Mechanism/bell/blob/main/CODE_OF_CONDUCT.md) for more information.