LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Security (http://www.linuxquestions.org/questions/linux-security-4/)
-   -   Installing ACL with GrSecurity (http://www.linuxquestions.org/questions/linux-security-4/installing-acl-with-grsecurity-669709/)

PlatinumX 09-13-2008 12:04 PM

Installing ACL with GrSecurity
 
Hi all,

I am installing GrSecurity on a test server, and I would like to enable RBAC ACLs.

I patched the vanillia kernel and set up GrSecurity in medium mode.

Now, is my kernel able to handle RBAC ACL with gradm ?

Do I have to activate something on my kernel ?

Or can I already write and deploy ACL with gradm ?

Thanks

unSpawn 09-16-2008 01:27 AM

Quote:

Originally Posted by PlatinumX (Post 3279337)
Now, is my kernel able to handle RBAC ACL with gradm ?

Yes.


Quote:

Originally Posted by PlatinumX (Post 3279337)
can I already write and deploy ACL with gradm ?

Looks like me you could do with reading some GRSecurity docs?..

PlatinumX 09-18-2008 12:28 PM

Quote:

you could do with reading some GRSecurity docs?..
This is why I asked the question: through all documents I read, I never saw where to enable RBAC in the kernel.

unSpawn 09-18-2008 05:19 PM

Quote:

Originally Posted by PlatinumX (Post 3284774)
I never saw where to enable RBAC in the kernel.

Do you mean kernel config (under look under GRSecurity) or building rulesets (learning mode, grtool et cetera)?

PlatinumX 09-25-2008 04:00 PM

Quote:

Do you mean kernel config (under look under GRSecurity) or building rulesets (learning mode, grtool et cetera)?
I thought of kernel config, don't see where it is...

PlatinumX 10-28-2008 11:05 AM

I found it.
For info it is these options that enable RBAC:

# CONFIG_GRKERNSEC_ACL_HIDEKERN is not set
CONFIG_GRKERNSEC_ACL_MAXTRIES=3
CONFIG_GRKERNSEC_ACL_TIMEOUT=30

slimm609 10-28-2008 12:02 PM

You should be able to set that as a option in make menuconfig

Once it is enabled

run gradm -P admin to set the admin password


use gradm -F -L /etc/grsec/learning.log to put it in learning mode

let that run for a few days and don't do anything that you wouldn't want root to be able to do. IE add users, del users, stop/start services, etc

Anything that you do during this time will be added to the policy so make sure you do things like browser the web(if thats what you want to do with the box) or dns lookups, or any other user stuff you want to do.

Then

run gradm -F -L /etc/grsec/learning.log -O /etc/grsec/learning.policy

edit the learning.policy by hand to fix anything that you might or might not want

then
mv learning.policy to policy

gradm -a admin

then gradm -E to enable the policy

PlatinumX 10-31-2008 09:52 AM

Thanks for all these infos.

I searched on Internet but I did not find any clear documentation explaning the syntax of the rules used by gradm.

For exemple, I don't want my private SSL key used by openSSH (sshd identity) to be readable by root.

I want it to be readable only by ssh identity.

You know the syntax to use to implement this control ?

Thanks

slimm609 10-31-2008 10:38 AM

Quote:

Originally Posted by PlatinumX (Post 3327366)
Thanks for all these infos.

I searched on Internet but I did not find any clear documentation explaning the syntax of the rules used by gradm.

For exemple, I don't want my private SSL key used by openSSH (sshd identity) to be readable by root.

I want it to be readable only by ssh identity.

You know the syntax to use to implement this control ?

Thanks

That would be done in the policy not by gradm. You would have to find out what ssh identity needs access to an tune a policy for that setup.

There is a document on the grsecuity site that talks about writing policies. I will try to find it and post it when i get a chance

PlatinumX 11-03-2008 11:12 AM

Thanks, I am also looking to find docs

slimm609 11-05-2008 09:36 PM

http://grsecurity.net/gracldoc.pdf

there is the document that helps with understanding the policies and how they work.

PlatinumX 11-06-2008 07:09 AM

Cool =)
I will work with this doc.
When my policy to protect certificates is ready, i will publish it


All times are GMT -5. The time now is 02:02 AM.