LinuxQuestions.org
Old 09-13-2008, 12:04 PM   #1
PlatinumX
Member
 
Registered: May 2008
Location: France
Distribution: Debian / Fedora / Gentoo
Posts: 178

Rep: Reputation: 15
Question Installing ACL with GrSecurity


Hi all,

I am installing GrSecurity on a test server, and I would like to enable RBAC ACLs.

I patched the vanilla kernel and set up GrSecurity in medium mode.

Now, is my kernel able to handle RBAC ACL with gradm ?

Do I have to activate something on my kernel ?

Or can I already write and deploy ACL with gradm ?

Thanks
 
Old 09-16-2008, 01:27 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,518
Blog Entries: 51

Rep: Reputation: 2598
Quote:
Originally Posted by PlatinumX View Post
Now, is my kernel able to handle RBAC ACL with gradm ?
Yes.


Quote:
Originally Posted by PlatinumX View Post
can I already write and deploy ACL with gradm ?
Looks to me like you could do with reading some GRSecurity docs?..
 
Old 09-18-2008, 12:28 PM   #3
PlatinumX
Member
 
Registered: May 2008
Location: France
Distribution: Debian / Fedora / Gentoo
Posts: 178

Original Poster
Rep: Reputation: 15
Question

Quote:
you could do with reading some GRSecurity docs?..
This is why I asked the question: through all documents I read, I never saw where to enable RBAC in the kernel.
 
Old 09-18-2008, 05:19 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,518
Blog Entries: 51

Rep: Reputation: 2598
Quote:
Originally Posted by PlatinumX View Post
I never saw where to enable RBAC in the kernel.
Do you mean kernel config (look under GRSecurity) or building rulesets (learning mode, grtool et cetera)?
 
Old 09-25-2008, 04:00 PM   #5
PlatinumX
Member
 
Registered: May 2008
Location: France
Distribution: Debian / Fedora / Gentoo
Posts: 178

Original Poster
Rep: Reputation: 15
Quote:
Do you mean kernel config (look under GRSecurity) or building rulesets (learning mode, grtool et cetera)?
I thought of kernel config, I don't see where it is...
 
Old 10-28-2008, 11:05 AM   #6
PlatinumX
Member
 
Registered: May 2008
Location: France
Distribution: Debian / Fedora / Gentoo
Posts: 178

Original Poster
Rep: Reputation: 15
I found it.
For info it is these options that enable RBAC:

# CONFIG_GRKERNSEC_ACL_HIDEKERN is not set
CONFIG_GRKERNSEC_ACL_MAXTRIES=3
CONFIG_GRKERNSEC_ACL_TIMEOUT=30
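
Added example (not part of the original posts and not grsecurity's own tooling): a shell check that reports, for the three options quoted in the post above, whether a kernel config has each one set, explicitly "is not set", or absent. The function names and the sample file are constructed for illustration; an absent symbol means it was not visible when the config was written, which is a different condition from "is not set".

```shell
#!/bin/sh
# Added example: classify the grsecurity ACL options quoted in this thread.

# Options quoted in post #6 of this thread.
GRSEC_ACL_OPTS="CONFIG_GRKERNSEC_ACL_HIDEKERN CONFIG_GRKERNSEC_ACL_MAXTRIES CONFIG_GRKERNSEC_ACL_TIMEOUT"

# Print a kernel config, transparently handling gzip (e.g. /proc/config.gz).
read_config() {
    case "$1" in
        *.gz) gzip -dc -- "$1" ;;
        *)    cat -- "$1" ;;
    esac
}

# option_state CONFIG_FILE SYMBOL -> prints "set=<value>", "unset" or "absent".
option_state() {
    read_config "$1" | awk -v sym="$2" '
        index($0, sym "=") == 1            { print "set=" substr($0, length(sym) + 2); found = 1; exit }
        $0 == ("# " sym " is not set")     { print "unset"; found = 1; exit }
        END { if (!found) print "absent" }
    '
}

# check_rbac_config CONFIG_FILE -> one line per option; returns 1 if any is absent.
check_rbac_config() {
    rc=0
    for sym in $GRSEC_ACL_OPTS; do
        state=$(option_state "$1" "$sym")
        printf '%-34s %s\n' "$sym" "$state"
        if [ "$state" = "absent" ]; then rc=1; fi
    done
    return $rc
}

# Constructed sample: a .config fragment holding the three lines from the post.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# CONFIG_GRKERNSEC_ACL_HIDEKERN is not set
CONFIG_GRKERNSEC_ACL_MAXTRIES=3
CONFIG_GRKERNSEC_ACL_TIMEOUT=30
EOF
check_rbac_config "$sample"
rm -f "$sample"
```

Point `check_rbac_config` at the `.config` of the patched source tree, or at `/proc/config.gz` if the running kernel exports its configuration.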
 
Old 10-28-2008, 12:02 PM   #7
slimm609
Member
 
Registered: May 2007
Location: Chas, SC
Distribution: slackware, gentoo, fedora, LFS, sidewinder G2, solaris, FreeBSD, RHEL, SUSE, Backtrack
Posts: 428

Rep: Reputation: 65
You should be able to set that as an option in make menuconfig

Once it is enabled

run gradm -P admin to set the admin password


use gradm -F -L /etc/grsec/learning.log to put it in learning mode

Let that run for a few days and don't do anything that you wouldn't want root to be able to do, i.e. add users, del users, stop/start services, etc.

Anything that you do during this time will be added to the policy, so make sure you do things like browse the web (if that's what you want to do with the box), DNS lookups, or any other user stuff you want to do.

Then

run gradm -F -L /etc/grsec/learning.log -O /etc/grsec/learning.policy

edit the learning.policy by hand to fix anything that you might or might not want

then
mv learning.policy to policy

gradm -a admin

then gradm -E to enable the policy
 
Old 10-31-2008, 09:52 AM   #8
PlatinumX
Member
 
Registered: May 2008
Location: France
Distribution: Debian / Fedora / Gentoo
Posts: 178

Original Poster
Rep: Reputation: 15
Thanks for all this info.

I searched on the Internet but I did not find any clear documentation explaining the syntax of the rules used by gradm.

For example, I don't want my private SSL key used by OpenSSH (sshd identity) to be readable by root.

I want it to be readable only by ssh identity.

Do you know the syntax to use to implement this control?

Thanks
 
Old 10-31-2008, 10:38 AM   #9
slimm609
Member
 
Registered: May 2007
Location: Chas, SC
Distribution: slackware, gentoo, fedora, LFS, sidewinder G2, solaris, FreeBSD, RHEL, SUSE, Backtrack
Posts: 428

Rep: Reputation: 65
Quote:
Originally Posted by PlatinumX View Post
Thanks for all this info.

I searched on the Internet but I did not find any clear documentation explaining the syntax of the rules used by gradm.

For example, I don't want my private SSL key used by OpenSSH (sshd identity) to be readable by root.

I want it to be readable only by ssh identity.

Do you know the syntax to use to implement this control?

Thanks
That would be done in the policy, not by gradm. You would have to find out what ssh identity needs access to and tune a policy for that setup.

There is a document on the grsecurity site that talks about writing policies. I will try to find it and post it when I get a chance.
 
Old 11-03-2008, 11:12 AM   #10
PlatinumX
Member
 
Registered: May 2008
Location: France
Distribution: Debian / Fedora / Gentoo
Posts: 178

Original Poster
Rep: Reputation: 15
Thanks, I am also looking to find docs
 
Old 11-05-2008, 09:36 PM   #11
slimm609
Member
 
Registered: May 2007
Location: Chas, SC
Distribution: slackware, gentoo, fedora, LFS, sidewinder G2, solaris, FreeBSD, RHEL, SUSE, Backtrack
Posts: 428

Rep: Reputation: 65
http://grsecurity.net/gracldoc.pdf

There is the document that helps with understanding the policies and how they work.
 
Old 11-06-2008, 07:09 AM   #12
PlatinumX
Member
 
Registered: May 2008
Location: France
Distribution: Debian / Fedora / Gentoo
Posts: 178

Original Poster
Rep: Reputation: 15
Cool =)
I will work with this doc.
When my policy to protect certificates is ready, I will publish it.
 
  


Tags
grsecurity, kernel
