Installing ACL with GrSecurity
Hi all,
I am installing GrSecurity on a test server, and I would like to enable RBAC ACLs. I patched the vanillia kernel and set up GrSecurity in medium mode. Now, is my kernel able to handle RBAC ACL with gradm ? Do I have to activate something on my kernel ? Or can I already write and deploy ACL with gradm ? Thanks |
Quote:
Quote:
|
Quote:
|
Quote:
|
Quote:
|
I found it.
For info it is these options that enable RBAC: # CONFIG_GRKERNSEC_ACL_HIDEKERN is not set CONFIG_GRKERNSEC_ACL_MAXTRIES=3 CONFIG_GRKERNSEC_ACL_TIMEOUT=30 |
You should be able to set that as a option in make menuconfig
Once it is enabled run gradm -P admin to set the admin password use gradm -F -L /etc/grsec/learning.log to put it in learning mode let that run for a few days and don't do anything that you wouldn't want root to be able to do. IE add users, del users, stop/start services, etc Anything that you do during this time will be added to the policy so make sure you do things like browser the web(if thats what you want to do with the box) or dns lookups, or any other user stuff you want to do. Then run gradm -F -L /etc/grsec/learning.log -O /etc/grsec/learning.policy edit the learning.policy by hand to fix anything that you might or might not want then mv learning.policy to policy gradm -a admin then gradm -E to enable the policy |
Thanks for all these infos.
I searched on Internet but I did not find any clear documentation explaning the syntax of the rules used by gradm. For exemple, I don't want my private SSL key used by openSSH (sshd identity) to be readable by root. I want it to be readable only by ssh identity. You know the syntax to use to implement this control ? Thanks |
Quote:
There is a document on the grsecuity site that talks about writing policies. I will try to find it and post it when i get a chance |
Thanks, I am also looking to find docs
|
http://grsecurity.net/gracldoc.pdf
there is the document that helps with understanding the policies and how they work. |
Cool =)
I will work with this doc. When my policy to protect certificates is ready, i will publish it |
All times are GMT -5. The time now is 06:27 AM. |