Installing ACL with GrSecurity

PlatinumX · 09-13-2008, 12:04 PM

Hi all,

I am installing GrSecurity on a test server, and I would like to enable RBAC ACLs.

I patched the vanillia kernel and set up GrSecurity in medium mode.

Now, is my kernel able to handle RBAC ACL with gradm ?

Do I have to activate something on my kernel ?

Or can I already write and deploy ACL with gradm ?

Thanks

unSpawn · 09-16-2008, 01:27 AM

Quote:

Originally Posted by PlatinumX

Now, is my kernel able to handle RBAC ACL with gradm ?

Yes.

Quote:

Originally Posted by PlatinumX

can I already write and deploy ACL with gradm ?

Looks like me you could do with reading some GRSecurity docs?..

PlatinumX · 09-18-2008, 12:28 PM

Quote:

you could do with reading some GRSecurity docs?..

This is why I asked the question: through all documents I read, I never saw where to enable RBAC in the kernel.

unSpawn · 09-18-2008, 05:19 PM

Quote:

Originally Posted by PlatinumX

I never saw where to enable RBAC in the kernel.

Do you mean kernel config (under look under GRSecurity) or building rulesets (learning mode, grtool et cetera)?

PlatinumX · 09-25-2008, 04:00 PM

Quote:

Do you mean kernel config (under look under GRSecurity) or building rulesets (learning mode, grtool et cetera)?

I thought of kernel config, don't see where it is...

PlatinumX · 10-28-2008, 11:05 AM

I found it.
For info it is these options that enable RBAC:

# CONFIG_GRKERNSEC_ACL_HIDEKERN is not set
CONFIG_GRKERNSEC_ACL_MAXTRIES=3
CONFIG_GRKERNSEC_ACL_TIMEOUT=30

slimm609 · 10-28-2008, 12:02 PM

You should be able to set that as a option in make menuconfig

Once it is enabled

run gradm -P admin to set the admin password

use gradm -F -L /etc/grsec/learning.log to put it in learning mode

let that run for a few days and don't do anything that you wouldn't want root to be able to do. IE add users, del users, stop/start services, etc

Anything that you do during this time will be added to the policy so make sure you do things like browser the web(if thats what you want to do with the box) or dns lookups, or any other user stuff you want to do.

Then

run gradm -F -L /etc/grsec/learning.log -O /etc/grsec/learning.policy

edit the learning.policy by hand to fix anything that you might or might not want

then
mv learning.policy to policy

gradm -a admin

then gradm -E to enable the policy

PlatinumX · 10-31-2008, 09:52 AM

Thanks for all these infos.

I searched on Internet but I did not find any clear documentation explaning the syntax of the rules used by gradm.

For exemple, I don't want my private SSL key used by openSSH (sshd identity) to be readable by root.

I want it to be readable only by ssh identity.

You know the syntax to use to implement this control ?

Thanks

slimm609 · 10-31-2008, 10:38 AM

Quote:

Originally Posted by PlatinumX

Thanks for all these infos.

I searched on Internet but I did not find any clear documentation explaning the syntax of the rules used by gradm.

For exemple, I don't want my private SSL key used by openSSH (sshd identity) to be readable by root.

I want it to be readable only by ssh identity.

You know the syntax to use to implement this control ?

Thanks

That would be done in the policy not by gradm. You would have to find out what ssh identity needs access to an tune a policy for that setup.

There is a document on the grsecuity site that talks about writing policies. I will try to find it and post it when i get a chance

PlatinumX · 11-03-2008, 11:12 AM

Thanks, I am also looking to find docs

slimm609 · 11-05-2008, 09:36 PM

http://grsecurity.net/gracldoc.pdf

there is the document that helps with understanding the policies and how they work.

PlatinumX · 11-06-2008, 07:09 AM

Cool =)
I will work with this doc.
When my policy to protect certificates is ready, i will publish it