List: rsbac
Subject: Re: [rsbac] default rsbac profile
From: Jens Kasten <jens () kasten-edv ! de>
Date: 2012-05-24 23:52:08
Message-ID: 0b90550bb0c4de8f8927487380c0c7df () kasten-edv ! de
In the attachment I have a slightly modified version and a patch for
rsbac/Kconfig.
It needs this patch because Softmode and RC are set by default.
Now I have my rsbac kernel config setup finished with at most 5 config
options.
Next is to build a profile for using RC.
I have tested it and will send it to blueness to integrate it into the
gentoo-hardened rsbac-sources.
On 2012-05-24 08:32, Jens Kasten wrote:
> Hi list,
>
> Here is a first try to build a predefined profile for the rsbac kernel
> configuration.
> Copy the attachment to your path to
> linux-rsbac-source/rsbac/Kconfig.profile and modify
> linux-rsbac-source/rsbac/Kconfig.
>
> Insert into Kconfig at the very beginning, after this:
>
> if RSBAC
>
> source rsbac/Kconfig.profile
>
> That's all.
> Thanks for testing :)
--
Kind regards
Jens Kasten
http://www.kasten-edv.de
["Kconfig.diff" (text/plain)]
--- Kconfig.orign 2012-05-25 00:54:39.133850683 +0200
+++ Kconfig 2012-05-25 01:11:56.637850353 +0200
@@ -36,6 +36,8 @@ menuconfig RSBAC
if RSBAC
+source rsbac/Kconfig.profile
+
menu "General RSBAC options"
depends on RSBAC=y
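Review bot: sourcing rsbac/Kconfig.profile directly under `if RSBAC` already guards every symbol in the profile file with RSBAC, so the `depends on RSBAC` on RSBAC_SECURITY_LEVEL in the attachment is redundant. Also note that the header claims six context lines (`-36,6`) but only three context lines survive in this archived copy, so the blank lines around `source` were lost and this hunk may need `patch -l` or a fresh copy before it applies cleanly.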
@@ -763,7 +765,7 @@ endif
menuconfig RSBAC_RC
bool 'RC policy support'
- default y
+ default n
---help---
The Role Compatibility model is a powerful and flexible role based
model. It supports an unlimited number of roles and types. Types are
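Review bot: `default n` for RSBAC_RC changes the default for every RSBAC build, not just for users of the new profile menu, so anyone doing a plain `make oldconfig` after this patch silently loses RC. If the intent is only to keep RC out of the predefined profiles, `default y if !RSBAC_SECURITY_LEVEL` preserves the existing behaviour for everyone else; the same applies to the softmode and switch hunks below.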
@@ -1633,7 +1635,7 @@ menu 'Softmode and switching'
depends on RSBAC
config RSBAC_SOFTMODE
- default y
+ default n
bool 'RSBAC soft mode'
---help---
This option enables RSBAC softmode support. In softmode, all
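Review bot: the Secure choices in Kconfig.profile select nothing for softmode, so they only produce a non-softmode kernel because this hunk flips RSBAC_SOFTMODE to `default n`; without it, picking "Secure" would still build a softmode kernel with no indication. That dependency is worth stating in the profile help text or the commit message, since a profile that says "Secure" but ships with softmode compiled in is exactly the failure mode to watch for.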
@@ -1684,7 +1686,7 @@ config RSBAC_SOFTMODE_SYSRQ
config RSBAC_SOFTMODE_IND
bool 'Individual module softmode support'
- default y
+ default n
depends on RSBAC_SOFTMODE
---help---
If on, you can toggle softmode individually for each module.
@@ -1698,7 +1700,7 @@ config RSBAC_SOFTMODE_IND
e.g. via switch_module command line tool.
config RSBAC_SWITCH
- default y
+ default n
bool 'RSBAC policies switchable'
---help---
If enabled, the configured policies can be switched on or off by
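Review bot: with RSBAC_SWITCH off by default, a Secure-profile kernel cannot have its policies switched off at runtime (the help text in this hunk describes exactly that), which is the intended hardening and the opposite of what the Soft profile's `select RSBAC_SWITCH` / `select RSBAC_SWITCH_BOOT_OFF` give. The "Secure" help in Kconfig.profile currently mentions only process hiding; it should also say that runtime switching is compiled out.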
@@ -1733,7 +1735,7 @@ config RSBAC_SWITCH_BOOT_OFF
e.g. rc or auth. Module needs to be set switchable below.
config RSBAC_SWITCH_REG
- default y
+ default n
bool 'Switch REG modules'
depends on RSBAC_SWITCH
depends on RSBAC_REG
["Kconfig.profile" (text/plain)]
# menu for predefined profile
config RSBAC_SECURITY_LEVEL
	bool "Security Level"
	depends on RSBAC
	default n
	select RSBAC_PROC
	select RSBAC_INIT_CHECK
	select RSBAC_RCU_RATE
	select RSBAC_LIST_STATS
	select RSBAC_LIST_TRANS
	select RSBAC_LIST_TRANS_RANDOM_TA
	select RSBAC_DEBUG
	select RSBAC_INIT_DELAY
	select RSBAC_NET
	select RSBAC_NET_DEV
	select RSBAC_NET_DEV_VIRT
	select RSBAC_IND_NETDEV_LOG
	select RSBAC_NET_OBJ
	select RSBAC_NET_OBJ_RW
	select RSBAC_IND_NETOBJ_LOG
	select RSBAC_REG
	select RSBAC_AUTH
	select RSBAC_AUTH_AUTH_PROT
	select RSBAC_AUTH_OTHER_PROT
	select RSBAC_AUTH_DAC_OWNER
	select RSBAC_AUTH_GROUP
	select RSBAC_AUTH_DAC_GROUP
	select RSBAC_ACL
	select RSBAC_ACL_AUTH_PROT
	select RSBAC_ACL_GEN_PROT
	select RSBAC_ACL_BACKUP
	select RSBAC_ACL_NET_DEV_PROT
	select RSBAC_ACL_NET_OBJ_PROT
	select RSBAC_CAP
	select RSBAC_CAP_PROC_HIDE
	select RSBAC_CAP_AUTH_PROT
	select RSBAC_JAIL
	select RSBAC_JAIL_NET_ADJUST
	select RSBAC_JAIL_NET_DEV_PROT
	select RSBAC_RES
	select RSBAC_FF
	select RSBAC_FF_AUTH_PROT
	select RSBAC_FF_GEN_PROT
	select RSBAC_IND_LOG
	select RSBAC_IND_USER_LOG
	select RSBAC_IND_PROG_LOG
	select RSBAC_LOG_PROGRAM_FILE
	select RSBAC_LOG_FULL_PATH
	select RSBAC_SYSLOG_RATE
	select RSBAC_RMSG
	select RSBAC_RMSG_NOSYSLOG
	select RSBAC_SYM_REDIR
	select RSBAC_SYM_REDIR_REMOTE_IP
	select RSBAC_SYM_REDIR_UID
	select RSBAC_ALLOW_DAC_DISABLE
	select RSBAC_ALLOW_DAC_DISABLE_PART
	select RSBAC_SECDEL
	select RSBAC_RW
	select RSBAC_IPC_SEM
	select RSBAC_DAC_OWNER
	select RSBAC_DAC_GROUP
	select RSBAC_FREEZE
	select RSBAC_IOCTL
	select RSBAC_USER_CHOWN
	select RSBAC_ENFORCE_CLOSE
	select RSBAC_FAKE_ROOT_UID
	select RSBAC_XSTATS
	---help---
	  This menu entry offers a set of predefined profiles.

config RSBAC_INITRD_SUPPORT
	depends on RSBAC_SECURITY_LEVEL
	bool "Support initrd"
	default n
	# already selected by RSBAC_SECURITY_LEVEL above; kept so the
	# dependency is visible here as well
	select RSBAC_INIT_DELAY
	---help---
	  If you are using an initrd then you have to enable this option.
	  Otherwise you will not be able to boot your system.

config RSBAC_X_SUPPORT
	depends on RSBAC_SECURITY_LEVEL
	bool "Support X"
	default n
	select RSBAC_USER_MOD_IOPERM
	---help---
	  If you are using the X server, usually on a workstation, then you
	  have to enable this option.

# The two basic profiles are mutually exclusive. The exclusion is
# enforced from the UM side (RSBAC_PROFILE_BASIC_UM depends on
# !RSBAC_PROFILE_BASIC); a reverse "depends on" here would make Kconfig
# report a recursive dependency.
config RSBAC_PROFILE_BASIC
	depends on RSBAC_SECURITY_LEVEL
	bool "Basic entry profile"
	default n
	---help---
	  If you say Y here, then you get the basic predefined profile.
	  This is a good choice for starting to use RSBAC.
	  It enables useful and easy to use modules.
	  The following modules are enabled:
	  Modules:
	  -ACL
	  -AUTH
	  -CAP
	  -FF
	  -JAIL
	  -PAX
	  -REG

# note: PAX is listed in the help text but RSBAC_PAX is not selected
# anywhere in this file
if RSBAC_PROFILE_BASIC

choice
	prompt "Choose mode:"

config RSBAC_PROFILE_BASIC_SOFT
	bool "Soft"
	select RSBAC_SOFTMODE
	select RSBAC_SOFTMODE_IND
	select RSBAC_SWITCH
	select RSBAC_SWITCH_ON
	select RSBAC_SWITCH_BOOT_OFF
	select RSBAC_SWITCH_REG
	select RSBAC_SWITCH_AUTH
	select RSBAC_SWITCH_ACL
	select RSBAC_SWITCH_CAP
	select RSBAC_SWITCH_JAIL
	select RSBAC_SWITCH_RES
	select RSBAC_SWITCH_FF
	select RSBAC_CAP_LOG_MISSING
	select RSBAC_CAP_LEARN
	select RSBAC_JAIL_LOG_MISSING
	select RSBAC_ACL_LEARN
	---help---
	  This enables debug and auto learn for AUTH, CAP and ACL.
	  As kernel params you can set:
	  rsbac_auth_learn rsbac_cap_learn rsbac_acl_learn
	  rsbac_jail_log_missing rsbac_cap_log_missing
	  If you don't like a module you can disable it with:
	  rsbac_switch_off_xxx
	  xxx = module name in lower case, e.g.:
	  rsbac_switch_off_jail

config RSBAC_PROFILE_BASIC_SECURE
	bool "Secure"
	---help---
	  This enables debug, but auto learn is disabled for all modules.
	  As kernel param you can set:
	  rsbac_cap_process_hiding
	  This will enforce in secure mode that an unprivileged user only
	  sees his own processes.
	  This protection is provided by the CAP module.

endchoice

endif # RSBAC_PROFILE_BASIC

config RSBAC_PROFILE_BASIC_UM
	depends on RSBAC_SECURITY_LEVEL
	depends on !RSBAC_PROFILE_BASIC
	select RSBAC_UM
	select RSBAC_UM_ONETIME
	select RSBAC_UM_VIRTUAL
	select RSBAC_AUTH_UM_PROT
	select RSBAC_ACL_UM_PROT
	select RSBAC_FF_UM_PROT
	bool "Basic entry profile with UM"
	default n
	---help---
	  If you say Y here, then you get the basic predefined profile.
	  This is a good choice for starting to use RSBAC.
	  It enables useful and easy to use modules.
	  Furthermore the UM module for user management is enabled.
	  You have to prepare the nsswitch.conf.
	  The following modules are enabled:
	  Modules:
	  -ACL
	  -AUTH
	  -CAP
	  -FF
	  -JAIL
	  -PAX
	  -REG
	  -UM

if RSBAC_PROFILE_BASIC_UM

choice
	prompt "Choose mode:"

config RSBAC_PROFILE_BASIC_UM_SOFT
	bool "Soft"
	select RSBAC_SOFTMODE
	select RSBAC_SOFTMODE_IND
	select RSBAC_SWITCH
	select RSBAC_SWITCH_ON
	select RSBAC_SWITCH_BOOT_OFF
	select RSBAC_SWITCH_REG
	select RSBAC_SWITCH_AUTH
	select RSBAC_SWITCH_ACL
	select RSBAC_SWITCH_CAP
	select RSBAC_SWITCH_JAIL
	select RSBAC_SWITCH_RES
	select RSBAC_SWITCH_FF
	select RSBAC_CAP_LOG_MISSING
	select RSBAC_CAP_LEARN
	select RSBAC_JAIL_LOG_MISSING
	select RSBAC_ACL_LEARN
	---help---
	  This enables debug and auto learn for AUTH, CAP and ACL.
	  As kernel params you can set:
	  rsbac_auth_learn rsbac_cap_learn rsbac_acl_learn
	  rsbac_jail_log_missing rsbac_cap_log_missing

config RSBAC_PROFILE_BASIC_UM_SECURE
	bool "Secure"
	select RSBAC_UM_EXCL
	---help---
	  This enables debug, but auto learn is disabled for all modules.
	  Furthermore it enables the UM exclusive option.
	  With this, traditional pam_unix will not work anymore,
	  so modify your configuration files in /etc/pam.d
	  to reflect this.
	  As kernel param you can set:
	  rsbac_cap_process_hiding
	  This will enforce in secure mode that an unprivileged user only
	  sees his own processes.
	  This protection is provided by the CAP module.

endchoice

endif # RSBAC_PROFILE_BASIC_UM
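A consistency check for the resulting kernel .config, added here as an example and not part of Jens's mail or of RSBAC itself: it assumes .config symbols are CONFIG_ plus the Kconfig names from the attachment, and verifies that a kernel built with a "Secure" choice really ends up without softmode and policy switching, which is what the default flips in Kconfig.diff exist for.

```python
# Added check, not part of the mail or of RSBAC; CONFIG_ + Kconfig name is assumed.
import re
BASIC_MODULES = ["RSBAC_ACL", "RSBAC_AUTH", "RSBAC_CAP", "RSBAC_FF", "RSBAC_JAIL", "RSBAC_REG"]
SECURE_MUST_BE_OFF = ["RSBAC_SOFTMODE", "RSBAC_SWITCH", "RSBAC_CAP_LEARN", "RSBAC_ACL_LEARN"]
_LINE = re.compile(r"^(?:CONFIG_(\w+)=(.+)|# CONFIG_(\w+) is not set)$")

def parse_dotconfig(text):
    """Map symbol -> value; '# CONFIG_X is not set' lines become 'n'."""
    symbols = {}
    for m in filter(None, map(_LINE.match, map(str.strip, text.splitlines()))):
        set_name, value, unset_name = m.groups()
        symbols[set_name or unset_name] = value or "n"
    return symbols

def check_profile(text):
    """Return violations of the posted profile's intent; [] means consistent."""
    s = parse_dotconfig(text)
    on = lambda name: s.get(name) == "y"
    if not on("RSBAC_SECURITY_LEVEL"):
        return ["RSBAC_SECURITY_LEVEL is off: no predefined profile in use"]
    problems = []
    if on("RSBAC_PROFILE_BASIC") == on("RSBAC_PROFILE_BASIC_UM"):
        problems.append("exactly one of RSBAC_PROFILE_BASIC / RSBAC_PROFILE_BASIC_UM must be y")
    for mod in BASIC_MODULES + (["RSBAC_UM"] if on("RSBAC_PROFILE_BASIC_UM") else []):
        if not on(mod):
            problems.append(f"{mod} is promised by the profile help but not enabled")
    if on("RSBAC_PROFILE_BASIC_SECURE") or on("RSBAC_PROFILE_BASIC_UM_SECURE"):
        # The Secure choices select nothing, so they rely on the Kconfig
        # defaults having been flipped to n as in the posted Kconfig.diff.
        for opt in SECURE_MUST_BE_OFF:
            if on(opt):
                problems.append(f"{opt}=y in a Secure profile (default not flipped?)")
    return problems

# Constructed .config excerpt: Secure profile chosen, but softmode still compiled in.
SAMPLE_CONFIG = """\
CONFIG_RSBAC_SECURITY_LEVEL=y
CONFIG_RSBAC_PROFILE_BASIC=y
# CONFIG_RSBAC_PROFILE_BASIC_UM is not set
CONFIG_RSBAC_PROFILE_BASIC_SECURE=y
CONFIG_RSBAC_ACL=y
CONFIG_RSBAC_AUTH=y
CONFIG_RSBAC_CAP=y
CONFIG_RSBAC_FF=y
CONFIG_RSBAC_JAIL=y
CONFIG_RSBAC_REG=y
# CONFIG_RSBAC_RC is not set
CONFIG_RSBAC_SOFTMODE=y
# CONFIG_RSBAC_SWITCH is not set
"""
```

Run it against a real .config with `check_profile(open(".config").read())` after `make oldconfig`; an empty list means the build matches what the chosen profile promises.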
_______________________________________________
rsbac mailing list
rsbac@rsbac.org
http://www.rsbac.org/mailman/listinfo/rsbac