=>  RSBAC Handbook

RSBAC Handbook

Preface

Introduction

Architecture

User Management

Security Modules

Installation

Configuration

Maintenance

Appendixes

=>  Releases

Stable: 1.4.6

  • 3.1.y

Patched kernels
Includes vanilla kernel with the RSBAC patch

  • 3.1.5

Enhanced kernels
Combined patches with RSBAC and PaX, less well tested

GIT
RSBAC source code, can be unstable sometimes

=>  Events

No events planned

Easy Samples to Get You Started

There are some simple things you can do, which already increase desktop and server security without much interaction:

JAIL Solutions

  • Start Mozilla, etc. in an RSBAC jail without chroot: it will hide all other processes from Mozilla and disallow dirty networking tricks. Try rsbac_jail -ldD /usr/bin/mozilla-suite
  • Start all system daemons with rsbac_jail (some of them will need extra parameters, but that is quite easy to figure out). Limit their Linux capabilities with -C while you are at it.
  • Use separate namespace for jailed daemons (-N switch) - this way they cannot see any filesystem tree part that was mounted after they were started. Take care about mounting everything needed for work before ! (2.6 feature only). Does not depend on using chroot or anything else.

CAP Solutions

  • Limit the Linux capabilities of all suid root programs with CAP module, so passwd or ping cannot change firewall settings etc. The CAP Log Missing option (in kernel configuration) will help you find missing caps quickly. Menu: rsbac_fd_menu.
  • Hide other users processes with rsbac_cap_process_hiding kernel parameter (must be enabled in kernel config).

RES Solutions

  • Limit resources per user with RES module, use the RES default user for this. For example, set the number of processes to 100 per user (or 200 for power users) to avoid problems with fork bombs or programs running wild. Menu: rsbac_user_menu.
  • Similar limits for memory usage can stop memory leaking programs, but may make problems with huge OpenOffice documents etc. Those programs can get individual minimal settings to increase the user based values. Menu: rsbac_fd_menu.

DAZ Solutions

  • Compile clamav daemon with Clamuko support and configure it to register as on-access scanner with DAZ module. If it cannot register, because your kernel has no RSBAC/DAZ, it should still run fine. More info is available on the DAZ page.

UM Solutions

  • More daring: Use RSBAC User Management. It can completely replace passwd/shadow, but it hides the passwords from user space programs. Combine with AUTH module auth_may_setuid value 3 at /bin/login, /bin/su etc. to only allow setuid to authenticated uids.


Table of Contents: RSBAC Handbook
Back: Administration Examples

 

documentation/rsbac_handbook/configuration_basics/administration_examples/rsbac_samples.txt · Last modified: 2006/10/13 11:05 by ao
This website is kindly hosted by m-privacy