There are some simple things you can do, which already increase desktop and server security without much interaction:

• Start Mozilla, etc. in an RSBAC jail without chroot: it will hide all other processes from Mozilla and disallow dirty networking tricks. Try rsbac_jail -ldD /usr/bin/mozilla-suite

• Start all system daemons with rsbac_jail (some of them will need extra parameters, but that is quite easy to figure out). Limit their Linux capabilities with -C while you are at it.

• Use separate namespace for jailed daemons (-N switch) - this way they cannot see any filesystem tree part that was mounted after they were started. Take care about mounting everything needed for work before ! (2.6 feature only). Does not depend on using chroot or anything else.

• Limit the Linux capabilities of all suid root programs with CAP module, so passwd or ping cannot change firewall settings etc. The CAP Log Missing option (in kernel configuration) will help you find missing caps quickly. Menu: rsbac_fd_menu.

• Hide other users processes with rsbac_cap_process_hiding kernel parameter (must be enabled in kernel config).

• Limit resources per user with RES module, use the RES default user for this. For example, set the number of processes to 100 per user (or 200 for power users) to avoid problems with fork bombs or programs running wild. Menu: rsbac_user_menu.

• Similar limits for memory usage can stop memory leaking programs, but may make problems with huge OpenOffice documents etc. Those programs can get individual minimal settings to increase the user based values. Menu: rsbac_fd_menu.

• Compile clamav daemon with Clamuko support and configure it to register as on-access scanner with DAZ module. If it cannot register, because your kernel has no RSBAC/DAZ, it should still run fine. More info is available on the DAZ page.

• More daring: Use RSBAC User Management. It can completely replace passwd/shadow, but it hides the passwords from user space programs. Combine with AUTH module auth_may_setuid value 3 at /bin/login, /bin/su etc. to only allow setuid to authenticated uids.

Table of Contents: RSBAC Handbook
Back: Administration Examples