Requirements

RSBAC can be used on every modern computer that runs a Linux kernel >3.0. Kernel support for 2.4 and 2.6 has been dropped.

You can choose your favorite Linux distribution.

My favorites are Gentoo and Debian.

I have tested it on an old CPU with 133 MHz and 64 MB.
It also ran without problems on a modern AMD dual-core CPU and an Intel quad-core CPU, both with 8 GB RAM, and on other computers that run Linux.

Very little hard disk space is needed: roughly 10 MB for the rsbac-admin tools, plus additional disk space for the RSBAC kernel once it is installed.

Don't forget the disk space for the logfile!
It can grow very fast in some circumstances, anywhere from a few megabytes to several gigabytes in one hour.

Kernel installation

There are different ways to get the rsbac-kernel sources. Take a look at the download site.

  1. If using gentoo-hardened: emerge -av rsbac-sources

Kernel configuration

If you are using a distribution kernel, the kernel configuration is usually done for you by your distribution.

RSBAC is not preconfigured in any distribution. It has approximately 100 options in the kernel configuration for softmode. For a beginner doing a new installation, reading every help text and searching for detailed explanations can make the configuration take a long time. To shorten this, I have built some predefined RSBAC profiles.

There is a problem when using `make menuconfig` while you have an already running RSBAC kernel with its kernel configuration in `/boot`: you can never choose a correct profile this way. As far as I know, the loaded kernel configuration variables cannot be unset. Therefore I just use some Linux tools and do not patch rsbac-sources/rsbac/Kconfig.

The profiles can be downloaded from http://kasten-edv.de/download/rsbac/profile.

From now on I am assuming that the kernel sources are prepared.

# FIX: not working, need script soon

# assuming this path is set as a symlink to the rsbac sources
cd /usr/src/linux
# download the softmode profile
wget http://kasten-edv.de/download/rsbac/profile/base-entry-soft
# it is compressed, so rename it and uncompress it
mv base-entry-soft base-entry-soft.gz
gunzip base-entry-soft.gz
# build a config based on your running kernel config
make oldconfig
# remove any existing RSBAC entries
grep -v "RSBAC" .config > my_config
# append the profile
cat base-entry-soft >> my_config
# use it as the config
mv my_config .config
# don't call make menuconfig just to check it, because some values are set in rsbac/Kconfig which I don't want active at this moment
# Fix: a script which replaces rsbac/Kconfig, like: rsbac-profile base-soft
# Then make menuconfig can be called again and the steps above are not needed

Enable the following module:

# build and install the kernel
make && make install && make modules_install
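
One way to do the merge described above without editing `.config` in place, and then check that the profile's options survived the build's Kconfig processing. This is an added example, not part of the original page or of the author's rsbac-tools; the function names `merge_rsbac_profile` and `profile_drift` are hypothetical.

```shell
#!/bin/sh
# Added example (not from the page). Function names are hypothetical.

# merge_rsbac_profile BASE PROFILE OUT
# Same steps as the page: drop every line mentioning RSBAC from BASE,
# append PROFILE, write the result to OUT. BASE is left untouched.
merge_rsbac_profile() {
    base=$1 profile=$2 out=$3
    [ -r "$base" ] && [ -r "$profile" ] || return 2
    tmp=$(mktemp) || return 2
    # grep exits 1 when no line survives the filter; only >1 is an error
    grep -v 'RSBAC' "$base" > "$tmp" || [ $? -eq 1 ] || { rm -f "$tmp"; return 2; }
    cat "$profile" >> "$tmp" && mv "$tmp" "$out"
}

# profile_drift CONFIG PROFILE
# Prints each option line of PROFILE that is not present verbatim in CONFIG,
# e.g. because Kconfig defaults or dependencies changed it during the build.
# Returns 0 when every profile option is still in place, 1 otherwise.
profile_drift() {
    config=$1 profile=$2 drift=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            CONFIG_*=*|'# CONFIG_'*' is not set') ;;   # an option line
            *) continue ;;                             # blank or plain comment
        esac
        if ! grep -qxF -- "$line" "$config"; then
            printf 'drift: %s\n' "$line"
            drift=1
        fi
    done < "$profile"
    return "$drift"
}

# Usage in /usr/src/linux, with the file names used on the page:
#   merge_rsbac_profile .config base-entry-soft my_config && mv my_config .config
#   make && profile_drift .config base-entry-soft
```

A non-empty `drift:` list means the kernel being built does not match the profile, which matters most for options that decide whether a module enforces or only logs.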

Configure bootloader

For full list of kernel parameters.

For the example above, add the following to the configuration file of the bootloader you are using:

rsbac_softmode rsbac_cap_process_hiding rsbac_jail_log_missing rsbac_cap_log_missing

Example for grub1:

kernel /vmlinuz-3.2.12-rsbac root=/dev/sda2 ro rsbac_softmode rsbac_cap_process_hiding rsbac_jail_log_missing rsbac_cap_log_missing

Install rsbac-admin

If you are using Gentoo hardened you can do:

emerge -av rsbac-admin

Otherwise, you have to download rsbac-admin, which provides the userland tools for RSBAC. Choose the rsbac-admin version that matches the version your RSBAC kernel supports. Example for version 1.4.6:

wget "http://www.rsbac.org/dl.php?file=code/1.4.6/rsbac-admin-1.4.6.tar.bz2"

Unpack it and change to the rsbac-admin directory. There you can call make. Read the help information and make your choice.

I think make build-all && make install would be sufficient.

From now on the system is ready to boot.

Reminder: Make sure you have enough space for the logfiles.

To see which programs are installed by rsbac-admin, take a look at the online manpages.

Install rsbac-tools

Some of the examples which I will describe use scripts from my repository. It is in alpha state, but the scripts are working. It uses the Mercurial version control system. The scripts themselves are written in Python.

You can download or clone it.

# download it
wget http://hg.kasten-edv.de/rsbac-tools/archive/tip.tar.bz2

Unpack the sources and change into the directory.

# clone the rsbac-tools
hg clone http://hg.kasten-edv.de/rsbac-tools
# change into the cloned directory
cd rsbac-tools
# install it
python setup.py install

These scripts are installed and used:

| Program name | Function |
|---|---|
| run-jail | used to set up a daemon in rsbac_jail with configuration files |
| run-jail-helper | create or modify a configuration file for run-jail, add symlink |
| ps-jail | display human-readable rsbac jail information |
| updater-shell | shell for the admin user updater with predefined commands |
| shields | switch different levels for the FF module on or off |
| add-rsbac-um-user | add a user when the UM module is in use |

Uninstall

Just boot into your distribution kernel and remove the security user. All rsbac.dat directories can also be deleted.
