Important: You must be at least a bit familiar with the kernel building process to understand this section. There are many good how-to on the web and for your Linux distribution to help you.

So, please first read your Linux distribution manual about configuring and compiling your own kernel.

This paragraph simply aim to explain how to check that the archives you will download are correct, and as best as we can, authentic ones.

Every file release by the RSBAC team is checksummed and signed.

The checksums are there in case of file corruption during the download. If you are having troubles decompressing it, you can easily check that you archive is complete.

We provide both MD5 and SHA1 checksums. Simply compare the numbers provided with the ones inside of your_archive.tar.bz2.md5 or your_archive.tar.bz2.sha1sum

Note: please replace your_archive by the archive name, of course.

# md5sum your_archive.tar.tbz2

Alternative

# sha1sum your_archive.tar.bz2

Signing packages with our GPG keys proove to some extend the authenticity of the package. If signature fail, your archive is either corrupted either not legit.

You will need the gpg software installed to verify signatures. Make sure you downloaded your_archive.tar.bz2 and your_archive.tar.bz2.asc at the same location, then:

Note: please replace your_archive by the archive name, of course.

# gpg --verify your_archive.tar.bz2

Gpg will either output a good and confirmed verication, either tell you that something went wrong.

If something went wrong with either GPG or checksuming, please download the archive again, and if necessary, from another mirror.

Here we will speak about patching your kernel. If you have downloaded a pre-patched one, please skip to the kernel configuration.

You will need to download patches matching your kernel version from the kernel_patches section, apply them to your Linux source tree (you can get it from http://www.kernel.org or from your distribution)

Unbzip the patch:

# bzip2 -d linux-2.x.y-rsbac-x.y.z.patch.bz2

Then go into your kernel directory, and patch it:

# patch -p1 < ../linux-2.x.y-rsbac-x.y.z.patch

You will also have to unpack the RSBAC Base archive in your kernel directory.

This archive contains 3 directories:

• include/rsbac/
• Documentation/rsbac/
• rsbac/

Make sure you unpacked them correctly:

# tar xjf ../rsbac-common-x.y.z.tar.bz2

Get one from the classic kernels page and unpack the kernel of your choice to your /usr/src directory. Make sure the symlink /usr/src/linux is pointing to your new RSBAC kernel directory.

This is recommended over official kernels, as it includes every non-RSBAC related security fix, and PaX. However, this kernel is not supported and we might not be able to help you if you run into troubles. It might also not always be up to date as fast as classic kernels. Choice is yours :)

download the kernel you need (with or without PaX) and unpack it to your /usr/src directory. Make sure the symlink /usr/src/linux is pointing to your new RSBAC kernel directory.

Note: theses instructions are currently valid for RSBAC 1.2.x

Please go to your RSBAC kernel directory and run:

# make menuconfig

There is an additional section called “Rule Set Based Access Control (RSBAC)”. Enter this section, and activate the options you need. Each option is commented by selecting it and pushing the “help” button.

Here is the recommended RSBAC setup:

General RSBAC options:

[*] RSBAC proc support
[*] Check on init
[*] Support transactions
[*]   Randomize transaction numbers
[*] RSBAC debugging support
(400) RSBAC default security officer user ID

User management:

[*] User management
[*]     Use Crypto API Digest SHA1 (NEW)

Note: Be sure to enable “SHA1 digest algorithm” in the Crypto API under “Cryptographic options” of the general kernel configuration.

RSBAC networking options:

[*] RSBAC network support
[*]     Net device control
[ ]         Treat virtual devices as individuals
[*]         Individual network device logging
[*]     Net object control (sockets)
[*]         Control UNIX address family
[*]         Also intercept network object read and write
[*]         Individual network object logging

Decision module (policy) options:

[*] Support for Registration of decision modules (REG)
[*]     Build REG sample modules
----------------------------
[*] RSBAC support for DAZuko policy (For malware/antivirus scanning)
DAZ Policy Options  --->
     (604800)     Scanning result lifetime in seconds

Note: You also need to install a third-party application, capable of utilizing the DAZuko interface, like ClamAV. For other information on DAZuko, please consult www.dazuko.org.

For each different policy/module you support you should check it's protection for AUTH module and User Management module.

[*] RSBAC support for FF policy
[*] RSBAC support for RC policy
[*] RSBAC support for AUTH policy
AUTH Policy Options  --->
    [*]   AUTH learning mode support 

Note: Please turn learning option off on production kernels. It is only used while setting up your RSBAC system.

[*] RSBAC support for ACL policy
[*] RSBAC support for Linux Caps (CAP) policy
[*] RSBAC support for JAIL policy
[*] RSBAC support for PAX policy
[*] RSBAC support for System Resources (RES) policy

Softmode and switching:

[ ] RSBAC policies switchable
[*] RSBAC soft mode
[ ]     Toggle soft mode with SysRq-X
[*]     Individual module softmode support

Note: Please turn soft mode option off on production kernels.

Logging:

Check all except “Log to remote UDP network socket”, unless you want to log to remote machine.

RSBAC symlink redirection:

[*]   RSBAC symlink redirection
[*]       Add user ID number
[*]       Add RC role number

Other RSBAC options:

[*] Intercept sys_read and sys_write
[*] Intercept Semaphore IPC operations
[*] Control DAC process owner (seteuid, setfsuid)
[*] Hide processes in /proc
[*] Support freezing of RSBAC configuration
[*] RSBAC check sys_syslog

Note: If you plan to run a X server (such as X.org or XFree86), please enable the following.

[*] X support (normal user MODIFY_PERM access to ST_ioports)

If you wish to use PaX, or have a PaX enabled kernel (this is recommended), also go in the “Security options —> PaX” section, and enable direct MAC system integration.

Here is the recommended PaX setup:

[*] Enable various PaX features

PaX Control:

[*] Support soft mode (Turn that option off on a production kernel)
[ ] Use legacy ELF header marking
[ ] Use ELF program header marking
(direct) MAC system integration

Non-executable pages:

[*] Enforce non-executable pages (NEW)
[*] Paging based non-executable pages
[*] Segmentation based non-executable pages (NEW)
[*]     Restrict mprotect()
[ ]     Disallow ELF text relocations

Note: You usually want to select the PAGEEXEC method on x86 (since on newer PaXs), but revert to SEGMEXEC if you are having issues. The “Disallow ELF text relocations” option is disabled, because it breaks too much applications as of now.

Address Space Layout Randomization:

[*] Address Space Layout Randomization
[*]     Randomize user stack base
[*]     Randomize mmap() base

You can now save, compile and install your kernel, making sure you did follow all the recommendations and configuration needed for the Linux distribution you are running. If something goes wrong, please try to create your kernel again without RSBAC and make sure it works.

If everything works out, congratulations !
Do not reboot into RSBAC right now, and move to the next section of the handbook.

Table of Contents: RSBAC Handbook
Previous: Installing from Source
Next: Downloading and installing the administration tools