[rsbac] Dummies starter guide

Amon Ott ott at compuniverse.de
Wed Mar 16 10:03:11 CET 2005


On Wednesday, 16 March 2005 00:26 quoth Vincent Danen:
> On Mar 15, 2005, at 11:13, Andrea Pasquinucci wrote:
> > * I have visions of desktop users thinking of enabling RSBAC and having
> > * absolutely no clue what they're doing (for Mandrake, anyways), so I'd
> > * like to put something up that's super easy to understand and follow.
> >
> > The only way I can think of is to keep the end user completely out of
> > it. If you don't understand what you are doing, you end up believing you
> > are secure when you are wide open, which is even worse than knowing you
> > are insecure or trusting your luck. So, in my opinion, the only way to go
> > is a single button saying "click to start RSBAC, you'll increase your
> > security but some things (hopefully few) will not work".
> >
> > How to do it is easy in principle but not at all in practice. Add to
> > each package the RSBAC rules necessary to make it work; if all kernels
> > are RSBAC enabled, every time you install a package the correct rules
> > to make it work get added. When the user clicks the above button you go
> > from soft_mode to enforcing_mode, end of story.

> Not to mention me, who really knows nothing beyond the
> patching/compiling stage. =) I understand that this is how Adamantix
> does it, and I may have to look at their packages/setup in order to see
> how they're implementing it, but I think basically it still needs to be
> documented somehow... somewhere... so that people who want to do
> something with it are able to do so easily.

There are some simple things you can do which already increase desktop user
as well as server security without user interaction. E.g.:

- Start Mozilla etc. in an RSBAC jail without chroot: it will hide all other
processes from Mozilla and disallow dirty networking tricks.

- Start all system daemons with rsbac_jail (some of them will need extra 
parameters, but that is quite easy to figure out). Limit their Linux 
capabilities with -C while you are at it.

- Limit the Linux capabilities of all suid root programs with the CAP module,
so passwd or ping cannot change firewall settings etc. The CAP "Log Missing"
option will help you find missing caps quickly.

- Limit resources per user with the RES module; use the RES default user for
this. E.g. set the number of processes to 100 (or 200 for power users) to
avoid problems with fork bombs or programs running wild. Similar limits for
memory usage can stop memory-leaking programs, but may cause problems with
huge OpenOffice documents etc.

- Compile the clamav daemon with Clamuko support and configure it to register
as on-access scanner with the DAZ module. If it cannot register because your
kernel has no RSBAC/DAZ, it should still run fine.

- More daring: use RSBAC User Management. It can completely replace
passwd/shadow, but it hides the passwords from user space programs. Combine
it with the AUTH module's auth_may_setuid value 3 on /bin/login, /bin/su etc.
to only allow setuid to authenticated uids.

Amon.
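
A check a practitioner will want after applying the CAP limits or the rsbac_jail -C restriction described in the mail above: did the process actually lose the capabilities it should not have? The following Python script is an added example, not code from the mail, from the RSBAC project or from its tools. It decodes the CapEff mask that a standard Linux kernel reports in /proc/<pid>/status and compares it against an allow set. The capability bit numbers are the mainline Linux values from include/uapi/linux/capability.h; the ALLOWED sets for ping and passwd are an assumed minimal policy, not an RSBAC default, and the two status dumps are constructed samples, not captures from a real system.

```python
#!/usr/bin/env python3
"""Decode the capability masks a Linux kernel reports in /proc/<pid>/status.

Added example, not code from the RSBAC project or from the mail above.
Assumptions: a Linux kernel that exposes CapEff in /proc/<pid>/status
(standard Linux behaviour) and the mainline capability bit numbers below.
"""
import re
import sys

# Capability bit numbers: list index == bit position (mainline Linux values).
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]

# Assumed minimal policy for the two programs named in the mail (not an
# RSBAC default): ping only needs raw sockets, passwd only needs to rewrite
# the root-owned shadow file.
ALLOWED = {
    "ping": {"CAP_NET_RAW"},
    "passwd": {"CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_FOWNER", "CAP_FSETID"},
}

_CAP_LINE = re.compile(r"^(Cap(?:Inh|Prm|Eff|Bnd|Amb)):\s*([0-9a-fA-F]+)\s*$")


def decode_caps(mask):
    """Translate a capability bitmask into the set of capability names."""
    names = set()
    bit = 0
    while mask >> bit:
        if (mask >> bit) & 1:
            # Bits newer than this table are reported by number.
            names.add(CAP_NAMES[bit] if bit < len(CAP_NAMES) else "CAP_%d" % bit)
        bit += 1
    return names


def parse_status(text):
    """Return {"CapEff": int, ...} for every Cap* line in a status dump."""
    caps = {}
    for line in text.splitlines():
        m = _CAP_LINE.match(line)
        if m:
            caps[m.group(1)] = int(m.group(2), 16)
    return caps


def check_process(status_text, allowed):
    """Compare a process's effective capabilities against an allow set.

    Returns (effective, unexpected): the names in CapEff, and those among
    them that are not in `allowed`. An empty `unexpected` means the CAP
    limit (or rsbac_jail -C) took effect as intended.
    """
    effective = decode_caps(parse_status(status_text).get("CapEff", 0))
    return effective, effective - set(allowed)


def audit_pid(pid, allowed):
    """Read /proc/<pid>/status on the running system and check it."""
    with open("/proc/%s/status" % pid) as fh:
        return check_process(fh.read(), allowed)


# Constructed sample dumps (not captured from a real system): a ping that
# kept only CAP_NET_RAW, and an unconfined root process with every bit set.
SAMPLE_PING_CONFINED = """Name:\tping
Pid:\t4242
CapInh:\t0000000000000000
CapPrm:\t0000000000002000
CapEff:\t0000000000002000
"""

SAMPLE_ROOT_UNCONFINED = """Name:\tping
Pid:\t4243
CapInh:\t0000000000000000
CapPrm:\t000001ffffffffff
CapEff:\t000001ffffffffff
"""

if __name__ == "__main__":
    # Usage: python3 capcheck.py <pid> <ping|passwd>
    pid, prog = sys.argv[1], sys.argv[2]
    eff, bad = audit_pid(pid, ALLOWED[prog])
    print("effective:", sorted(eff))
    print("not allowed for %s:" % prog, sorted(bad) or "none")
    sys.exit(1 if bad else 0)
```

Run it as root against the pid of a jailed daemon or a running suid program; a non-zero exit means the process still holds a capability outside the allow set, which is exactly the case the mail warns about (ping being able to change firewall settings via CAP_NET_ADMIN). Reading /proc/<pid>/status needs the same privilege as ptrace on that process, so run the script as root.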

