| 1 |
Thanx for that url. |
| 2 |
|
| 3 |
However, I must say that its not good policy to discontinue support on |
| 4 |
one version, and using only a latter one that has so few or none |
| 5 |
documentation. |
| 6 |
|
| 7 |
I've read the docs supplied by spender, and I think they lack depth and |
| 8 |
have very few info... |
| 9 |
anyways, my 2.4.26-grsec2 is allready compiled and i'm going to try it |
| 10 |
out.... |
| 11 |
:) |
| 12 |
|
| 13 |
|
| 14 |
> I'm a slacker and writing docs is not something I enjoy doing for free. |
| 15 |
> So... this is all you get from me for now on the subject of creating |
| 16 |
> roles for your 2.x system |
| 17 |
> http://dev.gentoo.org/~solar/xml/grsecurity2.html |
| 18 |
> (...) |
| 19 |
> -- |
| 20 |
> Ned Ludd <solar@g.o> |
| 21 |
> Gentoo (hardened,security,infrastructure,embedded,toolchain) Developer |
| 22 |
> |
| 23 |
|
| 24 |
Now about grsec2, I was thinking about creating a "role" for |
| 25 |
system/software maintenance, something like upgrading software, |
| 26 |
changing config files, editing cron files.... since those are made |
| 27 |
under supervision of a admin... |
| 28 |
so that the ACL for the "regular & normal" funcioning would not involve |
| 29 |
those tasks, and only the regular tasks the server runs.. that normally |
| 30 |
aren't supervised.. one just leaves the machine running, doesn't stay |
| 31 |
there watching all the time :) |
| 32 |
|
| 33 |
is this the way the RBAC is supposed to be used? |
| 34 |
|
| 35 |
and for bigger systems one could/should have roles for: |
| 36 |
- backups and data recovery.. |
| 37 |
- operator actions has creating acounts, supplying new passwords... |
| 38 |
- software upgrades and mantainance for admins.. |
| 39 |
- auditing/log checking.... |
| 40 |
- and true admin/root mode for users != root (normally the core admins) |
| 41 |
- root just stays there...and can read the logs... start/stop services.. |
| 42 |
|
| 43 |
Is this the way grsec2 envisions? |
| 44 |
|
| 45 |
I'm thinking in those actions/roles since thats more or less what I |
| 46 |
have in a solaris university server with acounts for every student and |
| 47 |
course.. wich gives 6000 acounts... |
| 48 |
plus web serving, cvs server, mail server... ftp, ssh, the whole |
| 49 |
buttload one can imagine... |
| 50 |
|
| 51 |
and I'm allways looking/thinking in how could that be better managed |
| 52 |
with a hardened linux... |
| 53 |
|
| 54 |
Thanks for gentoo developers for supplying us with such a great distro! |
| 55 |
ps: grsec rocks! |
| 56 |
please reply to: miguel@×××××××××××.pt thanks! |
| 57 |
|
| 58 |
Miguel Figueiredo Mascarenhas de Sousa Filipe |
| 59 |
email: miguel@×××××××××××.pt (PORTUGAL) |
| 60 |
http://mega.ist.utl.pt/~miguel |
| 61 |
|
| 62 |
Equipa de Administracao de Sistemas |
| 63 |
Rede das Novas Licenciaturas (RNL) |
| 64 |
Instituto Superior Tecnico |
| 65 |
http://www.rnl.ist.utl.pt |
| 66 |
http://mega.ist.utl.pt |
| 67 |
|
| 68 |
|
| 69 |
Miguel Figueiredo Mascarenhas de Sousa Filipe |
| 70 |
email: miguel@×××××××××××.pt (PORTUGAL) |
| 71 |
http://mega.ist.utl.pt/~miguel |
| 72 |
|
| 73 |
Equipa de Administracao de Sistemas |
| 74 |
Rede das Novas Licenciaturas (RNL) |
| 75 |
Instituto Superior Tecnico |
| 76 |
http://www.rnl.ist.utl.pt |
| 77 |
http://mega.ist.utl.pt |
| 78 |
|
| 79 |
|
| 80 |
-- |
| 81 |
gentoo-hardened@g.o mailing list |
Archives