Thanks for that URL.

However, I must say that it's not good policy to discontinue support on
one version, and use only a later one that has so little or no
documentation.

I've read the docs supplied by spender, and I think they lack depth and
have very little info...
Anyway, my 2.4.26-grsec2 is already compiled and I'm going to try it
out....
:)

> I'm a slacker and writing docs is not something I enjoy doing for free.
> So... this is all you get from me for now on the subject of creating
> roles for your 2.x system
> http://dev.gentoo.org/~solar/xml/grsecurity2.html
> (...)
> --
> Ned Ludd <solar@g.o>
> Gentoo (hardened,security,infrastructure,embedded,toolchain) Developer
>

Now about grsec2, I was thinking about creating a "role" for
system/software maintenance, something like upgrading software,
changing config files, editing cron files.... since those are made
under supervision of an admin...
so that the ACL for the "regular & normal" functioning would not involve
those tasks, and only the regular tasks the server runs.. that normally
aren't supervised.. one just leaves the machine running, doesn't stay
there watching all the time :)

Is this the way the RBAC is supposed to be used?

And for bigger systems one could/should have roles for:
- backups and data recovery..
- operator actions such as creating accounts, supplying new passwords...
- software upgrades and maintenance for admins..
- auditing/log checking....
- and true admin/root mode for users != root (normally the core admins)
- root just stays there...and can read the logs... start/stop services..

Is this what grsec2 envisions?

I'm thinking of those actions/roles since that's more or less what I
have in a Solaris university server with accounts for every student and
course.. which gives 6000 accounts...
plus web serving, cvs server, mail server... ftp, ssh, the whole
buttload one can imagine...

And I'm always looking/thinking about how that could be better managed
with a hardened Linux...

Thanks to the Gentoo developers for supplying us with such a great distro!
PS: grsec rocks!
Please reply to: miguel@×××××××××××.pt thanks!

Miguel Figueiredo Mascarenhas de Sousa Filipe
email: miguel@×××××××××××.pt (PORTUGAL)
http://mega.ist.utl.pt/~miguel

Equipa de Administracao de Sistemas
Rede das Novas Licenciaturas (RNL)
Instituto Superior Tecnico
http://www.rnl.ist.utl.pt
http://mega.ist.utl.pt

--
gentoo-hardened@g.o mailing list