| 1 |
I think default policy won't be enough for you. |
| 2 |
You should first run RBAC in learning mode on your server for a while. |
| 3 |
You can generate the learned rules based on the learning log. |
| 4 |
You are also advised to go through the learned rules and make some |
| 5 |
adjustments. |
| 6 |
You can now enable RBAC, but you may still find some denials in your log. |
| 7 |
You should accomodate the policy based on the remaining denials. |
| 8 |
|
| 9 |
As the systems gets regularly updated some components will behave |
| 10 |
differently, so the policy should incorporate these changes from time to |
| 11 |
time. |
| 12 |
|
| 13 |
Regards: |
| 14 |
Dw. |
| 15 |
-- |
| 16 |
dr Tóth Attila, Radiológus, 06-20-825-8057 |
| 17 |
Attila Toth MD, Radiologist, +36-20-825-8057 |
| 18 |
|
| 19 |
2012.Szeptember 7.(P) 10:37 időpontban Darknight ezt írta: |
| 20 |
> I want to start deploying rbac on already hardened servers, starting |
| 21 |
> with a server that handles only a few services to "see what happens". |
| 22 |
> I recompiled the kernel enabling rbac and I'm now ready to reboot. |
| 23 |
> But... will the default policy break my services until I come up with a |
| 24 |
> working policy, or at least until I start learning mode manually? Or is |
| 25 |
> the default policy liberal enough that it is more or less equivalent to |
| 26 |
> an "allow all" policy? |
| 27 |
> I'm still learning the syntax and semantics of the policy language so I |
| 28 |
> don't fully trust my own judgement at this point. ;) |
| 29 |
> |
| 30 |
> Thanks in advance. |
| 31 |
> |
Archives