I think the default policy won't be enough for you.
You should first run RBAC in learning mode on your server for a while.
You can generate the learned rules based on the learning log.
You are also advised to go through the learned rules and make some
adjustments.
You can now enable RBAC, but you may still find some denials in your log.
You should accommodate the policy based on the remaining denials.

As the system gets regularly updated, some components will behave
differently, so the policy should incorporate these changes from time to
time.

Regards:
Dw.
--
dr Tóth Attila, Radiológus, 06-20-825-8057
Attila Toth MD, Radiologist, +36-20-825-8057

On Friday, 7 September 2012, at 10:37, Darknight wrote:
> I want to start deploying rbac on already hardened servers, starting
> with a server that handles only a few services to "see what happens".
> I recompiled the kernel enabling rbac and I'm now ready to reboot.
> But... will the default policy break my services until I come up with a
> working policy, or at least until I start learning mode manually? Or is
> the default policy liberal enough that it is more or less equivalent to
> an "allow all" policy?
> I'm still learning the syntax and semantics of the policy language so I
> don't fully trust my own judgement at this point. ;)
>
> Thanks in advance.
>