On Thu, 2004-06-10 at 08:44, Miguel Sousa Filipe wrote:
> Thanx for that url.
>
> However, I must say that it's not good policy to discontinue support on
> one version, and using only a later one that has so little or no
> documentation.
|
Sorry but we develop this stuff for free and I/we have a limited number
of developers working on this from a grsec angle. Actually it's really
only me and I've got myself spread somewhat thin within the gentoo
project now. One can of worms opens up another and before you know it
you're on about every core herd within gentoo etc. So it was ideal for me
to kill off the old when spender decided to obsolete/deprecate 1.9.x in
order to keep things reasonably maintainable.
|
>
> I've read the docs supplied by spender, and I think they lack depth and
> have very little info...
> anyways, my 2.4.26-grsec2 is already compiled and I'm going to try it
> out....
> :)
>
>
> > I'm a slacker and writing docs is not something I enjoy doing for free.
> > So... this is all you get from me for now on the subject of creating
> > roles for your 2.x system
> > http://dev.gentoo.org/~solar/xml/grsecurity2.html
> > (...)
> > --
> > Ned Ludd <solar@g.o>
> > Gentoo (hardened,security,infrastructure,embedded,toolchain) Developer
> >
>
> Now about grsec2, I was thinking about creating a "role" for
> system/software maintenance, something like upgrading software,
> changing config files, editing cron files.... since those are made
> under supervision of an admin...
> so that the ACL for the "regular & normal" functioning would not involve
> those tasks, and only the regular tasks the server runs.. that normally
> aren't supervised.. one just leaves the machine running, doesn't stay
> there watching all the time :)
>
> is this the way the RBAC is supposed to be used?
>
> and for bigger systems one could/should have roles for:
> - backups and data recovery..
> - operator actions such as creating accounts, supplying new passwords...
> - software upgrades and maintenance for admins..
> - auditing/log checking....
> - and true admin/root mode for users != root (normally the core admins)
> - root just stays there...and can read the logs... start/stop services..
>
> Is this the way grsec2 envisions?
>
> I'm thinking in those actions/roles since that's more or less what I
> have in a solaris university server with accounts for every student and
> course.. which gives 6000 accounts...
> plus web serving, cvs server, mail server... ftp, ssh, the whole
> buttload one can imagine...
>
> and I'm always looking/thinking in how could that be better managed
> with a hardened linux...
>
> Thanks to gentoo developers for supplying us with such a great distro!
> ps: grsec rocks!
> please reply to: miguel@×××××××××××.pt thanks!
>
> Miguel Figueiredo Mascarenhas de Sousa Filipe
> email: miguel@×××××××××××.pt (PORTUGAL)
> http://mega.ist.utl.pt/~miguel
>
> Equipa de Administracao de Sistemas
> Rede das Novas Licenciaturas (RNL)
> Instituto Superior Tecnico
> http://www.rnl.ist.utl.pt
> http://mega.ist.utl.pt
>
>
> --
> gentoo-hardened@g.o mailing list
--
Ned Ludd <solar@g.o>
Gentoo (hardened,security,infrastructure,embedded,toolchain) Developer