That is how I (newbie) have been doing it.... install/get everything
working as I like it, then use learning mode to both document and enforce
how things relate. (the Policy file, built from learning mode, makes for
interesting reading as documentation :-) )

Gradm/grsecurity works extremely well, but lacks a clear "getting started"
paragraph IMHO. Don't give up....... it's quite manageable once you crack
the access codes (e.g. "h" means hidden), and some of Gradm's caveats
(e.g. nothing is allowed access to certain /dev/ files). So, for example,
either you have

/dev h (which simply hides all of /dev - no
access needed)

or

/dev h
/dev/tty r (hides all of /dev except allows
reading tty)

or else you allow access to all of /dev, but prohibit access to the
critical areas, e.g.

/dev
/dev/grsec h
/dev/mem h
/dev/kmem h

There are other critical "files", and you'll get good diagnostic messages
when you run gradm -E. You simply edit policy and tweak away 'til it
starts up clean. Do it a few times and it'll start making sense.

These were the areas that confused me at first; I've not described them
well, but maybe this'll get you by the first run.

HTH, Newbie


> The way I plan to do it (as I'm in the middle of this process myself) is
> to install everything first, and then run the RSBAC learning mode
> supplied with gradm, then tweak the profile it creates.
>
> Thanks,
> Brian
>
> Mathieu CASTEL wrote:
>> So I think I'll go for the RSBAC security, but I have a question....is
>> it better to first install and configure all the services on the server
>> and then add the rsbac or install a basic system and do the install of
>> RSBAC, and then the other services?

--
gentoo-hardened@g.o mailing list
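An added example, not part of the thread above: a small model of the object matching the post relies on, where gradm resolves a file against the most specific (longest) object path in the subject, so "/dev h" plus "/dev/tty r" hides everything under /dev except /dev/tty. The three policy fragments are constructed from the post; the "rw" mode on the bare "/dev" line is an assumption, since the post shows no mode there.

```python
from dataclasses import dataclass
import posixpath

# Constructed policy fragments mirroring the three alternatives in the post.
HIDE_ALL = "/dev h"
HIDE_EXCEPT_TTY = """
/dev      h
/dev/tty  r
"""
ALLOW_EXCEPT_CRITICAL = """
/dev        rw   # assumption: the post shows a bare /dev with no mode
/dev/grsec  h
/dev/mem    h
/dev/kmem   h
"""

@dataclass(frozen=True)
class ObjectRule:
    path: str
    mode: str  # access letters such as r, w, x; "h" hides the object entirely

def parse_objects(policy_text: str) -> list:
    """Parse '<path> <mode>' object lines; blank lines and '#' comments are skipped.
    A path with no mode is kept with an empty mode (exists, but no access)."""
    rules = []
    for raw in policy_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        mode = parts[1] if len(parts) > 1 else ""
        rules.append(ObjectRule(posixpath.normpath(parts[0]), mode))
    return rules

def matching_rule(rules, target):
    """Longest-prefix match by whole path component: /dev/tty does not
    cover /dev/ttyS0, but /dev covers both."""
    target = posixpath.normpath(target)
    best = None
    for rule in rules:
        prefix = rule.path.rstrip("/") + "/"
        if target == rule.path or target.startswith(prefix):
            if best is None or len(rule.path) > len(best.path):
                best = rule
    return best

def access(rules, target, wanted):
    """True only if a rule covers target, it is not hidden, and every
    requested letter in `wanted` is granted by that rule's mode."""
    rule = matching_rule(rules, target)
    if rule is None or "h" in rule.mode:
        return False
    return all(flag in rule.mode for flag in wanted)
```

Run it against a real policy's object lines to see which /dev entries a subject can actually reach before invoking gradm -E.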