| 1 |
That is how I (newbie) have been doing it.... install/get everything |
| 2 |
working as I like it, then use learning mode to both document and enforce |
| 3 |
how things relate. (the Policy file, built from learning mode, makes for |
| 4 |
interesting reading as documentation :-) ) |
| 5 |
|
| 6 |
Gradm/grsecurity works extremely well, but lacks a clear "getting started" |
| 7 |
paragraph IMHO. Don't give up....... it's quite manageable once you crack |
| 8 |
the access codes (e.g. "h" means hidden), and some of Gradm's caveats |
| 9 |
(e.g. nothing is allowed access to certain /dev/ files). So, for example, |
| 10 |
either you have |
| 11 |
|
| 12 |
/dev h (which simply hides all of /dev - no |
| 13 |
access needed) |
| 14 |
|
| 15 |
or |
| 16 |
|
| 17 |
/dev h |
| 18 |
/dev/tty r (hides all of /dev except allows |
| 19 |
reading tty) |
| 20 |
|
| 21 |
or else you allow access to all of /dev, but prohibit access to the |
| 22 |
critical areas, e.g. |
| 23 |
|
| 24 |
/dev |
| 25 |
/dev/grsec h |
| 26 |
/dev/mem h |
| 27 |
/dev/kmem h |
| 28 |
|
| 29 |
There are other critical "files", and you'll get good diagnostic messages |
| 30 |
when you run gradm -E. You simply edit policy and tweak away 'til it |
| 31 |
starts up clean. Do it a few times and it'll start making sense. |
| 32 |
|
| 33 |
These were the areas that confused me at first; I've not described them |
| 34 |
well, but maybe this'll get you by the first run. |
| 35 |
|
| 36 |
HTH, Newbie |
| 37 |
|
| 38 |
|
| 39 |
> The way I plan to do it (as I'm in the middle of this process myself) is |
| 40 |
> to install everything first, and then run the RSBAC learning mode |
| 41 |
> supplied with gradm, then tweak the profile it creates. |
| 42 |
> |
| 43 |
> Thanks, |
| 44 |
> Brian |
| 45 |
> |
| 46 |
> Mathieu CASTEL wrote: |
| 47 |
>> So I think I ll go for the RSBAC security, but I have a question....is |
| 48 |
>> it better to first install and configure all the services on the server |
| 49 |
>> and then add the rsbac or install a basic system and do the instal of |
| 50 |
>> RSBAC, and then the other services? |
| 51 |
|
| 52 |
-- |
| 53 |
gentoo-hardened@g.o mailing list |
Archives