Jens Kasten | 24 May 2012 08:32

default rsbac profile

Hi list,

Here is a first try at building predefined profiles for the RSBAC kernel
configuration.
Copy the attachment into your source tree as
linux-rsbac-source/rsbac/Kconfig.profile and then modify
linux-rsbac-source/rsbac/Kconfig.

Insert the following into Kconfig at the very beginning, right after this line:

if RSBAC

source rsbac/Kconfig.profile

That's all.
Thanks for testing :)

-- 
Mit freundlichen Grüßen

Jens Kasten

http://www.kasten-edv.de
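# Entry point for the predefined profiles.  Enabling this single symbol
# force-selects the whole baseline feature set listed below; the profile
# entries that follow only add to that baseline, they never remove from it.
config RSBAC_SECURITY_LEVEL
    bool "Security Level"
    depends on RSBAC
    default n
    # Core framework: /proc interface, init checks, list handling and debugging.
    # NOTE(review): RSBAC_DEBUG is selected unconditionally, so it is also on
    # in the "Secure" profiles below — confirm that is intended.
    select RSBAC_PROC
    select RSBAC_INIT_CHECK
    select RSBAC_RCU_RATE
    select RSBAC_LIST_STATS
    select RSBAC_LIST_TRANS
    select RSBAC_LIST_TRANS_RANDOM_TA
    select RSBAC_DEBUG
    select RSBAC_INIT_DELAY
    # Network device and network object support, with per-object logging.
    select RSBAC_NET
    select RSBAC_NET_DEV
    select RSBAC_NET_DEV_VIRT
    select RSBAC_IND_NETDEV_LOG
    select RSBAC_NET_OBJ
    select RSBAC_NET_OBJ_RW
    select RSBAC_IND_NETOBJ_LOG
    # Decision modules shared by every profile: REG, AUTH, ACL, CAP, JAIL,
    # RES, FF.  (UM is added only by the *_UM profile entries.)
    select RSBAC_REG
    select RSBAC_AUTH
    select RSBAC_AUTH_AUTH_PROT
    select RSBAC_AUTH_DAC_OWNER
    select RSBAC_AUTH_GROUP
    select RSBAC_AUTH_DAC_GROUP
    select RSBAC_ACL
    select RSBAC_ACL_AUTH_PROT
    select RSBAC_ACL_GEN_PROT
    select RSBAC_ACL_BACKUP
    select RSBAC_ACL_NET_DEV_PROT
    select RSBAC_ACL_NET_OBJ_PROT
    select RSBAC_CAP
    select RSBAC_CAP_PROC_HIDE
    select RSBAC_CAP_AUTH_PROT
    select RSBAC_JAIL
    select RSBAC_JAIL_NET_ADJUST
    select RSBAC_JAIL_NET_DEV_PROT
    select RSBAC_RES
    select RSBAC_FF
    select RSBAC_FF_AUTH_PROT
    select RSBAC_FF_GEN_PROT
    # Logging: individual user/program logging, full paths, rate limiting and
    # the RSBAC message queue instead of syslog.
    select RSBAC_IND_LOG
    select RSBAC_IND_USER_LOG
    select RSBAC_IND_PROG_LOG
    select RSBAC_LOG_PROGRAM_FILE
    select RSBAC_LOG_FULL_PATH
    select RSBAC_SYSLOG_RATE
    select RSBAC_RMSG
    select RSBAC_RMSG_NOSYSLOG
    # Symlink redirection variants.
    select RSBAC_SYM_REDIR
    select RSBAC_SYM_REDIR_REMOTE_IP
    select RSBAC_SYM_REDIR_UID
    # Miscellaneous.  NOTE(review): RSBAC_ALLOW_DAC_DISABLE* and
    # RSBAC_FAKE_ROOT_UID are selected for every profile; their exact effect
    # is not visible here — check the symbols' own help before relying on a
    # "Secure" profile, since they presumably loosen or fake standard DAC.
    select RSBAC_ALLOW_DAC_DISABLE
    select RSBAC_ALLOW_DAC_DISABLE_PART
    select RSBAC_SECDEL
    select RSBAC_RW
    select RSBAC_IPC_SEM
    select RSBAC_DAC_OWNER
    select RSBAC_DAC_GROUP
    select RSBAC_FREEZE
    select RSBAC_IOCTL
    select RSBAC_USER_CHOWN
    select RSBAC_ENFORCE_CLOSE
    select RSBAC_FAKE_ROOT_UID
    select RSBAC_XSTATS
    ---help---
    This menu entry offers a set of predefined profiles.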

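# Optional add-on for systems that boot through an initrd.
config RSBAC_INITRD_SUPPORT
    depends on RSBAC_SECURITY_LEVEL
    bool "Support initrd"
    default n
    # Already forced by RSBAC_SECURITY_LEVEL (which this entry depends on);
    # kept here so the entry documents what initrd boot needs.
    select RSBAC_INIT_DELAY
    ---help---
    If you are using an initrd then you have to enable this option.
    Otherwise you will not be able to boot your system.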

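# Optional add-on for workstations running an X server.
config RSBAC_X_SUPPORT
    depends on RSBAC_SECURITY_LEVEL
    bool "Support X"
    default n
    # NOTE(review): judging by its name this relaxes I/O-port permission
    # handling for user processes; its real effect is not visible here.
    # Leave it off on servers that do not run X.
    select RSBAC_USER_MOD_IOPERM
    ---help---
    If you are using the X server, usually on a workstation, then you have to
    enable this option.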

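# Basic profile without user management.  Mutual exclusion with
# RSBAC_PROFILE_BASIC_UM is enforced from that entry's side
# ("depends on !RSBAC_PROFILE_BASIC").  The original entry also carried a
# reverse "depends on !RSBAC_SECURTY_BASIC_UM", but no such symbol exists
# (typo for RSBAC_PROFILE_BASIC_UM), so that line was always true and had no
# effect.  It is dropped rather than corrected: a spelled-out reverse
# dependency would most likely trip Kconfig's recursive-dependency check.  If
# both entries must hide each other, turn them into a single choice instead.
config RSBAC_PROFILE_BASIC
    depends on RSBAC_SECURITY_LEVEL
    bool "Basic entry profile"
    default n
    # NOTE(review): the help lists PAX, but nothing in this file selects a PAX
    # symbol — confirm it is selected elsewhere or drop it from the list.
    ---help---
    If you say Y here, then you get the basic predefined profile.
    This is a good choice for starting to use RSBAC.
    It enables useful and easy-to-use modules.

    The following modules are enabled:
    Modules:
      -ACL
      -AUTH
      -CAP
      -FF
      -JAIL
      -PAX
      -REG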

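if RSBAC_PROFILE_BASIC
# Both modes share the baseline forced by RSBAC_SECURITY_LEVEL; the choice
# only decides whether soft mode, learning and module switching are added.
choice
    prompt "Choose mode:"

# Soft mode (RSBAC_SOFTMODE) is presumably non-enforcing: decisions are
# logged and learned rather than enforced, and every module can be switched
# off, including at boot (RSBAC_SWITCH_BOOT_OFF).  Intended for building an
# initial policy, not for a production host.
config RSBAC_PROFILE_BASIC_SOFT
    bool "Soft"
    select RSBAC_SOFTMODE
    select RSBAC_SOFTMODE_IND
    # Module switching, also from the kernel command line at boot.
    select RSBAC_SWITCH
    select RSBAC_SWITCH_ON
    select RSBAC_SWITCH_BOOT_OFF
    select RSBAC_SWITCH_REG
    select RSBAC_SWITCH_AUTH
    select RSBAC_SWITCH_ACL
    select RSBAC_SWITCH_CAP
    select RSBAC_SWITCH_JAIL
    select RSBAC_SWITCH_RES
    select RSBAC_SWITCH_FF
    # Learning / missing-right logging.  NOTE(review): the help below promises
    # auto-learning for AUTH as well, but only CAP and ACL learn symbols are
    # selected here — confirm whether an AUTH learn option is missing or the
    # help text should be corrected.
    select RSBAC_CAP_LOG_MISSING
    select RSBAC_CAP_LEARN
    select RSBAC_JAIL_LOG_MISSING
    select RSBAC_ACL_LEARN
    ---help---
    This enables debugging and auto-learning for AUTH, CAP and ACL.

    As kernel parameters you can set:
        rsbac_auth_learn rsbac_cap_learn rsbac_acl_learn
        rsbac_jail_log_missing rsbac_cap_log_missing

    If you don't want a module you can disable it with:
        rsbac_switch_off_xxx
    where xxx is the module name in lower case, e.g.:
        rsbac_switch_off_jail

# Selects nothing of its own: "Secure" is simply the shared baseline without
# the soft-mode, switching and learning symbols above.
config RSBAC_PROFILE_BASIC_SECURE
    bool "Secure"
    ---help---
    This enables debugging, but auto-learning is disabled for all modules.

    As kernel parameter you can set:
        rsbac_cap_process_hiding

    In secure mode this enforces that an unprivileged user only sees his
    own processes.  This protection is provided by the CAP module.

endchoice
endif # RSBAC_PROFILE_BASIC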

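# Basic profile plus RSBAC user management (UM).  Excludes RSBAC_PROFILE_BASIC
# via the dependency below.
config RSBAC_PROFILE_BASIC_UM
    depends on RSBAC_SECURITY_LEVEL
    depends on !RSBAC_PROFILE_BASIC
    # UM with one-time passwords and virtual user sets; see the symbols' own
    # help for details — their effect is not visible here.
    select RSBAC_UM
    select RSBAC_UM_ONETIME
    select RSBAC_UM_VIRTUAL
    bool "Basic entry profile with UM"
    default n
    # NOTE(review): as with RSBAC_PROFILE_BASIC, the help lists PAX but no PAX
    # symbol is selected in this file.
    ---help---
    If you say Y here, then you get the basic predefined profile.
    This is a good choice for starting to use RSBAC.
    It enables useful and easy-to-use modules.
    Furthermore the UM module for user management is enabled.

    You have to prepare nsswitch.conf accordingly.

    The following modules are enabled:
    Modules:
      -ACL
      -AUTH
      -CAP
      -FF
      -JAIL
      -PAX
      -REG
      -UM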

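if RSBAC_PROFILE_BASIC_UM
# Same Soft/Secure split as for RSBAC_PROFILE_BASIC; the UM variant of
# "Secure" additionally makes UM the exclusive authentication source.
choice
    prompt "Choose mode:"

# Soft mode (RSBAC_SOFTMODE) is presumably non-enforcing: decisions are
# logged and learned rather than enforced, and every module can be switched
# off, including at boot (RSBAC_SWITCH_BOOT_OFF).  Intended for building an
# initial policy, not for a production host.
config RSBAC_PROFILE_BASIC_UM_SOFT
    bool "Soft"
    select RSBAC_SOFTMODE
    select RSBAC_SOFTMODE_IND
    # Module switching, also from the kernel command line at boot.
    select RSBAC_SWITCH
    select RSBAC_SWITCH_ON
    select RSBAC_SWITCH_BOOT_OFF
    select RSBAC_SWITCH_REG
    select RSBAC_SWITCH_AUTH
    select RSBAC_SWITCH_ACL
    select RSBAC_SWITCH_CAP
    select RSBAC_SWITCH_JAIL
    select RSBAC_SWITCH_RES
    select RSBAC_SWITCH_FF
    # Learning / missing-right logging.  NOTE(review): the help below promises
    # auto-learning for AUTH as well, but only CAP and ACL learn symbols are
    # selected here — confirm whether an AUTH learn option is missing or the
    # help text should be corrected.
    select RSBAC_CAP_LOG_MISSING
    select RSBAC_CAP_LEARN
    select RSBAC_JAIL_LOG_MISSING
    select RSBAC_ACL_LEARN
    ---help---
    This enables debugging and auto-learning for AUTH, CAP and ACL.

    As kernel parameters you can set:
        rsbac_auth_learn rsbac_cap_learn rsbac_acl_learn
        rsbac_jail_log_missing rsbac_cap_log_missing

# RSBAC_UM_EXCL: per the help below, traditional pam_unix stops working once
# UM is exclusive.  Convert /etc/pam.d before rebooting into this profile,
# otherwise local login may no longer be possible.
config RSBAC_PROFILE_BASIC_UM_SECURE
    bool "Secure"
    select RSBAC_UM_EXCL
    ---help---
    This enables debugging, but auto-learning is disabled for all modules.
    Furthermore it enables the UM exclusive option.
    With this, traditional pam_unix will not work anymore,
    so you have to modify your configuration files in /etc/pam.d
    to reflect this.

    As kernel parameter you can set:
        rsbac_cap_process_hiding

    In secure mode this enforces that an unprivileged user only sees his
    own processes.  This protection is provided by the CAP module.

endchoice
endif # RSBAC_PROFILE_BASIC_UM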
