2 Nov 2004 14:43
new features
Andrea Pasquinucci <cesare <at> ucci.it>
2004-11-02 13:43:38 GMT
2004-11-02 13:43:38 GMT
Hi, I have a proposal for a couple of new small features, they are not so clear in my mind, so please see if they could be useful or not. Actually I believe that it is possible to obtain similar results by using normal tools, but the way I think could be easier. I would like to add a couple of kernel parameters like: - rsbac_softmode_noback this will be like rsbac_softmode, that is boot in softmode, but once softmode has been turned off, it cannot be turned on again for the uptime of the machine - rsbac_secoff_disabled this is probably more tricky, any RSBAC configuration should be disallowed in secure mode, tools and /proc could be read_only but not allow to change any RSBAC configuration, moreover this should apply only when softmode is off, when softmode is on secoff should work as usual Notice that the functionality of the two parameters overlaps, if you use the second you do not need the first. Indeed if you boot with linux rsbac_softmode rsbac_secoff_disabled as soon as in the boot scripts you switch off softmode, you cannot switch it on again because all RSBAC tools do not work anymore. But if I need to do maintenance of the machine, I just boot without the rsbac_secoff_disabled parameter. This allows me to protect lilo.conf/grub.conf read_only with RSBAC and be sure that I can do maintenance only from the console. The rsbac_softmode_noback is a soft version of the second, in this case I can use the rsbac admin tools, except for "switch softmode on", this can allow to mantain a remote server in such a way that softmode can be allowed only with a reboot (first make lilo.conf/grub.conf writable with the RSBAC admin tools, then change lilo.conf/grub.conf, then reboot). I guess that a similar effect can be obtained with a careful configuration, but I fear that in most conditions secoff would be able to reverse the configuration and allow itself to switch softmode on without reboot, since the kernel has softmode configured in. Notice that in both cases I am considering machines which for some reasons must boot in softmode. Please let me know if I can obtained similar behaviour with what there is already, or if there are kernel parameters which can give the same effects. Andrea PS. Where can I find the complete current list of kernel parameters without need of reading the source ?
RSS Feed