<?xml version="1.0" encoding="utf-8"?>
<!-- generator="FeedCreator 1.7.2-ppt DokuWiki" -->
<?xml-stylesheet href="http://rsbac.m-privacy.de/lib/styles/feed.css" type="text/css"?>
<rdf:RDF
    xmlns="http://purl.org/rss/1.0/"
    xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
    xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
    xmlns:dc="http://purl.org/dc/elements/1.1/">
    <channel rdf:about="http://rsbac.m-privacy.de/feed.php">
        <title>RSBAC: Extending Linux Security Beyond the Limits</title>
        <description></description>
        <link>http://rsbac.m-privacy.de/</link>
        <image rdf:resource="http://rsbac.m-privacy.de/lib/images/favicon.ico" />
        <dc:date>2012-05-15T17:22:55+02:00</dc:date>
        <items>
            <rdf:Seq>
                <rdf:li rdf:resource="http://rsbac.m-privacy.de/wiki/experiences/igraltist/rc/create_rc_policy_from_scratch?rev=1336894242&amp;do=diff1336894242"/>
                <rdf:li rdf:resource="http://rsbac.m-privacy.de/wiki/experiences/igraltist/rc?rev=1336888996&amp;do=diff1336888996"/>
                <rdf:li rdf:resource="http://rsbac.m-privacy.de/wiki/experiences/igraltist/rc/testing?rev=1336888759&amp;do=diff1336888759"/>
                <rdf:li rdf:resource="http://rsbac.m-privacy.de/wiki/experiences/igraltist?rev=1336888510&amp;do=diff1336888510"/>
                <rdf:li rdf:resource="http://rsbac.m-privacy.de/wiki/experiences/igraltist/kvm?rev=1336888424&amp;do=diff1336888424"/>
                <rdf:li rdf:resource="http://rsbac.m-privacy.de/wiki/experiences/igraltist/run-jail?rev=1336888150&amp;do=diff1336888150"/>
                <rdf:li rdf:resource="http://rsbac.m-privacy.de/wiki/experiences/igraltist/run-jail/explain-jail-message?rev=1336887757&amp;do=diff1336887757"/>
                <rdf:li rdf:resource="http://rsbac.m-privacy.de/wiki/experiences/igraltist/um-gentoo?rev=1336885331&amp;do=diff1336885331"/>
                <rdf:li rdf:resource="http://rsbac.m-privacy.de/download?rev=1323785528&amp;do=diff1323785528"/>
                <rdf:li rdf:resource="http://rsbac.m-privacy.de/home/2011/12/13/150247?rev=1323785126&amp;do=diff1323785126"/>
                <rdf:li rdf:resource="http://rsbac.m-privacy.de/site/sidebar?rev=1323781274&amp;do=diff1323781274"/>
                <rdf:li rdf:resource="http://rsbac.m-privacy.de/download/quick?rev=1323779218&amp;do=diff1323779218"/>
                <rdf:li rdf:resource="http://rsbac.m-privacy.de/home/2011/11/30/095322?rev=1322643478&amp;do=diff1322643478"/>
                <rdf:li rdf:resource="http://rsbac.m-privacy.de/wiki/experiences/igraltist/rc_old?rev=1315763868&amp;do=diff1315763868"/>
                <rdf:li rdf:resource="http://rsbac.m-privacy.de/home/2011/08/12/100054?rev=1313136115&amp;do=diff1313136115"/>
                <rdf:li rdf:resource="http://rsbac.m-privacy.de/todo?rev=1313058074&amp;do=diff1313058074"/>
                <rdf:li rdf:resource="http://rsbac.m-privacy.de/contact?rev=1313057947&amp;do=diff1313057947"/>
                <rdf:li rdf:resource="http://rsbac.m-privacy.de/links?rev=1313057879&amp;do=diff1313057879"/>
                <rdf:li rdf:resource="http://rsbac.m-privacy.de/home/2011/07/14/165049?rev=1310655203&amp;do=diff1310655203"/>
                <rdf:li rdf:resource="http://rsbac.m-privacy.de/wiki/experiences/igraltist/acl-su?rev=1309495107&amp;do=diff1309495107"/>
            </rdf:Seq>
        </items>
    </channel>
    <image rdf:about="http://rsbac.m-privacy.de/lib/images/favicon.ico">
        <title>RSBAC: Extending Linux Security Beyond the Limits</title>
        <link>http://rsbac.m-privacy.de/</link>
        <url>http://rsbac.m-privacy.de/lib/images/favicon.ico</url>
    </image>
    <item rdf:about="http://rsbac.m-privacy.de/wiki/experiences/igraltist/rc/create_rc_policy_from_scratch?rev=1336894242&amp;do=diff1336894242">
        <dc:format>text/html</dc:format>
        <dc:date>2012-05-13T09:30:42+02:00</dc:date>
        <title>wiki:experiences:igraltist:rc:create_rc_policy_from_scratch</title>
        <link>http://rsbac.m-privacy.de/wiki/experiences/igraltist/rc/create_rc_policy_from_scratch?rev=1336894242&amp;do=diff1336894242</link>
        <description>Info

Here I try to collect all the information to set up sshd RC policies.

I use some Linux tools which I don’t explain.

Search for open files

Each distribution uses its own plan for where to place and how to name files and directories.</description>
    </item>
    <item rdf:about="http://rsbac.m-privacy.de/wiki/experiences/igraltist/rc?rev=1336888996&amp;do=diff1336888996">
        <dc:format>text/html</dc:format>
        <dc:date>2012-05-13T08:03:16+02:00</dc:date>
        <title>wiki:experiences:igraltist:rc</title>
        <link>http://rsbac.m-privacy.de/wiki/experiences/igraltist/rc?rev=1336888996&amp;do=diff1336888996</link>
        <description>RC Module

RC Testsetup

By default, RSBAC with the RC module uses these roles:

	* General_User 0
	* Role_Admin 1
	* System_Admin 2
	* Auditor 3

to run the system.

The permissions for these roles are hardcoded in the RSBAC code itself; otherwise the system won’t work. Before setting any specific RC role for a service, you can detach the default running ``Boot-Role``. For this you can create a role ``Init``.</description>
    </item>
    <item rdf:about="http://rsbac.m-privacy.de/wiki/experiences/igraltist/rc/testing?rev=1336888759&amp;do=diff1336888759">
        <dc:format>text/html</dc:format>
        <dc:date>2012-05-13T07:59:19+02:00</dc:date>
        <title>wiki:experiences:igraltist:rc:testing</title>
        <link>http://rsbac.m-privacy.de/wiki/experiences/igraltist/rc/testing?rev=1336888759&amp;do=diff1336888759</link>
        <description>Test Login

Login

To test whether it works, log in and type
rc_get_current_role
It should show the assigned role of the user.

Next, test whether the correct file permission is obtained when creating a file in the user’s home directory.</description>
    </item>
    <item rdf:about="http://rsbac.m-privacy.de/wiki/experiences/igraltist?rev=1336888510&amp;do=diff1336888510">
        <dc:format>text/html</dc:format>
        <dc:date>2012-05-13T07:55:10+02:00</dc:date>
        <title>wiki:experiences:igraltist</title>
        <link>http://rsbac.m-privacy.de/wiki/experiences/igraltist?rev=1336888510&amp;do=diff1336888510</link>
        <description>This article describes the activation of RSBAC. It also contains other stuff that is useful for me.

Why I chose RSBAC?

My first contact came through an article in the Linux Magazin. Since then I have been using RSBAC. Through this I have learned a lot and am still learning. Thanks to all the people who have helped me a lot, mainly on the IRC channel rsbac on freenode.</description>
    </item>
    <item rdf:about="http://rsbac.m-privacy.de/wiki/experiences/igraltist/kvm?rev=1336888424&amp;do=diff1336888424">
        <dc:format>text/html</dc:format>
        <dc:date>2012-05-13T07:53:44+02:00</dc:date>
        <title>wiki:experiences:igraltist:kvm</title>
        <link>http://rsbac.m-privacy.de/wiki/experiences/igraltist/kvm?rev=1336888424&amp;do=diff1336888424</link>
        <description>Software packages

The following software packages are required:

	* iproute2 (gentoo =&gt; sys-apps/iproute2)
	* brctl (gentoo =&gt; net-misc/bridge-utils)
	* tunctl (gentoo =&gt; sys-apps/usermode-utilities)
	* tightvnc (gentoo =&gt; net-misc/tightvnc)</description>
    </item>
    <item rdf:about="http://rsbac.m-privacy.de/wiki/experiences/igraltist/run-jail?rev=1336888150&amp;do=diff1336888150">
        <dc:format>text/html</dc:format>
        <dc:date>2012-05-13T07:49:10+02:00</dc:date>
        <title>wiki:experiences:igraltist:run-jail</title>
        <link>http://rsbac.m-privacy.de/wiki/experiences/igraltist/run-jail?rev=1336888150&amp;do=diff1336888150</link>
        <description>Visit the Mercurial repository.

Preparation

Three important preparations have to be made.

	*  Enable jail support in the kernel.
	*  Enable RSBAC debug support (RSBAC ---&gt; General Options ---&gt; [*]RSBAC-Debugging), needed for developing the jail policies.
	*  Enable jail debugging at runtime (echo debug_adf_jail 1 &gt; /proc/rsbac-info/debug) or with the kernel boot parameter (rsbac_adf_jail).</description>
    </item>
    <item rdf:about="http://rsbac.m-privacy.de/wiki/experiences/igraltist/run-jail/explain-jail-message?rev=1336887757&amp;do=diff1336887757">
        <dc:format>text/html</dc:format>
        <dc:date>2012-05-13T07:42:37+02:00</dc:date>
        <title>wiki:experiences:igraltist:run-jail:explain-jail-message</title>
        <link>http://rsbac.m-privacy.de/wiki/experiences/igraltist/run-jail/explain-jail-message?rev=1336887757&amp;do=diff1336887757</link>
        <description>First enable jail debugging, if it is not done already.

As the security user, open a second terminal and execute:


echo debug_adf_jail 1 &gt; /proc/rsbac-info/debug


Then view the log messages via proc:


cat /proc/rsbac-info/rmsg</description>
    </item>
    <item rdf:about="http://rsbac.m-privacy.de/wiki/experiences/igraltist/um-gentoo?rev=1336885331&amp;do=diff1336885331">
        <dc:format>text/html</dc:format>
        <dc:date>2012-05-13T07:02:11+02:00</dc:date>
        <title>wiki:experiences:igraltist:um-gentoo</title>
        <link>http://rsbac.m-privacy.de/wiki/experiences/igraltist/um-gentoo?rev=1336885331&amp;do=diff1336885331</link>
        <description>System preparation

The description below covers the case of authenticating only against RSBAC.
Read these howtos: handbook user-management and migrating users and groups to RSBAC management.

Point 9 is valid for a Debian system. On Gentoo, the main file to edit is ‘/etc/pam.d/system-auth’.</description>
    </item>
    <item rdf:about="http://rsbac.m-privacy.de/download?rev=1323785528&amp;do=diff1323785528">
        <dc:format>text/html</dc:format>
        <dc:date>2011-12-13T15:12:08+02:00</dc:date>
        <title>download - Remove git tarball links and pre section.</title>
        <link>http://rsbac.m-privacy.de/download?rev=1323785528&amp;do=diff1323785528</link>
        <description>All the RSBAC code is copyrighted (c) 1997-2011 by Amon Ott &lt;ao@rsbac.org&gt; (except where explicitly stated otherwise in the code), and published under the GNU General Public License v2.
Please consult the RSBAC copyright notice for details.</description>
    </item>
    <item rdf:about="http://rsbac.m-privacy.de/home/2011/12/13/150247?rev=1323785126&amp;do=diff1323785126">
        <dc:format>text/html</dc:format>
        <dc:date>2011-12-13T15:05:26+02:00</dc:date>
        <title>home:2011:12:13:150247 - created</title>
        <link>http://rsbac.m-privacy.de/home/2011/12/13/150247?rev=1323785126&amp;do=diff1323785126</link>
        <description>RSBAC 1.4.6

Tuesday, 13/December/2011

RSBAC 1.4.6 has been released for the kernel 3.1.5.

Most important changes since 1.4.5: 

	*  Add RSBAC syscalls and tools parameters to get and set UM password history size per user
	*  Security bugfix for sys_open() request types (see earlier post)
	*  Add rsbac_jail parameter -K for allow_netlink flag
	*  Add rsbac_usershow parameters to list users with shell or full name</description>
    </item>
    <item rdf:about="http://rsbac.m-privacy.de/site/sidebar?rev=1323781274&amp;do=diff1323781274">
        <dc:format>text/html</dc:format>
        <dc:date>2011-12-13T14:01:14+02:00</dc:date>
        <title>site:sidebar - Kernels for 3.1.5</title>
        <link>http://rsbac.m-privacy.de/site/sidebar?rev=1323781274&amp;do=diff1323781274</link>
        <description>Stable: 1.4.6
  

	*  3.1.y

  Patched kernels
 Includes vanilla kernel with the RSBAC patch 

	*  3.1.5

 Enhanced kernels
 Combined patches with RSBAC and PaX, less well tested

GIT
 RSBAC source code, can be unstable sometimes</description>
    </item>
    <item rdf:about="http://rsbac.m-privacy.de/download/quick?rev=1323779218&amp;do=diff1323779218">
        <dc:format>text/html</dc:format>
        <dc:date>2011-12-13T13:26:58+02:00</dc:date>
        <title>download:quick - 1.4.6</title>
        <link>http://rsbac.m-privacy.de/download/quick?rev=1323779218&amp;do=diff1323779218</link>
        <description>Quick Install

Install from pre-patched sources:

	*  Unpack pre-patched kernel source tree: tar xvjf linux-X.Y.Z-rsbac-A.B.C.tar.bz2
	*  cd linux-X.Y.Z-rsbac-A.B.C
	*  make menuconfig
	*  make bzImage modules modules_install
	*  Install the new kernel arch/&lt;arch-name&gt;/boot/bzImage with your favorite boot loader.</description>
    </item>
    <item rdf:about="http://rsbac.m-privacy.de/home/2011/11/30/095322?rev=1322643478&amp;do=diff1322643478">
        <dc:format>text/html</dc:format>
        <dc:date>2011-11-30T09:57:58+02:00</dc:date>
        <title>home:2011:11:30:095322 - created</title>
        <link>http://rsbac.m-privacy.de/home/2011/11/30/095322?rev=1322643478&amp;do=diff1322643478</link>
        <description>Security bugfix for RSBAC for kernels 2.6.35 and later

Wednesday, 30/Nov/2011

Unfortunately, there is a severe bug in the code that determines the RSBAC request type in sys_open() calls. As a result of this bug, open access will be decided upon by RSBAC with the wrong request type; a read open can happen unnoticed. A read() access after opening is intercepted as intended, because only the open interception is wrong.</description>
    </item>
    <item rdf:about="http://rsbac.m-privacy.de/wiki/experiences/igraltist/rc_old?rev=1315763868&amp;do=diff1315763868">
        <dc:format>text/html</dc:format>
        <dc:date>2011-09-11T19:57:48+02:00</dc:date>
        <title>wiki:experiences:igraltist:rc_old</title>
        <link>http://rsbac.m-privacy.de/wiki/experiences/igraltist/rc_old?rev=1315763868&amp;do=diff1315763868</link>
        <description>RC Module

RC Testsetup

Prepare the system: to get a more verbose description of what is missing in RC, you should set these debug options. Append them to the ``kernel`` line of the RSBAC kernel in use in ``/boot/grub/menu.lst``:
rsbac_softmode rsbac_nosyslog rsbac_cap_process_hiding rsbac_debug_adf_auth rsbac_debug_adf_rc rsbac_debug_adf_jail rsbac_debug_adf_um rsbac_debug_jail_log_missing_rbsac_debug_cap_log_missing 
These can be entered at the GRUB prompt too.</description>
    </item>
    <item rdf:about="http://rsbac.m-privacy.de/home/2011/08/12/100054?rev=1313136115&amp;do=diff1313136115">
        <dc:format>text/html</dc:format>
        <dc:date>2011-08-12T10:01:55+02:00</dc:date>
        <title>home:2011:08:12:100054 - created</title>
        <link>http://rsbac.m-privacy.de/home/2011/08/12/100054?rev=1313136115&amp;do=diff1313136115</link>
        <description>New git repo for 3.0

Friday, 12/Aug/2011

RSBAC has been successfully ported to Linux kernel 3.0; you can find a new git repo at &lt;http://git.rsbac.org&gt;. Please test it and report back so that we can make a new 3.0-based release soon.</description>
    </item>
    <item rdf:about="http://rsbac.m-privacy.de/todo?rev=1313058074&amp;do=diff1313058074">
        <dc:format>text/html</dc:format>
        <dc:date>2011-08-11T12:21:14+02:00</dc:date>
        <title>todo - Fix bugtracker link</title>
        <link>http://rsbac.m-privacy.de/todo?rev=1313058074&amp;do=diff1313058074</link>
        <description>RSBAC Progression and Roadmap

This page reflects our current work queue - if you miss anything here, it will probably not happen. Please discuss any wishes on the mailing list at &lt;rsbac@rsbac.org&gt; or open a bug.

The RSBAC development team.

Planned for the next release 1.5

	*  CAP learning mode for single programs. (possibly 1.4 feature)
	*  Persistent transactions, preserved between reboots.
	*  RC learning mode - per role, with object types already set before learning. Learn only access rights. Use …</description>
    </item>
    <item rdf:about="http://rsbac.m-privacy.de/contact?rev=1313057947&amp;do=diff1313057947">
        <dc:format>text/html</dc:format>
        <dc:date>2011-08-11T12:19:07+02:00</dc:date>
        <title>contact - Remove UML</title>
        <link>http://rsbac.m-privacy.de/contact?rev=1313057947&amp;do=diff1313057947</link>
        <description>Mailing Lists

Please join the RSBAC mailing list (&lt;rsbac@rsbac.org&gt;) by sending a mail to &lt;rsbac-request@rsbac.org&gt; with ‘subscribe’ as the single line in the body, if you want to discuss things and get informed about plans and changes.

You can also consult our  (secondary). Old articles from the old mailing-list (1998) are archived.</description>
    </item>
    <item rdf:about="http://rsbac.m-privacy.de/links?rev=1313057879&amp;do=diff1313057879">
        <dc:format>text/html</dc:format>
        <dc:date>2011-08-11T12:17:59+02:00</dc:date>
        <title>links - Remove outdated Cyperguard links</title>
        <link>http://rsbac.m-privacy.de/links?rev=1313057879&amp;do=diff1313057879</link>
        <description>Linux Distributions with RSBAC

	*  Adamantix (started as Trusted Debian)
	*  Gentoo Linux However various users provide support.
	*  Mandriva
	*  T2
	*  Annvix
	*  ALT Linux Castle
	*  Kaladix Linux
	*  Sniffix, Bencsath Boldizsar made a Knoppix based live CD for RSBAC demonstration. Please read the description first before downloading
	*  ArchLinux Supported through the AUR</description>
    </item>
    <item rdf:about="http://rsbac.m-privacy.de/home/2011/07/14/165049?rev=1310655203&amp;do=diff1310655203">
        <dc:format>text/html</dc:format>
        <dc:date>2011-07-14T16:53:23+02:00</dc:date>
        <title>home:2011:07:14:165049 - created</title>
        <link>http://rsbac.m-privacy.de/home/2011/07/14/165049?rev=1310655203&amp;do=diff1310655203</link>
        <description>New git repo for 2.6.39

Thursday, 14/Jul/2011

RSBAC has been successfully ported to 2.6.39.3; you can find a new git repo at &lt;http://git.rsbac.org&gt;. Please test it and report back so that we can make a new release soon.</description>
    </item>
    <item rdf:about="http://rsbac.m-privacy.de/wiki/experiences/igraltist/acl-su?rev=1309495107&amp;do=diff1309495107">
        <dc:format>text/html</dc:format>
        <dc:date>2011-07-01T06:38:27+02:00</dc:date>
        <title>wiki:experiences:igraltist:acl-su</title>
        <link>http://rsbac.m-privacy.de/wiki/experiences/igraltist/acl-su?rev=1309495107&amp;do=diff1309495107</link>
        <description>Problem description

On a standard Linux system, nothing prevents the root user from switching to any other user.

Solution with ACL Groups

This is only an example for ACL. The AUTH and/or the RC module is much more comfortable. Everything has to be done as the security user (uid 400).</description>
    </item>
</rdf:RDF>

