Linux Archive


Darknight 09-07-2012 08:37 AM

Beginner @ grsecurity rbac
 
I want to start deploying rbac on already hardened servers, starting
with a server that handles only a few services to "see what happens".
I recompiled the kernel enabling rbac and I'm now ready to reboot.
But... will the default policy break my services until I come up with a
working policy, or at least until I start learning mode manually? Or is
the default policy liberal enough that it is more or less equivalent to
an "allow all" policy?
I'm still learning the syntax and semantics of the policy language so I
don't fully trust my own judgement at this point. ;)


Thanks in advance.

"Tóth Attila" 09-07-2012 10:44 AM

Beginner @ grsecurity rbac
 
I think the default policy won't be enough for you.
You should first run RBAC in learning mode on your server for a while.
You can generate the learned rules based on the learning log.
You are also advised to go through the learned rules and make some
adjustments.
You can now enable RBAC, but you may still find some denials in your log.
You should accommodate the policy based on the remaining denials.

As the system gets regularly updated some components will behave
differently, so the policy should incorporate these changes from time to
time.

Regards:
Dw.
--
dr Tóth Attila, Radiológus, 06-20-825-8057
Attila Toth MD, Radiologist, +36-20-825-8057

On September 7, 2012 (Fri) at 10:37, Darknight wrote:
> I want to start deploying rbac on already hardened servers, starting
> with a server that handles only a few services to "see what happens".
> I recompiled the kernel enabling rbac and I'm now ready to reboot.
> But... will the default policy break my services until I come up with a
> working policy, or at least until I start learning mode manually? Or is
> the default policy liberal enough that it is more or less equivalent to
> an "allow all" policy?
> I'm still learning the syntax and semantics of the policy language so I
> don't fully trust my own judgement at this point. ;)
>
> Thanks in advance.
>

