Rule Set Based Access Control (RSBAC) for Linux - Quickstart
1.
Introduction
This guide will help you to install RSBAC on
Gentoo Linux. It is assumed that the users have read
the Introduction and the Overview already, so that they knows what is
RSBAC and its main concepts.
2.
Installation of the RSBAC enabled kernel
Emerging the RSBAC kernel
This step is pretty straight forward, thanks to the way Gentoo
handles kernel installations. Start by emerging the rsbac-sources
kernel from your portage.
Note: There are two rsbac-sources kernel available:
one is for the 2.4 kernel branch, the other is for the newer 2.6 kernel branch.
|
Code Listing 2.1: RSBAC kernel installation (using the default profile and 2.6 kernel) |
# emerge rsbac-sources
|
Code Listing 2.2: RSBAC kernel installation (using the 2.4 kernel, since Gentoo profile 2005.0) |
# rm /etc/make.profile
# ln -s /usr/portage/profiles/default-linux/x86/2005.0/2.4/ /etc/make.profile
# echo "sys-kernel/hardened-sources rsbac" >> /etc/portage/package.use
# emerge hardened-sources
|
Important: It is advised to enable softmode on your first RSBAC kernel. It
allows you to turn off the RSBAC enforcement in one reboot, for testing
or in case something goes wrong. Only turn it off once you are sure of
what you are doing, or of course, for a production kernel. |
Configuring the RSBAC kernel
We will now configure the kernel. It is recommended that you
enable the following options, in the "Rule Set Based Access Control
(RSBAC)" category:
Code Listing 2.3: Configuring and compiling the RSBAC kernel |
[*] RSBAC proc support
[*] Check on init
[*] Support transactions
[*] Randomize transaction numbers
[*] RSBAC debugging support
(400) RSBAC default security officer user ID
[*] User management
[*] Use Crypto API Digest SHA1 (NEW)
[*] RSBAC network support
[*] Net device control
[ ] Treat virtual devices as individuals
[*] Individual network device logging
[*] Net object control (sockets)
[*] Control UNIX address family
[*] Also intercept network object read and write
[*] Individual network object logging
[*] Support for Registration of decision modules (REG)
[*] Build REG sample modules
----------------------------
[*] RSBAC support for DAZuko policy
DAZ Policy Options --->
(604800) Scanning result lifetime in seconds
[*] RSBAC support for FF policy
[*] RSBAC support for RC policy
[*] RSBAC support for AUTH policy
AUTH Policy Options --->
[*] AUTH learning mode support
[*] RSBAC support for ACL policy
[*] RSBAC support for Linux Caps (CAP) policy
[*] RSBAC support for JAIL policy
[*] RSBAC support for PAX policy
[*] RSBAC support for System Resources (RES) policy
[ ] RSBAC policies switchable
[*] RSBAC soft mode
[*] Individual module softmode support
[*] RSBAC symlink redirection
[*] Add remote IP address
[*] Add user ID number
[*] Add RC role number
[*] Intercept sys_read and sys_write
[*] Intercept Semaphore IPC operations
[*] Control DAC process owner (seteuid, setfsuid)
[*] Hide processes in /proc
[*] Support freezing of RSBAC configuration
[*] RSBAC check sys_syslog
|
Note: If you plan to run a X Window server (such as X.org or XFree86),
please also enable "[*] X support (normal user MODIFY_PERM access
to ST_ioports)".
Please also see Using Xorg on Hardened Gentoo |
We will now configure PaX which is a complement of the RSBAC hardened
kernel. It is also recommended that you enable the following options,
in the "Security options ---> PaX" section.
Code Listing 2.4: Configuring PaX kernel options |
[*] Enable various PaX features
PaX Control --->
[*] Support soft mode
[ ] Use legacy ELF header marking
[ ] Use ELF program header marking
Use ELF program header marking MAC system integration (direct) --->
(X) hook
Non-executable pages --->
[*] Enforce non-executable pages (NEW)
[*] Paging based non-executable pages
[*] Segmentation based non-executable pages (NEW)
[*] Restrict mprotect()
[ ] Disallow ELF text relocations
Address Space Layout Randomization --->
[*] Address Space Layout Randomization
[*] Randomize user stack base
[*] Randomize mmap() base
|
Note: You should refer to the PaX website for more information
about PaX. |
Note: You must use the RSBAC admin utilities
to manage PaX, instead of chpax or paxctl with your RSBAC kernel.
You will be able to move to the PaX item and set the usual PaX flags.
|
Code Listing 2.5: Managing PaX flags |
# rsbac_fd_menu /path/to/the/target/item
or
# attr_set_file_dir FILE /path/to/the/target/item pax_flags [pmerxs]
|
You can now compile and install the kernel as you would do with a
normal one concerning the other options.
Important: It is strongly suggested to build a second kernel without
the softmode options, neither the AUTH option, in order to use in
a production environment. Only do that once you finished testing and
setting up policies, as it'll remove the possiblity of switching off
the access control system. |
3.
Installation of the RSBAC admin utilities
In order to administrate your RSBAC enabled Gentoo, some userspace
utilites are required. Those are included in the rsbac-admin package
and it needs to be installed.
Code Listing 3.1: Installing the RSBAC admin utilities |
# emerge rsbac-admin
|
Once emerged, the package will have created a new user account on your
system (secoff, with uid 400). He will become the security administrator
during the first boot. This is the only user, who is able to change the
RSBAC configuration. He will commonly be called the Security Officer.
Important: Please set-up a secure password for the secoff user.
|
Code Listing 3.2: Setting up a password for the Security Officer |
# passwd secoff
|
4.
First boot
At the first boot, login into the system won't be possible, due to the
AUTH module restricting the programs privileges. To overcome this
problem please boot into softmode using the following kernel parameter
(in your lilo or grub configuration):
Code Listing 4.1: Softmode kernel parameter |
rsbac_softmode |
The login application is managing user logins on the system. It
needs rights to setuid, which we will now give:
Login as the
Security Officer (secoff) and allow logins to be made by enterering the
following command:
Code Listing 4.2: Allowing users to login |
# rsbac_fd_menu /bin/login
or
# attr_set_fd AUTH FILE auth_may_setuid 1 /bin/login
|
As an alternative, if softmode isn't enabled, you can also use the
following kernel parameter in order to allow login at boot time:
Code Listing 4.3: Allowing users to login with a kernel parameter |
rsbac_auth_enable_login
|
5.
Learning mode and the AUTH module
Creating a policy for OpenSSH
Because there is almost no policy made yet (except the one generated
during the first boot), the AUTH module does not allows uid changes.
Thanks to the intelligent learning mode there is an easy way to
alleviate this new problem: The AUTH module can automagically generate the
necessary policy by watching services while they start up, and note the
uids they are trying to switch to. For example to teach the AUTH module
about the uids needed by sshd (OpenSSH daemon), do the following:
Important: Make sure that sshd or the daemon you will use the learn mode with isn't running already before enabling learn mode. |
Code Listing 5.1: Making a policy for sshd, using the learning mode |
# attr_set_file_dir AUTH FILE `which sshd` auth_learn 1
# /etc/init.d/sshd start
# attr_set_file_dir AUTH FILE `which sshd` auth_learn 0
|
Note: One should also login to the system before switching the learning
mode off, because sshd will also attempt to change it's uids when the
user will login in. |
Now sshd should be working as expected again, congratulations,
you made your first policy :) The same procedure can be used on every
other daemon you will need.
Note: As an alternative to enable the learning mode for each daemon
of application you will need, you might want to enable the global
learning mode (which will learn about everything running, globally,
as it name tells). |
You can enable the global learning mode by issuing this kernel
parameter at boot time:
Code Listing 5.2: Enabling the global learning mode |
rsbac_auth_learn
|
6.
Further information
It is also strongly suggested that you subscribe to the gentoo-hardened
mailing-list. It is generally a low traffic list,
and RSBAC announcements for Gentoo will be available
there. We also recommend you to subscribe to the RSBAC mailing-list.
Please also check the hardened FAQ as your questions might already be covered in this document.
The contents of this document, unless otherwise expressly stated, are licensed under the CC-BY-SA-2.5 license. The Gentoo Name and Logo Usage Guidelines apply.
|
