This guide will help you to install RSBAC on
Gentoo Linux. It is assumed that the users have read
the
This step is pretty straightforward, thanks to the way Gentoo handles kernel installations. Start by emerging the rsbac-sources kernel from your portage.
# emerge rsbac-sources
# rm /etc/make.profile
# ln -s /usr/portage/profiles/default-linux/x86/2005.0/2.4/ /etc/make.profile
# echo "sys-kernel/hardened-sources rsbac" >> /etc/portage/package.use
# emerge hardened-sources
We will now configure the kernel. It is recommended that you enable the following options, in the "Rule Set Based Access Control (RSBAC)" category:
Under "General RSBAC options"
[*] RSBAC proc support
[*] Check on init
[*] Support transactions
[*] Randomize transaction numbers
[*] RSBAC debugging support
(400) RSBAC default security officer user ID

Under "User management"
[*] User management

Be sure to enable SHA1 in the Crypto API.
Under "Cryptographic options" of the general kernel configuration, tick
[*] SHA1 digest algorithm
[*] Use Crypto API Digest SHA1 (NEW)

Under "RSBAC networking options"
[*] RSBAC network support
[*] Net device control
[ ] Treat virtual devices as individuals
[*] Individual network device logging
[*] Net object control (sockets)
[*] Control UNIX address family
[*] Also intercept network object read and write
[*] Individual network object logging

(Do not turn on "RSBAC Maintenance Kernel", use softmode instead)

Under "Decision module (policy) options"
[*] Support for Registration of decision modules (REG)
[*] Build REG sample modules
----------------------------
[*] RSBAC support for DAZuko policy (For malware/antivirus scanning)
DAZ Policy Options --->
(604800) Scanning result lifetime in seconds

For each different policy/module you support, you should check its protection for the AUTH module and the User Management module.
[*] RSBAC support for FF policy
[*] RSBAC support for RC policy
[*] RSBAC support for AUTH policy

Please turn the learning option off on production kernels. It is only used while setting up your RSBAC system.
AUTH Policy Options --->
[*] AUTH learning mode support
[*] RSBAC support for ACL policy
[*] RSBAC support for Linux Caps (CAP) policy
[*] RSBAC support for JAIL policy
[*] RSBAC support for PAX policy
[*] RSBAC support for System Resources (RES) policy

Under "Softmode and switching"
[ ] RSBAC policies switchable
[*] RSBAC soft mode (Turn that off on production kernels)
[*] Individual module softmode support

Under "Logging": all except "Log to remote UDP network socket", unless you want to log to a remote machine

Under "RSBAC symlink redirection"
[*] RSBAC symlink redirection
[*] Add remote IP address
[*] Add user ID number
[*] Add RC role number

Under "Other RSBAC options"
[*] Intercept sys_read and sys_write
[*] Intercept Semaphore IPC operations
[*] Control DAC process owner (seteuid, setfsuid)
[*] Hide processes in /proc
[*] Support freezing of RSBAC configuration
[*] RSBAC check sys_syslog
We will now configure PaX, which complements the RSBAC hardened kernel. It is also recommended that you enable the following options in the "Security options ---> PaX" section.
[*] Enable various PaX features
PaX Control --->
[*] Support soft mode (Turn that option off on a production kernel)
[ ] Use legacy ELF header marking
[ ] Use ELF program header marking
MAC system integration (direct) --->
(X) hook
Non-executable pages --->
[*] Enforce non-executable pages (NEW)
[*] Paging based non-executable pages
(You usually want to select the PAGEEXEC method on x86 since on newer PaXs,
revert to SEGMEXEC if you are having issues)
[*] Segmentation based non-executable pages (NEW)
[*] Restrict mprotect()
[ ] Disallow ELF text relocations (This option breaks too many applications as of now)
Address Space Layout Randomization --->
[*] Address Space Layout Randomization
[*] Randomize user stack base
[*] Randomize mmap() base
# rsbac_fd_menu /path/to/the/target/item
or
# attr_set_file_dir FILE /path/to/the/target/item pax_flags [pmerxs]
For the other options, you can now compile and install the kernel as you would a normal one.
In order to administer your RSBAC enabled Gentoo, some userspace utilities are required. Those are included in the rsbac-admin package, which needs to be installed.
# emerge rsbac-admin
Once emerged, the package will have created a new user account on your system (secoff, with uid 400). He will become the security administrator during the first boot. This is the only user who is able to change the RSBAC configuration. He will commonly be called the Security Officer.
# passwd secoff
At the first boot, login into the system won't be possible, due to the
AUTH module
rsbac_softmode
The login application manages user logins on the system. It needs rights to setuid, which we will now give:
Log in as the Security Officer (secoff) and allow logins to be made by entering the following command:
# rsbac_fd_menu /bin/login
or
# attr_set_fd AUTH FILE auth_may_setuid 1 /bin/login
As an alternative, if softmode isn't enabled, you can also use the following kernel parameter in order to allow login at boot time:
rsbac_auth_enable_login
Because there is almost no policy made yet (except the one generated during the first boot), the AUTH module does not allow uid changes.
Thanks to the intelligent learning mode there is an easy way to alleviate this new problem: The AUTH module can automagically generate the necessary policy by watching services while they start up and noting the uids they are trying to switch to. For example, to teach the AUTH module about the uids needed by sshd (OpenSSH daemon), do the following:
Enable the learning mode for sshd
# attr_set_file_dir AUTH FILE `which sshd` auth_learn 1
Start the service
# /etc/init.d/sshd start
Disable the learning mode
# attr_set_file_dir AUTH FILE `which sshd` auth_learn 0
Now sshd should be working as expected again,
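The three learning-mode steps for a service, wrapped so that auth_learn is always switched back off even when the init script fails. This is an added example, not part of the original guide: attr_set_file_dir and its arguments are the ones used above, while the function name and the ATTR_SET and INITD_DIR overrides are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not part of the original guide.
# attr_set_file_dir and its arguments come from the guide; the function name
# and the ATTR_SET / INITD_DIR overrides are assumptions for illustration.

ATTR_SET="${ATTR_SET:-attr_set_file_dir}"
INITD_DIR="${INITD_DIR:-/etc/init.d}"

auth_learn_service() {
    svc="$1"    # init script name, e.g. sshd
    bin="$2"    # absolute path of the daemon, e.g. the output of `which sshd`

    # Refuse anything that could set auth_learn on an unintended file.
    case "$bin" in
        /*) ;;
        *) echo "daemon path must be absolute: $bin" >&2; return 2 ;;
    esac
    [ -f "$bin" ] && [ -x "$bin" ] || { echo "not an executable file: $bin" >&2; return 2; }
    [ -x "$INITD_DIR/$svc" ] || { echo "no init script for: $svc" >&2; return 2; }

    # Step 1: enable learning for this one binary only.
    "$ATTR_SET" AUTH FILE "$bin" auth_learn 1 || return 1

    # Step 2: start the service; keep its status without aborting under set -e.
    rc=0
    "$INITD_DIR/$svc" start || rc=$?

    # Step 3: disable learning regardless of how the start went.
    if ! "$ATTR_SET" AUTH FILE "$bin" auth_learn 0; then
        echo "WARNING: auth_learn may still be set on $bin" >&2
        return 3
    fi
    return "$rc"
}

# Usage: auth_learn_service sshd "$(which sshd)"
```

A return status of 3 means the last step failed and the binary should be checked by hand before the machine goes into production.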
You can enable the global learning mode by passing this kernel parameter at boot time:
rsbac_auth_learn
It is also strongly suggested that you subscribe to the