I've been looking at all the threads regarding draksec, msec, and so forth... All these questions are old, and the answers were given before... A bit dusty, yet still dormant, in cooker CVS is a project that was designed to replace msec. BUS, which stands for Bastille Unix Security, was an idea put into action by Yoann Vandoorselaere, Jay Beale (Bastille Linux), and myself. The backend is simply beautiful IMHO. Let me briefly explain (as best I can). The core of BUS is written in C, Perl modules can be used for routines, and the configuration is done in XML. This makes up the backend. There are two main configuration files, actions.xml and secdb.xml.
secdb.xml:

    /* SNIP */
    <include>isec.xml</include>
    <include>secure_inetd.xml</include>
    <include>pam.xml</include>
    /* SNIP */

A look at secdb/pam.xml:

    /* SNIP */
    <variable name="pam_filesize">
      <question>Would you like to set a maximum file size a user is allowed via PAM? If so, what shall be the maximum file size (default is 40000 == 40MB)?</question>
      <answer default="1" level="4,5">40000</answer>
      <answer type="number">Maximum File Size</answer>
      <answer level="0,1,2,3">no</answer>
    </variable>
    /* SNIP */

And finally, a look at actions.xml:

    /* SNIP */
    <variable name="pam_filesize">
      <answer value="40000">
        <!-- a limits.conf line is "domain type item value"; the fsize item was missing here -->
        <insert_line.pl file="/etc/security/limits.conf">* hard fsize 40000</insert_line.pl>
      </answer>
      <answer value="__answer__">
        <insert_line.pl file="/etc/security/limits.conf">* hard fsize __answer__</insert_line.pl>
      </answer>
    </variable>
    /* SNIP */

(See the README for more info)

Here's a screenshot of what a custom session looks like. This is a gtk+ frontend (pre-alpha, beautifully written by Renaud Chaillat). (An ncurses frontend, as well as the basic CLI frontend (done), were in place.) Now of course, BUS was being worked on not only to replace msec, but Bastille Linux as well, and not only for Linux, but Solaris, HP-UX, and so on... BUS is pretty friggin scalable, has rollbacks (I think that was finished : p), etc... One particular thing that I always pointed out about BUS was that you didn't have to hack your system; it learned your system on its own (this is due to a lot of great code by Yoann, e.g., the XML function check).

What is and what is not needed: I think the focus needs to be pinched a bit. That is, backing out a lot of operations that Bastille Linux did/does, and wrapping it around operations that msec currently performs (most of those are already there : p). Regardless of whether anyone would like to wipe the dust off of BUS and put it back into spin... I think a good look over of BUS, its arch, its operational character, its scalability, and so forth.
However, if someone (Yoann? I know you're busy with prelude, but maybe?) wants to dive into src/ and hack away, I'd be willing to take back up the "principal DB maintainer" title and clean up that config in a heartbeat. Anywho... Food for thought : )

-- 
Bryan Paxton
Public PGP key: http://www.deadhorse.net/bpaxton.gpg
"Winning gives birth to hostility. Losing, one lies down in pain. The calmed lie down with ease, having set winning & losing aside." Dhp. 201
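To show how the secdb.xml / actions.xml split described in the post resolves to a concrete change, here is an added Python example (not BUS code, which is C and Perl) that walks the pam_filesize variable: it picks the answer secdb preselects for a security level, maps it through actions.xml, substitutes __answer__ for a user-supplied number, and refuses to emit a limits.conf line that does not have the four fields (domain, type, item, value) PAM expects. The XML fragments are constructed from the post's excerpts, with the fsize item spelled out; the function names are my own.

```python
import xml.etree.ElementTree as ET

# Constructed fragments modelled on the secdb.xml / actions.xml excerpts in the post.
SECDB = """<variable name="pam_filesize">
  <question>Set a maximum file size a user is allowed via PAM?</question>
  <answer default="1" level="4,5">40000</answer>
  <answer type="number">Maximum File Size</answer>
  <answer level="0,1,2,3">no</answer>
</variable>"""
ACTIONS = """<variable name="pam_filesize">
  <answer value="40000">
    <insert_line.pl file="/etc/security/limits.conf">* hard fsize 40000</insert_line.pl>
  </answer>
  <answer value="__answer__">
    <insert_line.pl file="/etc/security/limits.conf">* hard fsize __answer__</insert_line.pl>
  </answer>
</variable>"""

def default_answer(level):
    """Answer that secdb.xml preselects for a security level, or None if none is listed."""
    for ans in ET.fromstring(SECDB).findall("answer"):
        if ans.get("level") and str(level) in ans.get("level").split(","):
            return ans.text.strip()
    return None

def valid_limits_line(line):
    """A limits.conf line is <domain> <type> <item> <value>; fsize takes a numeric value."""
    f = line.split()
    return len(f) == 4 and f[1] in ("hard", "soft", "-") and f[3].isdigit()

def resolve_action(answer):
    """Map an answer to (file, line) via actions.xml; value="__answer__" is the free-form fallback."""
    if answer in (None, "no"):
        return None                      # "no" means leave limits.conf alone
    fallback = None
    for ans in ET.fromstring(ACTIONS).findall("answer"):
        act = ans[0]                     # the single <insert_line.pl> child
        if ans.get("value") == answer:
            return act.get("file"), act.text.strip()
        if ans.get("value") == "__answer__":
            fallback = act
    if fallback is None or not answer.isdigit():  # secdb declares the free answer type="number"
        return None
    return fallback.get("file"), fallback.text.strip().replace("__answer__", answer)

def plan(level, custom=None):
    """Line a session would write: the secdb default for the level unless the user overrides it."""
    action = resolve_action(custom if custom is not None else default_answer(level))
    if action and not valid_limits_line(action[1]):
        raise ValueError("refusing to write malformed limits.conf line: " + action[1])
    return action
```

Running plan(5) yields the level-5 default line, plan(2) yields nothing because secdb answers "no" for levels 0 to 3, and a non-numeric custom answer is dropped before it can reach limits.conf.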
