That is how I (newbie) have been doing it... install/get everything
working as I like it, then use learning mode to both document and enforce
how things relate. (The policy file, built from learning mode, makes for
interesting reading as documentation :-) )
Gradm/grsecurity works extremely well, but lacks a clear "getting started"
paragraph IMHO. Don't give up... it's quite manageable once you crack
the access codes (e.g. "h" means hidden), and some of Gradm's caveats
(e.g. nothing is allowed access to certain /dev/ files). So, for example,
either you have
    /dev h          (which simply hides all of /dev - no access needed)
or
    /dev h
    /dev/tty r      (hides all of /dev except allows reading tty)
or else you allow access to all of /dev, but prohibit access to the
critical areas, e.g.
    /dev
    /dev/grsec h
    /dev/mem h
    /dev/kmem h
There are other critical "files", and you'll get good diagnostic messages
when you run gradm -E. You simply edit policy and tweak away 'til it
starts up clean. Do it a few times and it'll start making sense.
These were the areas that confused me at first; I've not described them
well, but maybe this'll get you by the first run.
HTH, Newbie
The way I plan to do it (as I'm in the middle of this process myself) is
to install everything first, and then run the RSBAC learning mode
supplied with gradm, then tweak the profile it creates.
Thanks,
Brian
Mathieu CASTEL wrote:
So I think I'll go for the RSBAC security, but I have a question... is
it better to first install and configure all the services on the server
and then add the RSBAC, or install a basic system and do the install of
RSBAC, and then the other services?
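
The /dev check described in the first message of this thread, sketched as an added example (not code from the thread or from gradm): it reads object lines in the "path modes" form shown above and lists which of the three named device paths would not end up hidden. It assumes the longest matching path decides the mode and that "h" in the mode string means hidden; the function names are hypothetical.

```python
# Added example. Assumptions: the most specific (longest) matching object
# path decides the mode, and "h" anywhere in the mode string means hidden.
CRITICAL = ["/dev/grsec", "/dev/mem", "/dev/kmem"]  # paths named in the post


def parse_objects(text):
    """Parse 'path [modes]' lines, as written in the post, into {path: modes}."""
    rules = {}
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if len(parts) > 2 or not parts[0].startswith("/"):
            raise ValueError(f"not an object line: {line!r}")
        path = parts[0].rstrip("/") or "/"
        rules[path] = parts[1] if len(parts) == 2 else ""
    return rules


def effective_rule(rules, path):
    """Return (rule_path, modes) of the longest rule covering path, or None."""
    probe = path
    while True:
        if probe in rules:
            return probe, rules[probe]
        if probe == "/":
            return None
        probe = probe.rsplit("/", 1)[0] or "/"  # step up to the parent directory


def unhidden_critical(text):
    """List (device, deciding rule) for critical paths that are not hidden."""
    rules = parse_objects(text)
    findings = []
    for dev in CRITICAL:
        match = effective_rule(rules, dev)
        if match is None:
            findings.append((dev, "no matching object"))
        elif "h" not in match[1]:
            findings.append((dev, f"{match[0]} {match[1] or '(no mode)'}"))
    return findings


if __name__ == "__main__":
    # Constructed sample: /dev opened read-write with only /dev/mem hidden.
    for dev, why in unhidden_critical("/dev rw\n/dev/mem h\n"):
        print(f"{dev}: not hidden (decided by: {why})")
```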