http://www.rsbac.org/ 2009-01-06T23:01:53+01:00 http://www.rsbac.org/ http://www.rsbac.org/lib/images/favicon.ico text/html 2009-01-06T23:00:53+01:00 http://www.rsbac.org/wiki/experiences/igraltist/run-jail?rev=1231279253&do=diff1231279253 Back to igraltist's experiences run-jail is a python-script. Two files are nessesary to using it. * run-jail.py * jail_configparser.py syntax for configfile ; example daemon ; date 0.0.0000 ; testet by "" "" () () () () explanation the syntax The jailconfigurationfile is seperated in 6 categories. text/html 2008-11-10T20:23:55+01:00 kang http://www.rsbac.org/wiki/experiences/tweety?rev=1226345035&do=diff1226345035 * Pros * Very powerful enhancement of LINUX kernel * Nice design, which allows bunch off cool features like transaction, secure_delete, fd hiding... * Cool community, still small but efficient and reactive * Cons * The lack of documentations for some modules * You need strong knowledge of UNIX system to setup well RSBAC policies * For a best enforcement, small changes must be done to distribution (like restoring dynamic fd (/proc, /dev, shm)) * Their isn’t any referenc… text/html 2008-11-10T15:47:43+01:00 kang http://www.rsbac.org/todo?rev=1226328463&do=diff1226328463 RSBAC Progression and Roadmap This page reflects our current work queue - if you miss anything here, it will probably not happen. Please discuss any wishes on the at <rsbac@rsbac.org> or open a bug. The RSBAC development team. Planned for the next release * Add RC role attribute indicating that one has to authenticate with her UM password before actively changing to that role and mechanism for doing it. * Add kexec call control with new kexec SCD type. * New JAIL switch for enclosi… text/html 2008-11-10T15:38:20+01:00 kang http://www.rsbac.org/home/2008/11/10/150108?rev=1226327900&do=diff1226327900 RSBAC 1.4.0-rc3 Monday, 10/November/2008 RSBAC 1.4.0-rc3 has been released for kernels 2.4.36 and 2.6.27. (Full announcement) * New interception review * Splitted 2.4 and 2.6 common code * Automount support converted for vfsmount usage * Long username support in VUM * Many bugs fixed text/html 2008-11-09T16:17:10+01:00 ao http://www.rsbac.org/site/sidebar?rev=1226243830&do=diff1226243830 Stable: 1.3.7 for kernels: * 2.4.36 * 2.6.23.14 Devel 1.4: 1.4.0-rc3 for kernels: * 2.4.36.9 * 2.6.27.5 Full RSBAC kernels Lazy of patching ? Get the already rsbac-patched kernel. Choose your flavor. Classic kernels Includes vanilla kernel with the RSBAC patch text/html 2008-10-29T17:47:18+01:00 http://www.rsbac.org/wiki/experiences/igraltist/jail_explain_message?rev=1225298838&do=diff1225298838 Wed Oct 29 16:27:01 2008 :<6>0000000106|rsbac_adf_request(): request CONNECT, pid 3902, ppid 3443, prog_name apache2, prog_file /usr/sbin/apache2, uid 33, remote ip 192.168.1.5, target_type UNIXSOCK, tid Device 254:01 Inode 146921 Path /var/run/mysqld/mysqld.sock, attr process, value 4025(mysqld,parent=3988(mysqld_safe)), result NOT_GRANTED by JAIL add categorie jail: allow-external-ipc or for rsbac_jail: -i text/html 2008-10-26T15:26:59+01:00 kang http://www.rsbac.org/wiki/syntax?rev=1225031219&do=diff1225031219 DokuWiki supports some simple markup language, which tries to make the datafiles to be as readable as possible. This page contains all possible syntax you may use when editing the pages. Simply have a look at the source of this page by pressing the Edit this page button at the top or bottom of the page. If you want to try something, just use the playground page. The simpler markup is easily accessible via quickbuttons, too. text/html 2008-08-18T14:27:25+01:00 http://www.rsbac.org/wiki/experiences/igraltist/kvm_guest_jail?rev=1219062445&do=diff1219062445 Back to igraltist's experiences Based on the run-jail script and kvm-admin i do this. kvm-jail-config ; ; RSBAC JAIL definition for kvm ; 20080507 ; ; Tested by igraltist ; "" "0.0.0.0" (allow-dev-read allow-dev-write allow-ipc-syslog allow-ipc-parent allow-inet-raw allow-all-net-family) (net-raw setgid setuid dac-override net-admin dac-read-search sys-resource sys-module) () (rlimit) text/html 2008-08-11T10:45:40+01:00 http://www.rsbac.org/wiki/experiences/igraltist?rev=1218444340&do=diff1218444340 Running a VM on a host wich has RSBAC + PaX as kernelfeatures. My choose is the KVM, because ist the easiest for use and already included in the the mainline kernel. Its has enough performace to work on the guest without knowing that it’s a virtualized machine. text/html 2008-08-11T00:41:10+01:00 http://www.rsbac.org/wiki/experiences/igraltist/kvm?rev=1218408070&do=diff1218408070 Back to igraltist's experiences software packages The follow softwarepackages is required: * iproute2 * brctl * tunctl * tightvnc (for example this vncserver) * subversion ( optinal can be on the workstation ) Other packages should be on default installation. text/html 2008-07-15T17:29:42+01:00 http://www.rsbac.org/wiki/experiences/igraltist/jail_syslog-ng?rev=1216135782&do=diff1216135782 --- syslog-ng_org 2008-07-14 02:42:13.000000000 +0200 +++ syslog-ng 2008-07-14 02:42:33.000000000 +0200 @@ -36,7 +36,7 @@ checkconfig || return 1 ebegin "Starting syslog-ng" [ -n "${SYSLOG_NG_OPTS}" ] && SYSLOG_NG_OPTS="-- ${SYSLOG_NG_OPTS}" - start-stop-daemon --start --quiet --exec /usr/sbin/syslog-ng ${SYSLOG_NG_OPTS} + run-jail syslog-ng start-stop-daemon --start --quiet --exec /usr/sbin/syslog-ng ${SYSLOG_NG_OPTS} eend $? "Failed to start syslog-ng" } text/html 2008-07-14T08:39:29+01:00 http://www.rsbac.org/wiki/experiences/igraltist/jail_rsync?rev=1216017569&do=diff1216017569 ; ; RSBAC JAIL definition for rsync ; 20080507 ; ; Tested by igraltist "" "0.0.0.0" (allow-external-ipc allow-dev-read allow-dev-write allow-ipc-parent) () () (rlimit) rsync This is execute now: rsbac_jail -i -d -D -P -M rlimit rsync rsync version 3.0.2 protocol version 30 text/html 2008-07-14T08:35:56+01:00 http://www.rsbac.org/wiki/experiences/igraltist/jail_wget?rev=1216017356&do=diff1216017356 ; ; RSBAC JAIL definition wget ; ; "" "0.0.0.0" (allow-dev-write allow-dev-read) () () () wget rsbac.org This is execute now: rsbac_jail -D -d wget rsbac.org --2008-07-14 08:35:32-- http://rsbac.org/ text/html 2008-07-14T08:34:30+01:00 http://www.rsbac.org/wiki/experiences/igraltist/jail_ping?rev=1216017270&do=diff1216017270 ; ; RSBAC JAIL definition ping ; 2.10.06 ; "" "0.0.0.0" ;"192.168.1.1" (allow-dev-write allow-dev-read allow-inet-raw) () () () ping rsbac.org This is execute now: rsbac_jail -D -d -r ping rsbac.org PING rsbac.org (81.169.183.215) 56(84) bytes of data. text/html 2008-07-14T05:13:05+01:00 http://www.rsbac.org/wiki/experiences/igraltist/jail_squid?rev=1216005185&do=diff1216005185 --- squid_org 2008-07-14 05:09:33.000000000 +0200 +++ squid 2008-07-05 16:35:50.000000000 +0200 @@ -98,7 +98,7 @@ maxfds umask 027 cd $cdr - start-stop-daemon --quiet --start \ + run-jail squid start-stop-daemon --quiet --start \ --pidfile $PIDFILE \ --chuid $CHUID \ --exec $DAEMON -- $SQUID_ARGS < /dev/null text/html 2008-07-14T05:00:41+01:00 http://www.rsbac.org/wiki/experiences/igraltist/jail_portmap?rev=1216004441&do=diff1216004441 --- portmap_org 2008-07-14 04:58:03.000000000 +0200 +++ portmap 2008-07-05 03:36:52.000000000 +0200 @@ -11,7 +11,7 @@ start() { ebegin "Starting portmap" - start-stop-daemon --start --quiet --exec /sbin/portmap -- ${PORTMAP_OPTS} + run-jail portmap start-stop-daemon --start --quiet --exec /sbin/portmap -- ${PORTMAP_OPTS} local ret=$? eend ${ret} # without, if a service depending on portmap is started too fast, text/html 2008-07-14T04:56:12+01:00 http://www.rsbac.org/wiki/experiences/igraltist/jail_dmeventd?rev=1216004172&do=diff1216004172 --- dmeventd_org 2008-07-14 04:53:34.000000000 +0200 +++ dmeventd 2008-07-05 03:27:51.000000000 +0200 @@ -9,7 +9,7 @@ start() { ebegin "Starting dmeventd" - start-stop-daemon --start --exec /sbin/dmeventd --pidfile /var/run/dmeventd.pid + run-jail dmeventd start-stop-daemon --start --exec /sbin/dmeventd --pidfile /var/run/dmeventd.pid eend $? } text/html 2008-07-14T04:52:29+01:00 http://www.rsbac.org/wiki/experiences/igraltist/jail_powernowd?rev=1216003949&do=diff1216003949 --- powernowd_org 2008-07-14 04:49:20.000000000 +0200 +++ powernowd 2008-07-05 03:38:09.000000000 +0200 @@ -7,7 +7,7 @@ start() { ebegin "Starting powernowd" - /usr/sbin/powernowd -q ${POWERNOWD_OPTS} + run-jail powernowd /usr/sbin/powernowd -q ${POWERNOWD_OPTS} eend $? } text/html 2008-07-14T04:46:36+01:00 http://www.rsbac.org/wiki/experiences/igraltist/jail_postfix?rev=1216003596&do=diff1216003596 --- postfix_org 2008-07-14 04:43:40.000000000 +0200 +++ postfix 2008-07-14 02:05:07.000000000 +0200 @@ -12,7 +12,8 @@ start() { ebegin "Starting postfix" - postfix /usr/sbin/postfix start >/dev/null 2>&1 + run-jail postfix /usr/sbin/postfix start + #>/dev/null 2>&1 eend $? } @@ -24,6 +25,7 @@ reload() { ebegin "Reloading postfix" - postfix /usr/sbin/postfix reload >/dev/null 2>&1 + run-jail postfix /usr/sbin/postfix reload + #>/dev/null 2>&1 eend $? } text/html 2008-07-14T04:39:06+01:00 http://www.rsbac.org/wiki/experiences/igraltist/jail_apache2?rev=1216003146&do=diff1216003146 This is the modified apache2 init-script --- apache2_orginal 2008-07-01 14:33:17.000000000 +0200 +++ apache2 2008-07-02 18:11:08.000000000 +0200 @@ -115,6 +115,8 @@ fi done fi + echo "sleeping a bit, otherwise the port is blocking from dieing apache" + sleep 2 } # Stupid hack to keep lintian happy. (Warrk! Stupidhack!). @@ -126,7 +128,9 @@ #ssl_scache shouldn't be here if we're just starting up. [ -f /var/run/apache2/ssl_scache ] && rm -f /var/run/apache2/*ssl_…