Configuring RSBAC kernel options

Importing an existing kernel configuration

If you have an existing configuration for a working kernel, and you should if you've been following the instructions so far, you can copy it to the RSBAC sources directory and import it using the following commands:

lisa ~ # cd /usr/src
lisa src # cp linux/.config linux-2.6.14-rsbac-r1/
lisa src # rm linux
lisa src # ln -s linux-2.6.14-rsbac-r1 linux
lisa src # cd linux
lisa linux # make oldconfig

You will be asked a lot of RSBAC related questions during the import process. The default values are acceptable in all cases as we shall be checking them later. You should make sure that you understand the implications of the answers that you give to all non-RSBAC related questions as they will only be mentioned here if they are known to cause conflicts.

Configuring standard security options

Before we configure RSBAC we should ensure that the standard Linux security options are correctly configured.

Security options
[ ] [] [] [*] [ ] [ ]	PaX ---> Enable access key retention support Enable different security models Socket and Networking Security Hooks Default Linux Capabilities BSD Secure Levels NSA SELinux Support

Configuring RSBAC options

Now that we have a working kernel configuration which we know will boot our system it is time to configure the RSBAC options. As this is a guide to RSBAC we shall start by enabling a simple set of modules which we can use as a gentle introduction. As the guide progresses we shall add more modules to our configuration as we introduce them.

Start by running the kernel configuration menu as usual

lisa linux # make menuconfig

and navigate to the Rule Set Based Access Control (RSBAC) menu. It should look like the example given below.

Rule Set Based Access Control (RSBAC)
[] --- [ ] --- --- [] [] [] [] [] [] []	Rule Set Based Access Control (RSBAC) General RSBAC options ---> User Management ---> RSBAC networking options ---> ------------------------- RSBAC Maintenance Kernel (Use with care!) ------------------------- Decision module (policy) options ---> ------------------------- Softmode and switching ---> Logging ---> RSBAC symlink redirection Add remote IP address Add user ID number Add RC role number Allow disabling of Linux filesystem access control Allow full disabling (DANGEROUS!) Allow partial (dir tree based) disabling Other RSBAC options --->

We shall explain the implications of disabling Linux filesystem access controls in the relevant section. You may decide to leave these options disabled on a production system but for the purposes of this tutorial they should be enabled.

Once the main RSBAC options have been configured we can configure the General RSBAC options which are found in a sub-section of that name

General RSBAC options
[ ] [] [] [ ] [ ] (5) [] (3600) [] [*] [ ] (400) [ ] (4)	Initialize RSBAC in separate kernel thread RSBAC proc support Check on init Disable RSBAC writing to disk Allow attribute writing on MSDOS filesystems RSBAC auto write to disk interval in seconds Support transactions Maximum transaction time in seconds Randomize transaction numbers RSBAC debugging support Provide DEV and USER backup files RSBAC default security officer user ID Delayed init for initial ramdisk Number of GEN process lists

and so on for each sub-section in turn

User Management
[] [] (2000) (2000) [ ] (6) [*]	User Management Use Crypto API Digest SHA1 Minimum auto user ID Minimum auto group ID Exclusive user management Minimum password length Require non-alphabetic character in password

Exclusive user management can be activated only after existing users and groups have been migrated.

RSBAC networking options
[] [] [ ] [] [] [] [] [*]	RSBAC network support Net device control Treat virtual devices as individuals Individual network device logging Net object control Control UNIX address family Also intercept network object read and write Individual network object logging

If you have a multi-homed host and you wish to be able to control each virtual network device independently you will also need to enable the "Treat Virtual devices as individuals" option.

Decision module (policy) options
[ ] --- [] [ ] [] [ ] [*] [ ] [ ] [ ] [ ] [ ] [ ]	Support for Registration of decision modules (REG) ------------------------- RSBAC support for AUTH policy AUTH Policy Options ---> RSBAC support for RC policy RSBAC support for ACL policy ACL Policy Options ---> RSBAC support for MAC policy RSBAC support for PAX policy PAX Policy Options ---> RSBAC support for DAZuko policy RSBAC support for Linux Caps (CAP) policy RSBAC support for JAIL policy RSBAC support for System Resources (RES) policy RSBAC support for FF policy RSBAC support for PM policy

AUTH Policy Options
[] [ ] [] [] [] [] [] [ ]	AUTH module and attribute protection Protect switching of other modules AUTH protection for User Management AUTH support for effective and fs owner control Always allow setting to same id AUTH support for Linux group control AUTH support for effective and fs group control AUTH learning mode support

ACL Policy Options
[ ] [] [] [] [ ] [ ] [] [*]	Allow masking out of SUPERVISOR right ACL protection for AUTH module ACL protection for User Management ACL protection for GENeral attributes Provide ACL backup files ACL learning mode support ACL network device protection ACL network object protection

PAX Policy Options
[ ]	Change PAX default flags (PeMRxS)

Softmode and switching
[] [] [*] [ ]	RSBAC soft mode Toggle soft mode with SysRq-X Individual module softmode support RSBAC policies switchable

RSBAC soft mode should be disabled on a production system. It should only be used while configuring RSBAC to ensure that you can gain access to the system should a configuration error be made. As there are no policies by default this option is required during initial configuration.

Logging
[] [] [] [] [] (1024) [] [] [] (1000) [] [] --- [ ]	Individual file/dir/dev object logging Individual user logging Individual program logging Log program file Log full path Maximum path length (256 - 4000) Pseudonymous logging support Pseudonymize filesystem objects Syslog rate limit Default allowed message lines per second RSBAC own logging facility Allow to disable logging to syslog ------------------------- Log to remote UDP network socket

Other RSBAC options
[ ] [] [] [] [] [] [] [ ] [] [] [ ] [ ] [ ] [] []	Support secure_delete Intercept sys_read and sys_write Intercept Semaphore IPC operations Control DAC process owner (seteuid, setfsuid) Control DAC process group (setegid, setfsgid) Hide processes in /proc Support freezing of RSBAC configuration Also freeze User Management RSBAC check sys_syslog Generic check in sys_ioctl Make RSBAC data files visible No decision on net mounts X support (normal user MODIFY_PERM access to ST_ioports) Faked root uid RSBAC extra statistics

The location of some options may be different if you are using a kernel version other than that specified here. We try to keep this guide updated for the latest stable version of RSBAC sources but as you can see there are a lot of options so this is a lot of work!

Configuring PaX integration

When using RSBAC and PaX together it is critical that you tell PaX that RSBAC will be providing the binary flags instead of using legacy ELF header or program ELF header marking.

Check that the following PaX Control options are configured as shown below.

PaX Control
[ ] [ ] [ ]	Support soft mode Use legacy ELF header marking Use ELF program header marking MAC system integration (direct) --->