[rsbac] sniffix- rsbac demo cd live image

Bencsath Boldizsar boldi at mail2003.etl.hu
Mon Jul 14 21:28:59 MEST 2003


Our new knoppix-based live cd, 'sniffix', is distributed as
http://db.dc.hu/~boldi/sniffix.iso
http://db.dc.hu/~boldi/sniffix.txt

It is a simple modification of knoppix, some notes (draft docs) are in
the text file following here:

Sniffix.

Sniffix is a remastered knoppix distribution for demo/emergency purposes.
Remastered by:
Laboratory of Cryptography and Systems Security
Budapest University of Technology and Economics
Dept. of Telecommunications

(This document is only a short (draft) intro for geeks interested in
rsbac...)

What did I do with knoppix?

1. removed a bunch of unnecessary files
2. built a new kernel with the rsbac 1.2.2pre release for testing / emergency use
3. modified the boot procedure and the programs started at boot

A. Why?

Our goal is to make a bootable live cd with lots of tools, a graphical
front-end etc. for academic purposes. We wish to make 5-10 identical cd's,
put them in 10 computers, start them, cut the line to the internet, and use
these 5-10 computers as a test lab for various purposes.

B. How?

Knoppix is good for booting up the computer: auto setup for all the
hardware. Good. But we need some more. We have to change the kernel. BTW it
would be great if we could run memtest86 from the same cd.

Persistent homedir? Booting from knoppix has a major disadvantage: everything
is lost if we reboot (/home is in the ramdisk). This can be solved using a
partition for the home dirs, with the knoppix persistent homedir feature etc.

C. What's on the disk?

We used the knoppix remastering howto to change the setup. For the new kernel
we decided to use isolinux as the cdrom bootloader. In the 'master' directory
we put everything into the isolinux subdir (the unpacked knoppix kernel,
miniroot.gz as the initrd boot stuff, our kernels, the memtest86 image,
isolinux.cfg). Looking in isolinux.cfg you can see the boot options.

-Booting:

During the boot the knoppix image comes up with a prompt.
"1" (default, loaded after the timeout) will load the 2.4.20 + rsbac 1.2.2pre
kernel.
"KO" will load the original knoppix kernel as a boot floppy, so the "knoppix"
logo and prompt will come up.
"knoppix" etc. are the standard knoppix modes.
"M" loads memtest86.


After pressing "1" the kernel comes up with rsbac_delay_init and
rsbac_softmode, so rsbac only comes up when the device 99:99 is mounted
(i.e. never). So to turn on rsbac we have to run
/usr/local/bin/rsbac_init /dev/ram0, as the root device in knoppix is the
initrd ramdrive. After initialization rsbac is in soft mode, so no
enforcement is active; you can set the 'default' options first, and then
turn on enforcement with switch_module SOFTMODE 0.

After booting the kernel a dialog (/etc/init.d/sniffix-dialog) comes up.
You can choose the role of this computer. It saves this choice to
/etc/sniffix.bootparam (on the initrd ramdisk), and other scripts such as the
modified xsession use this to decide what to load. (These scripts are in
/etc/rc2.d, /etc/rc5.d and /etc/init.d; the standard runlevel for knoppix
is 5.)


"Server1" is a dhcp server; it loads crontab, inetd with telnetd, and starts
sshd. Dhcp is configured for 10.105.2.0/24, and server1 is 10.105.2.254.

"Server2" acts like server1 but also copies a crontab script for root. This
will periodically run a netcat script that uses telnet to log into server1
as a user. Our students will have to intercept the password of this session
by sniffing the network from a "client-role" computer.

"client for rsbac" is the rsbac demo role for this computer.
It does not load xsession currently, but initializes rsbac, then loads the
previously set basic settings (setuid right for /usr/sbin/ssh and for
/bin/login, in the next version also for /bin/su). (*note* the basic shell
has a compiled-in su, so you might have to type /bin/su for rsbac!)
After this you get a shell with rsbac on-line. You can make modifications
as you wish. Most of the modifications will be lost at the next reboot
if you do not save them! (To speed up backup_all,
/usr/local/bin/backup_all-noknoppix won't look in /usr and /var,
except /usr/sbin etc.; look in the script.)
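
The role dispatch described above, written out as an added example (not one of the sniffix scripts themselves): a POSIX sh script that reads the role saved by sniffix-dialog and does the per-role setup, ending the client role with rsbac enforcement only after the saved rights are back in place. The Debian-style init script names, the root crontab file path and the restore_rsbac_settings helper are assumptions standing in for the "previously set basic settings" of the post.

```shell
#!/bin/sh
# Added example: a sniffix-style role dispatcher, not one of the original scripts.
# The boot dialog writes the chosen role to /etc/sniffix.bootparam (on the initrd
# ramdisk); a runlevel script like this one reads it and configures the machine.
# Assumed: init script names (Debian style), the root crontab file path, and a
# hypothetical restore_rsbac_settings that re-applies the saved rsbac attributes.

ROLE_FILE="${ROLE_FILE:-/etc/sniffix.bootparam}"
DRYRUN="${DRYRUN:-0}"   # DRYRUN=1 prints the commands instead of running them

run() {
    if [ "$DRYRUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# First line of the role file; default to the rsbac client role if it is missing.
read_role() {
    if [ -r "$ROLE_FILE" ]; then
        head -n 1 "$ROLE_FILE"
    else
        echo client
    fi
}

# Shared by both server roles: dhcpd for 10.105.2.0/24, cron, inetd (telnetd), sshd.
start_server_services() {
    run /etc/init.d/dhcp start
    run /etc/init.d/cron start
    run /etc/init.d/inetd start
    run /etc/init.d/ssh start
}

dispatch() {
    case "$(read_role)" in
        server1)
            start_server_services ;;
        server2)
            start_server_services
            # root crontab that periodically runs the telnet login script
            run crontab /usr/local/share/sniffix/root.crontab ;;
        client)
            # kernel booted with rsbac_delay_init: attach rsbac to the initrd ramdisk
            run /usr/local/bin/rsbac_init /dev/ram0
            # still in soft mode: restore the setuid rights for /usr/sbin/ssh and
            # /bin/login BEFORE enforcing, or nobody can log in once SOFTMODE is off
            run /usr/local/bin/restore_rsbac_settings
            run switch_module SOFTMODE 0 ;;
        *)
            echo "sniffix: unknown role in $ROLE_FILE" >&2
            return 1 ;;
    esac
}
```

Call `dispatch` from the rc script; `DRYRUN=1` lets you preview the command sequence for a role without touching the running system.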

Users:
u: crysys pw: proba (has sudo rights)
u: secoff pw: proba
...

D. Why is this useful for You?

1. You can load the test rsbac client live image to simply try out some rsbac
setup procedures without risking your live system (as long as you do not
mount hard drive partitions).

2. You can get some ideas on how to make such a demo cd yourself.

Last words:

I publish this image as it might help someone, but making a public
demo system is not our main goal: our main goal is to use this for our
goals...

Thanks to Amon for the patches.

Contact:

Boldizsar Bencsath
Dept. of Telecommunications
Budapest University of Technology and Economics
H-1111 Budapest, Magyar tudósok körútja 2. I ép. E.429.
email: bencsath.boldizsar at mail2002.crysys.hit.bme.hu
