[rsbac] How to restrict root access almost entirely?

[Stefan Ohletz]

Hi,

I think it has become clear to me how to use RC to protect the system 
from services running setuid root. What hasn't entirely become clear to 
me is how to protect the system from someone gaining root rights locally 
(in what way ever).

The basic idea is to restrict system access for root (and users who 
don't have admin rights) as much as possible. My approach and ideas so 
far look like the following:

1. Create a new account "admin" for administering the system.
2. Give admin the necessary rights to administer the system.
3. Take away most rights root had so far.

Trying to realize such steps with RSBAC, I first created the account 
"admin" and a role "Security Admin". Afterwards, I gave all the 
necessary rights to "admin" to access objects of type Security_FD, 
Security_Proc, and so on.

My first try was to restrict root access to /sbin/shutdown. Therefore I 
set its type to "Security_FD". As I soon realized, although root wasn't 
able to shutdown the system, admin was neither, because /sbin/shutdown 
has to be executed with uid 0. So I added admin to the wheel group, set 
the suid-bit on /sbin/shutdown and changed its group (and read/execute 
permissions) to wheel.

Now everything works, but is this approach secure?

Of course, I want to restrict access not only to shutdown, but also to 
passwd, chown, chmod, and many other system tools. Do I really need to 
set them all to "setuid root", change their group to wheel and give them 
FD-type "Security_FD"?

Moreover, I'm asking myself if there remains anything to do to hinder 
ordinary users (or root) to gain rights only admin should have. (I 
already restricted su, for example, to ordinary accounts by setting its 
AUTH capabilities.)

Thanks in advance for any comments or hints on my approach,

Stefan