[rsbac] Dummies starter guide

Wed Mar 16 00:26:47 CET 2005

On Mar 15, 2005, at 11:13, Andrea Pasquinucci wrote:

> * I have visions of desktop users thinking to enable RSBAC and having
> * absolutely no clue on what they're doing (for Mandrake, anyways) so 
> I'd
> * like to put something up that's super easy to understand and follow.
>
> The only way I can think of it is to keep the end-user completely out 
> of
> it. If you don't understand what you are doing you end up believing to
> be secure when you are wide open, even worse that to know to be 
> unsecure
> or trust your luck. So, in my opinion the only way to go is a single
> button saying "click to start RSBAC, you'll increase your security but
> some things (hopefully few) will not work".
>
> How to do it is easy in principle but not at all in practice. Add to
> each package the RSBAC rules necessary to make it work, if all kernels
> are RSBAC enabled, every time you install a package, the correct rules
> to make it work should be added. When the user clicks the above button
> you go from soft_mode to enforcing_mode, end of the story.
>
> This is the trivial and common idea. As far as I know, this is how the
> distributions are trying to incorporate Selinux, RSBAC, LIDS, 
> Grsecurity
> or whatever. That you manage to do it, this is entirely a different
> story. In my humble opinion, nobody has really succeeded yet for 
> desktop
> distributions without any user intervention.
>
> Good luck, and let us know how it goes!

This is good, and a very good idea, but it won't happen anytime soon 
and even then, the developers need to understand it so they can update 
their packages accordingly.  This won't happen quickly and I doubt the 
developers will be happy to have to struggle through documentation, so 
a "dummy's guide" would be useful for them as well.

Then there's the "power users" or "tinkering" folks who want to get 
their hands dirty as well.

Not to mention me, who really knows nothing beyond the 
patching/compiling stage.  =)  I understand that this is how Adamantix 
does it, and I may have to look at their packages/setup in order to see 
how they're implementing it, but I think basically it still needs to be 
documented somehow... somewhere... for people who want to do something 
with it to be able to easily.

Now, that's not to say that no good easy-to-follow docs don't already 
exist, but I haven't found them yet... which is what I'm looking for.

-- 
Annvix - Secure Linux Server: http://annvix.org/
"lynx -source http://linsec.ca/vdanen.asc | gpg --import"
{FEE30AD4 : 7F6C A60C 06C2 4811 FA1C  A2BC 2EBC 5E32 FEE3 0AD4}
-------------- next part --------------
A non-text attachment was scrubbed...
Name: PGP.sig
Type: application/pgp-signature
Size: 186 bytes
Desc: This is a digitally signed message part
Url : http://www.rsbac.org/pipermail/rsbac/attachments/20050315/8b529d95/PGP.bin