[rsbac] Searching for documentation
Amon Ott
ao at rsbac.org
Thu Feb 1 16:28:18 CET 2007
On Thursday 01 February 2007 15:38, Markus Wernig wrote:
> I'm considering switching from grsec to rsbac for some of my more
> important servers and have started a test setup based on Ubuntu 6.06
> LTS. Now I'm trying to configure RSBAC for system protection,
service
> encapsulation and would like to assign file system and process
> manipulation restrictions to group roles and add users to those
roles
> ... but simply can't find a starting point. The handbook section at
> rsbac.org seems to more explain the underlying theoretical concepts
than
> show how to implement them in a live system, and google searches so
far
> didn't yield results fit for my humble understanding. I would be
very
Unfortunately, these parts of the handbook still have to be written.
Some hands-on examples are available at
http://www.rsbac.org/wiki/experiences/telmich
> grateful if somebody could point me to documentation covering the
> following questions:
> - How do I start configuring rsbac? Is rsbac_menu the only entering
> point? Are there no configuration files? Just what do you do after
> rebooting into softmode?
You can also use the RSBAC command line tools. The menus are only
useful wrappers for them. Usually you start with setting necessary
AUTH capabilities or use the AUTH learning facility, then go on with
the simple steps mentioned in
http://www.rsbac.org/documentation/rsbac_handbook/configuration_basics/administration_examples/rsbac_samples
> - What do the zillions of configuration options of rsbac_menu and
> friends mean? Where are they documented? The "help" function of
> rsbac_menu on my system does exactly the same as the "cancel"
function.
You can try the dialog version at download.rsbac.org, which displays
the help texts correctly. The options are mostly documented there and
in the command line tool help screens.
> - How is configuration stored if changed by the rsbac_* and attr_*
> family of commands? How does it survive a reboot?
All settings are kept in efficient lists in kernel memory and flushed
to disk from there. Each partition has its own
unaccessible /rsbac.dat directly, which contains the binary files. By
design, noone shall edit the configuration, because then there is no
control over the changes. RSBAC controls every single attribute value
change you make.
> - How can I clone a hand-crafted configuration from one server to
another?
Make a backup into a restore script. There is a backup_all script in
the admin tools, which creates such a backup. You can edit it and
remove backups for modules you do not use to save some backup time.
At the new server, just boot in softmode, run the script as root and
reboot to get all daemons restarted.
> - Are there any practical examples around anywhere?
Mostly at the above URL and some snippets in various mails in the list
archives. We know we have to work on the handbook, but are all quite
busy with many other things.
Amon.
--
http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22
More information about the rsbac
mailing list