[rsbac] Searching for documentation

[Amon Ott]

On Thursday 01 February 2007 15:38, Markus Wernig wrote:
> I'm considering switching from grsec to rsbac for some of my more 
> important servers and have started a test setup based on Ubuntu 6.06 
> LTS. Now I'm trying to configure RSBAC for system protection, 
service 
> encapsulation and would like to assign file system and process 
> manipulation restrictions to group roles and add users to those 
roles 
> ... but simply can't find a starting point. The handbook section at 
> rsbac.org seems to more explain the underlying theoretical concepts 
than 
> show how to implement them in a live system, and google searches so 
far 
> didn't yield results fit for my humble understanding. I would be 
very 

Unfortunately, these parts of the handbook still have to be written. 
Some hands-on examples are available at 
http://www.rsbac.org/wiki/experiences/telmich

> grateful if somebody could point me to documentation covering the 
> following questions:
> - How do I start configuring rsbac? Is rsbac_menu the only entering 
> point? Are there no configuration files? Just what do you do after 
> rebooting into softmode?

You can also use the RSBAC command line tools. The menus are only 
useful wrappers for them. Usually you start with setting necessary 
AUTH capabilities or use the AUTH learning facility, then go on with 
the simple steps mentioned in 
http://www.rsbac.org/documentation/rsbac_handbook/configuration_basics/administration_examples/rsbac_samples

> - What do the zillions of configuration options of rsbac_menu and 
> friends mean? Where are they documented? The "help" function of 
> rsbac_menu on my system does exactly the same as the "cancel" 
function.

You can try the dialog version at download.rsbac.org, which displays 
the help texts correctly. The options are mostly documented there and 
in the command line tool help screens.

> - How is configuration stored if changed by the rsbac_* and attr_* 
> family of commands? How does it survive a reboot?

All settings are kept in efficient lists in kernel memory and flushed 
to disk from there. Each partition has its own 
unaccessible /rsbac.dat directly, which contains the binary files. By 
design, noone shall edit the configuration, because then there is no 
control over the changes. RSBAC controls every single attribute value 
change you make.

> - How can I clone a hand-crafted configuration from one server to 
another?

Make a backup into a restore script. There is a backup_all script in 
the admin tools, which creates such a backup. You can edit it and 
remove backups for modules you do not use to save some backup time. 
At the new server, just boot in softmode, run the script as root and 
reboot to get all daemons restarted.

> - Are there any practical examples around anywhere?

Mostly at the above URL and some snippets in various mails in the list 
archives. We know we have to work on the handbook, but are all quite 
busy with many other things.

Amon.
-- 
http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22