[rsbac] New to RSBAC - pls help with initial policies setup conf.

Javier Juan Martínez Cabezón tazok at rsbac.org
Wed Mar 22 18:47:53 CET 2017 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 22/03/17 17:13, Lokesh Ubuntu wrote:
> Hello All, Am new to RSBAC and likely understand built available 
> options and now looking for help in writing and applying polices 
> and couldn't found much by googling, pls help me on 'whr to start?'
> 'How polices works?' and 'Polices writing sample/docs?'.
> 
> Thanks in advance!
> 
> Regards, Lokesh _______________________________________________ 
> rsbac mailing list rsbac at rsbac.org 
> http://www.rsbac.org/mailman/listinfo/rsbac
> 

Have you seen our handbook? as a starting point is good enough. Each
module (a.k.a decision module or ADF module) needs each one their own
policy. It would be a good idea to tell us what are you going to build
and which security requirements do you have.

 I suggest you to activate only AUTH, UM, RES, RC CAP and JAIL and to
use recent git kernel that implement W^X.

Initially you could start assigning to each init.d service each own
rc_forced_role and grant each binary implied in them their own
rc_type, not long ago I sent here an script to create initial roles
and types if you have low roles/types requirements it shall be good
enough for you it could have "logic bugs and other ones" as why the
hell my type numbers are multiple of four (and things like this), but
enough to run (sorry).

Login, and daemons and memory resident software (as tripwire) shall
run with their own role.

You can use AUTH, CAP and RC learning mode and make a regular use of
your system to allow rsbac to learn needed rights. After that I would
make a policy backup (with -p) and analize your policy and revoke all
unwanted rights (a.k.a request).

If you don't undestand something about our handbook or theory please ask

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJY0rjGAAoJEFfmTgt/w77fiaoP/3nJ2dmzHV6GglW58mnbR8GY
daPq+OsCSSjUqNpHCgtd370rShwOcOiZcMQgg3kezW5Ox/UeSgRDO82m2v1z967j
SIUxNJPJoiBENFqH8Q1R9F9r9/DSUC1S8rBOlLH1hCbt8BCHpmCjj8vgTdhJww78
sdcb5MHs6YZqna4C5uxNB9HtQ1NWUvmw0Ui+Dz7av2HigOrZ2ldRV05dQlJiDY2q
NmjTtaj/4nlrNQYTyN3tSvLMs3lDVMYjleDg3SmQ3UWOuAAvOgVOi9nrXYEHmyI7
UNRqMjmbGc5POYYXc8mW3B/xmtS+k+A8+lBj84piVSmwSoJ5+0r3s5AQ+KP1zuKh
+AehaNoR7hR+HHqtG2YYU4u0PbzTkskpIoCEDrTVUqUI8t7W2AC9718J8h7M5PcC
r1oAFQ+QJoFsM8JdiVq3ZCWSuDvoE7pe0dzW3k5shrm7zI9LqLRtftShzQmYBJdO
w87RBDbiRxNhE3SQBWq9sE6Yvklx0dLzWfZzwpjx2vzGWpjY9KYryIA/byWkHQL/
rl5QCUuxeAI7j26l+uDd8IFNBF1mM6LTSmyLD6jw/MU4LjMj/yMzXm8VAizMpJlC
3a75/OIvDBnOhk0lpoVEqE9FwqEk4/ljmKA5Cgm1YhC+bhrlY9doJmkawNTP1hRK
07XIVb8uUpvVRo1Q+H6H
=bDzV
-----END PGP SIGNATURE-----

More information about the rsbac mailing list