acls on a full production box?


Postby Incognito » Sun Nov 16, 2003 3:54 am

Hi,

I really need some input on this, but I would like to start using grsecurity w/ gradm on production boxes. Shared servers actually, for a number of reasons.

1. limit as much access as possible to support personnel. Leaving them with only things they would need to access and use to diagnose/fix problems.

2. Pretty much number 1.

I'm admining boxes myself, but I am not familiar at all with ACLs and gradm. If I invoke full learning throughout the box of a shared server, will it bork the box? I currently have apache run as nobody, but all cgi and php scripts are run using suexec.

Any input and advice is much appreciated.

Dean
Incognito
Posts: 11
Joined: Sat May 10, 2003 7:53 pm

Postby Blue Lightning » Mon Mar 01, 2004 4:03 pm

Basically, all learning mode does is take note when the program tries to do anything that violates any of the rules you have set up, and then allows it to continue. So when in learning mode you don't really have any protection, but it shouldn't prevent anything from working. If you leave it in learning mode for a day or two you should find that it will have recorded most if not all of the things the program needs to be able to do.

Note that learning mode is applied on a per-executable basis (and can be inherited by child processes as well) rather than system-wide.
Blue Lightning
Posts: 5
Joined: Mon Mar 01, 2004 3:44 pm

Postby Incognito » Mon Mar 01, 2004 4:06 pm

Wow that's incredible. So if I run learning mode for apache on a production server, it will pick up on all the necessary permissions for php, perl scripts including libraries they access and user's home directories?
Incognito
Posts: 11
Joined: Sat May 10, 2003 7:53 pm

Postby Blue Lightning » Mon Mar 01, 2004 4:20 pm

Yes. However, if Apache launches any external programs then actions they perform will not be counted (ACL inheritance is manual). Most of the time this is not a big problem - you just have to look for errors in the log for programs being run at the same time as the application you are trying to learn (sometimes you can see from the parent process which program you need to inherit from).
Blue Lightning
Posts: 5
Joined: Mon Mar 01, 2004 3:44 pm

Postby cmouse » Mon Mar 01, 2004 6:22 pm

In production I'd go for a "good" basic ACL for the subject '/' and then extend and restrict without the 'o' flag. This way your ACLs stay small and it's rather easy to manage. Of course it's not as secure as creating your own ACLs for each process...
cmouse
Posts: 98
Joined: Tue Dec 17, 2002 10:58 am
Location: Espoo, Finland
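The layout cmouse describes, written out as an added example in gradm policy syntax; it is not from this thread or from the grsecurity sample policy, and every path, object mode, capability and port in it is an assumption for illustration. It also shows where the per-executable learning flag from Blue Lightning's reply goes.

```text
# Added example, not from the thread. Paths (/usr/sbin/httpd, /var/www,
# /etc/httpd, /var/log/httpd) and the rule lists are assumed for illustration.

role default G
role_transitions admin

# Basic subject for '/': a restrictive default. Every other subject that
# does NOT carry the 'o' (override) flag inherits these rules.
subject /
	/			r
	/bin			rx
	/lib			rx
	/usr			rx
	/etc			r
	/etc/shadow		h
	/etc/grsec		h
	/boot			h
	/proc			r
	/proc/kcore		h
	/dev/null		rw
	/dev/urandom		r
	/tmp			rwcd
	/var/log		r
	/home			h
	-CAP_ALL
	bind	disabled
	connect	disabled

# Web server subject without 'o': it keeps everything above and only adds
# (docroot, config, log append, port 80) or narrows (/home readable, not
# hidden) what the daemon needs, so the ACL stays short.
# To record these rules first instead of writing them by hand, append the
# learning flag for this one executable:  subject /usr/sbin/httpd l
subject /usr/sbin/httpd
	/etc/httpd		r
	/var/www		r
	/var/log/httpd		a
	/home			r
	-CAP_ALL
	+CAP_NET_BIND_SERVICE
	+CAP_SETUID
	+CAP_SETGID
	bind	0.0.0.0/0:80 stream tcp
	connect	disabled
```

Programs the server execs (suexec'd CGI, for instance) fall back to the '/' subject unless they get a subject of their own, which is the gap Blue Lightning points out above.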
