acls on a full production box?

Posted: Sun Nov 16, 2003 3:54 am
by Incognito

I really need some input on this, but I would like to start using grsecurity w/ gradm on production boxes; shared servers actually, for a number of reasons.

1. Limit as much access as possible to support personnel, leaving them with only the things they would need to access and use to diagnose/fix problems.

2. Pretty much number 1.

I'm admining boxes myself, but I am not familiar at all with ACLs and gradm. If I invoke full learning throughout the box on a shared server, will it bork the box? I currently have Apache run as nobody, but all CGI and PHP scripts are run using suexec.

Any input and advice is much appreciated.


Posted: Mon Mar 01, 2004 4:03 pm
by Blue Lightning
Basically, all learning mode does is take note when the program tries to do anything that violates any of the rules you have set up, and then allows it to continue. So, when in learning mode, you don't really have any protection, but it shouldn't prevent anything from working. If you leave it in learning mode for a day or two, you should find that it will have recorded most, if not all, of the things the program needs to be able to do.

Note that learning mode is applied on a per-executable basis (and can be inherited by child processes as well) rather than system-wide.

Posted: Mon Mar 01, 2004 4:06 pm
by Incognito
Wow, that's incredible. So if I run learning mode for Apache on a production server, it will pick up on all the necessary permissions for PHP and Perl scripts, including libraries they access and users' home directories?

Posted: Mon Mar 01, 2004 4:20 pm
by Blue Lightning
Yes. However, if Apache launches any external programs, then the actions they perform will not be counted (ACL inheritance is manual). Most of the time this is not a big problem - you just have to look for errors in the log for programs being run at the same time as the application you are trying to learn (sometimes you can see from the parent process which program you need to inherit from).

Posted: Mon Mar 01, 2004 6:22 pm
by cmouse
In production I'd go for a "good" basic ACL for the subject '/' and then extend and restrict without the 'o' flag. This way your ACLs stay small and it's rather easy to manage. Of course it's not as secure as creating your own ACLs for each process...
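A policy fragment tying the three answers above together, added here as an illustration and not taken from any post in the thread: a small base subject for '/' that the other subjects extend by omitting the 'o' override flag (cmouse's layout), an Apache subject carrying the 'l' flag so that per-subject learning records what the server actually needs, and the 'i' object flag on the interpreters Apache launches so that those child processes stay under the Apache subject instead of falling back to the base subject (the manual inheritance Blue Lightning describes). The paths /usr/sbin/httpd, /usr/sbin/suexec, /usr/bin/perl, /usr/bin/php and /var/www are assumptions chosen for the example.

```text
# Added example fragment for /etc/grsec/policy (grsecurity RBAC syntax).
# Assumed paths: /usr/sbin/httpd, /usr/sbin/suexec, /usr/bin/perl,
# /usr/bin/php, /var/www. Adjust to the real layout of the box.

role admin sA
subject / rvka
	/ rwcdmlxi

role default G
role_transitions admin

# Base subject: the "good" basic ACL for '/'. Every subject below that
# does NOT carry the 'o' flag starts from these objects and only adds
# or tightens what it needs, so the per-program ACLs stay short.
subject /
	/			r
	/bin			rx
	/usr/bin		rx
	/lib			rx
	/usr/lib		rx
	/etc			r
	/etc/grsec		h
	/boot			h
	/proc/kcore		h
	/tmp			rwcd
	-CAP_ALL
	bind	disabled
	connect	disabled

# Apache: no 'o', so it extends the base subject above. The 'l' flag
# enables per-subject learning when the policy is loaded with
#   gradm -L /etc/grsec/learning.logs -E
# Nothing is blocked for this subject while learning; violations are logged.
subject /usr/sbin/httpd l
	/etc/httpd		r
	/var/www		r
	/var/log/httpd		wa
	/var/run/httpd.pid	wcd
	# 'i' = inherit: when httpd execs these interpreters they keep running
	# under THIS subject, so their accesses are learned and enforced here
	# rather than under the base '/' subject.
	/usr/bin/perl		rxi
	/usr/bin/php		rxi
	# no 'i': suexec transitions to its own subject below
	/usr/sbin/suexec	rx
	+CAP_NET_BIND_SERVICE
	+CAP_SETUID
	+CAP_SETGID
	bind	0.0.0.0/0:80 stream tcp
	connect	disabled

# suexec changes uid to the script owner, so it gets its own subject.
# 'o' overrides inheritance: it does not receive httpd's objects.
subject /usr/sbin/suexec o
	/			h
	/lib			rx
	/usr/lib		rx
	/etc/passwd		r
	/etc/group		r
	/var/www		r
	/home			rx
	+CAP_SETUID
	+CAP_SETGID
	bind	disabled
	connect	disabled
```

After the learning period, gradm -L /etc/grsec/learning.logs -O /etc/grsec/policy writes a policy with the recorded accesses merged into the learning subjects; read the generated objects before re-enabling with gradm -E, since anything a compromised script did during the window would have been learned as legitimate. Full system learning, which the first post asks about, is a separate mode started with gradm -F -L /etc/grsec/learning.logs and does not use the 'l' flag; it builds subjects for everything on the box, which is why it is normally run on a staging copy rather than straight on a shared production server.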