force rbac settings

Submit your RBAC policies or suggest policy improvements

force rbac settings

Postby xxx » Sun Jan 15, 2012 1:33 pm

Code: Select all
# gradm -E
Viewing access is allowed by role default to /dev/kmem.  This could allow an attacker to modify the code of your running kernel.

Viewing access is allowed by role default to /dev/mem.  This would allow an attacker to modify the code of programs running on your system.

Viewing access is allowed by role default to /dev/port.  This would allow an attacker to modify the code of programs running on your system.

Viewing access is allowed by role default to /proc/kcore.  This would allow an attacker to view the raw memory of processes running on your system.

Reading access is allowed by role default to /dev, the directory which holds system devices.

Read access is allowed by role default to /sys, the directory which holds entries that often leak information from the kernel.

Reading access is allowed by role default to /proc/slabinfo, an entry that provides useful information to an attacker for reliable heap exploitation in the kernel.

Reading access is allowed by role default to /proc/modules, an entry that provides useful kernel addresses to an attacker for reliable exploitation of the kernel.

Reading access is allowed by role default to /lib/modules, the directory which holds kernel kernel modules.  The ability to read these images provides an attacker with very useful information for launching "ret-to-libc" style attacks against the kernel.

Reading access is allowed by role default to /proc/kallsyms, a pseudo-file that holds a mapping between kernel addresses and symbols.  This information is very useful to an attacker in sophisticated kernel exploits.

Warning: object does not exist in role :::kernel:::, subject /lib/ld-linux.so.2 for the target of the symlink object /lib/ld-linux.so.2 specified on line 494 of /etc/grsec/policy.
There were 10 holes found in your RBAC configuration.  These must be fixed before the RBAC system will be allowed to be enabled.


is possible to force this settings? I just wanna use default system settings and only restrict that what i wanna by hand in policy
xxx
 
Posts: 7
Joined: Sun Jan 15, 2012 10:37 am

Re: force rbac settings

Postby spender » Mon Jan 16, 2012 7:33 pm

It can't be used in the way you want -- a way that would produce only a false sense of security. There are plenty of other "solutions" that could do what you want. For example, SELinux allows script kiddies to replace sshd binaries, undetectable by administrators for several months!

You're of course free to modify the source to gradm to remove the checks.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Re: force rbac settings

Postby xxx » Mon Jan 16, 2012 10:39 pm

Hi, but this is my home server, where I dont use RBAC, only grsec kernel, I just wanna hide some files for testing/"security"/learning etc ;)
xxx
 
Posts: 7
Joined: Sun Jan 15, 2012 10:37 am


Return to RBAC policy development