RSBAC/Quickstart

This document will guide you through the installation of the RSBAC on Gentoo Linux

Introduction
This guide will help you to install RSBAC on Gentoo Linux. It is assumed that the users have read the Introduction and the Overview already, so that they knows what is RSBAC and its main concepts.

Emerging the RSBAC kernel
This step is pretty straight forward, thanks to the way Gentoo handles kernel installations. Start by emerging the rsbac-sources kernel from your portage.

Configuring the RSBAC kernel
We will now configure the kernel. It is recommended that you enable the following options, in the "Rule Set Based Access Control (RSBAC)" category:

We will now configure PaX which is a complement of the RSBAC hardened kernel. It is also recommended that you enable the following options, in the "Security options ---> PaX" section.

You can now compile and install the kernel as you would do with a normal one concerning the other options.

Installation of the RSBAC admin utilities
In order to administrate your RSBAC enabled Gentoo, some userspace utilites are required. Those are included in the rsbac-admin package and it needs to be installed.

Once emerged, the package will have created a new user account on your system (secoff, with uid 400). He will become the security administrator during the first boot. This is the only user, who is able to change the RSBAC configuration. He will commonly be called the Security Officer.

First boot
At the first boot, login into the system won't be possible, due to the AUTH module restricting the programs privileges. To overcome this problem please boot into softmode using the following kernel parameter (in your lilo or grub configuration):

Softmode kernel parameter

The login application is managing user logins on the system. It needs rights to setuid, which we will now give:

Login as the Security Officer (secoff) and allow logins to be made by enterering the following command:

As an alternative, if softmode isn't enabled, you can also use the following kernel parameter in order to allow login at boot time:

Creating a policy for OpenSSH
Because there is almost no policy made yet (except the one generated during the first boot), the AUTH module does not allows uid changes.

Thanks to the intelligent learning mode there is an easy way to alleviate this new problem: The AUTH module can automagically generate the necessary policy by watching services while they start up, and note the uids they are trying to switch to. For example to teach the AUTH module about the uids needed by sshd (OpenSSH daemon), do the following:

Enable the learning mode for sshd:

Start the service

Disable the learning mode

Now sshd should be working as expected again, congratulations, you made your first policy :) The same procedure can be used on every other daemon you will need.

You can enable the global learning mode by issuing this kernel parameter at boot time:

Further information
It is also strongly suggested that you subscribe to the gentoo-hardened mailing-list. It is generally a low traffic list, and RSBAC announcements for Gentoo will be available there. We also recommend you to subscribe to the RSBAC mailing-list. Please also check the hardened FAQ as your questions might already be covered in this document.

Acknowledgements
We would like to thank the following authors and editors for their contributions to this guide:


 * Michal Purzynski
 * Guillaume Destuynder