RSBAC/Quickstart

This document will guide you through the installation of the RSBAC on Gentoo Linux

Introduction
This guide will help you to install RSBAC on Gentoo Linux. It is assumed that the users have read the Introduction and the Overview already, so that they know what is RSBAC and its main concepts.

Emerging the RSBAC kernel
This step is pretty straight forward, thanks to the way Gentoo handles kernel installations. Start by emerging the kernel package with Portage:

Configuring the RSBAC kernel
We will now configure the kernel. It is recommended that you enable the following options, in the "Rule Set Based Access Control (RSBAC)" category:

{{Note|When planning to run a X Window server (such as X.org or XFree86), please also enable.

We will now configure PaX which is a complement of the RSBAC hardened kernel. It is also recommended that you enable the following options, in the "Security options ---> PaX" section.

{{KernelBox|title=Configuring PaX kernel options|1= [*] Enable various PaX features PaX Control ---> [*] Support soft mode ## (Turn that option off on a production kernel) [ ] Use legacy ELF header marking [ ] Use ELF program header marking Use ELF program header marking MAC system integration (direct) ---> (X) hook Non-executable pages ---> [*] Enforce non-executable pages (NEW) [*]  Paging based non-executable pages revert to SEGMEXEC if you are having issues)   [*]   Segmentation based non-executable pages (NEW)    [*] Restrict mprotect    [ ]   Disallow ELF text relocations ## (This option breaks too much applications as of now) Address Space Layout Randomization  --->    [*] Address Space Layout Randomization    [*]   Randomize user stack base    [*]   Randomize mmap base }}
 * 1) (You usually want to select the PAGEEXEC method on x86 since on newer PaXs,

{{Note|Refer to the PaX website for more information about PaX.}}

{{Note|Use the RSBAC admin utilities to manage PaX, instead of {{c|chpax}} or {{c|paxctl}} with the RSBAC kernel. You will be able to move to the PaX item and set the usual PaX flags.}}

{{RootCmd }}
 * rsbac_fd_menu /path/to/the/target/item
 * attr_set_file_dir FILE /path/to/the/target/item pax_flags [pmerxs]

You can now compile and install the kernel as you would do with a normal one concerning the other options.

{{Important|It is strongly suggested to build a second kernel without the softmode options, neither the AUTH option, in order to use in a production environment. Only do that once you finished testing and setting up policies, as it'll remove the possiblity of switching off the access control system.}}

Installation of the RSBAC admin utilities
In order to administrate your RSBAC enabled Gentoo, some userspace utilities are required. Those are included in the rsbac-admin package and it needs to be installed.

Once emerged, the package will have created a new user account on your system (secoff, with uid 400). He will become the security administrator during the first boot. This is the only user, who is able to change the RSBAC configuration. He will commonly be called the Security Officer.

First boot
At the first boot, login into the system won't be possible, due to the AUTH module restricting the programs privileges. To overcome this problem please boot into softmode using the following kernel parameter (in lilo or GRUB configuration):

The login application is managing user logins on the system. It needs rights to setuid, which we will now give:

Login as the Security Officer (secoff) and allow logins to be made by entering the following command:

As an alternative, if softmode is not enabled, use the following kernel parameter in order to allow login at boot time:

Creating a policy for OpenSSH
Because there is almost no policy made yet (except the one generated during the first boot), the AUTH module does not allows UID changes.

Thanks to the intelligent learning mode there is an easy way to alleviate this new problem: The AUTH module can automagically generate the necessary policy by watching services while they start up, and note the uids they are trying to switch to. For example to teach the AUTH module about the UIDs needed by (OpenSSH daemon), do the following:

Enable the learning mode for :

Start the service:

Disable the learning mode:

Now should be working as expected again, congratulations, you made your first policy :) The same procedure can be used on every other daemon you will need.

You can enable the global learning mode by issuing this kernel parameter at boot time:

Participation
It is also strongly suggested participants subscribe to the gentoo-hardened mailing-list. It is generally a low traffic list, and RSBAC announcements for Gentoo will be available there. Connecting to the channel on Freenode is also a good way to participate. We also recommend subscribing to the RSBAC mailing-list and interacting in the channel on Freecode. Please also check the hardened FAQ; there is a possibility questions might already be covered in this document.

Resources

 * RSBAC Official site