Thread: Which security solution?

Which security solution?
2007-04-15 14:59:09
Hi,

I'm searching for a security solution. Since I like the UNIX permissions, SELinux is not my favorite. I also would like to activate those additional rules for several processes only. I don't want to have them systemwide. It's for keeping an eye on those programs which are reachable from the internet.

From my investigations, systrace or AppArmor would fit. Both are not available for Gentoo AFAIK. Is it possible to do this with
- Grsecurity/RBAC?
- RSBAC?
- SELinux?
To be precise, the default rule shall be: Allow everything.

I simply want to keep programs like qmail-ldap, dovecot and so on within their allowed limits.

Regards,
    Aiko
-- 
:wq
-- 
gentoo-hardenedgentoo.org mailing list


Re: Which security solution?
2007-04-15 15:39:36

> To be precise, the default rule shall be: Allow everything.
> I simply want to keep programs like qmail-ldap, dovecot and so on
> within their allowed limits.

Hi Aiko,

I hope I understood correctly, but if all you want is to ensure the limits of a few processes there are afaik two easy methods that do not require systemwide settings.

1) You could try simply jailing them into a chroot. This will keep the apps you want to have under greater control separated from the rest of the system and thus limits their damage potential immensely. Just make sure that your chroot is secure and there is no way out. A great tool to help with this would be JailKit (http://olivier.sessink.nl/jailkit/).

2) You can use the hardened sources to get access to GRSEC enhancements. The option you'll need is called CONFIG_GRKERNSEC_AUDIT_GROUP. This will allow you to specify a gid to monitor. Simply make all the processes you want to thoroughly audit members of a special group (e.g. call it "untrusted"). Then activate all the special logging options you want. This can be very comprehensive and produce a LOT of logs, so be careful. You could also activate CONFIG_GRKERNSEC_SOCKET and specify another gid to restrict the usage of sockets. However this appears to be rather unlikely since you said you want to tighten your grip on applications holding a port.

I think combining both of them would give you a good start in hardening your system the way you want it.

If I understood your request in a wrong way, please let me know.

Many Greetings
Paul
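A sanity check for the grsec audit-group setup described in Paul's second point, added here as an example and not taken from the thread: it verifies that the audit group is enabled in the kernel config, that the gid the kernel was built with matches the gid of the "untrusted" group, and that each daemon user is actually a member of it. It assumes CONFIG_GRKERNSEC_AUDIT_GID is the option carrying the gid, and it reads constructed .config and /etc/group fragments instead of the real files so it runs anywhere.

```shell
#!/bin/sh
# Constructed sample inputs (not from a real system): a kernel .config
# fragment and an /etc/group fragment. On a live box you would read
# /proc/config.gz (or /usr/src/linux/.config) and /etc/group instead.
KCONFIG='CONFIG_GRKERNSEC=y
CONFIG_GRKERNSEC_AUDIT_GROUP=y
CONFIG_GRKERNSEC_AUDIT_GID=1007
# CONFIG_GRKERNSEC_SOCKET is not set
'
GROUPS_FILE='root:x:0:
untrusted:x:1007:qmaild,dovecot
mail:x:12:
'

# Print the numeric value of a CONFIG_..._GID option (empty if unset).
kconfig_gid() {          # $1 = option name, e.g. CONFIG_GRKERNSEC_AUDIT_GID
    printf '%s\n' "$KCONFIG" | sed -n "s/^$1=\([0-9]*\)$/\1/p"
}

# Exit 0 if a boolean option is built in ("=y"), 1 otherwise.
kconfig_enabled() {      # $1 = option name
    printf '%s\n' "$KCONFIG" | grep -q "^$1=y$"
}

# Print the gid of a named group from the /etc/group data.
group_gid() {            # $1 = group name
    printf '%s\n' "$GROUPS_FILE" | awk -F: -v g="$1" '$1==g {print $3}'
}

# Exit 0 if user $2 is listed in the member field of group $1.
user_in_group() {
    printf '%s\n' "$GROUPS_FILE" | awk -F: -v g="$1" -v u="$2" '
        $1==g { n=split($4, m, ","); for (i=1;i<=n;i++) if (m[i]==u) ok=1 }
        END { exit (ok ? 0 : 1) }'
}

# Report every way the setup can silently do nothing: feature off,
# kernel gid != group gid, or a daemon user missing from the group.
check_audit_group() {    # $1 = group name, remaining args = daemon users
    grp=$1; shift; rc=0
    kconfig_enabled CONFIG_GRKERNSEC_AUDIT_GROUP || { echo "AUDIT_GROUP off"; return 1; }
    kgid=$(kconfig_gid CONFIG_GRKERNSEC_AUDIT_GID); ggid=$(group_gid "$grp")
    [ -n "$ggid" ] && [ "$kgid" = "$ggid" ] || { echo "gid mismatch: kernel=$kgid group=$ggid"; rc=1; }
    for u in "$@"; do
        user_in_group "$grp" "$u" || { echo "$u is not in group $grp"; rc=1; }
    done
    return $rc
}

check_audit_group untrusted qmaild dovecot && echo "audit group OK"
```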


Re: Which security solution?
2007-04-17 16:48:51
On Sun, 15 Apr 2007 21:59:09 +0200
Aiko Barz <aikochroot.de> wrote:

> To be precise, the default rule shall be: Allow everything.
> I simply want to keep programs like qmail-ldap, dovecot and so on
> within their allowed limits.

This is exactly what the SELinux targeted policy is designed to do.