http://rsbac.gg3.net/ 2010-03-13T09:23:51+09:00 http://rsbac.gg3.net/ http://rsbac.gg3.net/lib/images/favicon.ico text/html 2010-03-06T00:39:30+09:00 kang http://rsbac.gg3.net/documentation/dev/scm/git?rev=1267803570&do=diff1267803570 Git Git is the version tracking system used by the Linux kernel and increasingly many others. Why? * it is fast * it is compact * it is fully distributed * it is widely supported * it let us import upstream changes directly A simple example: The current rsbac-2.6 svn/svk repository is 1.2G, the same git repository is 367M. text/html 2010-03-05T00:56:46+09:00 kang http://rsbac.gg3.net/download?rev=1267718206&do=diff1267718206 All the RSBAC code is copyrighted (c) 1997-2009 by Amon Ott <ao@rsbac.org> (except where explicitly stated otherwise in the code), and published under the GNU General Publishing License v2. Please consult the RSBAC copyright notice for details. text/html 2010-03-05T00:51:18+09:00 kang http://rsbac.gg3.net/site/sidebar?rev=1267717878&do=diff1267717878 Stable: 1.4.3 kernel: * 2.6.31+ Full RSBAC kernels Lazy of patching ? Get the already rsbac-patched kernel. Choose your flavor. Classic kernels Includes vanilla kernel with the RSBAC patch * 2.6.31 Enhanced kernels PaX+RSBAC kernels text/html 2010-03-02T21:37:59+09:00 kang http://rsbac.gg3.net/todo?rev=1267533479&do=diff1267533479 RSBAC Progression and Roadmap This page reflects our current work queue - if you miss anything here, it will probably not happen. Please discuss any wishes on the at <rsbac@rsbac.org> or open a bug. The RSBAC development team. Planned for the next release 1.5 * CAP learning mode for single programs. (possibly 1.4 feature) * Persistent transactions, preserved between reboots. * RC learning mode - per role, with object types already set before learning. Learn only access rights. Use … text/html 2010-02-27T03:15:38+09:00 Igraltist http://rsbac.gg3.net/wiki/experiences/igraltist/rc?rev=1267208138&do=diff1267208138 Back to igraltist's experiences / RC Modules RC Module RC Testsetup Prepare the System to get more verbose description what is missing on RC you should set this debug options. Append in the ``/boot/grub/menu.lst`` for the used rsbac-kernel on line ``kernel`` text/html 2010-02-27T01:53:06+09:00 kang http://rsbac.gg3.net/documentation/rsbac_handbook/configuration_basics?rev=1267203186&do=diff1267203186 Configuration You should now have a bootable and usable RSBAC system. You are probably able to boot with the rsbac_softmode boot parameter or rsbac_auth_enable_login (see First Boot) The next step is to understand what needs to be taken care of, i.e.: to be secured on your system. text/html 2010-02-26T03:50:50+09:00 Igraltist http://rsbac.gg3.net/wiki/experiences/igraltist/rc_old?rev=1267123850&do=diff1267123850 RC Module RC Testsetup Prepare the System to get more verbose description what is missing on RC you should set this debug options. Append in the ``/boot/grub/menu.lst`` for the used rsbac-kernel on line ``kernel`` rsbac_softmode rsbac_nosyslog rsbac_cap_process_hiding rsbac_debug_adf_auth rsbac_debug_adf_rc rsbac_debug_adf_jail rsbac_debug_adf_um rsbac_debug_jail_log_missing_rbsac_debug_cap_log_missing This can enter on grubs promt too. text/html 2010-02-26T03:48:54+09:00 Igraltist http://rsbac.gg3.net/wiki/experiences/igraltist?rev=1267123734&do=diff1267123734 This article describes how to run a VM on a host which has RSBAC + PaX enabled. My choice is KVM, because it is the easiest to use and already included in the mainline kernel. It performs so well that you can work on the guest system without even noticing that it is a VM. text/html 2010-02-21T02:50:24+09:00 Igraltist http://rsbac.gg3.net/wiki/experiences/igraltist/patches/r819?rev=1266688224&do=diff1266688224 This patch working on r819. <http://pax.grsecurity.org/test/pax-linux-2.6.32.8-test17.patch> diff -r -u rsbac_2.6.32.8-r819_pax/fs/exec.c rsbac_2.6.32.8-r819/fs/exec.c --- rsbac_2.6.32.8-r819_pax/fs/exec.c 2010-02-20 17:38:53.634180054 +0100 +++ rsbac_2.6.32.8-r819/fs/exec.c 2010-02-20 17:58:20.359693616 +0100 @@ -57,11 +57,24 @@ #include <linux/fs_struct.h> #include <linux/pipe_fs_i.h> +#include <linux/random.h> +#include <linux/seq_file.h> + +#ifdef CONFIG_PAX_REFCOUNT +#include <linux… text/html 2010-02-21T02:42:54+09:00 Igraltist http://rsbac.gg3.net/wiki/experiences/igraltist/patches?rev=1266687774&do=diff1266687774 This site contain the patches wich are need if PAX was applied to the rsbac-kernel-source.Iam using the schema r723 as example to associated it with the latest svn update number. Patches * r795 * r802 * r819 text/html 2009-12-03T20:43:17+09:00 kang http://rsbac.gg3.net/home/2009/12/03/123537?rev=1259840597&do=diff1259840597 OpenSource patches Thursday, 3/Dec/2009 m-privacy GmbH, the main company funding RSBAC development has opened a new open source website, containing patches and packages for various projects, which you might find interesting. Specially, you can currently find a few security related patches: text/html 2009-12-03T20:35:11+09:00 kang http://rsbac.gg3.net/links?rev=1259840111&do=diff1259840111 Linux Distributions with RSBAC * [[Adamantix]] (started as Trusted Debian) * [[<http://www.gentoo.org/proj/en/hardened/rsbac/>|Gentoo Linux]] However various users provide support. * Mandriva * T2 * Annvix * ALT Linux Castle * Kaladix Linux * Sniffix, Bencsath Boldizsar made a Knoppix based live CD for RSBAC demonstration. Please read the description first before downloading text/html 2009-12-03T20:33:05+09:00 kang http://rsbac.gg3.net/support?rev=1259839985&do=diff1259839985 Array GmbH Professional Support Please contact Amon Ott <ao@m-privacy.de> for RSBAC tutorials and workshops, custom setups, security consulting, software development and a handful of other services. Services are provided in English or German languages. text/html 2009-11-28T00:48:57+09:00 kang http://rsbac.gg3.net/home/2009/11/27/163138?rev=1259336937&do=diff1259336937 RSBAC 1.4.3 Friday, 27/Nov/2009 RSBAC 1.4.3 has been released for kernel 2.6.31.6. This release focus on adding new learning mode for the RC and CAP modules. We hope you will enjoy it! Most Important changes since 1.4.2: * Make RCU rate limit boot and runtime configurable * Move AUTH auth_program_file kernel-only attribute to GEN program_file * Implement CAP learning mode for user and program max_caps * Add global RC learning mode for role rights to types * Optionally put learnin… text/html 2009-11-27T21:18:33+09:00 kang http://rsbac.gg3.net/download/quick?rev=1259324313&do=diff1259324313 Quick Install Install from pre-patched sources: * Unpack pre-patched kernel source tree: tar xvjf linux-X.Y.Z-rsbac-va.b.c-bfN.tar.bz2 * cd linux-X.Y.Z-rsbac-va.b.c-bfN * Apply all bugfixes for this RSBAC release with higher number than N (from -bfN) in the same manner, e.g.: cat rsbac-bugfix-vX.Y.Z-M | patch -p1. * make menuconfig * touch Makefile * make dep bzImage modules modules_install * Install the new kernel arch/<arch-name>/boot/bzImage with your favourite boot loader. text/html 2009-11-12T22:22:56+09:00 ao http://rsbac.gg3.net/documentation/rsbac_handbook/appendixes/rsbac_reference/kernel_parameters?rev=1258032176&do=diff1258032176 Kernel Boot Parameters The RSBAC kernel accepts the following boot parameters: General * rsbac_no_defaults: suppress creation of default settings, useful for restore from existing backup. Warning: An unconfigured system will only come up in softmode or maint mode, and softmode will produce loads of logging (see rsbac_nosyslog option...). * rsbac_dac_disable (only, if enabled in kernel config): disable Linux DAC * rsbac_nosyslog: do not log to syslog for this boot time * rsbac_no_init… text/html 2009-11-12T20:01:55+09:00 ao http://rsbac.gg3.net/wiki/people_using_rsbac?rev=1258023715&do=diff1258023715 Note: this page is reviewed every now and then. Please respect the entries made by other people. Thank you. List of people using RSBAC Companies * m-privacy GmbH, Germany - Supports and help the development RSBAC. Selling RSBAC-enabled products. * Data Contact Kft., Hungary - RSBAC protected firewalls and servers. * BME Crysys Lab, Hungary - Teaching how access control schemes work, laboratory exercise. text/html 2009-10-29T08:21:19+09:00 Igraltist http://rsbac.gg3.net/wiki/experiences/igraltist/patches/r802?rev=1256772079&do=diff1256772079 Back to igraltist's experiences diff -u --recursive rsbac_2.6.31.5/fs/exec.c rsbac_2.6.31.5_r802/fs/exec.c --- rsbac_2.6.31.5/fs/exec.c 2009-10-28 23:55:52.844771089 +0100 +++ rsbac_2.6.31.5_r802/fs/exec.c 2009-10-28 23:43:38.169770699 +0100 @@ -55,12 +55,23 @@ #include <linux/kmod.h> #include <linux/fsnotify.h> #include <linux/fs_struct.h> +#include <linux/random.h> +#include <linux/seq_file.h> +#ifdef CONFIG_PAX_REFCOUNT +#include <linux/kallsyms.h> +#include <linux/kdebug.h> +#endif … text/html 2009-10-29T08:20:29+09:00 Igraltist http://rsbac.gg3.net/wiki/experiences/igraltist/patches/r795?rev=1256772029&do=diff1256772029 Back to igraltist's experiences diff -u --recursive rsbac_2.6.31.2_r795/fs/exec.c rsbac_2.6.31.2_pax_r795/fs/exec.c --- rsbac_2.6.31.2_r795/fs/exec.c 2009-10-11 20:58:27.280751933 +0200 +++ rsbac_2.6.31.2_pax_r795/fs/exec.c 2009-10-11 20:13:22.599876807 +0200 @@ -55,12 +55,23 @@ #include <linux/kmod.h> #include <linux/fsnotify.h> #include <linux/fs_struct.h> +#include <linux/random.h> +#include <linux/seq_file.h> +#ifdef CONFIG_PAX_REFCOUNT +#include <linux/kallsyms.h> +#include <linux/k… text/html 2009-10-29T08:17:53+09:00 Igraltist http://rsbac.gg3.net/wiki/experiences/igraltist/patches/r801?rev=1256771873&do=diff1256771873 diff -u --recursive rsbac_2.6.31.2_r795/fs/exec.c rsbac_2.6.31.2_pax_r795/fs/exec.c --- rsbac_2.6.31.2_r795/fs/exec.c 2009-10-11 20:58:27.280751933 +0200 +++ rsbac_2.6.31.2_pax_r795/fs/exec.c 2009-10-11 20:13:22.599876807 +0200 @@ -55,12 +55,23 @@ #include <linux/kmod.h> #include <linux/fsnotify.h> #include <linux/fs_struct.h> +#include <linux/random.h> +#include <linux/seq_file.h> +#ifdef CONFIG_PAX_REFCOUNT +#include <linux/kallsyms.h> +#include <linux/kdebug.h> +#endif #include <asm/uac…