rsbac-scripts README v0.0

• First
• SCRIPTS
• Partitioning

FIRST

Edit and modify /etc/sysconfig/rsbac you can decide if to

• switch off softmode _before_ all services in the current runlevel (i.e. /etc/rc.d/rc3.d/) are started (this is the default if all parameters in /etc/sysconfig/rsbac are set to NO or unset)
• switch off softmode _after_ all services in the current runlevel (i.e. /etc/rc.d/rc3.d/) are started, i.e. DELAYED_SOFTMODE=YES
• do not swith off softmode at all, i.e. MANUAL_SOFTMODE=YES

MANUAL_SOFTMODE=YES has prevalence on DELAYED_SOFTMODE=YES

Notice that the kernel boots in softmode due to problems with initrd and RSBAC.

The default values of /etc/sysconfig/rsbac are DELAYED_SOFTMODE=NO and MANUAL_SOFTMODE=YES, so the most UNsecure boot we can offer, otherwise you could not be able to boot at all!

SCRIPTS

In the bin/ directory there are the scripts which set the RSBAC configuration. You can start all of them by doing

cd scripts/bin/
./runall start

the 'start' parameter will set all the RSBAC protections, the 'stop' parameter will reset to the default configuration

Each script has a name which starts with 2 digits. Please adopt the following conventions

• the scripts distributed have an even number
• your personal scripts have an odd number
• NEVER modify a script distributed
• if you want to modify a distributed script, copy it to a one with an odd number and modify the odd version; remember to disable the distributed script or both of them will be run by runall

Obviously you can run manually each script passing to it the start/stop parameter.

Each script has a corresponding (same name) configuration file in the etc/ directory and (hopefully) a documentation file in the doc/ directory.

In the configuration file there is at least one parameter, ENABLED which by default is set to "YES" in most cases (but there are special scripts where is set to "NO" so that you have to manually enable the script) if you set it to anything else, the script will not do anything when you run it. If the configuration file does not exists, the script will do nothing. If the main file(s) of the related service are not installed, the script does nothing. So if you install something new, run the appropriate scripts or, if in doubt, run all of them.

In the scripts/contribute/ directory there are similar scripts which can be alternatives to the ones in the main dirs, or for extra packages or yet to be tested at all.

PARTITIONING

Some advice on partitioning: it could be helpful to have the following partitions:

/
/home
/var

and optionally

/usr
/usr/local
/tmp
/boot
/opt
/misc

Otherwise it can be useful to make /tmp a soft link to /var/tmp and /opt /misc soft links to /usr/local

RSBAC is anyway independent by your partitioning scheme, protections on top directories will be applied checking first if it is a soft link or a true directory.