README see at the bottom for license and disclaimer This kernel provides limited protection for normal workstation users. RSBAC modules compiled in are: - DAZ: Dazuko/Clamuko module: requires clamd (part of clam antivirus) and checks on access each file for viruses/worms etc. - PAX: protects against buffer overflow and similar attacks - RES: limits use of resources - FF: simple modules which allows to set rights on files controlled by the kernel This kernel depends on clamd for OnAccess antivirus scanning. See INSTALL file for installation instructions. WARNING: not all executables (programs) are able to run under the default PaX protections. See the INSTALL file for how to allow such programs to run (and PLEASE report them). WARNING: access to files requires more time than without DAZ, for single files there is practically no reduction but for big searches (like 'grep -r' and similar) the added time can be very significant - for good results, use on FAST CPU (let say approx. 2GHZ) with reasonable amount of RAM, i.e. at least 256MB ========================================================================= DESCRIPTION This (experimental) kernel does _not_ provide Mandatory Access Control (MAC) features, but aims to protect normal workstation users from - buffer overflows and similar (PaX) - exhaustion of resources (RES) - virus, worms and similar (DAZ + clamd) Each user can add simple MAC features using the FF module. ATTENTION: due to the absence of the AUTH module, root is allowed to become the user secoff without knowing secoff's password. This allows anyone who becomes root, to change the RSBAC configuration and in case to stop it all together. This is the choice for the moment, since the introduction of AUTH module requires either much manual intervention by the user, or extensive modifications of default configuration settings, too much work for the moment (so much work that it could lead to a new Linux distribution...) Any comments and contributions are of course WELCOME! ======================================================================== LICENSES AND DISCLAIMER (c) 2002-2005 Andrea Pasquinucci on the work done by me. All rights reserved. All lefts may or may not be reversed at my discretion on my work. Software is under GPLv2 as usual being the Linux kernel and Amon Ott RSBAC patch and admin tools. My contribution is packaging and creating the scripts in the rsbac-scripts rpm under the same license. Documentation is under the CreativeCommons Attribution-ShareAlike 2.0 license that can be found at http://creativecommons.org/licenses/by-sa/2.0/ A note on signatures on the rpm. I remind you that a signature just identifies the private key with which the signature has been done. You have no way of knowing who has done the signature, even less who has written the code. Anybody can create a PGP/GPG key writing my name in it, and you do not know who can have a copy of any private key I use. So it is up to you to give any meaning to the signature of an rpm package, but for sure it does _not_ implies any guarantee from me or anybody else. If you feel unsure about install something since you do not know who has written it and how (are there backdoors or something else?), well you are better writing your own Operating System and applications, that's the only way. This software is provided "as is" with no warranties whatsoever, expressed or implied. Any risk, damage or responsability of any possible kind in using this software is on you. The public PGP key used to sign the packages from 2005 is at http://www.ucci.it/urpm_pub_key.asc fingerprint = 569B 37F6 45A4 1A17 E06F CCBB CB51 2983 6494 0DA249E FB53 D39C 4EC8 Andrea Pasquinucci cesare-AT-ucci.it