http://www.rsbac.org/ 2008-08-18T14:28:33+02:00 http://www.rsbac.org/ http://www.rsbac.org/lib/images/favicon.ico text/html 2008-08-18T14:27:25+02:00 http://www.rsbac.org/wiki/experiences/igraltist/kvm_guest_jail?rev=1219062445&do=diff1219062445 Back to igraltist's experiences Based on the run-jail script and kvm-admin i do this. kvm-jail-config ; ; RSBAC JAIL definition for kvm ; 20080507 ; ; Tested by igraltist ; "" "0.0.0.0" (allow-dev-read allow-dev-write allow-ipc-syslog allow-ipc-parent allow-inet-raw allow-all-net-family) (net-raw setgid setuid dac-override net-admin dac-read-search sys-resource sys-module) () (rlimit) text/html 2008-08-11T10:45:40+02:00 http://www.rsbac.org/wiki/experiences/igraltist?rev=1218444340&do=diff1218444340 Running a VM on a host wich has RSBAC + PaX as kernelfeatures. My choose is the KVM, because ist the easiest for use and already included in the the mainline kernel. Its has enough performace to work on the guest without knowing that it’s a virtualized machine. text/html 2008-08-11T00:43:18+02:00 http://www.rsbac.org/wiki/experiences/igraltist/run-jail?rev=1218408198&do=diff1218408198 Back to igraltist's experiences run-jail is a python-script. Two files are nessesary to using it. * run-jail.py * jail_configparser.py syntax for configfile ; example daemon ; date 0.0.0000 ; testet by "" "0.0.0.0" () () () () explanation the syntax The jailconfigurationfile is seperated in 6 categories, but only 4 working in the moment. text/html 2008-08-11T00:41:10+02:00 http://www.rsbac.org/wiki/experiences/igraltist/kvm?rev=1218408070&do=diff1218408070 Back to igraltist's experiences software packages The follow softwarepackages is required: * iproute2 * brctl * tunctl * tightvnc (for example this vncserver) * subversion ( optinal can be on the workstation ) Other packages should be on default installation. text/html 2008-07-22T16:55:18+02:00 kang http://www.rsbac.org/site/sidebar?rev=1216738518&do=diff1216738518 Stable: 1.3.7 for kernels: * 2.4.36 * 2.6.23.14 Devel 1.4: 1.4.0-pre1 for kernels: * 2.4.35.4 * 2.6.23.9 Full RSBAC kernels Lazy of patching ? Get the already rsbac-patched kernel. Choose your flavor. Classic kernels Includes vanilla kernel with the RSBAC patch text/html 2008-07-15T17:29:42+02:00 http://www.rsbac.org/wiki/experiences/igraltist/jail_syslog-ng?rev=1216135782&do=diff1216135782 --- syslog-ng_org 2008-07-14 02:42:13.000000000 +0200 +++ syslog-ng 2008-07-14 02:42:33.000000000 +0200 @@ -36,7 +36,7 @@ checkconfig || return 1 ebegin "Starting syslog-ng" [ -n "${SYSLOG_NG_OPTS}" ] && SYSLOG_NG_OPTS="-- ${SYSLOG_NG_OPTS}" - start-stop-daemon --start --quiet --exec /usr/sbin/syslog-ng ${SYSLOG_NG_OPTS} + run-jail syslog-ng start-stop-daemon --start --quiet --exec /usr/sbin/syslog-ng ${SYSLOG_NG_OPTS} eend $? "Failed to start syslog-ng" } text/html 2008-07-14T08:39:29+02:00 http://www.rsbac.org/wiki/experiences/igraltist/jail_rsync?rev=1216017569&do=diff1216017569 ; ; RSBAC JAIL definition for rsync ; 20080507 ; ; Tested by igraltist "" "0.0.0.0" (allow-external-ipc allow-dev-read allow-dev-write allow-ipc-parent) () () (rlimit) rsync This is execute now: rsbac_jail -i -d -D -P -M rlimit rsync rsync version 3.0.2 protocol version 30 text/html 2008-07-14T08:35:56+02:00 http://www.rsbac.org/wiki/experiences/igraltist/jail_wget?rev=1216017356&do=diff1216017356 ; ; RSBAC JAIL definition wget ; ; "" "0.0.0.0" (allow-dev-write allow-dev-read) () () () wget rsbac.org This is execute now: rsbac_jail -D -d wget rsbac.org --2008-07-14 08:35:32-- http://rsbac.org/ text/html 2008-07-14T08:34:30+02:00 http://www.rsbac.org/wiki/experiences/igraltist/jail_ping?rev=1216017270&do=diff1216017270 ; ; RSBAC JAIL definition ping ; 2.10.06 ; "" "0.0.0.0" ;"192.168.1.1" (allow-dev-write allow-dev-read allow-inet-raw) () () () ping rsbac.org This is execute now: rsbac_jail -D -d -r ping rsbac.org PING rsbac.org (81.169.183.215) 56(84) bytes of data. text/html 2008-07-14T05:13:05+02:00 http://www.rsbac.org/wiki/experiences/igraltist/jail_squid?rev=1216005185&do=diff1216005185 --- squid_org 2008-07-14 05:09:33.000000000 +0200 +++ squid 2008-07-05 16:35:50.000000000 +0200 @@ -98,7 +98,7 @@ maxfds umask 027 cd $cdr - start-stop-daemon --quiet --start \ + run-jail squid start-stop-daemon --quiet --start \ --pidfile $PIDFILE \ --chuid $CHUID \ --exec $DAEMON -- $SQUID_ARGS < /dev/null text/html 2008-07-14T05:00:41+02:00 http://www.rsbac.org/wiki/experiences/igraltist/jail_portmap?rev=1216004441&do=diff1216004441 --- portmap_org 2008-07-14 04:58:03.000000000 +0200 +++ portmap 2008-07-05 03:36:52.000000000 +0200 @@ -11,7 +11,7 @@ start() { ebegin "Starting portmap" - start-stop-daemon --start --quiet --exec /sbin/portmap -- ${PORTMAP_OPTS} + run-jail portmap start-stop-daemon --start --quiet --exec /sbin/portmap -- ${PORTMAP_OPTS} local ret=$? eend ${ret} # without, if a service depending on portmap is started too fast, text/html 2008-07-14T04:56:12+02:00 http://www.rsbac.org/wiki/experiences/igraltist/jail_dmeventd?rev=1216004172&do=diff1216004172 --- dmeventd_org 2008-07-14 04:53:34.000000000 +0200 +++ dmeventd 2008-07-05 03:27:51.000000000 +0200 @@ -9,7 +9,7 @@ start() { ebegin "Starting dmeventd" - start-stop-daemon --start --exec /sbin/dmeventd --pidfile /var/run/dmeventd.pid + run-jail dmeventd start-stop-daemon --start --exec /sbin/dmeventd --pidfile /var/run/dmeventd.pid eend $? } text/html 2008-07-14T04:52:29+02:00 http://www.rsbac.org/wiki/experiences/igraltist/jail_powernowd?rev=1216003949&do=diff1216003949 --- powernowd_org 2008-07-14 04:49:20.000000000 +0200 +++ powernowd 2008-07-05 03:38:09.000000000 +0200 @@ -7,7 +7,7 @@ start() { ebegin "Starting powernowd" - /usr/sbin/powernowd -q ${POWERNOWD_OPTS} + run-jail powernowd /usr/sbin/powernowd -q ${POWERNOWD_OPTS} eend $? } text/html 2008-07-14T04:46:36+02:00 http://www.rsbac.org/wiki/experiences/igraltist/jail_postfix?rev=1216003596&do=diff1216003596 --- postfix_org 2008-07-14 04:43:40.000000000 +0200 +++ postfix 2008-07-14 02:05:07.000000000 +0200 @@ -12,7 +12,8 @@ start() { ebegin "Starting postfix" - postfix /usr/sbin/postfix start >/dev/null 2>&1 + run-jail postfix /usr/sbin/postfix start + #>/dev/null 2>&1 eend $? } @@ -24,6 +25,7 @@ reload() { ebegin "Reloading postfix" - postfix /usr/sbin/postfix reload >/dev/null 2>&1 + run-jail postfix /usr/sbin/postfix reload + #>/dev/null 2>&1 eend $? } text/html 2008-07-14T04:39:06+02:00 http://www.rsbac.org/wiki/experiences/igraltist/jail_apache2?rev=1216003146&do=diff1216003146 This is the modified apache2 init-script --- apache2_orginal 2008-07-01 14:33:17.000000000 +0200 +++ apache2 2008-07-02 18:11:08.000000000 +0200 @@ -115,6 +115,8 @@ fi done fi + echo "sleeping a bit, otherwise the port is blocking from dieing apache" + sleep 2 } # Stupid hack to keep lintian happy. (Warrk! Stupidhack!). @@ -126,7 +128,9 @@ #ssl_scache shouldn't be here if we're just starting up. [ -f /var/run/apache2/ssl_scache ] && rm -f /var/run/apache2/*ssl_… text/html 2008-07-14T04:37:13+02:00 http://www.rsbac.org/wiki/experiences/igraltist/jail_pdnsd?rev=1216003033&do=diff1216003033 ; ; RSBAC JAIL definition for pdnsd ; 20081407 ; ; Tested by: ; Jens Kasten (igraltist) on gentoo ; "" "0.0.0.0" (allow-dev-read allow-dev-write allow-inet-raw allow-ipc-syslog allow-ipc-parent) (setgid setuid net-bind-service net-raw sys-ptrace sys-resource) (sysctl) (rlimit priority) text/html 2008-07-14T04:36:02+02:00 http://www.rsbac.org/wiki/experiences/igraltist/jail_shorewall?rev=1216002962&do=diff1216002962 ; ; RSBAC JAIL definition for shorewall ; 20080707 ; ; Tested by: ; igraltist on gentoo ; "" "0.0.0.0" (allow-dev-read allow-dev-write allow-dev-get-status allow-all-net-family allow-inet-raw allow-ipc-syslog allow-ipc-parent) (net-admin sys-resource setuid setgid net-raw) (firewall) (firewall net-id sysctl rlimit) text/html 2008-07-14T04:33:36+02:00 http://www.rsbac.org/wiki/experiences/igraltist/jail_vixie-cron?rev=1216002816&do=diff1216002816 --- vixie-cron_org 2008-07-14 02:36:08.000000000 +0200 +++ vixie-cron 2008-07-07 04:44:02.000000000 +0200 @@ -11,7 +11,7 @@ start() { ebegin "Starting vixie-cron" - start-stop-daemon --start --quiet --exec /usr/sbin/cron + run-jail vixie-cron start-stop-daemon --start --quiet --exec /usr/sbin/cron eend $? } text/html 2008-07-14T03:10:53+02:00 http://www.rsbac.org/wiki/experiences/igraltist/jail_syslogd?rev=1215997853&do=diff1215997853 This is the modified syslogd init-script. --- sysklogd_org 2008-07-03 05:22:39.000000000 +0200 +++ sysklogd 2008-07-11 16:23:35.000000000 +0200 @@ -59,7 +59,7 @@ start) echo -n "Starting system log daemon: syslogd" create_xconsole - start-stop-daemon --start --quiet --exec $binpath -- $SYSLOGD + rsbac_jail -Y -i-N start-stop-daemon --start --quiet --exec $binpath -- $SYSLOGD echo "." ;; stop) @@ -76,7 +76,7 @@ echo -n "Restarting system log daemon: syslogd… text/html 2008-07-14T02:32:41+02:00 http://www.rsbac.org/wiki/experiences/igraltist/jail_ntpd?rev=1215995561&do=diff1215995561 --- ntpd_org 2008-07-14 02:29:40.000000000 +0200 +++ ntpd 2008-07-05 01:52:18.000000000 +0200 @@ -22,7 +22,7 @@ checkconfig || return $? ebegin "Starting ntpd" - start-stop-daemon --start --exec /usr/sbin/ntpd \ + run-jail ntpd start-stop-daemon --start --exec /usr/sbin/ntpd \ --pidfile /var/run/ntpd.pid \ -- -p /var/run/ntpd.pid ${NTPD_OPTS} eend $? "Failed to start ntpd"