Extra secure auto-generated rules?
Posted: Sun Jan 02, 2005 2:47 pm
I've used full system learning to create my policy and I'm now checking through it to find mistakes I made. The first subject for the user 'apache' is /. All it does is hide / and specify -CAP_ALL. The only other subject is /usr/sbin/apache2, which specifically hides other directories such as /etc/ssh, /etc/grsec (etc.). Is there any reason it hides these specifically and overrides the hidden /?
Would it be better to remove the o and specify only the directories Apache needs to access? Or leave the o and deny the ones it shouldn't?
Code:
subject /usr/sbin/apache2 o {
/
/etc/services r
/home r
/usr/share/mysql/charsets/Index r
/var/run/mysqld/mysqld.sock rw
/etc/ssh h
/etc/grsec h
/dev/grsec h
/proc/kcore h
/proc/sys h
/etc/shadow h
/etc/passwd h
/var/log h
/dev/mem h
/dev/kmem h
/dev/port h
/dev/log h
-CAP_ALL
# this will, obviously, need changing
bind disabled
connect disabled
}