A few ACLs for Debian...
Posted: Thu Sep 18, 2003 8:16 am
These are not for RBAC.
ntpd and ntpdate:
# Subject: the ntpdate binary. The 'o' subject mode marks it as overriding any
# inherited ACL, so only the object rules listed here apply to it.
/usr/sbin/ntpdate o {
# Objects: '/ h' below hides everything not explicitly listed, so this is a
# whitelist of the files the process may touch.
# Site-specific: the local timezone file. Change if the host's TZ differs.
/usr/share/zoneinfo/Europe/Helsinki r
# Shared libraries. rx on the whole /lib tree is broad but is what dynamic
# linking needs.
/lib rx
# Version-specific path: a glibc upgrade renames the loader and breaks this
# rule, so expect to regenerate it after libc updates.
/lib/ld-2.3.2.so x
# Read access to all of /etc, not only the ntp configuration. If ntpdate runs
# as root, DAC does not narrow this; listing the individual files would be
# tighter. Verify which files it actually opens before narrowing.
/etc r
# syslog socket
/dev/log rw
/usr/sbin/ntpdate x
/ h
# Least privilege: drop every capability, then grant back only what is needed.
# CAP_SYS_TIME is required to set the clock; CAP_SYS_NICE was captured by
# learning (presumably for scheduling priority) and can be tested for removal.
-CAP_ALL
+CAP_SYS_NICE
+CAP_SYS_TIME
# Outbound: three NTP servers on udp/123 plus a local resolver on udp/53.
# The peer addresses are hard-coded, so the policy must be updated whenever
# the configured server list changes.
connect {
195.10.132.65:123 dgram udp
194.100.0.11:123 dgram udp
198.123.30.132:123 dgram udp
127.0.0.1:53 dgram udp
}
# Bind: any local address, ephemeral port (0), for the client socket. The
# protocol 'ip' is the generic form produced by learning and is wider than
# 'udp'; it may be possible to narrow it if ntpdate still works.
bind {
0.0.0.0:0 dgram ip
}
}
# Subject: the ntpd daemon. 'o' overrides inherited ACLs; '/ h' hides the
# filesystem so only the objects listed here are reachable.
/usr/sbin/ntpd o {
/ h
# Statistics files: write-only, no read-back needed.
/var/log/ntpstats/peerstats w
/var/log/ntpstats/loopstats w
# Directory entries with no mode flags: they appear to be listed so the
# directory is visible to the daemon while granting no access to anything
# in it beyond the specific files named above/below. Confirm against the
# gradm documentation for this version before relying on that reading.
/var/log/ntpstats
# Append-only log: the daemon cannot truncate or rewrite its own history.
/var/log/ntpd a
/var/log
# Drift file is only read here; if ntpd should persist drift, it needs 'w'.
/var/lib/ntp/ntp.drift r
# Site-specific timezone file.
/usr/share/zoneinfo/Europe/Helsinki r
# Read/write on the shared world-writable /tmp. Learning captured this;
# it is the widest object in the policy and worth confirming is still needed.
/tmp rw
# Shared libraries (broad rx, needed for dynamic linking).
/lib rx
# All of /etc readable, not just the ntp configuration and keys; with a
# root-running daemon DAC does not narrow this. Consider listing files.
/etc r
/dev/null rw
# syslog socket
/dev/log rw
/usr/sbin/ntpd x
# Least privilege: drop all capabilities, grant back the three below.
# NET_BIND_SERVICE for udp/123, IPC_LOCK for locking memory, SYS_TIME to
# set the clock.
-CAP_ALL
+CAP_NET_BIND_SERVICE
+CAP_IPC_LOCK
+CAP_SYS_TIME
# Outbound: NTP peers on udp/123, local resolver on udp/53, and loopback
# udp/123 and udp/1030. The udp/2000 entries to the three peers were learned
# and their purpose is not evident from the policy; confirm before keeping
# them, otherwise they are unnecessary egress.
connect {
194.100.0.11:123 dgram udp
198.123.30.132:123 dgram udp
195.10.132.65:123 dgram udp
198.123.30.132:2000 dgram udp
127.0.0.1:1030 dgram udp
127.0.0.1:123 dgram udp
127.0.0.1:53 dgram udp
195.10.132.65:2000 dgram udp
194.100.0.11:2000 dgram udp
}
# Bind: udp/123 on two site-specific interface addresses, loopback and the
# wildcard. The last line (any address, any port, protocol 'ip') is much
# wider than the rest and is a candidate for tightening if ntpd works
# without it.
bind {
192.168.3.1:123 dgram udp
62.237.194.77:123 dgram udp
127.0.0.1:123 dgram udp
0.0.0.0:123 dgram udp
0.0.0.0:0 dgram ip
}
}
Made with ACL learning (and then cleaned up)
ntpd and ntpdate:
# Subject: the ntpdate binary. The 'o' subject mode marks it as overriding any
# inherited ACL, so only the object rules listed here apply to it.
/usr/sbin/ntpdate o {
# Objects: '/ h' below hides everything not explicitly listed, so this is a
# whitelist of the files the process may touch.
# Site-specific: the local timezone file. Change if the host's TZ differs.
/usr/share/zoneinfo/Europe/Helsinki r
# Shared libraries. rx on the whole /lib tree is broad but is what dynamic
# linking needs.
/lib rx
# Version-specific path: a glibc upgrade renames the loader and breaks this
# rule, so expect to regenerate it after libc updates.
/lib/ld-2.3.2.so x
# Read access to all of /etc, not only the ntp configuration. If ntpdate runs
# as root, DAC does not narrow this; listing the individual files would be
# tighter. Verify which files it actually opens before narrowing.
/etc r
# syslog socket
/dev/log rw
/usr/sbin/ntpdate x
/ h
# Least privilege: drop every capability, then grant back only what is needed.
# CAP_SYS_TIME is required to set the clock; CAP_SYS_NICE was captured by
# learning (presumably for scheduling priority) and can be tested for removal.
-CAP_ALL
+CAP_SYS_NICE
+CAP_SYS_TIME
# Outbound: three NTP servers on udp/123 plus a local resolver on udp/53.
# The peer addresses are hard-coded, so the policy must be updated whenever
# the configured server list changes.
connect {
195.10.132.65:123 dgram udp
194.100.0.11:123 dgram udp
198.123.30.132:123 dgram udp
127.0.0.1:53 dgram udp
}
# Bind: any local address, ephemeral port (0), for the client socket. The
# protocol 'ip' is the generic form produced by learning and is wider than
# 'udp'; it may be possible to narrow it if ntpdate still works.
bind {
0.0.0.0:0 dgram ip
}
}
# Subject: the ntpd daemon. 'o' overrides inherited ACLs; '/ h' hides the
# filesystem so only the objects listed here are reachable.
/usr/sbin/ntpd o {
/ h
# Statistics files: write-only, no read-back needed.
/var/log/ntpstats/peerstats w
/var/log/ntpstats/loopstats w
# Directory entries with no mode flags: they appear to be listed so the
# directory is visible to the daemon while granting no access to anything
# in it beyond the specific files named above/below. Confirm against the
# gradm documentation for this version before relying on that reading.
/var/log/ntpstats
# Append-only log: the daemon cannot truncate or rewrite its own history.
/var/log/ntpd a
/var/log
# Drift file is only read here; if ntpd should persist drift, it needs 'w'.
/var/lib/ntp/ntp.drift r
# Site-specific timezone file.
/usr/share/zoneinfo/Europe/Helsinki r
# Read/write on the shared world-writable /tmp. Learning captured this;
# it is the widest object in the policy and worth confirming is still needed.
/tmp rw
# Shared libraries (broad rx, needed for dynamic linking).
/lib rx
# All of /etc readable, not just the ntp configuration and keys; with a
# root-running daemon DAC does not narrow this. Consider listing files.
/etc r
/dev/null rw
# syslog socket
/dev/log rw
/usr/sbin/ntpd x
# Least privilege: drop all capabilities, grant back the three below.
# NET_BIND_SERVICE for udp/123, IPC_LOCK for locking memory, SYS_TIME to
# set the clock.
-CAP_ALL
+CAP_NET_BIND_SERVICE
+CAP_IPC_LOCK
+CAP_SYS_TIME
# Outbound: NTP peers on udp/123, local resolver on udp/53, and loopback
# udp/123 and udp/1030. The udp/2000 entries to the three peers were learned
# and their purpose is not evident from the policy; confirm before keeping
# them, otherwise they are unnecessary egress.
connect {
194.100.0.11:123 dgram udp
198.123.30.132:123 dgram udp
195.10.132.65:123 dgram udp
198.123.30.132:2000 dgram udp
127.0.0.1:1030 dgram udp
127.0.0.1:123 dgram udp
127.0.0.1:53 dgram udp
195.10.132.65:2000 dgram udp
194.100.0.11:2000 dgram udp
}
# Bind: udp/123 on two site-specific interface addresses, loopback and the
# wildcard. The last line (any address, any port, protocol 'ip') is much
# wider than the rest and is a candidate for tightening if ntpd works
# without it.
bind {
192.168.3.1:123 dgram udp
62.237.194.77:123 dgram udp
127.0.0.1:123 dgram udp
0.0.0.0:123 dgram udp
0.0.0.0:0 dgram ip
}
}
Made with ACL learning (and then cleaned up)