grsecurity forums

Posted: **Wed Sep 24, 2003 11:11 pm**

I'm currently using the default ACL supplied with grsecurty[1] for 2.4.22. I added some restrictions for certain binaries, and directorties, but I basicly want to secure the box so that root is equal to/less than a normal user account, privlidge wise. Any suggestions? Any would be appericated.

Michael Nicks
http://www.bfgservers.com
MichaelNicks@bfgservers.com
Network Administrator

Posted: **Thu Sep 25, 2003 4:32 pm**

I kind of wrote up a shotty acl in a few hours customizing it and such. Opinions would be appericated.

Code: Select all: role admin sA subject / / rwcdmxi role root sG subject / / h /opt h /home r /root rwcd /mnt h /dev /dev/grsec h /dev/urandom r /dev/random r /dev/zero rw /dev/input rw /dev/psaux rw /dev/null rw /dev/tty0 rw /dev/tty1 rw /dev/tty2 rw /dev/tty3 rw /dev/tty4 rw /dev/tty5 rw /dev/tty6 rw /dev/tty7 rw /dev/tty8 rw /dev/console rw /dev/tty rw /dev/pts rw /dev/ptmx rw /dev/dsp rw /dev/mixer rw /dev/initctl rw /dev/fd0 r /dev/cdrom r /dev/mem h /dev/kmem h /dev/port h /bin rx /sbin rx /lib rx /usr /usr/bin rx /usr/sbin rx /usr/lib rx /usr/doc r /usr/include r /usr/local rx /usr/lost+found h /usr/src h /etc rx /proc rx /proc/kcore h /proc/sys r /tmp rwcd /var rx /var/tmp rwcd /var/log r /boot r /etc/grsec h /src h -CAP_ALL -CAP_LINUX_IMMUTABLE -CAP_NET_RAW -CAP_MKNOD -CAP_SYS_RAWIO -CAP_SYS_MODULE role boltsky uG subject / / h /opt h /home r /home/boltsky rwcd /mnt h /dev /dev/grsec h /dev/urandom r /dev/random r /dev/zero rw /dev/input rw /dev/psaux rw /dev/null rw /dev/tty0 rw /dev/tty1 rw /dev/tty2 rw /dev/tty3 rw /dev/tty4 rw /dev/tty5 rw /dev/tty6 rw /dev/tty7 rw /dev/tty8 rw /dev/console rw /dev/tty rw /dev/pts rw /dev/ptmx rw /dev/dsp rw /dev/mixer rw /dev/initctl rw /dev/fd0 r /dev/cdrom r /dev/mem h /dev/kmem h /dev/port h /bin rx /sbin rx /lib rx /usr /usr/bin rx /usr/sbin rx /usr/lib rx /usr/doc r /usr/include r /usr/local rx /usr/lost+found h /usr/src h /etc rx /proc rx /proc/kcore h /proc/sys r /root r /tmp rwcd /var rx /var/tmp rwcd /var/log r /boot r /etc/grsec h /src h -CAP_ALL -CAP_LINUX_IMMUTABLE -CAP_NET_RAW -CAP_MKNOD -CAP_SYS_RAWIO -CAP_SYS_MODULE role default G role_transitions admin subject / / h /opt h /home r /mnt h /dev /dev/grsec h /dev/urandom r /dev/random r /dev/zero rw /dev/input rw /dev/psaux rw /dev/null rw /dev/tty0 rw /dev/tty1 rw /dev/tty2 rw /dev/tty3 rw /dev/tty4 rw /dev/tty5 rw /dev/tty6 rw /dev/tty7 rw /dev/tty8 rw /dev/console rw /dev/tty rw /dev/pts rw /dev/ptmx rw /dev/dsp rw /dev/mixer rw /dev/initctl rw /dev/fd0 r /dev/cdrom r /dev/mem h /dev/kmem h /dev/port h /bin rx /sbin rx /lib rx /usr /usr/bin rx /usr/sbin rx /usr/lib rx /usr/doc r /usr/include r /usr/local rx /usr/lost+found h /usr/src h /etc rx /proc rx /proc/kcore h /proc/sys r /root r /tmp rwcd /var rx /var/tmp rwcd /var/log r /boot r /etc/grsec h /src h -CAP_ALL -CAP_LINUX_IMMUTABLE -CAP_NET_RAW -CAP_MKNOD -CAP_SYS_RAWIO -CAP_SYS_MODULE subject /usr/sbin/sshd lo / h +CAP_SYS_CHROOT -CAP_ALL connect disabled bind disabled subject /usr/sbin/cron lo / h +CAP_SETGID subject /bin/cp lo / h subject /bin/date lo / h /usr/share/zoneinfo/US/Central h # RES_AS 100M 100M # connect 192.168.1.0/24:22 stream tcp # bind 0.0.0.0 stream dgram tcp udp

grsecurity forums

Complete ACL for Debian?

Complete ACL for Debian?