ACLs for oracle
Posted:
Thu Feb 20, 2003 5:30 pm
by proxima
I have a Linux server here which will go on production next week.
Now, I enabled learning mode for everything except oracle client binaries.
Those will be called by various apps, or run from console. There are way too many binaries, so should I enable learning mode for each one of them?
Or is there an easier way of doing this?
(Some 40+ binaries are involved)
Any help will be greatly appreciated.
Posted:
Thu Feb 20, 2003 11:17 pm
by TGKx
Is it necessary to create acl's for all of those files? In my configs I acl all running daemons, any files that will be run as root, and any suid/sgid files on the system. Anything else should technically never be run from root and file system permissions should cover that.
Since you are talking about oracle client binaries, if these are run by unprivileged users why are you trying to ACL them? Proper file system permissions should restrict these properly since they have no ability to elevate their privileges to escape these.
A quick script to automate creating a long list of learning modes:
--- SNIP ---
#!/bin/bash
# Read target paths from stdin (one per line) and print a
# learning-mode subject for each of them.
while IFS= read -r targ
do
echo "
${targ} lo {
/ h
-CAP_ALL
RES_FSIZE 0 0
RES_DATA 0 0
RES_RSS 0 0
RES_NOFILE 0 0
RES_MEMLOCK 0 0
RES_STACK 0 0
RES_AS 0 0
RES_NPROC 0 0
RES_LOCKS 0 0
connect {
disabled
}
bind {
disabled
}
}
"
done
---ENDSNIP---
You can pipe into this script like so:
find /usr/local/oracle/bin | ourscript.sh > learnthis.acl
That will output you a pretty little acl for those files to learn.
Have fun.
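A way to check the premise of the post above before skipping subjects for a directory of binaries, as an added example that is not part of the original thread: it lists the files that carry setuid/setgid bits (the ones the post's rule says still get a subject) and the files that group or others can write to (where file system permissions are not yet restricting anything). The function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Print regular files under $1 that have the setuid or setgid bit set.
# Under the rule in the post above, these still need a subject.
privileged_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print | sort
}

# Print regular files under $1 that are writable by group or others.
# File system permissions only contain an unprivileged user if the
# binaries themselves cannot be replaced by that user.
writable_by_others() {
    find "$1" -xdev -type f \( -perm -0020 -o -perm -0002 \) -print | sort
}

# Print one tagged line per finding:
#   acl <path>      setuid/setgid file, write a subject for it
#   fixperm <path>  group/other-writable file, tighten its mode
classify_binaries() {
    privileged_files "$1" | sed 's/^/acl /'
    writable_by_others "$1" | sed 's/^/fixperm /'
}
```

Run `classify_binaries /usr/local/oracle/bin` to see both lists; the output of `privileged_files` has one path per line, so it can be piped into the script above in place of the plain `find`.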
Posted:
Thu Feb 20, 2003 11:23 pm
by spender
You can put subjects on directories, not just files. Put them all in the same directory if they're not already.
-Brad