I had a few suggestions that occurred to me over the years but I never got around to posting. They're just sort of pie in the sky things.
* It'd be kind of neat to have the role be repeatable but with different "role_allow_ip" subnets -- like a first match or most specific match. I like to lock down root's role to just a few IPs, but then any daemons running as root talking to the outside world get dumped into the same 'default' role as random unprivileged users (like suexec running CGI for arbitrary users). It'd be really nice to have that "role_allow_ip"-locked-down root role but also have a much more stripped down root role with just enough privs for daemons to operate. That sounds like a seriously non-trivial feature though.
* A flag for suppressing 'connect' and RES_* logging. Especially for 'connect', I've got a number of things locked down but that get triggered by benign things. Being able to suppress known benign things like you can do with regular file entries in the ACL would be handy to cut down the log noise.
* Multiple ports on a 'connect' line, e.g. to connect to a web server on either 80 or 443, "connect 192.168.1.1/32:80,443 stream tcp", instead of multiple lines for :80 and :443.
* A test flag for gradm to test ACL syntax but without actually having to load/reload the new ACL.
Pie in the Sky suggestions
4 posts
• Page 1 of 1
Pie in the Sky suggestions
by moseleymark » Wed Nov 11, 2009 3:34 pm
- moseleymark
- Posts: 53
- Joined: Fri Sep 05, 2008 5:19 pm
Re: Pie in the Sky suggestions
by spender » Wed Nov 11, 2009 4:28 pm
All very good suggestions. You'll be happy to know the last one you mention has already been implemented recently in gradm (gradm -C).
http://en.wikibooks.org/wiki/Grsecurity ... lity#Usage
-Brad
http://en.wikibooks.org/wiki/Grsecurity ... lity#Usage
-Brad
- spender
- Posts: 2185
- Joined: Wed Feb 20, 2002 8:00 pm
Re: Pie in the Sky suggestions
by spender » Wed Nov 11, 2009 4:38 pm
For the first suggestion, had you considered using authenticated or non-authenticated special roles with role_allow_ip for the actual user(s) making use of the root role? (though still, any admin activity should be done within the authenticated admin role) Then you could reserve the root role for hardening daemons.
-Brad
-Brad
- spender
- Posts: 2185
- Joined: Wed Feb 20, 2002 8:00 pm
Re: Pie in the Sky suggestions
by moseleymark » Thu Nov 12, 2009 4:36 pm
* gradm -C: That's awesome. I'll have to update my gradm-2.1.14 so I can check it out.
* Re: Using special roles: I'm probably missing something, but I'm not sure then how I'd handle the non-externally-facing daemon side of the system, like stuff like cron, udev, init, getty, etc -- all the mundane system stuff that needs to run in the background but needs to do fairly sensitive things. I've got a "role_allow_ip 0.0.0.0/32" in the root role to let that sort of stuff run. What might be interesting is running the daemons (at least ones that can't be just run as non-root) in special roles (like in rc scripts) though then an ACL reload would knock them out of their role. Incidentally, is there a way to prevent users from getting kicked out of non-admin roles when the ACL reloads?
* Re: Using special roles: I'm probably missing something, but I'm not sure then how I'd handle the non-externally-facing daemon side of the system, like stuff like cron, udev, init, getty, etc -- all the mundane system stuff that needs to run in the background but needs to do fairly sensitive things. I've got a "role_allow_ip 0.0.0.0/32" in the root role to let that sort of stuff run. What might be interesting is running the daemons (at least ones that can't be just run as non-root) in special roles (like in rc scripts) though then an ACL reload would knock them out of their role. Incidentally, is there a way to prevent users from getting kicked out of non-admin roles when the ACL reloads?
- moseleymark
- Posts: 53
- Joined: Fri Sep 05, 2008 5:19 pm
4 posts
• Page 1 of 1