
Full configuration example

This document contains a full configuration example, meant to be applied after installing the LinSec kernel and the LinSec tools (`make; make install` is enough).


# Create the LinSec configuration directory, then set the LinSec passwords.
# lspasswd (presumably part of the linsec tools) prompts interactively.
mkdir /etc/linsec
lspasswd
--> enter passwords...

# Capability bounding set: -B -f presumably fills it with every capability,
# -B -r then removes the listed ones (same fill-then-remove shape is used for
# /sbin/init further down) — TODO confirm against capadm(8).
# CAP_NET_HIDDEN / CAP_PROC_HIDDEN and RESERVED1/2 are not stock Linux
# capability names; they appear to be LinSec additions.
capadm -B -f
capadm -B -r CAP_NET_HIDDEN CAP_PROC_HIDDEN RESERVED1 RESERVED2

# Capability group 0; what a capability group controls is not shown on this
# page (-c presumably creates it, as with the adadm groups below).
capadm -G -c 0

# Per-user entry for root: create it, fill its "uB" set, then remove the two
# *_HIDDEN capabilities from that set. What "uB" denotes (user bounding set?)
# is not shown here — confirm with capadm(8).
capadm -U -c root
capadm -U -f root uB 
capadm -U -r root uB CAP_NET_HIDDEN CAP_PROC_HIDDEN

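# Per-file capability rules. Command shapes used on this page:
#   capadm -F -a <binary> <set> <cap>...  add capabilities to one of the
#                                         binary's capability sets
#   capadm -F -f <binary> <set>           fill the set (presumably: all caps)
#   capadm -F -r <binary> <set> <cap>...  remove capabilities from the set
# The set names fA, fE and fF are presumably the file's allowed, effective
# and forced sets — TODO confirm against capadm(8) before relying on the
# distinction; most boot-time tools only get the fE/fF pair.
# CAP_SYS_BOOTTIME, CAP_PROC_GOD, CAP_PROC_PROTECTED, CAP_PROC_UNKILLABLE,
# CAP_*_HIDDEN and CAP_ACD_OVERRIDE are not stock Linux capability names;
# they appear to be LinSec additions.
# Nearly every program the rc.* scripts run is given CAP_SYS_BOOTTIME,
# which (inferred from the name and the rc.* entries — confirm) lets it run
# during the boot phase.

# agetty: needs to open tty devices it does not own, hence CAP_DAC_OVERRIDE.
capadm -F -a /sbin/agetty fF CAP_DAC_OVERRIDE CAP_SYS_BOOTTIME
capadm -F -a /sbin/agetty fE CAP_DAC_OVERRIDE CAP_SYS_BOOTTIME

# Plain boot-time utilities: boot-phase permission only.
capadm -F -a /bin/chmod fE CAP_SYS_BOOTTIME
capadm -F -a /bin/chmod fF CAP_SYS_BOOTTIME

capadm -F -a /bin/cut fE CAP_SYS_BOOTTIME
capadm -F -a /bin/cut fF CAP_SYS_BOOTTIME

capadm -F -a /bin/dd fE CAP_SYS_BOOTTIME
capadm -F -a /bin/dd fF CAP_SYS_BOOTTIME

# depmod appears once; the original listed this pair a second time further
# down with the same arguments, which is redundant.
capadm -F -a /sbin/depmod fE CAP_SYS_BOOTTIME
capadm -F -a /sbin/depmod fF CAP_SYS_BOOTTIME

capadm -F -a /sbin/e2fsck fE CAP_SYS_BOOTTIME
capadm -F -a /sbin/e2fsck fF CAP_SYS_BOOTTIME

capadm -F -a /sbin/fsck.ext2 fF CAP_SYS_BOOTTIME
capadm -F -a /sbin/fsck.ext2 fE CAP_SYS_BOOTTIME

capadm -F -a /bin/ipmask fF CAP_SYS_BOOTTIME
capadm -F -a /bin/ipmask fE CAP_SYS_BOOTTIME

capadm -F -a /sbin/ldconfig fF CAP_SYS_BOOTTIME
capadm -F -a /sbin/ldconfig fE CAP_SYS_BOOTTIME

# lilo writes the boot sector directly: raw I/O, but no boot-phase flag.
capadm -F -a /sbin/lilo fA CAP_SYS_RAWIO
capadm -F -a /sbin/lilo fE CAP_SYS_RAWIO

capadm -F -a /bin/chown fA CAP_CHOWN
capadm -F -a /bin/chown fE CAP_CHOWN

capadm -F -a /usr/bin/stty fF CAP_SYS_BOOTTIME
capadm -F -a /usr/bin/stty fE CAP_SYS_BOOTTIME

# halt gets CAP_SYS_BOOT (reboot) rather than the boot-phase flag.
capadm -F -a /sbin/halt fF CAP_SYS_BOOT
capadm -F -a /sbin/halt fE CAP_SYS_BOOT

capadm -F -a /sbin/insmod fF CAP_SYS_BOOTTIME
capadm -F -a /sbin/insmod fE CAP_SYS_BOOTTIME

capadm -F -a /sbin/fsck fE CAP_SYS_BOOTTIME
capadm -F -a /sbin/fsck fF CAP_SYS_BOOTTIME

capadm -F -a /bin/fgrep fE CAP_SYS_BOOTTIME
capadm -F -a /bin/fgrep fF CAP_SYS_BOOTTIME

# The rc.* boot scripts themselves.
capadm -F -a /etc/rc.d/rc.M fE CAP_SYS_BOOTTIME
capadm -F -a /etc/rc.d/rc.M fF CAP_SYS_BOOTTIME

capadm -F -a /etc/rc.d/rc.S fE CAP_SYS_BOOTTIME
capadm -F -a /etc/rc.d/rc.S fF CAP_SYS_BOOTTIME

capadm -F -a /etc/rc.d/rc.inet1 fE CAP_SYS_BOOTTIME
capadm -F -a /etc/rc.d/rc.inet1 fF CAP_SYS_BOOTTIME

capadm -F -a /etc/rc.d/rc.inet2 fE CAP_SYS_BOOTTIME
capadm -F -a /etc/rc.d/rc.inet2 fF CAP_SYS_BOOTTIME

capadm -F -a /etc/rc.d/rc.sshd fF CAP_SYS_BOOTTIME
capadm -F -a /etc/rc.d/rc.sshd fE CAP_SYS_BOOTTIME

capadm -F -a /etc/rc.d/rc.syslog fE CAP_SYS_BOOTTIME
capadm -F -a /etc/rc.d/rc.syslog fF CAP_SYS_BOOTTIME

capadm -F -a /etc/rc.d/rc.local fE CAP_SYS_BOOTTIME
capadm -F -a /etc/rc.d/rc.local fF CAP_SYS_BOOTTIME

capadm -F -a /bin/rm fE CAP_SYS_BOOTTIME
capadm -F -a /bin/rm fF CAP_SYS_BOOTTIME

capadm -F -a /bin/setterm fE CAP_SYS_BOOTTIME
capadm -F -a /bin/setterm fF CAP_SYS_BOOTTIME

capadm -F -a /bin/sleep fE CAP_SYS_BOOTTIME
capadm -F -a /bin/sleep fF CAP_SYS_BOOTTIME

capadm -F -a /sbin/sulogin fE CAP_SYS_BOOTTIME
capadm -F -a /sbin/sulogin fF CAP_SYS_BOOTTIME

capadm -F -a /bin/uname fE CAP_SYS_BOOTTIME
capadm -F -a /bin/uname fF CAP_SYS_BOOTTIME

# Tools that need a real capability in addition to the boot-phase flag.
# NOTE(review): CAP_SYS_ADMIN is the broadest stock capability; hostname
# presumably needs it for sethostname() — confirm nothing narrower works.
capadm -F -a /bin/hostname fE CAP_SYS_ADMIN CAP_SYS_BOOTTIME
capadm -F -a /bin/hostname fF CAP_SYS_ADMIN CAP_SYS_BOOTTIME

capadm -F -a /sbin/hwclock fE CAP_SYS_RAWIO CAP_SYS_TIME CAP_SYS_BOOTTIME
capadm -F -a /sbin/hwclock fF CAP_SYS_RAWIO CAP_SYS_TIME CAP_SYS_BOOTTIME

capadm -F -a /sbin/ifconfig fE CAP_NET_ADMIN CAP_SYS_BOOTTIME
capadm -F -a /sbin/ifconfig fF CAP_NET_ADMIN CAP_SYS_BOOTTIME

# Network daemons: privileged-port bind plus LinSec process protection.
capadm -F -a /usr/sbin/inetd fE CAP_NET_BIND_SERVICE CAP_PROC_UNKILLABLE CAP_SYS_BOOTTIME
capadm -F -a /usr/sbin/inetd fF CAP_NET_BIND_SERVICE CAP_PROC_UNKILLABLE CAP_SYS_BOOTTIME

# init: fill fF and fE, remove CAP_ACD_OVERRIDE from fE, and allow
# CAP_SYS_BOOT and CAP_PROC_GOD.
# NOTE(review): CAP_ACD_OVERRIDE occurs nowhere else on this page; confirm
# it is a real LinSec capability name and not a typo for CAP_DAC_OVERRIDE
# (capadm's reaction to an unknown name is not shown here).
capadm -F -f /sbin/init fF
capadm -F -f /sbin/init fE
capadm -F -r /sbin/init fE CAP_ACD_OVERRIDE
capadm -F -a /sbin/init fA CAP_SYS_BOOT CAP_PROC_GOD

capadm -F -a /usr/sbin/klogd fF CAP_SYS_ADMIN CAP_PROC_PROTECTED CAP_SYS_BOOTTIME
capadm -F -a /usr/sbin/klogd fE CAP_SYS_ADMIN CAP_PROC_PROTECTED CAP_SYS_BOOTTIME

# login: only what it needs to switch to the user and fix tty ownership.
capadm -F -a /bin/login fF CAP_CHOWN CAP_FOWNER CAP_SETGID CAP_SETUID
capadm -F -a /bin/login fE CAP_CHOWN CAP_FOWNER CAP_SETGID CAP_SETUID

capadm -F -a /bin/mount fF CAP_DAC_OVERRIDE CAP_FOWNER CAP_SYS_RAWIO CAP_SYS_ADMIN CAP_SYS_BOOTTIME
capadm -F -a /bin/mount fE CAP_DAC_OVERRIDE CAP_FOWNER CAP_SYS_RAWIO CAP_SYS_ADMIN CAP_SYS_BOOTTIME

capadm -F -a /bin/tar fA CAP_CHOWN
capadm -F -a /bin/tar fE CAP_CHOWN

capadm -F -a /sbin/route fF CAP_NET_ADMIN CAP_SYS_BOOTTIME
capadm -F -a /sbin/route fE CAP_NET_ADMIN CAP_SYS_BOOTTIME

# scp is the only binary with all three sets configured explicitly.
capadm -F -a /usr/bin/scp fA CAP_SETGID CAP_SETUID
capadm -F -a /usr/bin/scp fF CAP_SETGID CAP_SETUID
capadm -F -a /usr/bin/scp fE CAP_SETGID CAP_SETUID

# NOTE(review): bash and init are the only binaries granted CAP_PROC_GOD.
# If fA is the allowed set, any bash process may acquire CAP_SYS_BOOT and
# CAP_PROC_GOD; confirm this is intended and audit which users can run it.
capadm -F -a /bin/bash fA CAP_SYS_BOOT CAP_PROC_GOD
capadm -F -a /bin/bash fE CAP_SYS_BOOTTIME
capadm -F -a /bin/bash fF CAP_SYS_BOOTTIME

capadm -F -a /usr/bin/ssh fE CAP_SETGID CAP_SETUID
capadm -F -a /usr/bin/ssh fF CAP_SETGID CAP_SETUID

capadm -F -a /usr/sbin/sshd fF CAP_CHOWN CAP_SETGID CAP_SETUID CAP_NET_BIND_SERVICE CAP_PROC_PROTECTED CAP_SYS_BOOTTIME
capadm -F -a /usr/sbin/sshd fE CAP_CHOWN CAP_SETGID CAP_SETUID CAP_NET_BIND_SERVICE CAP_PROC_PROTECTED CAP_SYS_BOOTTIME

capadm -F -a /sbin/swapon fF CAP_SYS_ADMIN CAP_SYS_BOOTTIME
capadm -F -a /sbin/swapon fE CAP_SYS_ADMIN CAP_SYS_BOOTTIME

capadm -F -a /sbin/swapoff fF CAP_SYS_ADMIN CAP_SYS_BOOTTIME
capadm -F -a /sbin/swapoff fE CAP_SYS_ADMIN CAP_SYS_BOOTTIME

capadm -F -a /usr/sbin/syslogd fF CAP_NET_BIND_SERVICE CAP_PROC_PROTECTED CAP_SYS_BOOTTIME
capadm -F -a /usr/sbin/syslogd fE CAP_NET_BIND_SERVICE CAP_PROC_PROTECTED CAP_SYS_BOOTTIME

capadm -F -a /bin/umount fF CAP_DAC_OVERRIDE CAP_FOWNER CAP_SYS_RAWIO CAP_SYS_ADMIN CAP_SYS_BOOTTIME
capadm -F -a /bin/umount fE CAP_DAC_OVERRIDE CAP_FOWNER CAP_SYS_RAWIO CAP_SYS_ADMIN CAP_SYS_BOOTTIME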

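# Access-domain rules. Command shapes used on this page:
#   adadm -G -c <n>                   create domain group n
#   adadm -G -a <n> NONE <path>       add <path> to group n (what the NONE
#                                     field selects is not shown here — confirm)
#   adadm -F -a <binary> <ro|rw> <n>  give <binary> read-only / read-write
#                                     access to the paths of group n
#   adadm -U -a <user> <path>         presumably grant <user> access to <path>
# All of this is inferred from the command shapes; confirm with adadm(8).

# Group 0: pseudo filesystems and temp directories.
adadm -G -c 0
adadm -G -a 0 NONE /proc
adadm -G -a 0 NONE /dev
adadm -G -a 0 NONE /dev/pts
adadm -G -a 0 NONE /tmp
adadm -G -a 0 NONE /var/tmp

# Group 1: system binaries, libraries, configuration and sources.
# No per-binary rule on this page references group 1.
adadm -G -c 1
adadm -G -a 1 NONE /etc
adadm -G -a 1 NONE /lib
adadm -G -a 1 NONE /bin
adadm -G -a 1 NONE /usr/bin
adadm -G -a 1 NONE /usr/local/bin
adadm -G -a 1 NONE /sbin
adadm -G -a 1 NONE /usr/sbin
adadm -G -a 1 NONE /usr/local/sbin
adadm -G -a 1 NONE /usr/X11R6/bin/
adadm -G -a 1 NONE /usr/lib
adadm -G -a 1 NONE /usr/share/
adadm -G -a 1 NONE /usr/include
adadm -G -a 1 NONE /usr/src/linsec

# Group 2: /var/run. Daemons and login tools get rw; w gets ro only.
adadm -G -c 2
adadm -G -a 2 NONE /var/run
adadm -F -a /usr/sbin/syslogd rw 2
adadm -F -a /usr/sbin/klogd rw 2
adadm -F -a /usr/sbin/inetd rw 2
adadm -F -a /usr/sbin/sshd rw 2
adadm -F -a /bin/login rw 2
adadm -F -a /sbin/shutdown rw 2
adadm -F -a /sbin/halt rw 2
adadm -F -a /usr/bin/w ro 2
adadm -F -a /sbin/agetty rw 2

# Group 3: /var/log.
adadm -G -c 3
adadm -G -a 3 NONE /var/log
adadm -F -a /usr/sbin/syslogd rw 3
adadm -F -a /sbin/halt rw 3
adadm -F -a /sbin/agetty rw 3

# Group 4: the root directory — only umount and halt get rw.
adadm -G -c 4
adadm -G -a 4 NONE /
adadm -F -a /bin/umount rw 4
adadm -F -a /sbin/halt rw 4

# Group 5: /dev — only umount gets rw. (/dev is also in group 0; this
# separate group apparently exists only to carry the rw grant.)
adadm -G -c 5
adadm -G -a 5 NONE /dev
# Group 5, not 7: no group 7 is ever created in this file, and this rule
# sits directly under the definition of group 5.
adadm -F -a /bin/umount rw 5

# Group 6: /etc — hwclock and dd get rw.
adadm -G -c 6
adadm -G -a 6 NONE /etc
adadm -F -a /sbin/hwclock rw 6
adadm -F -a /bin/dd rw 6

# Per-user rule for root's home directory.
adadm -U -a root /root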

--> edit /etc/rc.d/rc.local and append the line: echo "1" > /proc/linsec/boot
--> reboot! ;)