Chapter 4. RSBAC installation

4.1. RSBAC installation

This paragraph marks a milestone: by now you should have learned enough about RSBAC to be able to decide whether or not you need its functionality. If you are sure you do not need more than the standard security features a modern Unix (like Linux) has to offer, I thank you for your interest and bid you farewell. For those of you still with me by now: our next step will be to actually install RSBAC.

You will need to patch the Linux kernel to implement RSBAC. This will only work if you have the original kernel source code. At the time of this writing (may 2003) the stable version of RSBAC was 1.2.1 for kernels 2.2.21-25 and 2.4.19-20. Older kernels are supported too. Amon Ott tries his very best to support the newest development kernels too, check the RSBAC website to learn more. If for any reason you need to patch a kernel that is not supported I suggest you contact Amon Ott.

The software consists of a patch, the code for the kernel extensions that is hooked up to the kernel and an archive with administrative software. The RSBAC website ( http://www.rsbac.org) provides a good source of additional documentation and links to other related materials. If you are eager to start you might want to read the relevant section in this book or read the relevant section on the RSBAC website. (http://www.rsbac.org/instadm.htm).

Start by installing the source code for one of the supported Linux kernels in /usr/src/linux. If you are not used to building your own kernels, for example because you use precompiled distributions, you may want to build a 'clean' kernel first to get a grip on the procedure. To learn how to compile kernels from source you might want to consult the kernel-HOWTO ( http://www.linuxdoc.org/HOWTO/Kernel-HOWTO.html ). If you were succesful in booting your freshly build kernel and if that kernel provides the functionalities you want, you should save the kernel configuration in a safe place.

As reparation for the actual installation of RSBAC you could fetch the patch and accompanying software and create the user 'security officer'. Use any UID you want (except 0) - the default is 400, but you are able to override that during installation.