How to install sysmask.
------------------------------------------

*************** WARNING ******************
If you update from a version earlier than 1.00 that is already activated on
your system, update the kernel and the utility together, in single-user
mode. Otherwise a partially updated system might lock up on shutdown.
------------------------------------------

1. Patch the kernel source using one of the patch files in this directory.
   Patches are supplied for 2.4.31 and 2.6.12. Slight manual patching may be
   needed for other kernel versions.

2. Configure the kernel, enabling sysmask.

3. Compile and install the new kernel.

4. Compile and install sysmask: run "make install" in the current directory.
   So as not to erase an existing configuration, the directory /etc/sysmask
   is not updated automatically. When you update from an earlier version,
   you have to copy the content of etc/sysmask to /etc/sysmask by hand.

5. Type "sysmaskadm" (as root) to pre-configure your system. Sysmask is
   disabled by default, meaning that it will not alter your system's
   behavior in any way. The functionality is nevertheless present once you
   boot the new kernel, so you can make a first boot test with sysmask
   disabled and try it by hand (for example
   "sysmask init /etc/init.d/ssh restart") before engaging active sysmask
   actions.

6. Reboot the system, then do further configuration with sysmaskadm.

-------------------------------------------

For a first test, log in as any user. At the command prompt, type
"sysmask chdir". This should give you a subshell prompt. Under this subshell,
try "cd /", "cd /tmp", or anything else. If sysmask is working, each of these
commands is refused with the message "operation not permitted". Exit the
subshell by typing "exit".

Log in as root, and type "smkd" to install the daemon if sysmask is not yet
enabled. Then try "sysmask debug". In the resulting subshell, do anything you
want, such as "ls", "ln -s ...", "mv ...", or launch a program. Nothing should
be refused this time, but every operation is recorded. Exit the subshell,
then take a look at the file /var/log/smkd.log: you should find a long list
of everything you did in that subshell. If no problem is detected, you can
continue with the last step: system configuration.

-------------------------------------------

If you set the sysmask operating mode to "feedback", sysmask only records
access requests that would be refused in active mode. You can use the
administration tool "sysmaskadm" to check the feedback list, modify it, and
commit it to the configuration so that those requests are accepted once the
operating mode is switched to active.

In general, you should first make some basic manual adjustments to the file
/etc/sysmask/macros.in (you can use sysmaskadm to do so) to fit your system
setup. After that, let sysmask run for a test period, preferably including a
few reboots, and check the feedback data regularly (using sysmaskadm). When
everything seems OK, switch the operating mode to "active", either for the
whole system or for selected tokens. If something goes wrong, look at the
sysmask log file and correct the configuration. If necessary, or in an
emergency, disable sysmask protection by switching back to feedback mode.

-------------------------------------------

ATTENTION: once sysmask is installed, if you restart a daemon you have to
start it with sysmask manually, unless your login is under the token "init"
(you can arrange that for local root login). Otherwise the restarted daemon
loses all its sysmask protections. For example, instead of

    /etc/init.d/sshd restart

you should type

    sysmask init /etc/init.d/sshd restart

Of course, you can only do so if you are full root for sysmask, that is,
logged in as root with no sysmask token and no mask.

Another solution is to insert the words "sysmask init" into the startup
scripts. This is not supplied with the package, because of the great variety
of startup scripts across Linux distributions.

In any case, avoid restarting daemons via su or sudo while logged in as a
non-root user with restricted sysmask access rights. This will not work
correctly, and you will lose the daemon unless you have defined an emergency
measure that lets you regain full sysmask root access without a token. In
that case, only a reboot will get the daemon back. The template configuration
shipped with the package is set up such that root login from the console has
no token.
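The package supplies no wrapper that prepends "sysmask init" to a daemon restart. The script below is an added example written for this text, not part of sysmask: it composes the restart command, refuses to proceed without real root or without the sysmask utility (a plain restart would silently drop the protections), and refuses the sudo case warned about above. The script name smk-restart, the /etc/init.d layout and the fixed "sysmask init" prefix are assumptions; it cannot itself verify that the caller has no token and no mask.

```shell
#!/bin/sh
# smk-restart: restart a daemon under the sysmask "init" token so that it
# keeps its sysmask protections.  Added example, not part of the package.
# Assumes init scripts live in /etc/init.d and "sysmask" is on PATH.

# Accept only a plain file name under /etc/init.d, no path components.
valid_service() {
    case "$1" in
        ""|*/*|.|..) return 1 ;;
        *) return 0 ;;
    esac
}

# Compose the command line.  $1 = service, $2 = numeric uid of the caller,
# $3 = 1 if the sysmask utility is available, 0 otherwise.
# Prints the command on stdout; returns 1 on a bad name, 2 if not root,
# 3 if sysmask is missing (a bare restart would lose the protections).
build_restart_cmd() {
    valid_service "$1" || return 1
    [ "$2" -eq 0 ] || return 2
    [ "$3" -eq 1 ] || return 3
    echo "sysmask init /etc/init.d/$1 restart"
}

# sudo leaves SUDO_USER in the environment; su leaves no such marker, so
# this check only catches the sudo half of the warning.
via_sudo() { [ -n "${SUDO_USER:-}" ]; }

main() {
    svc="$1"
    via_sudo && { echo "refusing: run this from a real root login" >&2; exit 1; }
    if command -v sysmask >/dev/null 2>&1; then have=1; else have=0; fi
    cmd=$(build_restart_cmd "$svc" "$(id -u)" "$have") || {
        echo "cannot restart '$svc' (error $?)" >&2; exit 1; }
    echo "+ $cmd" >&2
    exec $cmd
}

if [ $# -eq 1 ]; then main "$1"; fi
```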