Share your story
The central voice for Linux and Open Source security news
Home News Topics Advisories HOWTOs Features Newsletters About Register

Sign up!
EnGarde Community
What is the most important Linux security technology?
Linux Events
Linux User Groups
Link to Us
Security Center
Book Reviews
Security Dictionary
Security Tips
White Papers
Featured Blogs
All About Linux
DanWalsh LiveJournal
Latest Newsletters
Linux Security Week: March 30th, 2015
Linux Advisory Watch: March 27th, 2015
LinuxSecurity Newsletters
Choose Lists:
About our Newsletters
RSS Feeds
Get the LinuxSecurity news you want faster with RSS
Powered By

RSBAC v1.1.1 Released Print E-mail
User Rating:      How can I rate this item?
Source: Amon Ott - Posted by Dave Wreski   
Security Projects Rule Set Based Access Control (RSBAC) version 1.1.1 has been released. Information and downloads are available from . . Rule Set Based Access Control (RSBAC) version 1.1.1 has been released. Information and downloads are available from

Below are the notes that Amon sent to the RSBAC mailing list

 ---------------------------------------  Name:          rsbac Version:       1.1.1 Kernelver:     2.2.18-19, 2.4.2 Status:        9 (UP), 8 (SMP) Author:        Amon Ott  Maintainer:    Amon Ott  Description:   Rule Set Based Access Control (RSBAC) Date:          28-March-2001 Descfile-URL: Download-URL: Homepage-URL: Manual-URL:  What is RSBAC? --------------  RSBAC is a flexible, powerful and fast open source access control framework for current Linux kernels, which has been in stable production use for over a year (since version 1.0.9a).  The standard package includes a range of access control models like MAC, RC, ACL (see below). Furthermore, the runtime registration facility (REG) makes it easy to implement your own access control model as a kernel module and get it registered at runtime.  The RSBAC framework is based on the Generalized Framework for Access Control (GFAC) by Abrams and LaPadula. All security relevant system calls are extended by security enforcement code. This code calls the central decision component, which in turn calls all active decision modules and generates a combined decision. This decision is then enforced by the system call extensions.  Decisions are based on the type of access (request type), the access target and on the values of attributes attached to the subject calling and to the target to be accessed. Additional independent attributes can be used by individual modules, e.g. the privacy module (PM). All attributes are stored in fully protected directories, one on each mounted device. Thus changes to attributes require special system calls provided.  As all types of access decisions are based on general decision requests, many different security policies can be implemented as a decision module. Apart from the builtin models shown below, the optional Module Registration (REG) allows for registration of additional, individual decision modules at runtime.  In RSBAC version 1.1.1, the following modules are included. Please note that all modules are optional. They are described in detail in an extra text.  MAC:  Bell-LaPadula Mandatory Access Control (compartments limited to a number       of 64)  FC:   Functional Control. A simple role based model, restricting access to       security information to security officers and access to system       information to administrators.  SIM:  Security Information Modification. Only security administrators are       allowed to modify data labeled as security information  PM:   Privacy Model. Simone Fischer-Hübner's Privacy Model in its first       implementation. See our paper on PM implementation (43K) for the       National Information Systems Security Conference (NISSC 98)  MS:   Malware Scan. Scan all files for malware on execution (optionally on all       file read accesses or on all TCP/UDP read accesses), deny access if       infected. Currently the Linux viruses Bliss.A and Bliss.B and a handfull       of others are detected. See our paper on Approaches to Integrated       Malware Detection and Avoidance (34K) for The Third Nordic Workshop on       Secure IT Systems (Nordsec'98)  FF:   File Flags. Provide and use flags for dirs and files, currently       execute_only (files), read_only (files and dirs), search_only (dirs),       secure_delete (files), no_execute (files), add_inherited (files and dirs)       and no_rename_or_delete(files and dirs, no inheritance). Only security       officers may modify these flags.  RC:   Role Compatibility. Defines 64 roles and 64 types for each target type       (file, dir, dev, ipc, scd, process). For each role, compatibility to all       types and to other roles can be set individually and with request       granularity. For administration there is a fine grained       separation-of-duty.  AUTH: Authorization enforcement. Controls all CHANGE_OWNER requests for       process targets, only programs/processes with general setuid allowance       and those with a capability for the target user ID may setuid.       Capabilities can be controlled by other programs/processes, e.g.       authentication daemons.  ACL:  Access Control Lists. For every object there is an Access Control List,       defining which subjects may access this object with which request types.       Subjects can be of type user, RC role and ACL group. Objects are grouped       by their target type, but have individual ACLs. If there is no ACL entry       for a subject at an object, rights are inherited from parent objects,       restricted by an inheritance mask. Direct (user) and indirect (role,       group) rights are accumulated. For each object type there is a default       ACL on top of the normal hierarchy. Group management has been added in       version 1.0.9a.  A general goal of RSBAC design has been to some day reach (obsolete) Orange Book (TCSEC) B1 level. Now it is mostly targeting to be useful as secure and multi-purposed networked system, with special interest in firewalls.   RSBAC Changes ------------- 1.1.1: - New target type FIFO, with a lot of cleanup, e.g. IPC type fifo          removed        - MAC module reworked, including MAC-Light option        - Several bugfixes        - Port to 2.4.0, 2.4.1 and 2.4.2        - New Makefiles with lists for 2.4 and without for 2.2 kernels          (Thanks to Edward Brocklesby for samples)        - init process default ACI now partly depends on root's ACI        - Optional interception of sys_read and sys_write.          Attention: you might have to add READ and WRITE rights to files,          fifos, dirs and sockets first, if upgrading from an older version        - REG overhaul. Now you can register syscall functions, everything is          kept in unlimited lists instead of arrays and registering is          versioned to allow for binary module shipping with REG version          checks.        - Inheritance is now fixed, except for MAC model        - MAC: optional inheritance, new option Smart Inheritance that tries          to avoid new attribute objects (see config help)        - New soft mode option: all decisions and logging are performed, but          DO_NOT_CARE is returned to enforcement. Off by default. See config          help for details.        - Optional initialization in extra rsbac_initd thread. 

Only registered users can write comments.
Please login or register.

Powered by AkoComment!

< Prev   Next >


Latest Features
Peter Smith Releases Linux Network Security Online
Securing a Linux Web Server
Password guessing with Medusa 2.0
Password guessing as an attack vector
Squid and Digest Authentication
Squid and Basic Authentication
Demystifying the Chinese Hacking Industry: Earning 6 Million a Night
Free Online security course (LearnSIA) - A Call for Help
What You Need to Know About Linux Rootkits
Review: A Practical Guide to Fedora and Red Hat Enterprise Linux - Fifth Edition
Yesterday's Edition
Feds Charged With Stealing Money During Silk Road Investigation
EFF questions US government's software flaw disclosure policy
Hotel Router Vulnerability A Reminder Of Untrusted WiFi Risks
Partner Sponsor

Community | HOWTOs | Blogs | Features | Book Reviews | Networking
 Security Projects |  Latest News |  Newsletters |  SELinux |  Privacy |  Home
 Hardening |   About Us |   Advertise |   Legal Notice |   RSS |   Guardian Digital
(c)Copyright 2015 Guardian Digital, Inc. All rights reserved.