From: ao@ao.morpork.shnet.org (A. Ott)
Subject: RSBAC 1.0.7a for Linux kernel 2.2.0-pre6
Date: 17 Jan 1999 21:04:00 +0100
Next Article (by Author): Problems ao@morpork.shnet.org (A. Ott)
Previous Article (by Author): Re: RC separation of duty Vadim Kogan
Articles sorted by: [Date]
[Author]
[Subject]
Hi folks!
I finally renamed the RSBAC pre-version 3 to be release 1.0.7a.
Amon.
----
DESC-File
---------
Name: rsbac
Version: 1.0.7a
Kernelver: 2.2.0-pre6
Status: 6
Author: Amon Ott <1ott@informatik.uni-hamburg.de>
Maintainer:
Description: Rule Set Based Access Control
Date: 16-JAN-1999
Descfile-URL: http://agn-www.informatik.uni-hamburg.de/people/1ott/rsbac/rsbac.desc
Download-URL: http://agn-www.informatik.uni-hamburg.de/people/1ott/rsbac
Homepage-URL: http://agn-www.informatik.uni-hamburg.de/people/1ott/rsbac
Manual-URL: http://agn-www.informatik.uni-hamburg.de/people/1ott/rsbac/instadm.htm
RSBAC Changes in recent versions
--------------------------------
1.0.7a:
- Added alpha support (with Shaun Savage). Has different storage sizes,
so default useraci does not work and you need a maint kernel.
- Added new error detection features for file/dir entries.
- Increasing of NR_FD_LISTS is now handled differently for error
detection reasons. See README-nrlists.
- Marked init functions as __init - though saving a few KB doesn't
make such a big difference while using RSBAC... ;)
- Fixed memory leaks in write_*_list while introducing vmalloc for
large lists. The number of file/dir lists is now only a matter of
performance and available memory.
- Added two flags to File Flags
- Port to 2.2.0-pre6
- Added secure deletion/truncation, needs a config switch to be
enabled. If on, all files marked with (inheritable) FF-flag
secure_delete and all files marked as PM-personal data are zeroed on
deletion and truncation - if the regarding modules are switched on.
1.0.7: - Port to 2.1.131
- Added more fs types to non-writable: smbfs, ncpfs, codafs - so
there should be no writing on network mounts (unfortunately there
is no afs SUPER_MAGIC)
- Added configuration option NO_DECISION_ON_NETMOUNTS, which
additionally turns off all decisions for all these fs, so that
they are completely ignored
- Added attribute inheritance: Some attributes for files and dirs
have a special value 'inherit'. If this is set, the value of the
parent dir's attribute is used instead. This mechanism ends on
fs boundaries - each fs root dir gets old style standard values,
if attribute is set to 'inherit'.
Currently security_level, object_category and data_type are
inheritable.
- Added configuration option DEF_INHERIT. If set, default values for
inheritable attributes are *inherit, rather than the old default.
This option setting should not differ between different RSBAC
kernels to avoid deeper confusion for administrators and
rsbac_check().
- To support inheritance, added parameter inherit to both get_attr
system calls. If on, the effective (possibly inherited) value is
returned, if off, the real value is returned.
- Corrected a security hole in receiving from / sending via datagram
sockets (thanks to Simone). Now a read/append open and a close
request are done for every datagram (if net support is configured,
as usual).
Attention: Programs that open an UDP socket as one user (e.g. root)
and then setuid to another (e.g. bin) may not be able
to access that socket, if the new user has insufficent
rights! (see config help)
Checking of net access can as before be turned on/off via
CONFIG_RSBAC_NET.
- Worked on rsbac_check(). Is more stable now, but should only be
called under maximum of moderate load.
11/Jan/99
Amon Ott.
What is RSBAC?
--------------
RSBAC is mostly a big patch for current Linux kernels. It is based
on the Generalized Framework for Access Control (GFAC) by Abrams and
LaPadula and provides a flexible system of access control based on several
modules.
All security relevant system calls are extended by security
enforcement code. This code calls the central decision component, which
in turn calls all active decision modules and generates a combined decision.
This decision is then enforced by the system call extensions.
Decisions are based on the type of access (request type), the access target
and on the values
of attributes attached to the subject calling and to the target to be
accessed. Additional independent attributes can be used by individual modules,
e.g. the
privacy module (PM). All attributes are stored in fully protected
directories, one on each mounted device. Thus changes to attributes require
special system calls provided.
As all types of access decisions are based on general decision requests,
many different security policies can be implemented as a decision module. In
the current RSBAC version (1.0.7a), seven modules are included:
MAC: Bell-LaPadula Mandatory Access Control (compartements not yet
implemented)
CWI: Clark-Wilson-Integrity (only basics implemented, not working)
FC: Functional Control. A simple role based model, restricting access
to security information to security officers and access to system
information to administrators.
SIM: Security Information Modification. Only security
administrators are allowed to modify data labeled as security information
PM: Privacy Model. Simone Fischer-Huebner's Privacy Model in its first
implementation. See our paper on PM implementation for the National
Information Systems Security Conference (NISSC 98)
MS: Malware Scan. Scan all files for malware on execution
(optionally on all file read accesses or on all TCP/UDP read accesses),
deny access if infected. Currently the Linux viruses Bliss.A and Bliss.B
and a handfull of others are detected. See our paper on malware detection
and avoidance for The Third Nordic Workshop on Secure IT Systems (Nordsec'98)
FF: File Flags. Provide and use flags for dirs and files,
currently execute_only (files), read_only (files and dirs), search_only
(dirs), secure_delete (files) and add_inherited (files and dirs).
Only security officers may modify these flags.
The underlying models are described in an extra text.
A general goal of RSBAC has been to some day reach Orange Bool (TCSEC) B1
level. Now it is mostly targeting to be useful as secure and multi-purposed
networked system.
How it will go on
-----------------
Who knows?-) But there are a few things planned for the future:
- Improve documentation - there are man pages, concept and detail
descriptions, how-tos, examples and
other stuff missing (volunteers?)
- Improve recovering from system crashes - it is still possible (though
unlikely) to loose attributes, if system crashed while modifying /rsbac dir.
- Reduce memory and disk usage of RSBAC structures, as soon as the next attribute
structure version change happens (see next item).
- Add the ultimate ;) role based module, 64 roles, 64 types per target
type, change_to_role array, role-type-compatibility matrices, default create
types for all targets and everything configurable. Under construction for 1.0.8.
- Add Access Control Lists (ACL) module, based on roles (sic!), users
and request types. Likely for 1.0.9.
- Add user and password management daemon enforcement, inspired by an idea
of Julio Sanchez. Might make it into 1.0.8 or 1.0.9, if we both find the
time. Requires a bit of helper stuff, like PAM stubs etc., but is under
construction now.
- Provide library patches and changes to checkpasswd (for qmail etc.) to
use it
- Include more scan strings into the Malware Scan module
- Improve security specially as internet server system, addressing
special needs for that. The role model should give a first kick to that.
- (Maybe) Join RSBAC with Pretty Secure Linux
- (Some day) With or without PSL: Meet B1 security requirements. Not
really urgent though, since Orange Book is a bit out of date.
--
Please remove second ao for E-Mail reply - no spam please!
## CrossPoint v3.11 ##
-
To unsubscribe from the rsbac list, send a mail to
majordomo@morpork.shnet.org with
unsubscribe rsbac
as single line in the body.
Next Article (by Author): Problems ao@morpork.shnet.org (A. Ott)
Previous Article (by Author): Re: RC separation of duty Vadim Kogan
Articles sorted by: [Date]
[Author]
[Subject]