RSBAC 1.0.8 for Linux Kernel 2.2.5


From: ao@morpork.shnet.org (A. Ott)
Subject: RSBAC 1.0.8 for Linux Kernel 2.2.5
Date: 18 Apr 1999 11:55:00 +0200

Next Article (by Subject): RSBAC on SMP ao@morpork.shnet.org (A. Ott)
Previous Article (by Subject): RSBAC 1.0.7a for Linux kernel 2.2.0-pre6 ao@ao.morpork.shnet.org (A. Ott)
Articles sorted by: [Date] [Author] [Subject]


Hi RSBAC folks!

The new Rule Set Based Access Control (RSBAC) version 1.0.8 for Linux  
kernel 2.2.5 is out and can be downloaded from the *new Homepage* at
http://www.compuniverse.com/rsbac

Feedback is wellcome.

Amon.

------------------------

Name:          rsbac
Version:       1.0.8
Kernelver:     2.2.5
Status:        6
Author:        Amon Ott <ao@compuniverse.com>
Maintainer:    Amon Ott <ao@compuniverse.com>
Description:   Rule Set Based Access Control
Date:          16-APR-1999
Descfile-URL:  http://www.compuniverse.com/rsbac/rsbac.desc
Download-URL:  http://www.compuniverse.com/rsbac/download.htm
Homepage-URL:  http://www.compuniverse.com/rsbac
Manual-URL:    http://www.compuniverse.com/rsbac/instadm.htm
Mailing-List:  rsbac@morpork.shnet.org

RSBAC Changes
-------------
1.0.8: - Port to 2.2.1
       - Added /proc/rsbac-info/backup to provide an easier means of backup
         for not device dependent stuff. To be extended.
       - Added new Role Compatibility (RC) module.
       - New on-disk binary layout, auto update from all versioned data
         (1.0.5 upwards).
       - AUTH module added to support proper authentification by enforcing
         externally granted CHANGE_OWNER capabilities.
       - Save to disk inconsistency in PM sets fixed.
       - MAC categories added, but limited to a fixed number of 64. Apart
         from that, the MAC module categories are as proposed in the
         Bell-LaPadula model.
       - Port to 2.2.2
       - Port to 2.2.3 with minor changes
       - Port to 2.2.4
       - Port to 2.2.5


What is RSBAC?
--------------
RSBAC is mostly a big patch for current Linux kernels. It is based
on the Generalized Framework for Access Control (GFAC) by Abrams and
LaPadula and provides a flexible system of access control based on
several modules.

All security relevant system calls are extended by security
enforcement code. This code calls the central decision component,
which in turn calls all active decision modules and generates a
combined decision. This decision is then enforced by the system call  
extensions.

Decisions are based on the type of access (request type), the access
target and on the values of attributes attached to the subject calling
and to the target to be accessed. Additional independent attributes can
be used by individual modules, e.g. the privacy module (PM). All  
attributes are stored in fully protected directories, one on each mounted  
device. Thus changes to attributes require special system calls provided.

As all types of access decisions are based on general decision requests,
many different security policies can be implemented as a decision module.
In the current RSBAC version (1.0.8), nine modules are included:

MAC: Bell-LaPadula Mandatory Access Control (limited to 64 compartments)

CWI: Clark-Wilson-Integrity (only basics implemented, not working)

FC: Functional Control. A simple role based model, restricting access
to security information to security officers and access to system
information to administrators.

SIM: Security Information Modification. Only security
administrators are allowed to modify data labeled as security information

PM: Privacy Model. Simone Fischer-Huebner's Privacy Model in its first
implementation. See our paper on PM implementation for the National
Information Systems Security Conference (NISSC 98)

MS: Malware Scan. Scan all files for malware on execution
(optionally on all file read accesses or on all TCP/UDP read accesses),
deny access if infected. Currently the Linux viruses Bliss.A and Bliss.B
and a handfull of others are detected. See our paper on malware detection
and avoidance for The Third Nordic Workshop on Secure IT Systems
(Nordsec'98).

FF: File Flags. Provide and use flags for dirs and files,
currently execute_only (files), read_only (files and dirs), search_only
(dirs), secure_delete (files) and add_inherited (files and dirs).
Only security officers may modify these flags.

RC: Role Compatibility. Defines 64 roles and 64 types for each
target type (file, dir, dev, ipc, scd, process). For each role compatibility
to all types and to other roles can be set individually.

AUTH: Authorization enforcement. Controls all CHANGE_OWNER
requests for process targets, only programs/processes with general setuid
allowance and those with a capability for the target user ID may setuid.
Capabilities are controlled by other programs/processes.

The underlying models are described in an extra text.

A general goal of RSBAC has been to some day reach (obsolete) Orange Book
(TCSEC) B1 level. Now it is mostly targeting to be useful as secure and
multi-purposed networked system, with special interest in firewalls.


How it will go on
-----------------

 - Everlasting: Improve documentation - there are man pages, concept and
   detail descriptions, how-tos, examples and other stuff missing
   (volunteers?)
 - Improve recovering from system crashes - it is still possible (though
   unlikely) to loose attributes, if system crashed while modifying
   /rsbac dir.
 - Improve attribute access performance, maybe by seperating between file
   and dir targets.
 - Finish user and password management daemon enforcement (AUTH module),
   inspired by an idea of Julio Sanchez. Misses a bit of helper stuff,
   like PAM stubs etc. Kernel part is finished, though.
 - Add Access Control Lists (ACL) module, based on roles (sic!), users and
   request types. Likely for 1.0.9.
 - Add registration procedure for new decision modules. Likely for 1.0.9.
 - Include more scan strings into the Malware Scan module
 - Further improve Linux security specially as internet server system,
   addressing special needs for that. The Role Compatibility and the AUTH
   model should give a good kick to that.
 - (Maybe) Join RSBAC with <a HREF="http://www.gem.net:8080/psl">Pretty
   Secure Linux</a>
 - (Some day) With or without PSL: Meet B1 security requirements. Now that
   MAC categories and secure delete are implemented the way has shortened,
   but it is not really urgent though, since Orange Book is a bit out of
   date.

--
## CrossPoint v3.11 ##
-
To unsubscribe from the rsbac list, send a mail to
majordomo@morpork.shnet.org with
unsubscribe rsbac
as single line in the body.

Next Article (by Subject): RSBAC on SMP ao@morpork.shnet.org (A. Ott)
Previous Article (by Subject): RSBAC 1.0.7a for Linux kernel 2.2.0-pre6 ao@ao.morpork.shnet.org (A. Ott)
Articles sorted by: [Date] [Author] [Subject]


Go to Compuniverse LWGate Home Page.