Introduction
What is RSBAC?
The official RSBAC web site
defines RSBAC as "a flexible, powerful and fast open source access control framework for
current Linux kernels." In fact it is much more than just a framework for access control. Currently
RSBAC-patched kernels ship with several modules which make use of this framework to
provide a wide variety of functions, some of which are not even purely related to
access control.
Why would I want to use it?
Most current Unix-based operating systems, and therefore by implication Linux,
suffer from some well-known deficiencies in their access control model. To be more
specific, the standard access control model lacks granularity and, for the most part,
has little or no ability to assign capabilities based on target.
RSBAC, and the modules provided with it, resolve these issues and also provide a
flexible framework into which other security related modules can be built.
So what does RSBAC do exactly?
As RSBAC is a modular system, it is difficult to describe exactly what it is
capable of in a single paragraph - hence the wordy and less than descriptive
paragraphs above. In an attempt to provide a real description of the capabilities
of RSBAC, a brief overview of each module is provided below.
- AUTH
- The AUTH module is the cornerstone of the RSBAC security model. It moves
user authentication from user-space to kernel-space providing a greatly enhanced
level of security. The AUTH module provides a variety of controls over not
just authentication but also over the authentication capabilities available to
each user, even root. It can also (optionally) use SHA1, rather than MD5, for
password hashing.
- ACL
- The ACL module provides an implementation of Access Control Lists similar
to that found in Microsoft Windows NT. Access can be assigned based on user,
ACL group membership or RC role. Permissions can be assigned to files,
devices, groups, network resources, etc. File permissions are inherited by
descendants and can be overridden on a per object basis.
- PAX
- The PAX module provides an RSBAC interface to the management of PAX
flags. Default flags can be set for every executable and can be overridden on
a per object basis. Moving the PAX flags into RSBAC allows stricter enforcement
of who is able to modify the settings. This can be used to prevent a malicious
user, even root, from intentionally exposing the system to a known exploit.
- CAP
- The CAP module provides a method of controlling the Linux Capabilities
available to any user or process. Minimum and maximum capabilities can be
set based on user, ACL group or RC role, allowing most daemon processes to
be run as a non-root user, even dropping capabilities not required after
initialisation.
- FF
- The FF module provides some additional File Flags which can be used
to further secure a system. They include WRITE_ONLY
and APPEND_ONLY which are particularly useful
for securing log files.
- RC
- The RC module provides an access control model based on the concept of Roles
and Role Compatibility. Users, processes, network objects, etc. can all be
assigned Roles and Resource Types. Permissions are assigned at the intersection
of the Role and the Resource Type and are referred to as the Role Resource
Compatibility. As initial roles can be set on executables, the RC model is
especially suited to complex multi-user deployments and service isolation.
- JAIL
- The JAIL module provides a secure chroot
implementation which can be used to easily secure and isolate daemon
processes.
- RES
- The RES module provides an RSBAC interface to the control of Linux system
resources.
- DAZuko
- The DAZuko module provides an on-access virus scanning interface which can
be used with a variety of open source virus scanners. It implements a scan
cache which greatly enhances performance over traditional methods of on-access
virus scanning.
- PM
- The PM module provides a Privacy Management model which can be used to
ensure the privacy of information. It was developed to ensure compliance
with EU data protection legislation. It is not covered in this guide.
- MAC
- The MAC module provides a Mandatory Access Control model similar to that
provided by SELinux. It is not covered in this guide.
As you can see from the above list of modules and their functionality, it is probably
impossible to write a single-paragraph description of RSBAC which does it justice.
If that wasn't enough to ensure that a simple description is impossible, there is
also one more module which probably deserves a quick mention. The REG module
allows the inclusion of user-developed modules into an RSBAC
implementation.
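
To make the RC entry in the list above concrete, here is a simplified model of a decision taken at the intersection of a Role and a Resource Type, with an initial role set on an executable. It is an added illustration, not RSBAC code or admin tool syntax; every role name, type name, right and path in it is constructed for the example.

```python
# Conceptual model only: names, roles, types and rights are constructed for
# illustration and are not RSBAC's kernel structures or admin tool syntax.
from dataclasses import dataclass

# Role Resource Compatibility: (role, resource type) -> rights granted.
# Any pair that is absent grants nothing (default deny).
COMPAT = {
    ("general_user", "general_file"): {"read", "write", "execute"},
    ("general_user", "web_content"): {"read", "write"},
    ("httpd", "web_content"): {"read"},
    ("httpd", "httpd_log"): {"append"},
}

# Resource type assigned to each object (constructed sample paths).
OBJECT_TYPE = {
    "/usr/sbin/httpd": "general_file",
    "/var/www/index.html": "web_content",
    "/var/log/httpd/access.log": "httpd_log",
    "/etc/shadow": "secret",
}

# Initial role set on an executable: a process that executes it takes this role.
INITIAL_ROLE = {"/usr/sbin/httpd": "httpd"}

@dataclass
class Process:
    uid: int
    role: str

def check(proc, right, path):
    """Allow only if the role/type intersection grants the right; uid is ignored."""
    rtype = OBJECT_TYPE.get(path)
    return right in COMPAT.get((proc.role, rtype), set())

def execute(proc, path):
    """Execute path: needs 'execute' on its type, then applies any initial role."""
    if not check(proc, "execute", path):
        raise PermissionError(f"role {proc.role} may not execute {path}")
    return Process(proc.uid, INITIAL_ROLE.get(path, proc.role))

def demo():
    root_shell = Process(uid=0, role="general_user")
    daemon = execute(root_shell, "/usr/sbin/httpd")   # still uid 0, now role httpd
    requests = [("read", "/var/www/index.html"), ("write", "/var/www/index.html"),
                ("append", "/var/log/httpd/access.log"), ("read", "/etc/shadow")]
    return daemon.role, [check(daemon, r, p) for r, p in requests]

if __name__ == "__main__":
    print(demo())
```

The daemon keeps uid 0 throughout, yet in this model it can only read web content and append to its own log, which is the service isolation the RC entry refers to.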