Introduction

What is RSBAC?

The official RSBAC web site defines RSBAC as "a flexible, powerful and fast open source access control framework for current Linux kernels." In actual fact it is much more than just a framework for access control. Currently, RSBAC-patched kernels ship with several modules which make use of this framework to provide a wide variety of functions, some of which are not even purely related to access control.

Why would I want to use it?

Most current Unix-based operating systems, and therefore by implication Linux, suffer from some well-known deficiencies in their access control model. To be more specific, the standard access control model lacks granularity and, for the most part, has little or no ability to assign capabilities based on target.

RSBAC, and the modules provided with it, resolve these issues and also provide a flexible framework into which other security related modules can be built.

So what does RSBAC do exactly?

As RSBAC is a modular system, it is difficult to describe exactly what it is capable of in a single paragraph - hence the wordy and less than descriptive paragraphs above. In an attempt to provide a real description of the capabilities of RSBAC, a brief overview of each module is provided below.

AUTH
The AUTH module is the cornerstone of the RSBAC security model. It moves user authentication from user-space to kernel-space, providing a greatly enhanced level of security. The AUTH module provides a variety of controls over not just authentication but also over the authentication capabilities available to each user, even root. It can also (optionally) use SHA1, rather than MD5, for password hashing.
ACL
The ACL module provides an implementation of Access Control Lists similar to that found in Microsoft Windows NT. Access can be assigned based on user, ACL group membership or RC role. Permissions can be assigned to files, devices, groups, network resources, etc. File permissions are inherited by descendants and can be overridden on a per object basis.
PAX
The PAX module provides an RSBAC interface to the management of PAX flags. Default flags can be set for every executable and can be overridden on a per object basis. Moving the PAX flags into RSBAC allows stricter enforcement of who is able to modify the settings. This can be used to prevent a malicious user, even root, from intentionally opening a known exploit.
CAP
The CAP module provides a method of controlling the Linux Capabilities available to any user or process. Minimum and maximum capabilities can be set based on user, ACL group or RC role, allowing most daemon processes to be run as a non-root user, even dropping capabilities not required after initialisation.
FF
The FF module provides some additional File Flags which can be used to further secure a system. They include WRITE_ONLY and APPEND_ONLY which are particularly useful for securing log files.
RC
The RC module provides an access control model based on the concept of Roles and Role Compatibility. Users, processes, network objects, etc. can all be assigned Roles and Resource Types. Permissions are assigned at the intersection of the Role and the Resource Type and are referred to as the Role Resource Compatibility. As initial roles can be set on executables, the RC model is especially suited to complex multi-user deployments and service isolation.
JAIL
The JAIL module provides a secure chroot implementation which can be used to easily secure and isolate daemon processes.
RES
The RES module provides an RSBAC interface to the control of Linux system resources.
DAZuko
The DAZuko module provides an on-access virus scanning interface which can be used with a variety of open source virus scanners. It implements a scan cache which greatly enhances performance over traditional methods of on-access virus scanning.
PM
The PM module provides a Privacy Management model which can be used to ensure the privacy of information. It was developed to ensure compliance with EU data protection legislation. It is not covered in this guide.
MAC
The MAC module provides a Mandatory Access Control model similar to that provided by SELinux. It is not covered in this guide.

As you can see from the above list of modules and their functionality, it is probably impossible to write a single paragraph description of RSBAC which does it justice. If that wasn't enough to ensure that a simple description is impossible, there is also one more module which probably deserves a quick mention. The REG module allows the inclusion of user-developed modules into an RSBAC implementation.
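
The RC description above (permissions at the intersection of Role and Resource Type, with initial roles set on executables) can be made concrete with a small model. This is an added example, not RSBAC code or its configuration syntax, and it models RC alone; every role, type, path and right name in it is a constructed assumption.

```python
# Simplified model of the RC idea described above; this is not RSBAC code.
# Every role, type, path and right name below is constructed for illustration.
from dataclasses import dataclass

# Resource type assigned to each object.
OBJECT_TYPE = {
    "/var/www/index.html": "web_content",
    "/var/log/httpd.log": "web_log",
    "/etc/shadow": "auth_data",
}
# Initial role set on an executable: a process that executes it takes this role.
INITIAL_ROLE = {"/usr/sbin/httpd": "web_daemon"}
# Compatibility: (role, resource type) -> rights. Absent pairs grant nothing.
COMPAT = {
    ("web_daemon", "web_content"): {"READ"},
    ("web_daemon", "web_log"): {"APPEND"},
    ("sysadmin", "web_content"): {"READ", "WRITE"},
    ("secoff", "auth_data"): {"READ", "WRITE"},
}

@dataclass
class Process:
    uid: int
    role: str

def execute(proc: Process, path: str) -> Process:
    """Return the process state after exec, applying any initial role."""
    return Process(proc.uid, INITIAL_ROLE.get(path, proc.role))

def allowed(proc: Process, right: str, path: str) -> bool:
    """Decide from role and resource type only; this model ignores uid."""
    rtype = OBJECT_TYPE.get(path)
    return right in COMPAT.get((proc.role, rtype), set())

def demo() -> dict:
    root_shell = Process(uid=0, role="sysadmin")
    httpd = execute(root_shell, "/usr/sbin/httpd")  # role switches on exec
    return {
        "httpd_role": httpd.role,
        "httpd_read_content": allowed(httpd, "READ", "/var/www/index.html"),
        "httpd_write_content": allowed(httpd, "WRITE", "/var/www/index.html"),
        "httpd_append_log": allowed(httpd, "APPEND", "/var/log/httpd.log"),
        "httpd_read_shadow": allowed(httpd, "READ", "/etc/shadow"),
    }

if __name__ == "__main__":
    print(demo())
```

In this model the daemon started from a sysadmin shell ends up in the web_daemon role, so it can read content and append to its log but cannot modify content or touch objects of any type its role has no entry for.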