Key features
- Free Open Source (GPL) Linux kernel security extension
- Independent of governments and big companies
- Several well-known and new security models, e.g. MAC, ACL and RC
- Control over individual user and program network accesses
- Any combination of models possible
- Easily extensible: write your own model for runtime registration
- Support for current kernels
- Stable for production use
RSBAC is a flexible, powerful and fast open source access
control framework for current Linux kernels, which has been in stable production use since
January 2000 (version 1.0.9a). All development is independent of governments and big
companies, and no existing access control code has been reused.
The standard package includes a range of access control models like MAC, RC, ACL (see
below). Furthermore, the runtime registration facility (REG) makes
it easy to implement your own access control model as a kernel module and get it
registered at runtime.
The RSBAC framework is based on the Generalized Framework for Access Control (GFAC) by
Abrams and LaPadula. All security relevant system calls are extended by security
enforcement code. This code calls the central decision component, which in turn calls all
active decision modules and generates a combined decision. This decision is then enforced
by the system call extensions.
Decisions are based on the type of access (request type), the access target and on the
values of attributes attached to the calling subject and to the target being accessed.
Additional independent attributes can be used by individual modules, e.g. the privacy
module (PM). All attributes are stored in fully protected directories, one on each mounted
device. Thus changes to attributes require the special system calls provided for that purpose.
From version 1.2.0, all types of network accesses can be controlled individually for
all users and programs. This gives you full control over their network behaviour and makes
unintended network accesses easier to prevent and detect.
As all types of access decisions are based on general decision requests, many different
security policies can be implemented as decision modules. Apart from the built-in models
shown below, the optional Module Registration (REG) allows for
registration of additional, individual decision modules at runtime.
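To make the GFAC pipeline concrete, here is an added example (not RSBAC source code) modelling it in C: a request type and target, attributes on subject and target, two decision modules (a Bell-LaPadula MAC module holding its 64 compartments in one bitmask, and an FF-style file-flags module) and the central decision component that combines their answers. The result names follow RSBAC's vocabulary, but the attribute layout, flag bit values and combination rule are assumptions for illustration.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>

/* Constructed model of the GFAC decision pipeline (added example, not RSBAC
 * source): each extended system call turns into a request on a target, the
 * central decision component asks every active module, and one NOT_GRANTED
 * vetoes. Attribute layout and flag values are assumptions for illustration. */
enum request { R_READ, R_WRITE, R_EXECUTE };
enum result  { DO_NOT_CARE, GRANTED, NOT_GRANTED };

#define FF_READ_ONLY    0x1u        /* FF module flags (assumed bit values) */
#define FF_EXECUTE_ONLY 0x2u

struct subject { int mac_level; uint64_t mac_cats; };                    /* MAC attributes */
struct target  { int mac_level; uint64_t mac_cats; unsigned ff_flags; };  /* MAC + FF attributes */

/* MAC module: Bell-LaPadula, the 64 compartments held as one bitmask.
 * Read/execute needs the subject to dominate the target, write the reverse. */
static enum result mac_decide(enum request req, const struct subject *s, const struct target *t)
{
    bool s_dom = s->mac_level >= t->mac_level && (t->mac_cats & ~s->mac_cats) == 0;
    bool t_dom = t->mac_level >= s->mac_level && (s->mac_cats & ~t->mac_cats) == 0;
    if (req == R_WRITE) return t_dom ? GRANTED : NOT_GRANTED;
    return s_dom ? GRANTED : NOT_GRANTED;
}

/* FF module: a file flag denies a request type for everybody, else no opinion. */
static enum result ff_decide(enum request req, const struct subject *s, const struct target *t)
{
    (void)s;
    if ((t->ff_flags & FF_READ_ONLY) && req == R_WRITE)      return NOT_GRANTED;
    if ((t->ff_flags & FF_EXECUTE_ONLY) && req != R_EXECUTE) return NOT_GRANTED;
    return DO_NOT_CARE;
}

typedef enum result (*decide_fn)(enum request, const struct subject *, const struct target *);
static const decide_fn active_modules[] = { mac_decide, ff_decide };

/* Central decision component: combine all module results into one decision. */
enum result adf_request(enum request req, const struct subject *s, const struct target *t)
{
    for (size_t i = 0; i < sizeof active_modules / sizeof active_modules[0]; i++)
        if (active_modules[i](req, s, t) == NOT_GRANTED)
            return NOT_GRANTED;                 /* any veto wins; enforcement code denies */
    return GRANTED;                             /* only GRANTED / DO_NOT_CARE answers */
}
```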
In RSBAC version 1.2.3, the following modules are included. Please note that all
modules are optional. They are described in detail in a separate text.
- MAC: Bell-LaPadula Mandatory Access Control (compartments limited to a number of 64).
- FC: Functional Control. A simple role based model, restricting access to security
  information to security officers and access to system information to administrators.
- SIM: Security Information Modification. Only security administrators are allowed to modify
  data labeled as security information.
- PM: Privacy Model. Simone Fischer-Hübner's Privacy Model in its first implementation.
  See our paper on PM implementation (43K) for the National Information Systems Security
  Conference (NISSC 98).
- MS: Malware Scan. Scans all files for malware on execution (optionally on all file read
  accesses or on all TCP/UDP read accesses) and denies access if the file is infected.
  Currently the Linux viruses Bliss.A and Bliss.B and a handful of others are detected.
  From v1.2.0, a generic interface allows the scanning engine to be replaced by a kernel
  module at runtime. Also see our paper on Approaches to Integrated Malware Detection and
  Avoidance (34K) for The Third Nordic Workshop on Secure IT Systems (Nordsec'98).
- FF: File Flags. Provides and uses flags for dirs and files, currently execute_only (files),
  read_only (files and dirs), search_only (dirs), secure_delete (files), no_execute (files),
  add_inherited (files and dirs), no_rename_or_delete (files and dirs, no inheritance) and
  append_only (files and dirs). Only FF security officers may modify these flags.
- RC: Role Compatibility. Defines roles and types for each target type (file, dir, dev, ipc,
  scd, process). For each role, compatibility to all types and to other roles can be set
  individually and with request granularity. For administration there is a fine grained
  separation of duty. Granted rights can have a time limit. Please also refer to the
  Nordsec 2002 RC Paper for the detailed model design and specification.
- AUTH: Authorization enforcement. Controls all CHANGE_OWNER requests for process targets:
  only programs/processes with general setuid allowance and those with a capability for the
  target user ID may setuid. Capabilities can be controlled by other programs/processes,
  e.g. authentication daemons.
- ACL: Access Control Lists. For every object there is an Access Control List, defining which
  subjects may access this object with which request types. Subjects can be of type user, RC
  role and ACL group. Objects are grouped by their target type, but have individual ACLs. If
  there is no ACL entry for a subject at an object, rights are inherited from parent
  objects, restricted by an inheritance mask. Direct (user) and indirect (role, group)
  rights are accumulated. For each object type there is a default ACL on top of the normal
  hierarchy. Group management has been added in version 1.0.9a. Granted rights and group
  memberships can have a time limit.
- CAP: Linux Capabilities (new in 1.2.0). For all users and programs you can define a minimum
  and a maximum Linux capability set ("set of root special rights"). This lets you,
  e.g., run server programs as a normal user, or restrict the rights of root programs in the
  standard Linux way.
- JAIL: Process Jails (new in 1.2.1). This module adds a new system call rsbac_jail, which is
  basically a superset of the FreeBSD jail system call. It encapsulates the calling process
  and all subprocesses in a chroot environment with a fixed IP address and a lot of further
  restrictions.
- RES: Linux Resources (new in 1.2.2). For all users and programs you can define a minimum
  and a maximum Linux process resource set (e.g. memory size, number of open files, number
  of processes per user). Internally, these sets are applied to the standard Linux resource
  limits.
- PAX: PaX support (new in 1.2.3). Manages PaX (Pageexec) flags for all executables. See the
  PaX homepage at http://pax.grsecurity.net.
All decision modules are described in detail on the module
description page.
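The ACL module's lookup rule above (explicit entry wins, otherwise inherit from the parent through the inheritance mask, with a default ACL above the top of the hierarchy, and direct plus indirect rights accumulated) is easy to get wrong when you audit a configuration, so here is an added example (not RSBAC source code) that models it in C over a constructed three-level hierarchy. Rights are a plain bitmask here, time limits are left out, and the sample objects and subject ids are constructed.

```c
#include <stddef.h>

/* Constructed model of the ACL module's rights lookup (added example, not
 * RSBAC source): an explicit entry wins, otherwise rights are inherited from
 * the parent through the object's inheritance mask, with a default ACL above
 * the top of the hierarchy; direct (user) and indirect (role, group) rights
 * accumulate. Time limits on rights are left out of this model. */
#define RIGHT_READ  0x1u
#define RIGHT_WRITE 0x2u
#define RIGHT_EXEC  0x4u
#define MAX_ENTRIES 4

enum subj_kind { SUBJ_USER, SUBJ_ROLE, SUBJ_GROUP };
struct subj { enum subj_kind kind; int id; };
struct acl_entry { struct subj who; unsigned rights; };
struct object {
    const struct object *parent;        /* NULL only above the default ACL */
    unsigned inherit_mask;              /* limits what flows down from the parent */
    struct acl_entry acl[MAX_ENTRIES];
    int n_entries;
};

/* Rights one single subject identity holds at obj. */
static unsigned subject_rights(const struct object *obj, struct subj s)
{
    if (obj == NULL) return 0;                            /* nothing above the default ACL */
    for (int i = 0; i < obj->n_entries; i++)
        if (obj->acl[i].who.kind == s.kind && obj->acl[i].who.id == s.id)
            return obj->acl[i].rights;                    /* explicit entry: no inheritance */
    return subject_rights(obj->parent, s) & obj->inherit_mask;
}

/* Effective rights of a caller carrying several identities (user, role, groups). */
unsigned effective_rights(const struct object *obj, const struct subj *ids, int n)
{
    unsigned acc = 0;
    for (int i = 0; i < n; i++) acc |= subject_rights(obj, ids[i]);
    return acc;
}

/* Constructed sample hierarchy: default ACL -> /home -> /home/alice/notes. */
const struct object default_acl = { NULL, 0xFu, { { {SUBJ_ROLE, 2}, RIGHT_READ } }, 1 };
const struct object dir_home    = { &default_acl, RIGHT_READ | RIGHT_EXEC,
                                    { { {SUBJ_GROUP, 5}, RIGHT_READ | RIGHT_WRITE | RIGHT_EXEC } }, 1 };
const struct object file_notes  = { &dir_home, RIGHT_READ,        /* mask drops inherited write */
                                    { { {SUBJ_USER, 1000}, RIGHT_WRITE } }, 1 };
```

With user 1000, role 2 and group 5 combined, the caller ends up with read and write on file_notes: write from its own entry, read inherited through the mask from the group entry on /home and from the role entry in the default ACL.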
A general goal of the RSBAC design has been to some day reach the (obsolete) Orange Book
(TCSEC) B1 level. Today it mostly targets being useful as a secure, multi-purpose
networked system, with special interest in firewalls.
15-Jun-04, -ao