Note: Please see the Security Modules page for more information about the different modules and the model they provide
In the following table, you can find a summary of every available module.
The Code Name is the name RSBAC uses to identify that module.
The Use column helps out if you are not sure of what modules to use:
The Short description column links to a description of the module in the current page.
The In depth description column links to a section completely dedicated to this module, explaining the functionality and usage in details.
| Module Name | Code name | Use | Short description | In depth description |
|---|---|---|---|---|
| Authenticated User | AUTH | Always | Authenticate Users | Yes |
| Role Compatibility | RC | Likely | Role based access control | Yes |
| Jail | JAIL | Likely | Encapsulation of individual processes | Yes |
| Linux Capacities | CAP | Likely | Manages Linux Capacities | Yes |
| Pageexec | PAX | Likely | Prevention against unwanted code execution | No |
| Dazuko | DAZ | Optional | On-access anti-virus scanner | Yes |
| User Space Decision Facility (from 1.4.8) | UDF | Optional | User space decisions, e.g. malware scanning | No |
| File Flags | FF | Optional | Set special access control flags per file/dir | Yes |
| Linux Resources | RES | Optional | Manages Linux Resources | No |
| User Management | UM | Optional | Manage system Users in kernel | Yes |
| Access Control Lists | ACL | Optional | Extensive Access Control Lists | Yes |
| Privacy Model (removed in 1.4.8) | PM | Optional | Controls data privacy in conformance to EU laws | No |
| Mandatory Access Control | MAC | Unlikely | Multi Layer Access Control | Yes |
Alright, the above table pretty much sums up what modules are offered to you, what they do, and how likely it is that you want to use them. Quite a few of them are very case specific however. When you know them all in details, you will be able to choose by yourself what fits your requirements.
To get your started, here are a few safe combinations that are commonly used:
Note: the modules in brackets are left to your consideration. Enabling them won't make things harder.
| Standard server | AUTH,RC,JAIL,CAP,[RES] |
|---|---|
| Standard desktop | AUTH,RC,JAIL,[CAP] |
| Minimum desktop | AUTH,FF,JAIL,[CAP] |
The Minimum desktop set is the easiest to deal with. You will only have to setup AUTH (means, what application can switch to what user id) to have a usable system. You can then experiment with FF, to set attributes to directories paths, and with JAIL, by Jailing for example your web browser and mail client.
The Standard desktop raises the level, with RC. You will have to understand this model and set it system-wide before your system becomes usable. However, this is far more powerful and after a while, it will be easier for you to secure your system using RC than with FF or ACL modules. Like with the minimum desktop, you can jail your web browser or other sensitive applications with the JAIL module.
Finally, the standard server comes with a similar setup. Jail your services, setup RC system wide, and you may want to add a few more modules, like DAZ for the virus scanning, RES to control system resources etc.
In every case, make sure that you understand every module you are using. Test them (you can use the Live CD to do this without destroying your system), until you feel comfortable with them.
Table of Contents: RSBAC Handbook
Previous: Logging
Next: selecting_models