Logging Facility

The Access Control Decision Facility (ADF) also provides a powerful logging system.

It is possible to log events, depending on the request, target type, user, executable and target object (with individual settings for the files, directories, fifos, links, devices, and network objects).

Some of the features have to be enabled in the kernel configuration to be available.

It is also possible to log pseudonyms instead of real user IDs, thus providing some user privacy. The current implementation also hides some user-specific directory names (e.g. /home/userid/...).

Logged items are:

  • request
  • process ID
  • parent process ID
  • process name
  • program file
  • real or pseudonymous user ID who triggered the event
  • real or pseudonymous original user ID of the process itself (if different from above)
  • IP address the user connected from (if any)
  • target type
  • target ID
  • attribute type
  • attribute value
  • ADF decision
  • names of the modules that returned the above ADF decision

The logging format is standardised for automatic log processing and/or intrusion detection.

The following algorithm is used:

  1. If individual user logging is active and the user’s log level for this request type is:
    • none: go to step 2
    • full: log
  2. If individual program logging is active and the program’s log level for this request type is:
    • none: go to step 3
    • full: log
  3. If individual object logging is active, the object is of type file, dir, fifo, symlink, device or network object, and the object’s log level for the request type is:
    • none: no logging
    • denied: log if result is NOT_GRANTED, else no logging
    • full: log
    • request based (default value): go to step 4
  4. If the log level for the request and target type combination is:
    • none: no logging
    • denied: log if result is NOT_GRANTED, else no logging
    • full: log
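The four-step decision above, written out as a small reference implementation so the precedence rules can be checked against concrete cases. This is an added example, not RSBAC's own kernel code: the level names, the `LogContext` fields, the "netobj" type name and the assumption that an unset request/target-type entry in step 4 means "none" are all modelling choices made here.

```python
"""Reference model of the RSBAC logging decision (added example, not kernel code)."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

GRANTED = "GRANTED"
NOT_GRANTED = "NOT_GRANTED"

# Object types whose per-object log level is consulted in step 3.
# "netobj" is an assumed short name for the handbook's "network object".
OBJECT_LOGGED_TYPES = {"file", "dir", "fifo", "symlink", "device", "netobj"}


@dataclass
class LogContext:
    request: str                           # request name, e.g. "READ_OPEN" (constructed)
    target_type: str                       # e.g. "file", "process"
    decision: str                          # GRANTED or NOT_GRANTED (the ADF result)
    # None models "individual logging not active" for that dimension.
    user_level: Optional[str] = None       # "none" | "full"
    program_level: Optional[str] = None    # "none" | "full"
    object_level: Optional[str] = None     # "none" | "denied" | "full" | "request_based"
    # Step-4 table: (request, target_type) -> "none" | "denied" | "full".
    request_levels: Dict[Tuple[str, str], str] = field(default_factory=dict)


def should_log(ctx: LogContext) -> bool:
    """Return True if this event is logged under the handbook's algorithm."""
    # Step 1: a user set to "full" always logs; "none" or inactive falls through.
    if ctx.user_level == "full":
        return True
    # Step 2: same rule for the program.
    if ctx.program_level == "full":
        return True
    # Step 3: per-object level, only for the listed object types.
    if ctx.object_level is not None and ctx.target_type in OBJECT_LOGGED_TYPES:
        if ctx.object_level == "none":
            return False                      # overrides step 4 entirely
        if ctx.object_level == "denied":
            return ctx.decision == NOT_GRANTED
        if ctx.object_level == "full":
            return True
        # "request_based" (the default) continues to step 4.
    # Step 4: request / target-type combination. Assumption: unset means "none".
    level = ctx.request_levels.get((ctx.request, ctx.target_type), "none")
    if level == "full":
        return True
    if level == "denied":
        return ctx.decision == NOT_GRANTED
    return False
```

Note that an object level of "none" suppresses logging even when the step-4 table says "full", while a user or program level of "full" wins over everything later.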

Logging can be very useful in many situations. For example, you can find out what a program is really doing for debugging purposes. You can also monitor a suspicious program or user, or simply have a program analyse the output to either help create new security policies or check for suspicious activity automatically.


documentation/rsbac_handbook/architecture_implementation/framework_components/logging_facility.txt · Last modified: 2007/03/10 22:23 by caspar