=>  RSBAC Handbook

RSBAC Handbook

Preface

Introduction

Architecture

User Management

Security Modules

Installation

Configuration

Maintenance

Appendixes

=>  Releases

Stable: 1.4.4
kernel:

  • 2.6.33+

Full RSBAC kernels
Lazy of patching ? Get the already rsbac-patched kernel. Choose your flavor.

Classic kernels
Includes vanilla kernel with the RSBAC patch

  • 2.6.33

Enhanced kernels
PaX+RSBAC kernels

  • 2.6.33 (20100421)

Debian repository
Also works for Ubuntu and other Debian-based distributions, of course

GIT
Cutting edge RSBAC source code, can be unstable sometimes
Kernel | Tools

=>  Events

No events planned

Protection Against Unwanted Execution

Administration Goals

Protect against execution of uncontrolled files or libraries.

Common Steps for All Models

  • Identify all directories containing executables and all single executables in other directories. Also, identify all directories containing dynamically linked libraries and all such single library files in other directories. As long as the most important directories, e.g. /sbin, /bin, /usr/sbin, /usr/bin, and files, e.g. /lib/*.so* and /usr/lib/*.so* are included, you can find the rest with trial and error later.
  • Attention: If you miss an important directory or file during identification or attribute setting, the system might become unaccessible, because important programs cannot be executed or important libraries cannot be mmapped for execution!

FF Solution

  1. Remove add_inherited flag for all identified directories.
  2. Remove add_inherited flag for all identified separate executables and libraries
  3. Set no_execute flag on top dir
  4. Without add_inherited, the no_execute flag is not inherited and thus not applied to the identified dirs and separate executables

RC Solution

  1. Perform steps 1-5 from RC solution 2. Make a similar setup for library directories and files with another type ‘Libraries’.
  2. Remove EXECUTE and MAP_EXEC rights to all types other than ‘Executables’ and ‘Libraries’ from all roles. For setup checking, remove the right for your Role Admin last and first try other roles.

ACL Solution

  1. Grant rights SEARCH and EXECUTE to group 0 (’Everyone’) for all identified directories and files.
  2. If you need to READ_OPEN the files, e.g. libraries or scripts, add rights READ_OPEN and CLOSE.
  3. For filename completion in the shell, you need READ right, possibly also GET_STATUS_DATA or GET_PERMISSIONS_DATA.
  4. Remove right EXECUTE from the inheritance mask of the root dir / or from all entries in the default FD acl.
  5. If you have individual ACL entries at any directory or file other than the identified ones, revoke EXECUTE right from them. You can find all ACL entries with acl_tlist -r.
  6. As the SUPERVISOR right includes all other rights and can (usually) not be masked out, all subjects with SUPERVISOR still have full access. In the standard setup, only user 400 (Security Officer etc.) has this right to the FD default ACL (and thus to all files, fifos and directories).


Table of Contents: RSBAC Handbook
Back: Administration Examples

 

documentation/rsbac_handbook/configuration_basics/administration_examples/protection_against_execution.txt · Last modified: 2006/05/17 17:52 by kang
This website is kindly hosted by m-privacy