===== Base System Protection =====

We can split the base system into different system objects, or elements.

=== Filesystem Structure ===

There are common, default directories that contain the base programs needed to run your operating system. The most common ones are:

  * /bin, /usr/bin (default binaries)
  * /sbin, /usr/sbin (default binaries usable by the superuser only)
  * /etc (configuration data)
  * /tmp (temporary space, can be used by anyone)
  * /var (variable data, used by services and daemons)
  * /home (user data)
  * /lib, /usr/lib (program libraries)
  * /proc, /sys (volatile filesystems)
  * /boot, /lib/modules, /dev/kmem (kernel data and modules)

=== Executables ===

// /bin, /sbin, /usr/bin, /usr/sbin //

Program files can be replaced, infected by trojans, viruses or worms, or even deleted. They should only be executed to do their task, and never be tampered with.

=== Dynamic Libraries ===

// /lib, /usr/lib //

Like program files, libraries contain executable code and thus can be infected, deleted, etc. Many programs access the same libraries, so getting control over one single library can give you control over several programs.

=== Configuration Files ===

// /etc //

A program's behaviour is driven by its configuration files. They may also contain sensitive data. They should only be readable by their associated program.

=== Kernel Objects ===

// /boot, /lib/modules, /dev/kmem //

The kernel code and loadable modules are stored as files on disk. Modifying any of them may grant total system control. Additionally, standard Linux kernels give the system administrator raw access to kernel memory through devices and special files. This can be used to bypass the official kernel entry points and get the same kind of complete system control.

=== Devices ===

// /dev //

Direct access to media devices, like disk partitions, bypasses the access control on individual filesystem objects and thus must be prevented.
Some devices also provide extra functionality, which is not available otherwise.

=== Authentication Data ===

// /etc/passwd, /etc/shadow, setuid, or RSBAC UM //

The data used for authentication is a critical point for access control. RSBAC has two modules written especially for authentication needs (AUTH and UM). Authentication data must be protected from all accesses which are not strictly necessary, and carefully verified.

=== Network Resources ===

Remote servers as well as local network sockets provide essential network services to many users. This means many opportunities to compromise the system, and a way to reach it. While the firewall protects mainly from external systems, we can ensure that the loopback network features and local users are protected inside the machine.

=== Other Objects ===

There are always other objects to be taken into account. For example, ''/var/log'' holds logging data, boot loaders need special rights, hardware ports have to be considered, etc. These additional base system settings depend greatly on your own system configuration.
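
The classic Unix permission bits on the objects listed above (executables, libraries, configuration files, authentication data) can be audited with a short script before any RSBAC policy is layered on top. This is an added example, not part of the RSBAC handbook or RSBAC's tools; the ''ROLES'' table, the rules and the function names are assumptions made for illustration, and it inspects mode bits only, not RSBAC attributes.

```python
import os
import stat

# Assumed role per base-system directory named on this page (illustrative).
ROLES = {"bin": "code", "sbin": "code", "usr/bin": "code", "usr/sbin": "code",
         "lib": "code", "usr/lib": "code", "boot": "code", "etc": "config"}
SECRET_FILES = {"etc/shadow"}  # authentication data: no access for "other"


def check_mode(rel, mode, role):
    """Return (path, issue) findings for one object from its st_mode."""
    if stat.S_ISLNK(mode):
        return []  # symlink mode bits carry no meaning on Linux
    findings = []
    sticky_dir = stat.S_ISDIR(mode) and mode & stat.S_ISVTX
    if mode & stat.S_IWOTH and not sticky_dir:
        findings.append((rel, "world-writable"))
    if role == "code" and mode & stat.S_IWGRP:
        findings.append((rel, "group-writable code"))
    if stat.S_ISREG(mode) and mode & (stat.S_ISUID | stat.S_ISGID):
        findings.append((rel, "setuid/setgid, review"))
    if rel in SECRET_FILES and mode & (stat.S_IROTH | stat.S_IWOTH):
        findings.append((rel, "secret accessible by other"))
    return findings


def audit(root="/"):
    """Walk the directories in ROLES below root and collect all findings."""
    findings = set()
    for top, role in ROLES.items():
        for dirpath, _dirs, files in os.walk(os.path.join(root, top)):
            for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
                try:
                    mode = os.lstat(path).st_mode
                except OSError:
                    continue  # vanished or unreadable: skip, do not abort
                findings.update(check_mode(os.path.relpath(path, root), mode, role))
    return sorted(findings)


if __name__ == "__main__":
    for rel, issue in audit("/"):
        print(f"{issue:28} /{rel}")
```

Passing a mounted image or chroot as ''root'' audits that tree instead of the running system.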