We can split down the base system into different system objects, or elements.

There are common, default directories that contain the base programs needed to run your operating system. Most common ones are:

• /bin, /usr/bin (default binaries)
• /sbin, /usr/sbin (default binaries useable by the superuser only)
• /etc (configuration data)
• /tmp (temporary space, can be used by anyone)
• /var (variable data, used by services and daemons)
• /home (user data)
• /lib, /usr/lib (program libraries)
• /proc, /sys (volatile filesystem)
• /boot, /lib/modules, /dev/kmem (kernel data and modules)

/bin, /sbin, /usr/bin, /usr/sbin

Program files are subject to be replaced, infected by trojans, viruses, worms, or even deleted. They must be executed only and do their task, but not tampered with.

/lib, /usr/lib

Like program files, libraries contain executable code and thus can be infected, deleted, etc. Many programs access the same libraries, so getting control over one single library can give you the control over several programs.

/etc

Program's behaviour are driven by their configuration files. They may also contain sensitive data. They should only be readable by their associated program.

/boot, /lib/modules, /dev/kmem

The kernel code and loadable modules are stored as files on disk. Modifying any of them may grant total system control.

Additionally, standard Linux kernels give the system administrator raw access to kernel memory through devices and special files. This can be used to bypass the official kernel entry points and get the same kind of complete system control.

/dev

Direct access to media devices, like disk partitions, bypasses the filesystem individual object access control and thus must be prevented. Some devices also provide extra functionality, which is not available otherwise.

/etc/passwd, /etc/shadow, setuid, or RSBAC UM

The data used for authentication is a critical point for the access control. RSBAC has two modules especially written for authentification needs (AUTH and UM) They must be protected from all accesses which are not strictly necessary, and carefully verified.

Remote servers as well as local network sockets provide essential network services to many users. This means many possibilities to compromise the system, and a possibility to reach your system. While the firewall protects mainly from external systems, we can ensure that the loopback network features and local users are protected inside the machine.

There are always other objects to be taken into account. For example, /var/log holds logging data, boot loaders needs special rights, hardware ports, etc. These additional base system settings depend greatly on your own system configuration.

Table of Contents: RSBAC Handbook
Previous: Configuration
Next: Service Encapsulation