Current version
Git/Latestdiff: 1.5.6
Latest Snapshots
Produced after each commit or rebase to new upstream version
GIT
RSBAC source code, can be unstable sometimes
No events planned
We can split down the base system into different system objects, or elements.
There are common, default directories that contain the base programs needed to run your operating system. Most common ones are:
/bin, /sbin, /usr/bin, /usr/sbin
Program files are subject to be replaced, infected by trojans, viruses, worms, or even deleted. They must be executed only and do their task, but not tampered with.
/lib, /usr/lib
Like program files, libraries contain executable code and thus can be infected, deleted, etc. Many programs access the same libraries, so getting control over one single library can give you the control over several programs.
/etc
Program's behaviour are driven by their configuration files. They may also contain sensitive data. They should only be readable by their associated program.
/boot, /lib/modules, /dev/kmem
The kernel code and loadable modules are stored as files on disk. Modifying any of them may grant total system control.
Additionally, standard Linux kernels give the system administrator raw access to kernel memory through devices and special files. This can be used to bypass the official kernel entry points and get the same kind of complete system control.
/dev
Direct access to media devices, like disk partitions, bypasses the filesystem individual object access control and thus must be prevented. Some devices also provide extra functionality, which is not available otherwise.
/etc/passwd, /etc/shadow, setuid, or RSBAC UM
The data used for authentication is a critical point for the access control. RSBAC has two modules especially written for authentification needs (AUTH and UM) They must be protected from all accesses which are not strictly necessary, and carefully verified.
Remote servers as well as local network sockets provide essential network services to many users. This means many possibilities to compromise the system, and a possibility to reach your system. While the firewall protects mainly from external systems, we can ensure that the loopback network features and local users are protected inside the machine.
There are always other objects to be taken into account.
For example, /var/log
holds logging data, boot loaders needs special rights, hardware ports, etc.
These additional base system settings depend greatly on your own system configuration.
Table of Contents: RSBAC Handbook
Previous: Configuration
Next: Service Encapsulation