https://www.rsbac.org/ 2026-04-27T17:09:09+00:00 https://www.rsbac.org/ https://www.rsbac.org/lib/tpl/rsbac/images/favicon.ico text/html 2006-05-02T13:40:25+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.rsbac.org/documentation/administration_examples/network_access_control?rev=1146577225&do=diff Basics Due to the short lived nature of network connections and their related network objects, a scheme of Network Templates has been developed in RSBAC. Network templates describe a set of connection endpoints, which shall be controlled together. Administration is done on the templates instead of the individual network endpoints. Each endpoint inherits the access control settings of the first template it matches. Templates are checked from lowest to highest index number. text/html 2006-05-02T13:40:25+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.rsbac.org/documentation/administration_examples/pm?rev=1146577225&do=diff For demonstration purposes a simple application example has been developed together with Simone Fischer-Hübner. Although several modules are used, our focus clearly lay on the privacy model, being the most complex and powerful. Other modules are used for special purposes. text/html 2006-05-02T13:40:25+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.rsbac.org/documentation/administration_examples/protection_against_execution?rev=1146577225&do=diff Administration Goals * Protect against execution of uncontrolled files or libraries Common steps for all models * Identify all directories containing executables and all single executables in other directories. Also, identify all directories containing dynamically linked libraries and all such single library files in other directories. As long as the most important directories, e.g. /sbin, /bin, /usr/sbin, /usr/bin, and files, e.g. /lib/*.so* and /usr/lib/*.so* are included, you can find … text/html 2006-05-02T13:40:25+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.rsbac.org/documentation/administration_examples/rsbac_samples?rev=1146577225&do=diff There are some simple things you can do, which already increase desktop user as well as server security without interaction: JAIL * Start Mozilla, etc. in an RSBAC jail without chroot: it will hide all other processes from Mozilla and disallow dirty networking tricks. Try text/html 2006-05-02T13:40:25+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.rsbac.org/documentation/administration_examples/syslog-ng?rev=1146577225&do=diff You can use syslog-ng to log RSBAC log messages. Setting up syslog-ng Disable logging to system log with the “rsbac_nosyslog” kernel flag, or echo “debug nosyslog 1” > /proc/rsbac-info/debug at runtime. You need the kernel option “CONFIG_RSBAC_RMSG_NOSYSLOG text/html 2006-05-02T13:40:25+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.rsbac.org/documentation/administration_examples/tampering_protection_for_exec?rev=1146577225&do=diff Administration Goal Protect all executables, e.g. below /sbin, against tampering Common steps for all models * Identify all directories containing executables and all single executables in other directories. As long as the most important directories, e.g. /sbin, /bin, /usr/sbin, /usr/bin, are included, you can find the rest with trial and error later. text/html 2006-05-02T13:40:25+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.rsbac.org/documentation/administration_examples/tips?rev=1146577225&do=diff Want to know -on the fly- if the softmode has been enabled ? Simple with bash: PROMPT_COMMAND='cat /proc/rsbac-info/active|grep SOFTMODE > /dev/null \ && mode=$(echo -e "\e[31;01m") \ || mode=$(echo -e "\e[34;01m")' PS1='\[\033[32;01m\]\u@$mode\h\[\033[0;m\]:\w\$ ' text/html 2006-05-02T13:40:25+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.rsbac.org/documentation/administration_examples/user_management?rev=1146577225&do=diff Problems of traditional Linux user management subsystem The traditional Linux user management, specially the common passwd/shadow scheme with PAM, has several security problems: * PAM libraries running in process context: The PAM libraries are mapped into every process, which has to authenticate users or change user accounts. This means that every single such process must have read or even write access to sensitive authentication data, and an exploit in only one of them reveals all this sens…