home [RSBAC- Extending Linux Security Beyond the Limits]


HOME

The most important changes since 1.4.9 are the port to longterm kernel 4.4 and the new feature “Prevent memory write and execute (RSBAC mprotect)”, which prevents process memory segments from being both writable and executable. This new hardening feature made me choose a new middle version number. The change lists are here: Kernel changes

DOCUMENTATION [RSBAC: EXTENDING LINUX SECURITY BEYOND THE

The new RSBAC book “Amon Ott: Mandatory Rule Set Based Access Control in Linux” covers all the concepts and background of the RSBAC framework as well as the RC model with AUTH and ACL. It can be ordered through your local book seller (ISBN 978-3-8322-6423-9) or directly from the publisher. The table of contents, abstracts in German and English and an electronic version are available as PDF

DOWNLOAD

Rule Set Based Access Control, Free Open Source Access Control for Linux

WHY

RSBAC: A framework. RSBAC is a flexible, powerful and fast (low overhead) open source access control framework for current Linux kernels, which has been in stable production use since January 2000 (version 1.0.9a). All development is independent of governments and big companies, and no existing access control code has been reused.

DOCUMENTATION:RSBAC_HANDBOOK:SECURITY_MODELS [RSBAC

The checker program has to exit with 0 for “allow”, 1 for “deny”, 254 for “temporary failure, allow” (do not cache) or 255 for “temporary failure, deny” (do not cache). Any other exit code is undefined, but for now treated as “deny”. If the checker got killed by a signal, it is treated as “temporary failure, deny”.

DOCUMENTATION:RSBAC_HANDBOOK:CONFIGURATION_BASICS

A small medical treatment center wants to use a centralized data management. High level privacy is to be guaranteed for all patient data, but statistical research on operations and selective data transmission to other centers must remain possible.

THE ‘RULE SET BASED ACCESS CONTROL’ (RSBAC) FRAMEWORK FOR

The ‘Rule Set Based Access Control’ (RSBAC) Framework for Linux Amon Ott Compuniverse D-22949 Ammersbek / Germany Email: ao@compuniverse.de

THE RULE SET BASED ACCESS CONTROL (RSBAC) LINUX KERNEL

The Rule Set Based Access Control (RSBAC) system is an open source security extension to current Linux kernels, which has been continuously developed for several years.

DOCUMENTATION:WRITE_YOUR_DECISION_MODULE [RSBAC: EXTENDING

Please do not change any values or remove items, unless you know exactly what you are doing - other models depend on them. #include int rsbac_get_attr (enum rsbac_target_t target, union rsbac_target_id_t tid, enum rsbac_attribute_t attr, union rsbac_attribute_value_t * attr_val_p, boolean inherit); /* read an attribute value, possibly inherited */ int rsbac_set_attr (enum rsbac

THE ROLE COMPATIBILITY SECURITY MODEL

Processes as subjects can perform some model relevant actions:

changeowner tn(p:process, u:user) := change owner of process p to u at time n
clone tn(p1:process, p2:process) := creation of process p2 by parent process p1 at time n
execute tn(p:process, f:file) := start execution of program file f in process p at time n
createfs tn(p:process, f:filesystem object) := creation of filesystem object

DOCUMENTATION:RSBAC_HANDBOOK:CONFIGURATION_BASICS

Start Mozilla, etc. in an RSBAC jail without chroot: it will hide all other processes from Mozilla and disallow dirty networking tricks. Try rsbac_jail -ldD /usr/bin/mozilla-suite

CONTENTS II: RULE SET BASED ACCESS CONTROL (RSBAC)

Contents IV: 8 Practical Experience 8.1 Running Systems 8.2 Stability 8.3 Performance 9 Online Resources 10 Outlook 1 Introduction 1.1 History 1.2 Motivation

ARCHITECTURE OF RULE SET BASED ACCESS CONTROL (RSBAC

a “CREATE” request for the target directory, creates the file and informs the decision facility of the new object. Otherwise a “TRUNCATE” request is

CONTENTS II: RULE SET BASED ACCESS CONTROL (RSBAC)

Rule Set Based Access Control (RSBAC) Linux Kernel Security Extension Linux Kongress 2004 - One Day Workshop Amon Ott Contents: 1 Introduction to RSBAC

DOCUMENTATION:WHY_RSBAC_DOES_NOT_USE_LSM [RSBAC: EXTENDING

The LSM security_ops array for RSBAC contains 32 decision and 5 notification entries, some of which are conditional. There are still 95 decision (rsbac_adf_request) and 39 notification (rsbac_adf_set_attr) calls left in the RSBAC patch.

III: CONTENTS (RSBAC)

Rule Set Based Access Control (RSBAC) Linux Kernel Security Extension Tutorial Amon Ott Contents: 1 Motivation: Why We Need Better Security

(RSBAC) CONTROL ACCESS

Contents II: 3 Implemented Models 3.1 MAC, FC and SIM 3.2 PM, MS and FF 3.3 AUTH 3.4 RC 3.5 ACL 3.6 CAP 4 Installation under Linux 4.1 Linux Kernel 4.2

(RSBAC) CONTROL

Contents II: 3 Implemented Models 3.1 MAC, FC and SIM 3.2 PM, MS and FF 3.3 AUTH 3.4 RC 3.5 ACL 4 Installation under Linux 4.1 Linux Kernel 4.2 Administration


RSBAC: ALPHABETICAL LIST

RSBAC Data Structure Index. A | D | E | F | G | H | O | P | R | S | T | X. A

A ROLE-COMPATIBILITY MODEL FOR SECURE SYSTEM ADMINISTRATION

Introduction. Recently, role-based access controls have emerged and have received considerable attention as a method of security administration. We have developed a Role-Compatibility Model (RC Model) that can be used to define roles as a set of access permissions to compatible object types, and which is most useful for secure system

RULE-SET MODELING OF A TRUSTED COMPUTER SYSTEM

Essay 9 Rule-Set Modeling of a Trusted Computer System Leonard J. LaPadula This essay describes a new approach to formal modeling of a

DOCUMENTATION:FEATURES [RSBAC: EXTENDING LINUX SECURITY

Symlink redirection (symlinks can redirect to another location by role, by uid, by security level or by remote address)

RSBAC - A FRAMEWORK FOR ENHANCED LINUX SYSTEM SECURITY

RSBAC - a framework for enhanced Linux system security Marek Jawurek RWTH-Aachen Abstract Operating systems traditionally bring their own means of protection against any kind of threats.

MIRRORS

The rsbac.org domain is located in Germany. Please choose a local mirror to save international bandwidth and get faster access.

TODO

Real model driven logging model - extend the decision return code to also signal whether this module requests logging. Still, we could use the object based logging

DOCUMENTATION:RSBAC_HANDBOOK:SECURITY_MODELS:MAC [RSBAC

The first property to be maintained is the simple security property (no read-up). This property states that a subject Si may have read access to an object Oj ((Si,Oj,r) or (Si,Oj,w) is a

WIKI:SYNTAX [RSBAC: EXTENDING LINUX SECURITY BEYOND THE

DokuWiki supports some simple markup language, which tries to make the datafiles to be as readable as possible. This page contains all possible syntax you may use when editing the pages. Simply have a look at the source of this page by pressing “Edit this page”.

THE RSBAC MODELS

3.1. The modules/models provided with RSBAC. If you employ RSBAC you have to try to limit yourself to using the modules/models you really need - and, most important: that you really understand. The 'common' needs are covered quite well by using a combination of the AUTH, RC and FF models. I will describe some of the most used models and modules below.

HOME LINKSFANSCONTACTDOWNLOADWHYTODO The most important changes since 1.4.9 are the port to longterm kernel 4.4 and the new feature “Prevent memory write and execute (RSBAC mprotect)” to prevent against process memory segments being both writable and executable. This new hardening feature made me choose a new middle version number. The change lists are here: Kernel changes DOCUMENTATION [RSBAC: EXTENDING LINUX SECURITY BEYOND THE The new RSBAC book “Amon Ott: Mandatory Rule Set Based Access Control in Linux” covers all the concepts and background of the RSBAC framework as well as the RC model with AUTH and ACL.It can be ordered through your local book seller (ISBN 978-3-8322-6423-9) or directly from the publisher.. The table of contents, abstracts in German and English and an electronic version are available as PDF

DOWNLOAD

Rule Set Based Access Control, Free Open Source Access Control for

Linux

WHY

RSBAC: A framework. RSBAC is a flexible, powerful and fast ( low overhead) open source access control framework for current Linux kernels, which has been in stable production use since January 2000 (version 1.0.9a). All development is independent of governments and big companies, and no existing access control code has been reused. DOCUMENTATION:RSBAC_HANDBOOK:SECURITY_MODELS [RSBAC The checker program has to exit with 0 for “allow”, 1 for “deny”, 254 for “temporary failure, allow” (do not cache) or 255 for “temporary failure, deny” (do not cache). Any other exit code is undefined, but for now treated as “deny”. If the checker got killed by a signal, it is treated as “temporary failure,

deny”.

RSBAC: ALPHABETICAL LIST RSBAC Data Structure Index. A | D | E | F | G | H | O | P | R | S | T

| X. A

DOCUMENTATION:WRITE_YOUR_DECISION_MODULE [RSBAC: EXTENDING Please do not change any values or remove items, unless you know exactly what you are doing - other models depend on them. #include int rsbac_get_attr (enum rsbac_target_t target, union rsbac_target_id_t tid, enum rsbac_attribute_t attr, union rsbac_attribute_value_t * attr_val_p, boolean inherit); /* read an attribute value, possibly inherited */ int rsbac_set_attr (enum rsbac A ROLE-COMPATIBILITY MODEL FOR SECURE SYSTEM ADMINISTRATION Introduction. Recently, role-based access controls have emerged and have received considerable attention as a method of security administration. We have developed a Role-Compatibility Model (RC Model) that can be used to define roles as a set of access permissions to compatible object types, and which is most useful for secure system THE ROLE COMPATIBILITY SECURITY MODEL Processes as subjects can perform some model relevant actions: changeowner tn(p:process, u:user) := change owner of process p to u at time n clone tn(p 1:process, p 2:process) := creation of process p 2 by parent process p 1 at time n execute tn(p:process, f: le) := start execution of program le f in process p at time n createfs tn(p:process, f: lesystem object) := creation of lesystem object RULE-SET MODELING OF A TRUSTED COMPUTER SYSTEM 5XOH 6HW0RGHOLQJRID7UXVWHG&RPSXWHU6\VWHP ˙ˆ Essay 9 Rule-Set Modeling of a Trusted Computer System Leonard J. LaPadula 7KLVHVVD\GHVFULEHVDQHZDSSURDFKWRIRUPDOPRGHOLQJRID HOME LINKSFANSCONTACTDOWNLOADWHYTODO The most important changes since 1.4.9 are the port to longterm kernel 4.4 and the new feature “Prevent memory write and execute (RSBAC mprotect)” to prevent against process memory segments being both writable and executable. This new hardening feature made me choose a new middle version number. 
The change lists are here: Kernel changes DOCUMENTATION [RSBAC: EXTENDING LINUX SECURITY BEYOND THE The new RSBAC book “Amon Ott: Mandatory Rule Set Based Access Control in Linux” covers all the concepts and background of the RSBAC framework as well as the RC model with AUTH and ACL.It can be ordered through your local book seller (ISBN 978-3-8322-6423-9) or directly from the publisher.. The table of contents, abstracts in German and English and an electronic version are available as PDF

DOWNLOAD

Rule Set Based Access Control, Free Open Source Access Control for

Linux

WHY

RSBAC: A framework. RSBAC is a flexible, powerful and fast ( low overhead) open source access control framework for current Linux kernels, which has been in stable production use since January 2000 (version 1.0.9a). All development is independent of governments and big companies, and no existing access control code has been reused. DOCUMENTATION:RSBAC_HANDBOOK:SECURITY_MODELS [RSBAC The checker program has to exit with 0 for “allow”, 1 for “deny”, 254 for “temporary failure, allow” (do not cache) or 255 for “temporary failure, deny” (do not cache). Any other exit code is undefined, but for now treated as “deny”. If the checker got killed by a signal, it is treated as “temporary failure,

deny”.

RSBAC: ALPHABETICAL LIST RSBAC Data Structure Index. A | D | E | F | G | H | O | P | R | S | T

| X. A

DOCUMENTATION:WRITE_YOUR_DECISION_MODULE [RSBAC: EXTENDING Please do not change any values or remove items, unless you know exactly what you are doing - other models depend on them. #include int rsbac_get_attr (enum rsbac_target_t target, union rsbac_target_id_t tid, enum rsbac_attribute_t attr, union rsbac_attribute_value_t * attr_val_p, boolean inherit); /* read an attribute value, possibly inherited */ int rsbac_set_attr (enum rsbac A ROLE-COMPATIBILITY MODEL FOR SECURE SYSTEM ADMINISTRATION Introduction. Recently, role-based access controls have emerged and have received considerable attention as a method of security administration. We have developed a Role-Compatibility Model (RC Model) that can be used to define roles as a set of access permissions to compatible object types, and which is most useful for secure system THE ROLE COMPATIBILITY SECURITY MODEL Processes as subjects can perform some model relevant actions: changeowner tn(p:process, u:user) := change owner of process p to u at time n clone tn(p 1:process, p 2:process) := creation of process p 2 by parent process p 1 at time n execute tn(p:process, f: le) := start execution of program le f in process p at time n createfs tn(p:process, f: lesystem object) := creation of lesystem object RULE-SET MODELING OF A TRUSTED COMPUTER SYSTEM 5XOH 6HW0RGHOLQJRID7UXVWHG&RPSXWHU6\VWHP ˙ˆ Essay 9 Rule-Set Modeling of a Trusted Computer System Leonard J. LaPadula 7KLVHVVD\GHVFULEHVDQHZDSSURDFKWRIRUPDOPRGHOLQJRID DOCUMENTATION:FEATURES [RSBAC: EXTENDING LINUX SECURITY Symlink redirection (symlinks can redirect to another location by role, by uid, by security level or by remote address)

MIRRORS

The rsbac.org domain is located in Germany. Please choose a local mirror to save international bandwidth and get faster access.

TODO

Real model driven logging model - extend the decision return code to also signal whether this module requests logging. Still, we could use the object based logging

DOCUMENTATION:RSBAC_HANDBOOK:SECURITY_MODELS:MAC [RSBAC

The first property to be maintained is the simple security property (no read-up). This property states that a subject Si may have read access to an object Oj ((Si,Oj,r) or (Si,Oj,w) is a

THE ‘RULE SET BASED ACCESS CONTROL’ (RSBAC) FRAMEWORK FOR

The ‘Rule Set Based Access Control’ (RSBAC) Framework for Linux. Amon Ott, Compuniverse, D-22949 Ammersbek / Germany. Email: ao@compuniverse.de

RSBAC - A FRAMEWORK FOR ENHANCED LINUX SYSTEM SECURITY

RSBAC - a framework for enhanced Linux system security. Marek Jawurek, RWTH-Aachen. Abstract: Operating systems traditionally bring their own means of protection against any kind of threats.

THE RSBAC MODELS

3.1. The modules/models provided with RSBAC. If you employ RSBAC, you have to try to limit yourself to using the modules/models you really need and, most important, that you really understand. The 'common' needs are covered quite well by using a combination of the AUTH, RC and FF models. I will describe some of the most used models and modules below.


Releases

CURRENT VERSION

Git/Latestdiff: 1.5.5

LATEST SNAPSHOTS

_Produced after each commit or rebase to new upstream version_

GIT

_RSBAC source code, can be unstable sometimes_

Events

NO EVENTS PLANNED

DECISION MODULES PAX AND DAZ REMOVED

_Wednesday, 22/Apr/2020_ PAX and DAZ modules have been removed in latest kernel 5.4 and rsbac-admin git repos. RSBAC version is now 1.5.5 to reflect that change.

DEPRECATE DECISION MODULES PAX AND DAZ

_Tuesday, 31/Mar/2020_ PAX and DAZ support are now marked as deprecated. PaX has not been freely available for years and the Dazuko interface seems obsolete, too. For on-access malware scanning, I recommend the UDF module. If no one protests within the next few weeks, I am going to remove the related code.

RSBAC FOR KERNEL 5.4

_Wednesday, 27/Nov/2019_ RSBAC has been ported to kernel 5.4. Please test and report bugs to the bugtracker at https://bugtracker.rsbac.org or to this list. As usual, you find the latest patches at https://download.rsbac.org/latestdiff/5.4/ and the Git repo at https://git.rsbac.org/cgi-bin/gitweb.cgi?p=linux-5.4.y.git;a=summary

NEW DOKUWIKI VERSION

_Monday, 14/Jan/2019_ The RSBAC Website DokuWiki version has been updated today. Please test and report any problems!

RSBAC PORTED TO 4.19

_Tuesday, 30/Oct/2018_ Latest RSBAC for kernel 4.19 is now available in Git at git://git.rsbac.org/linux-4.19.y.git Diffs will start showing up at https://download.rsbac.org/latestdiff/ after release of 4.19.1. Please test and report any problems! As a side note, I will start removing old unsupported Git repositories, EOL at upstream and unchanged for > 10 months, from the server soon. Please tell me if you still need them.

LATEST RSBAC PATCHES

_Wednesday, 11/April/2018_ Even though this page has not been updated for a long time, RSBAC is still under constant development and maintenance. Latest code has always been available through git. From now on, you can also find the latest RSBAC patches for the maintained kernel versions in the latestdiff download dir.

RSBAC 1.5.0

_Tuesday, 13/September/2016_ RSBAC 1.5.0 has been released for kernel 4.4.20. Please drop us a note if you need support for other kernel versions. The most important changes since 1.4.9 are the port to longterm kernel 4.4 and the new feature “Prevent memory write and execute (RSBAC mprotect)”, which prevents process memory segments from being both writable and executable. This new hardening feature made me choose a new middle version number. The change lists are here:

Kernel changes: http://www.rsbac.org/dl.php?file=code/1.5.0/changes-1.5.0.txt

Admin tools changes: http://www.rsbac.org/dl.php?file=code/1.5.0/admin-changes-1.5.0.txt

Please consider giving some feedback on the RSBAC mailing list.

home.txt · Last modified: 2020/04/22 12:22 by ao

This website is kindly hosted by m-privacy