DOCSLIB.ORG

Security Architecture

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Security Architecture COVER STORY RSBAC Architecture of Rule Set Based Access Control (RSBAC) Security Architecture inux security holes typically occur Integrating multiple security models simultaneously in the kernel and in Server programs and S bit tools. LThe best approach would be to detailed logs of any access:The free Rule Set Based Access Control avoid mistakes and update programs immediately if a bug occurs. This is not (RSBAC) security System offers customized protection for a wide range always possible, the next best thing is to of requirements. BY AMON OTT restrict potential damage, and this is where access control systems such as RSBAC come into play [1]. If an attacker exploits the security holes in servers or s bit tools, access to the system should be restricted to a minimum. In this case, even a successful compromise will cause only limited damage, and protective mechanisms can be implemented directly in the operating system kernel. The standard Linux kernel prevents access to various resources such as files, directories or system configurations, but unfortunately the standard mechanisms are fraught with weaknesses: •Poor granularity Ro • Discretionary access control nald Raefle , visipix.com • An all-powerful root user Linux access controls only offer the standard privileges read, write and execute; additionally they only allow distinct privileges to be defined for the owner of a file, the members of a group and all others. Restrictions typically do account used to run that process. kernel a while back, allow a program not apply to the root user. The Thus, an attacker, if fortunate, can launched by root to drop some granularity of these privileges is thus manipulate any files belonging to the privileges, but this is left up to the insufficient for many tasks. compromised account with the gained program itself. access privileges. Linux Privileges – not enough The all-powerful system administrator, Architectural Requirements The owner of a file can do what she root, is the most dangerous of the issues The main aim for the developers of pleases with that file, this is commonly mentioned so far. Many activities RSBAC was to produce a flexible and referred to as DAC, or discretionary are restricted to the root user, from effective access control system as an access control. If an attacker has administrative tasks to simple actions. add-on for existing Linux mechanisms. compromised a process, the attacker’s Thus most service are originally To achieve this goal, the system must activities assume the privileges of the launched with root privileges and have fulfill a number of requirements: superuser access to the whole system, It must provide the underlying Amon Ott is a self-employed com- without ever actually needing these platform to allow the developer to puter scientist and the author of extensive privileges. program access control models quickly the RSBAC system. HOR What is worse is the fact that many and simply. This permits a clear T His mainstay is bespoke develop- services need to be run with root distinction between components that ment and Linux firewalls,preferably privileges (or to be able to assume root make decisions, and components that with RSBAC. He is also working on privileges at any time) to allow them to enforce them. his doctorate,which he hopes to THE AU change to any user account. The POSIX The enforcement components act complete shortly. capabilities introduced to the Linux independently of the components that 36 February 2003 www.linux-magazine.com RSBAC COVER STORY decision facility of the ADF. This Subject function requests individual decisions 1 from all active decision modules. The modules read attributes from data Access 6 request If access is denied: error message (and cancel) Linux Kernel structures (4) and reach a decision: 3 Request decision 7 Notify permitted, not defined, or denied. AEF ADF The central function collates the 5 Answer: Granted or not granted RC individual decisions, and returns a 0 Confirm collective decision (5). The ADF is 2 AUTH q read 9 restrictive in this respect; if a single System values Update Access ACL module returns a negative reply, the ADF 4 8 , will deny access. Actions are only System values Data structures Access to data structures permitted if all the modules agree that they should be permitted. Object In the case of a negative decision, the system call is halted and returns an Figure 1: A subject’s access to an object is monitored by the Access Enforcement Facility (AEF).The Access access error to the process (6). In the Decision Facility (ADF) decides whether to permit or deny access case of positive decisions, the AEF forks to the system call itself. If the call is make decisions. New decision models of access types (request types) that are successful, the AEF sends a message to can use the underlying infrastructure. applied to the object types. this effect to the ADF (7). A large number of tried and trusted Table 2 lists a selection of access types, The central messaging function of the security models exist for various tasks, some of which are used in our practical ADF is responsible for passing the and combinations of these models example later. The entire list is available message to the appropriate module sometimes make sense, depending on in the documentation from [1]. The basic functions. The module functions retrieve the situation. The underlying frame- building blocks of the RSBAC systems the current attributes from the data work should thus support multiple are shown in Figure 1. The enforcement structures (8), update them (9) and security models simultaneously and in- component, or Access Control Enforce- confirm that the call has been completed dependently, allowing the administrator ment Facility, AEF, mainly comprises correctly (10). to choose the most suitable model for enhancements of existing system If a new object was created by the current assignment. No matter what functions. the system call, the message from model is in use, activities and any These enhancements require the the AEF to the ADF will contain the decisions taken need to be logged, and decision making element, or Access type and ID for the new object. The the logs must be protected from Control Decision Facility, ADF, to decision modules then create the attempted manipulation. reach a decision before any access, and attributes of the object. After confirming, The original RSBAC system designed so possible compromise is permitted. the system function passes the requested fulfills nearly all these criteria. Over the If the ADF refuses access, the AEF will course of the last five years the range of return an “access denied” error to Table 1: Target Types functions and monitored objects has the subject. The decision facility and Name Description increased dramatically, allowing RSBAC the data structures used are mostly FILE Also includes special device and to monitor networks. The main elements independent of the kernel version. Only UNIX network files if they are of the original have been tested during AEF requires one or two changes to handled as files this time and the developers see no existing kernel functions. This DIR Directory reason to revise them. component was produced by enhancing FIFO Pipe with name entry in file system existing syscalls. SYMLINK Symbolic link Inner Values IPCInter Process Communication object We need to explain a few terms, in order Components co-operating on System V basis to describe the internal architecture, so Access control involves a number of SCD System Control Data – global bear with us. From the access control steps. The subject (the process) calls a system settings and objects such perspective a subject attempts to invoke system function to request access to an as host names or time a specific type of access to an object. On object (1). An extension of this function USER User object mainly serves the purpose of managing attribute a Linux system, the following occurs: a (the AEF) reads some system values, assignments process (the subject) attempts to read such as the process ID, the type, and PROCESS Process object for receiving signals (access type) a file (object). ID of the target object (2), before calling or reading process statuses The various object types are cate- the decision facility, ADF; and handing NETDEV Network device gorized by target type on an RSBAC on the information it has collected and NETTEMP Network template system (see Table 1 for an overview). the type of access (3). The request is NETOBJ Network object – normally sockets RSBAC also distinguishes a large number originally addressed to the central www.linux-magazine.com February 2003 37 COVER STORY RSBAC Figure 2: Admins can use network templates to assign access privileges to Figure 3:The main administration menu provides the RSBAC user with a network address and port ranges. In our example, the ports on all the hosts straightforward configuration interface, with simple control over all of the in the IP network 192.168.200.0/24 have been selected Decision Module functions data (11) and control back to the a “CREATE” request for the target specific structures provide storage invoking process. directory, creates the file and informs facilities in this case. the decision facility of the new object. The data storage component takes care A Practical Example Otherwise a “TRUNCATE” request is of the thankless task of list management, A practical example is useful to our issued for the file, the open function thus reducing the load on the data understanding of the theoretical path. truncates the file to zero, and reports the storage components; this involves When a process wants to open a file success of the operation. disk storage, SMP locking (for multi- for read and write access, it uses After this preparatory work, the syscall processor systems), and similar tasks.
Load more

Recommended publications
  • Administrative Role-Based Access Control on Top of Security Enhanced Linux
    Administrative Role-Based Access Control on Top of Security Enhanced Linux Ayla Solomon Submitted in Partial Fulfillment of the Prerequisite for Honors in Computer Science June 2009 Copyright Ayla Solomon, 2009 Abstract In a time when the Internet is increasingly dangerous and software is increasingly com- plex, properly securing one’s system has become a widespread concern, especially for system administrators. There are a number of ways to secure a Linux system; these methods vary in effectiveness and usability. Regular Linux discretionary access control is suitable for most mundane tasks and is easy to use, but it fails to confine insecure programs that run with administrative powers and is difficult to scale. Security Enhanced Linux (SELinux) is an extension to the Linux kernel that provides fine-grained controls for preventing malicious agents from exploiting software vulnerabilities. It can be very effective, but its policy lan- guage is extremely low-level and its paradigm difficult to understand and use. This makes it difficult to map a high-level idea of a security policy to what needs to be done in SELinux, which rules out its use to a vast majority of people with Linux systems, including system administrators, though many attempts have been made to make it more usable. I have designed and partially implemented a system on top of SELinux to implement administrative role-based access control (ARBAC), which is not available on any Linux system. ARBAC is an intuitive, flexible, and scalable security paradigm well suited for user confinement, especially for very large systems with many users. ARBAC’s main advan- tages are not only in its intuitive structure but also its built-in administrator confinement mechanism: its very structure promotes separation of privilege amongst administrators.
    [Show full text]
  • Linux OS-Level Security Nikitas Angelinas
    Linux OS-Level Security Nikitas Angelinas MSST 2015 Agenda ● SELinux ● SELinux issues ● Audit subsystem ● Audit issues ● Further OS hardening 2 SELinux ● Security-Enhanced Linux ● Is NOT a Linux distribution ● A kernel feature ● A Linux Security Module (LSM) ● security fields in kernel data structures — processes, files, directories, sockets, IPC, and other OS objects ● hooks on all paths from userspace — return a binary predicate: allowed or not allowed (e.g. EACCES) 3 SELinux ● SELinux is a labeling system ● Every process has a label ● Every OS object has a label ● Policy rules control access between processes and objects, based on their labels ● Policy rules are enforced by the kernel ● The objective is to contain misbehaving/compromised userspace applications 4 SELinux policy management application interface userspace open(2) kernel error checks selinuxfs DAC checks cache Allowed? miss? Security Server LSM hook Access Vector Cache (Policy Rules and Access Decision Logic) Yes/No return SELinux 5 SELinux ● Mandatory Access Control ● vs. Discretionary Access Control (file ownership, permissions) ● Labels are of the form user:role:type:level ● e.g. process: /usr/sbin/sshd → system_u:object_r:sshd_exec_t:s0 ● e.g. file: /root/ssh/* → root:object_r:ssh_home_t ● SELinux implements LSM hooks and offers: ● Role-based Access Control ● Type Enforcement ● Multi-Level Security 6 SELinux labels and rules ● ls -Z /usr/sbin/sshd -rwxr-xr-x. root root system_u:object_r:sshd_exec_t:s0 /usr/sbin/sshd ● ls -Z /root/.ssh/id_rsa -rw-------. root root root:object_r:ssh_home_t /root/.ssh/id_rsa ● ls -Z /etc/ssh/sshd_config -rw-------. root root system_u:object_r:etc_t /etc/ssh/sshd_config ● ls -Z /var/run/sshd.pid -rw-------.
    [Show full text]
  • I. RSBAC Theory
    The RSBAC library The RSBAC library Copyright © 2003 Amon Ott, Stanislav Ievlev and Henk Klöpping The RSBAC introduction Amon Ott Stanislav Ievlev Heinrich W. Klöpping The RSBAC introduction by Amon Ott, Stanislav Ievlev, and Heinrich W. Klöpping Audience: This book is intended for use by experienced and skilled Unix professionals who wish to install, configure and use RSBAC. Approach: This book resulted from a project founded on June 28th, 2002 by Amon Ott, Stanislav Ievlev and Henk Klöpping. It provides an introduction to Rule Set Based Access control (RSBAC). If you are new to RSBAC, this book is the place to start reading. It provides an overview of what RSBAC is and how it can be employed. It is aimed at both potential users of RSBAC and programmers that would like to enhance the software by writing their own modules - or even changing the software itself. This book also introduces its companions: The RSBAC cookbook, The RSBAC reference manual, The RSBAC programmers cookbook and The RSBAC programmers reference manual. To learn where the latest version of this book can be downloaded or read please refer to Section 6.2. Sources: Our sources of information were (Open Source) material on the Internet, several books, practical experience of the authors , research and programming work done by the authors and others. We try to give credit where due, but are fallible. We apologize. Caution While every precaution was made in the preparation of this book, we can assume no responsibility for errors or omissions. When you feel we have not given you proper credit or feel we may have violated your rights or when you have suggestions how we may improve our work please notify us immediately so we can take corrective actions.
    [Show full text]
  • Case Study: Building a Secure Operating System for Linux
    121 C H A P T E R 9 Case Study: Building a Secure Operating System for Linux The Linux operating system is a complete reimplementation of the POSIX interface initiated by Linus Torvalds [187]. Linux gained popularity throughout the 1990s, resulting in the promotion of Linux as a viable alternative to Windows, particularly for server systems (e.g., web servers). As Linux achieved acceptance, variety of efforts began to address the security problems of traditional UNIX systems (see Chapter 4). In this chapter, we describe the resulting approach for enforcing mandatory access control, the Linux Security Modules (LSM) framework. The LSM framework defines a reference monitor interface for Linux behind which a variety of reference monitor imple- mentations are possible. We also examine one of the LSM reference monitors, Security-enhanced Linux (SELinux), and evaluate how it uses the LSM framework to implement the reference monitor guarantees of Chapter 2. 9.1 LINUX SECURITY MODULES The Linux Security Modules (LSM) framework is a reference monitor system for the Linux ker- nel [342]. The LSM framework consists of two parts, a reference monitor interface integrated into the mainline Linux kernel (since version 2.6) and a reference monitor module, called an LSM, that implements reference monitor function (i.e., authorization module and policy store, see Chapter 2 for the reference monitor concept definition) behind that interface. Several independent modules have been developed for the LSM framework [228, 183, 127, 229] to implement different forms of reference monitor function (e.g., different policy modules). We examine the LSM reference monitor interface in this section, and one of its LSMs, Security-Enhanced Linux (SELinux) [229] in the subsequent section.
    [Show full text]
  • Security-Enhanced Linux
    Information Assurance Research Group Security-Enhanced Linux Peter Loscocco Information Assurance Research Group National Security Agency [email protected] 4/6/01 1 Information Assurance Research Group Outline Importance of secure operating systems Security-enhanced Linux Related work Conclusions 4/6/01 2 Information Assurance Research Group Importance of Secure OS Growing need for security Flawed assumption of security OS is correct level to provide security Key feature: Mandatory Access Control (MAC) • Access to objects controlled by policy administrator • Users/processes may not change access policy • All accesses are mediated w.r.t. the policy 4/6/01 3 Information Assurance Research Group Mandatory Security: Key Gains Provides critical support for application security • Protects against tampering with secured application • Protects against bypass of secured application • Enables assured pipelines Provides strong separation of applications • Permits safe execution of untrustworthy applications • Limits scope of potential damage due to penetration of applications • Functional uses: isolated testing environments or insulated development environments Protects information from • Legitimate users with limited authorization • Authorized users unwittingly using malicious applications 4/6/01 4 Information Assurance Research Group Why not just DAC? Decisions are only based on user identity and ownership Each user has complete discretion over his objects Only two major categories of users: user and superuser Many system services and privileged
    [Show full text]
  • Kiegészítő Linux Kernel Biztonsági Megoldások Összehasonlítása
    Kiegészítő Linux kernel biztonsági megoldások összehasonlítása A kiegészítő kernelbiztonsági megoldásokra irányuló vizsgálódásaim azzal kezdődtek, hogy egy SLES11 SP1 szerveren olyan formán szerettem volna üzemeltetni a cron démont, hogy a közönséges felhasználók időzített feladatai erősen korlátozott jogokkal fussanak, a rendszerfeladatok viszont nagyjából korlátoktól mentesen. Arra gondoltam, hogy ezt a célt egy mandatory access control (a továbbiakban MAC) rendszer használatával érem el. Használhatnám ugyan a kiterjesztett attribútumokra épülő POSIX ACL-eket is, amelyeket ha kiegészítünk az utóbbi időben egyre inkább használhatóvá váló Linux capability-kkel, akkor az ACL-ek néhány idegesítő gyengeségétől eltekintve elfogadható védelmi rendszert kaphatunk, de egy MAC rendszer használata mégis kézenfekvőbbnek tűnik. Tulajdonképpen mi is egy MAC rendszer? A Wikipédia definíciója, és a hozzáférés-vezérlésben elfoglalt helye szerint kizárólagosan rendszergazdai irányítás alatt álló, a többi felhasználó belátására (discretion) nem alapozó, centralizál hozzáférés-vezérlési rendszer, és mint ilyen, a Discretionary Access Control (DAC), vagyis a hagyományos (pl. Windows/UNIX), elosztott felelősségvállaláson alapuló fájlrenszer-jogosultsági rendszer ellentétpárja. Már a Wikipédia is felhívja azonban a figyelmet arra, hogy a MAC név történelmi okokból szorosan egybeforrt a fenti definíció szerinti rendszerek egy konkrét típusával, nevezetesen a Multilevel Security (MLS, újabban MLS/MCS) rendszerekével, mégpedig oly mértékben, hogy több - általam
    [Show full text]
  • Differentiating Between Access Control Terms WP
    Differentiating Between Access Control Terms Understanding User and Role Based Access Control, Policy Based Access Control, Content Dependent Access Control, Context Based Access Control, View Based Access Control, Discretionary and Mandatory Access Control Access Control White Paper Table of Contents INTRODUCTION 3 USER BASED ACCESS CONTROL (UBAC) 4 ROLE BASED ACCESS CONTROL (RBAC) 4 POLICY BASED ACCESS CONTROL 5 CONTENT DEPENDENT ACCESS CONTROL (CDAC) 6 CONTEXT BASED ACCESS CONTROL (CBAC 6 VIEW BASED ACCESS CONTROL (VBAC) 7 MANDATORY & DISCRETIONARY ACCESS CONTROL (MAC AND DAC) 8 THE BOTTOM LINE 9 LEGAL NOTICE 12 2 Access Control White Paper 1. INTRODUCTION Access control, by the broadest definition, is the ultimate goal of all network security – granting access when appropriate and denying when inappropriate. Access control tools help accomplish this purpose, as do firewalls, encryption, and intrusion detection. In light of the true mission of network security, however, having the right access control tool is absolutely essential. Almost every network has some form of access control, even if it is merely that of the native operating systems – some networks have several access control tools that protect different resources. The various types of access control tools enforce security policy and/or users’ privileges by protecting mail servers, web applications, database systems, fileservers, applications, or some combination of these resources. In fact, there are so many types of access control tools and so many non-standardized terms to describe them that it is difficult to determine which solution is right for a given network. An understanding of the more common usages of these terms can make it easier to discern between the basic types of solutions available .
    [Show full text]
  • Access Control Model and Policies for Collaborative Environments
    Hasso–Plattner–Institut fuer Softwaresystemtechnik an der Universitaet Potsdam Access Control Model and Policies for Collaborative Environments Dissertation zur Erlangung des akademischen Grades “Doctor rerum naturalium” (Dr. rer. nat.) am Fachgebiet Internet Technologien und Systeme eingereicht an der Mathematisch–Naturwissenschaftlichen Fakultaet der Universitaet Potsdam von Wei Zhou Potsdam 2008 Abstract To effectively participate in modern collaborations, member organizations must be able to share specific data and functionality with the collaborative partners, while ensuring their resources are safe from inappropriate access. This requires access control models, policies, and enforcement mechanisms for collaborative systems. This thesis describes my research work that concerns two important issues in collaborative systems: access control model and policies. Team and Task based RBAC (TT-RBAC) Model. TT-RBAC extends the Role-Based Access Control (RBAC) model through adding sets of two basic data elements called teams and tasks. TT-RBAC model as a whole is defined in terms of individual users being assigned to roles and teams, roles and tasks being assigned to teams, and permissions being assigned to roles and tasks. By virtue of team membership, users get access to team’s resources specified by assigned tasks. However, for each user, the exact permissions he/she obtains to a team’s resources will be determined by his/her roles and current activity of the team. The team defines a small and specific RBAC application zone, through which we can preserve the advantages of scalable security administration that RBAC-style models offer and yet offers the flexibility to specify fine-grained control on individual users in certain roles and on individual object instances.
    [Show full text]
  • A Firewall Model of File System Security
    Michigan Technological University Digital Commons @ Michigan Tech Dissertations, Master's Theses and Master's Dissertations, Master's Theses and Master's Reports - Open Reports 2014 A FIREWALL MODEL OF FILE SYSTEM SECURITY Lihui Hu Michigan Technological University Follow this and additional works at: https://digitalcommons.mtu.edu/etds Part of the Computer Sciences Commons Copyright 2014 Lihui Hu Recommended Citation Hu, Lihui, "A FIREWALL MODEL OF FILE SYSTEM SECURITY", Dissertation, Michigan Technological University, 2014. https://doi.org/10.37099/mtu.dc.etds/786 Follow this and additional works at: https://digitalcommons.mtu.edu/etds Part of the Computer Sciences Commons A FIREWALL MODEL OF FILE SYSTEM SECURITY By Lihui Hu A DISSERTATION Submitted in partial fulfillment of the requirements for the degree of DOCTOR OF PHILOSOPHY In Computer Science MICHIGAN TECHNOLOGICAL UNIVERSITY 2014 This dissertation has been approved in partial fulfillment of the requirements for the Degree of DOCTOR OF PHILOSOPHY in Computer Science. Department of Computer Science Thesis Advisor: Dr. Jean Mayo Committee Member: Dr. Steve Carr Committee Member: Dr. Soner Onder Committee Member: Dr. Haiying Liu Department Chair: Dr. Charles Wallace Table of Contents List of Figures .................................................................................................................. viii List of Tables ..................................................................................................................... ix Acknowledgements ..............................................................................................................x
    [Show full text]
  • Access Control Methodologies
    chapple02 10/12/04 7:59 AM Page 25 CHAPTER 2 Access Control Methodologies After reading this chapter, you will be able to: I Understand access control basics I Discuss access control techniques I Recognize and compare access control models I Contrast various identification and authentication techniques I Recognize common attacks and implement controls to prevent them This chapter presents various methods and techniques for controlling users’ access to system resources. You’ll learn about different approaches to help ensure that only authorized users can access secured resources. This chapter also covers the basics of access control, general methods and tech- niques used to manage access to resources, and some common attacks that are launched against access control systems. 2.1 Basics of Access Control Access control is a collection of methods and components used to protect information assets. Although some information is and should be accessible by everyone, you will most likely need to restrict access to other information. Access control supports both the confidentiality and the integrity properties of a secure system. The confidentiality property protects information from unauthorized disclosure. You use access control to ensure that only author- ized users can view information. The integrity property protects information chapple02 10/12/04 7:59 AM Page 26 26 CHAPTER 2 Access Control Methodologies from unauthorized modification. Access control gives you the ability to dic- tate what information a user can both view and modify. Before you can implement a sound access control policy, you must first develop a plan. Here are a few questions you need to answer: I How do I separate restricted information from unrestricted information? I What methods should I use to identify users who request access to restricted information? I What is the best way to permit only users I authorize to access restricted information? I Where do I start? 2.1.1 Subjects and Objects Access control is all about, well, controlling access.
    [Show full text]
  • A Comprehensive Analysis of MAC Enhancements for Leveraging Distributed MAC
    Proceedings of the International MultiConference of Engineers and Computer Scientists 2008 Vol I IMECS 2008, 19-21 March, 2008, Hong Kong A Comprehensive Analysis of MAC Enhancements for Leveraging Distributed MAC Shahbaz khan1, Muhammad Amin2, Muhammad Nauman3, Tamleek Ali4 Abstract—Increased dependability of users, businesses and This course-grained security may allow malicious software government on computing systems for research and computa- access to many critical components of the system once an tions on sensitive data raises serious issues regarding security. individual user’s critical information has been compromised Operating systems conventionally provide Discretionary Access Control (DAC, superuser logic) to maintain security. Malicious [1]. users and applications are major threats to organizations and DAC seriously fails to address the required level of security. Mandatory Access Control (MAC) mechanisms address Former research has proven that enforcement of Mandatory these deficiencies. MAC enforces a system-wide security, Access Control (MAC, security labels/contexts for subjects and which is a manifestation of the organization’s security policy. objects) restricts the malicious agents to their own domain, thus In simple words MAC can be defined as “the definition eliminating risk of damage it can cause to rest of the system and of policy logic and the assignment of security attributes or data. MAC implementations depend upon access control mecha- labels to all resources of a system, tightly controlled by a nisms. These mechanisms are added to operating systems as system security administrator [2].” From another perspective kernel enhancements. There are four prominent kernel enhance- we can also say that MAC is the dynamic or runtime secure ments: RSBAC, SELinux, GRSecurity and AppArmor.
    [Show full text]
  • A Framework for Enhanced Linux System Security
    RSBAC - a framework for enhanced Linux system security Marek Jawurek¤ RWTH-Aachen Abstract Based Access Control (RSBAC) comes into play. The RS- BAC kernel-extension was developed in 1997 by Amon Ott Operating systems traditionally bring their own means as his diploma work and is in stable production since 2000. of protection against any kind of threats. But often the sys- It introduces a security framework designed to install dif- tem's security is based on an evolved composition of differ- ferent security models dynamically into a Linux system in ent projects and tools, historically grown with their operat- order to control access to system resources. ing system, ensuring and controlling system security. There- fore only rarely a coherent security solution is provided by 1.1 This work's focus the system. This existing structure of security suffers from different problems and inconsistencies, caused by its evolu- Four major different approaches to Linux security exist: tion, and often lacks universality due to bad or shortsighted SELinux, grsecurity, LIDS and RSBAC. A direct compari- design decisions in its history. son between these would be desirable but is due to the fol- The RSBAC framework is focused on the elimination of lowing reasons not feasible: these drawbacks in Linux kernels and has been designed The different approaches classify them- this way from its start. It introduces a modular framework Classification selves differently (kernel patch, security framework, to allow fine-grained access control enabling system admin- etc.). istrators to compose a system using a combination of the preferred security models. This paper presents the RSBAC Interpretation Each improvement to Linux security has a approach and outlines RSBAC's concept of integration into different understanding of a 'Secure Linux System'.
    [Show full text]