RSBAC and Fedora
From FedoraNEWS.ORG
Written by Andrea Pasquinucci on 2005-10-03
What I am doing
I have been working on a small project for Fedora which I believe can be of interest. I have been preparing (maintaining would be too big a word) rpms of the kernel, administrative tools and sample configuration scripts for the RSBAC (http://www.rsbac.org/) patch to the Linux kernel. You can find my rpms at http://fedora.rsbac.org/.
My project at the moment is really in an "it works for me" status. Needless to say, any help is appreciated.
RSBAC
RSBAC stands for Rule Set Based Access Control. It is a flexible, powerful and fast (low overhead) open source access control framework for current Linux kernels. RSBAC has a modular architecture and can add a Mandatory Access Control (MAC) system to the Linux kernel, depending on the modules used. Many RSBAC modules exist, and they enforce security rules at the kernel level by intercepting system calls. The modules range from military models like the famous Bell-LaPadula to advanced ACLs or virus scanning, and it is also possible to write your own module and add it. RSBAC also enforces strict separation of duties: for example, for some RSBAC modules root is a user like any other, and the RSBAC rules are managed by the Security Officer, usually the user with uid 400. Obviously, you can use the modules you like or need.
SELinux and RSBAC are somewhat similar. More precisely, they are both patches to current Linux kernels that add a MAC system.
If you are wondering: yes, you can create a kernel with both RSBAC and SELinux, even though some of the RSBAC modules do things similar to what SELinux does. However, I do not suggest using both of them to do the same thing.
Server rpms
Since Fedora Core 2, I have been preparing RSBAC rpms for a server configuration, typically a web or email server. In this I adopt a MAC system, trying to get to a very high level of security (obviously most depends on the practical configuration of the system and on keeping all software up to date). Since I am not able to patch the official Fedora kernel with RSBAC, I use the vanilla kernel patched with RSBAC and PaX (for buffer overflow protection). In this case there is no SELinux. You can find my server rpms at http://fedora.rsbac.mprivacy-update.de/ in the directories denoted by 2, 3 ...; they are signed with this (http://www.ucci.it/urpm_pub_key.asc) gpg key.
Please remember that most of the configuration work is up to you, and the security of the result depends mostly on it.
Workstation rpms
Recently I have started preparing rpms for Fedora Core 4 for a workstation setup. You can find the rpms at http://fedora.rsbac.mprivacy-update.de/ in the directory 4_ws.
In this case there are no MAC features, but my aim is to protect normal workstation users from:
- viruses, worms and similar (module DAZ + clamd from clamav)
- exhaustion of resources (module RES)
- buffer overflows and similar (module PaX)
Each user can add simple MAC features using the File Flags (FF) module, a simple access control model.
I am still testing these rpms. If anyone wants to give them a try and report back, I'll be very happy (but notice that they can break whatever you have on your machine, so be careful and do not blame me, you have been warned!)
Soon I should be able to prepare new rpms with kernel 2.6.13 and rsbac_1.2.5, which has just been released. When I am more confident with my rpms, I will post the really simple instructions on how to install and use them.
Finally, I believe that the workstation setup can be integrated in the Fedora kernel, substituting PaX with exec-shield and having both SELinux and RSBAC at the same time. But, again, I will need some help to do this!

