[rsbac] Several questions

[Amon Ott]

On Wednesday, 20. March 2002 11:20, Jan Andrejkovic wrote:
> First of all I have several questions:
>
> 1. I have small linux sever which purpose is firewall, router, mail,
> and dns server and I would like to ask you which models of RSBAC will be
> the best for protection of such server?

I have been using AUTH, FF and RC for a long time on such systems. However, 
you will have to make your personal choice.

> 2. Let's say some intruder will gain login and password to my sever on the
> level of common user. And this intruder will find that I have bug in the
> sendmail program. He will exploit my sendmail and he will gain root
> rights. Which model should I use if I want to prevent him to do another
> operations like sendmail do? Or which model should I use for maximall
> elimination of the intruder?

The recommended way of protection is to define an RC role for sendmail, which 
has only access to your mail spool and helper dirs, which need their own type 
for that, and SEARCH on type 0 for path lookup. The sendmail role is then 
assigned as force_role to the sendmail program.

> 3. Can you explain me the mechanism how RSBAC will protect my server in
> the case written in the previous paragraph?

It will set the forced sendmail role for every process starting sendmail. The 
role will even be kept, if sendmail runs another program without a forced or 
initial role (which might not be allowed in the first place). Since the 
sendmail role is only compatible with the mail dir type, all other requests 
will be denied. This means that the intruder can only harm your mail system, 
but not the rest.

BTW: Is there any special reason to use sendmail instead of something known 
to be more secure by design, e.g. postfix or qmail?

Amon.
--
http://www.rsbac.org