[rsbac] Re: RSBAC: Clarifications & Features Request (Please respond)
Amon Ott
ao at rsbac.org
Mon Apr 24 10:00:53 CEST 2006
On Montag 24 April 2006 09:50, n.sakthivelrajan wrote:
> Have been using the RSBAC patched kernel for a while and have
> tested the FF Module. Excellent. It just works great. In the meantime
> I had an opportunity to read through eTRUST - earlier Memco's SeOS
> Access Control System. The system is very vast with granular access
> control mechanisms. I would like to share / get clarified & request
> for certain features which I believe will make RSBAC project go to
> heights.
Feedback is always welcome!
> 1) Program Pathing: Authorizing access to a file only when the
> access is being made from a specific program (Conditional Access
> Control List - CACL)
>
> Example: Allow read access to httpd.conf file for httpd daemon only
> & allow edit via only "/bin/vi". Allow users to update file but only
> to update by means of a specific program.
This can be covered by the RC model.
> 2) Protecting files using filename patterns - wildcards.
>
> Example: Should protect all files of pattern "*.so" with Read_only
> permission. This includes non-existent (to be created) files too. I
> should be able to protect specific files using standard
> unix wildcards like "$_*.txt" with append_only permission. This
> includes non-existent (to be created) files too.
At kernel level, RSBAC works on inode basis, not with names. The
tools accept names, so you can make a simple script to update your
settings.
For new files, you have to rely on RC model's def_fd_create_type and
def_fd_ind_create_type.
> 3) Restricting userlogin to system by Day & Time.
>
> Example: I should be able to allow user "auditor" to login to a
> system on the following criteria: Allow "auditor" login to "a.b.c.d"
> on (sat,sun) at (3:00 - 4:00).
No such restriction has been implemented yet, because no one asked for
it. This could be a one-day-implemented loadable runtime module.
> 4) Disabling/limiting concurrent logins
>
> Example: RSBAC should allow option to restrict / limit number of
> concurrent logins per user ID on a machine. Also Restricting user
> login through terminals / IP address from which the user connects
You can restrict the login paths through device (and network) access
rights, e.g. with RC or ACL. There is no restriction in number of
logins, but the RES module allows restricting the number of processes run
by a certain user.
> 5) Controlling Incoming and Outgoing connections in the server at
> kernel level.
>
> Example: Should be able to restrict incoming and outgoing traffic
> like say allow outgoing traffic on port 8080 to "x.x.x.x" only.
> Similarly Incoming traffic.
This has been added in version 1.2.0 with network templates. :)
> 6) Password Quality Policy implementation
>
> Clarification: Are the below configurations possible with RSBAC UM
> module? If not would recommend the same to be included as this
> proves to be an accepted policy.
>
>
> - Old passwords are not repeated.
New in 1.3.0-pre, length of password history configurable.
> - No trivial passwords allowed.
Min len and non-alpha char since 1.2.x. Dictionary tests not good at
kernel level. You can also use PAM mechanisms.
> - Password cannot contain username.
Not implemented, could be.
Please write in plain text, not html - your mails get stripped on the
list. I am answering to my private copy now.
Amon.
--
http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22