[rsbac] Re: RSBAC: Clarifications & Features Request (Please respond)

Amon Ott ao at rsbac.org
Mon Apr 24 10:00:53 CEST 2006


On Monday 24 April 2006 09:50, n.sakthivelrajan wrote:
> Have been using the RSBAC patched kernel for a while and have
> tested the FF Module. Excellent. It just works great. In the meantime
> I had an opportunity to read through eTRUST - earlier Memco's SeOS
> Access Control System. The system is very vast with granular access
> control mechanisms. I would like to share / get clarified & request
> for certain features which I believe will make RSBAC project go to
> heights.

Feedback is always welcome!
  
> 1) Program Pathing: Authorizing access to a file only when the
> access is being made from a specific program (Conditional Access
> Control List - CACL)
>
> Example: Allow read access to httpd.conf file for httpd daemon only
> & allow edit via only "/bin/vi". Allow users to update file but only
> to update by means of a specific program.

This can be covered by the RC model.
 
> 2) Protecting files using filename patterns - wildcards.
> 
> Example: Should protect all files of pattern "*.so" with Read_only
> permission. This includes non-existent (to be created) files too. I
> should be able to protect specific files using standard
> unix wildcards like "$_*.txt" with append_only permission. This
> includes non-existent (to be created) files too.

At kernel level, RSBAC works on inode basis, not with names. The 
tools accept names, so you can make a simple script to update your 
settings.

For new files, you have to rely on RC model's def_fd_create_type and 
def_fd_ind_create_type.
 
> 3) Restricting userlogin to system by Day & Time.
> 
> Example: I should be able to allow user "auditor" to login to a
> system on the following criteria: Allow "auditor" login to "a.b.c.d"
> on (sat,sun) at (3:00 - 4:00).

No such restriction has been implemented yet, because no one asked for 
it. This could be a one-day-implemented loadable runtime module.
 
> 4) Disabling/limiting concurrent logins
> 
> Example: RSBAC should allow option to restrict / limit number of
> concurrent logins per user ID on a machine. Also Restricting user
> login through terminals / Ipaddress from which the user connects

You can restrict the login paths through device (and network) access 
rights, e.g. with RC or ACL. There is no restriction in number of 
logins, but RES module allows to restrict the number of processes run 
by a certain user.
 
> 5) Controlling Incoming and Outgoing connections in the server at
> kernel level.
>
> Example: Should be able to restrict incoming and outgoing traffic
> like say allow outgoing traffic on port 8080 to "x.x.x.x" only.
> Similarly Incoming traffic.

This has been added in version 1.2.0 with network templates. :)
 
> 6) Password Quality Policy implementation
> 
> Clarification: Are the below configurations possible with RSBAC UM
> module ? If not would recommend the same to be included as this
> proves to be an accepted policy.
>         
> 
> - Old passwords are not repeated.

New in 1.3.0-pre, length of password history configurable.

>  - No trivial passwords allowed.

Min len and non-alpha char since 1.2.x. Dictionary tests not good at 
kernel level. You can also use PAM mechanisms.

>  - Password cannot contain username.

Not implemented, could be.

Please write in plain text, not html - your mails get stripped on the 
list. I am answering to my private copy now.

Amon.
-- 
http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22
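
An added illustration of the answer to point 2 (not part of the original mail and not RSBAC code): a small Python model of labels keyed by inode, showing why a name pattern such as "*.so" has to be resolved by a userspace script and re-applied for files created later. The `labels` dict and the function names are hypothetical stand-ins for kernel-held attributes and the admin tools.

```python
import fnmatch
import os
import tempfile

def inode_key(path):
    """Identify a file as an inode-based label store would: (device, inode)."""
    st = os.stat(path)
    return (st.st_dev, st.st_ino)

def label_by_pattern(directory, pattern, labels, value):
    """Userspace pass: resolve names matching `pattern` to inodes and label them."""
    for name in sorted(os.listdir(directory)):
        if fnmatch.fnmatch(name, pattern):
            labels[inode_key(os.path.join(directory, name))] = value

def label_of(path, labels):
    """Look up the label by inode; the file name plays no part in the lookup."""
    return labels.get(inode_key(path))

def demo():
    labels = {}   # hypothetical stand-in for per-inode attributes
    results = {}
    with tempfile.TemporaryDirectory() as d:
        lib = os.path.join(d, "libfoo.so")   # constructed sample file
        open(lib, "w").close()
        label_by_pattern(d, "*.so", labels, "read_only")

        # Rename and hard link: the names no longer match "*.so",
        # but the inode is the same, so the label still applies.
        renamed = os.path.join(d, "libfoo.bak")
        os.rename(lib, renamed)
        link = os.path.join(d, "alias.txt")
        os.link(renamed, link)
        results["renamed"] = label_of(renamed, labels)
        results["hardlink"] = label_of(link, labels)

        # A matching file created after the pass has a fresh inode and no
        # label until the script runs again (or a creation default covers it).
        new = os.path.join(d, "libbar.so")
        open(new, "w").close()
        results["new_before_rerun"] = label_of(new, labels)
        label_by_pattern(d, "*.so", labels, "read_only")
        results["new_after_rerun"] = label_of(new, labels)
    return results

if __name__ == "__main__":
    for case, label in demo().items():
        print(f"{case}: {label}")
```

The gap between creation and the next script run is the reason the reply points to default create types for new files.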