[rsbac] CAP learning mode and RC learning mode
Michał Purzyński
michal at rsbac.org
Wed Sep 30 12:19:28 CEST 2009
Definitely I can see the RC learning mode per role as a 1.5 feature.
Maybe one of the best :)
There's quite a lot to learn and to think about in the design process
to make it both useful and secure.
On Sep 30, 2009, at 11:00 AM, Amon Ott <ao at rsbac.org> wrote:
> On Tuesday 29 September 2009 wrote Amon Ott:
>> On Tuesday 29 September 2009 wrote Javier J. Martínez Cabezón:
>>> Hi Amon, thanks for your answer and thanks for CAP learning mode. In
>>> RC learning mode users should take it just as a starting point after
>>> analyzing their system and setting the necessary roles and types, and
>>> we could advise it. RC learning mode will add necessary rights to the
>>> newly created role to the necessary types (it will save a lot of time
>>> reviewing logs looking for DENIED AEF answers). We could add an
>>> advice to the user to be careful with the policies generated this way.
>>
>> Just had the idea that RC learning mode could be enabled per role, so
>> you will only mess up single roles. E.g. create a new role and let it
>> learn the rights to your existing types.
>
> Current svn now also contains a simple, global RC learning mode. Kernel
> parameter rsbac_rc_learn will set all missing rights of all existing
> roles to types.
>
> Of course, all learning modes are strictly optional, disabled in kernel
> config by default and turned off by default.
>
> Learning mode per role is planned, but needs a new on-disk version of
> the role list, so there is no way back to a previous RSBAC version. This
> means that it probably goes into a new RSBAC 1.5 only. Alternatively, we
> could split the role list into two, adding some small overhead if
> learning is enabled and adding a set of extra functions to access the
> new list.
>
> Amon.
> --
> http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22