SourceFiles.org - Use the Source, Luke

rsbac-init
Description

Some aspects of RSBAC's behaviour can be changed through the Linux /proc interface or the kernel command line. This package allows the security administrator to set these variables in a configuration file, so they are applied automatically every time the system boots.

The rsbac-init program reads /etc/rsbac/debug.conf and sets the values in /proc/rsbac-info/debug according to the settings in this configuration file.

Dependencies

The rsbac-init program depends on a kernel patch which converts the contents of /proc/rsbac-info/debug into s-expressions. The kernel packages in Adamantix v1.1.0, and the kernel sources you can download from kernel.adamantix.org, already contain this patch.

Usage

The rsbac-init program reads a configuration file, /etc/rsbac/debug.conf. This file must contain zero or more s-expressions of the form ([option] [value]), where [option] is the name of the option to set and [value] is the value given to this option. Boolean values are either 0, which disables the option, or 1, which enables it. Comments can be added anywhere; they start with a ";" and run to the end of the line.

Debugging messages produced by the kernel when these options are enabled are sent to /security/log/security-log.

(freeze [boolean])

The RSBAC configuration can normally be changed dynamically. By setting this variable to 1, the RSBAC configuration is "frozen": it is made read-only until the next reboot, and no administrator can change the RSBAC settings anymore. The default value is 0, which disables this feature (and thus allows dynamic reconfiguration).

(daz_ttl [integer])

The results of DAZuko scans are cached (or, if you will, remembered) by the kernel. A file is not scanned again for as long as the kernel remembers the result of its last scan. Scanning files is expensive, so this caching improves performance considerably. The value of this variable specifies how long results are cached. It is given in seconds and must not be negative. The default is 86400 seconds, which equals 24 hours.

(cap_process_hiding [boolean])

Normally any UNIX user can see the processes of all other UNIX users with the ps command. By setting this variable to 1, that is no longer the case: ps will only show processes owned by the user who runs it, and nothing more. Only users who have the cap_role attribute secoff or sysadmin can still see all processes of all users. The default value of this variable is 0, which disables this feature.

(cap_log_missing [boolean])

In Linux the rights of root are split into several smaller rights, called capabilities. Each capability allows the user to do certain things. The RSBAC CAP module was created to make administration of these capabilities easier. However, it is difficult to diagnose problems caused by missing capabilities: the standard Linux kernel only denies access, it does not tell you why. By setting this variable to 1, RSBAC takes care of that and logs every missing capability. The default value is 0, which disables this feature.

(jail_log_missing [boolean])

This variable has the same purpose as cap_log_missing above, except that it only logs missing capabilities inside RSBAC JAILs. The default is 0, which disables this feature.

(debug_write [boolean])

RSBAC is usually configured to write attributes to disk, where they can be read again the next time the system boots. When this option is set to 1, debugging messages related to this writing to disk are enabled. The default value is 0, which disables this feature.

(debug_stack [boolean])

This is a low-level debugging option, mostly used for kernel debugging. It measures the kernel stack usage at certain points in the RSBAC kernel code and emits debugging messages. The reason for this is that the kernel stack is very small (4K or 8K) and kernel code must take care not to overflow it, because that would probably crash the kernel. This option was added to the RSBAC kernel code to find such problems in RSBAC itself. The default value is 0, which disables this feature.

(debug_lists [boolean])

RSBAC stores its data internally in so-called linked lists. When this option is set to 1, debugging messages are enabled for operations performed on these lists. The default is 0, which disables this option.

(debug_ds [boolean])

The Data Structure component is the RSBAC kernel component which manages all RSBAC related data, including the linked lists (see also: debug_lists). When this option is set to 1, debug messages from the Data Structures component will be generated on access to data. The default value is 0, which disables this feature.

(debug_aef [boolean])

The Access Enforcement Facility (AEF) is the RSBAC kernel component responsible for informing the other components about what happens in the system, and for enforcing the decisions those components make about what is allowed and what is not. When set to 1, this option enables debugging messages which give an idea of what the AEF component does. The default value is 0, which disables this option.

(debug_no_write [boolean])

When RSBAC has been configured to write attributes to disk, that writing can be suspended by setting this option to 1. This is useful for testing new RSBAC settings without destroying the old ones. After the testing is done, writing can be enabled again by setting this option back to 0, which is the default value; the new settings will then be written to disk.

(debug_reg [boolean])

RSBAC allows the creation of RSBAC modules in the form of loadable kernel modules. These modules introduce themselves to RSBAC through the REG module, which acts as a kind of liaison officer. When this option is set to 1, debugging messages about what the REG module does are generated. The default is 0, which disables this option.

(debug_adf_daz [boolean])

The Access Decision Facility (ADF) is the RSBAC kernel component which decides which actions are allowed and which are denied. When set to 1, this option makes the kernel produce debugging messages whenever the DAZ module decides about an access request. The default value is 0, which disables this feature.

(debug_aef_jail [boolean])

When set to 1, this option will enable the JAIL related AEF debugging messages. See also debug_aef for a short description of the AEF component. The default value is 0, which disables this option.

(debug_adf_jail [boolean])

The Access Decision Facility (ADF) is the RSBAC kernel component which decides which actions are allowed and which are denied. When set to 1, this option makes the kernel produce debugging messages whenever the JAIL module decides about an access request. The default value is 0, which disables this feature.

(debug_auto [boolean])

Usually, RSBAC is configured to write changed attributes to disk automatically. When this option is set to 1, this automatic writing produces debug messages. Setting this option is recommended if you want a good overview of what is being saved to disk. The default value is 0, which disables this option.

(debug_ds_net [boolean])

When set to 1, this option will enable debugging messages from the data structure whenever network related data is accessed. See also debug_ds. The default is 0, which disables this option.

(debug_aef_net [boolean])

When set to 1, this option will enable the network related AEF debugging messages. See also debug_aef for a short description of the AEF component. The default value is 0, which disables this option.

(debug_adf_net [boolean])

The Access Decision Facility (ADF) is the RSBAC kernel component which decides which actions are allowed and which are denied. When set to 1, this option makes the kernel produce debugging messages whenever a decision is made about a network related access request. The default value is 0, which disables this feature.

Note: The options available in this file depend on the kernel configuration. The above options are available when the Adamantix 2.4.32 kernel packages are used. When you compile your own kernel, some of the above options may be missing while additional ones are available. In other words, your mileage may vary...
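The configuration format from the Usage section and the option list above, as an added example that is not part of this page or of rsbac-init itself: a small C program that parses /etc/rsbac/debug.conf the way the text describes (one ([option] [value]) s-expression per setting, ";" comments to end of line), checks every value before anything is written (booleans must be 0 or 1, daz_ttl must not be negative), counts names outside the documented option table instead of rejecting them, and only then emits the settings. The function names, the option table, the constructed sample configuration, the assumption that rsbac-init applies entries in file order, and the "(name value)" write format are assumptions of this example; the page itself only says that the patched kernel presents /proc/rsbac-info/debug as s-expressions.

```c
/* Added example, not rsbac-init's own source: parse the /etc/rsbac/debug.conf
 * format described above and validate every value before anything reaches
 * /proc/rsbac-info/debug. Assumed here: the option table this page lists for
 * the Adamantix 2.4.32 kernel, the constructed sample_conf, and the
 * "(name value)" write format emitted by write_settings(). */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
struct setting { char name[32]; long value; };
/* Booleans except daz_ttl. A self-built kernel may lack some or add others
 * (see the note above), so unknown names are counted and passed through. */
static const char *const known_options[] = {
    "freeze", "daz_ttl", "cap_process_hiding", "cap_log_missing",
    "jail_log_missing", "debug_write", "debug_stack", "debug_lists",
    "debug_ds", "debug_aef", "debug_no_write", "debug_reg", "debug_adf_daz",
    "debug_aef_jail", "debug_adf_jail", "debug_auto", "debug_ds_net",
    "debug_aef_net", "debug_adf_net",
};
#define NOPTS (sizeof known_options / sizeof known_options[0])

/* Skips whitespace and ";" comments, which run to the end of the line. */
static const char *skip(const char *p)
{
    for (;;) {
        while (isspace((unsigned char)*p)) p++;
        if (*p != ';') return p;
        while (*p && *p != '\n') p++;
    }
}

/* Parses "(option value)" s-expressions into out[]. Returns the number of
 * settings, or -1 on a syntax error, a negative value, or a boolean that is
 * not 0 or 1. *unknown receives how many names are not in known_options. */
int parse_debug_conf(const char *text, struct setting *out, int max, int *unknown)
{
    const char *p = text;
    int n = 0;
    *unknown = 0;
    for (;;) {
        size_t len, i;
        int known = 0;
        char *end;
        p = skip(p);
        if (*p == '\0')
            return n;                         /* clean end of file */
        if (*p != '(' || n == max)
            return -1;
        p = skip(p + 1);
        len = strspn(p, "abcdefghijklmnopqrstuvwxyz0123456789_");
        if (len == 0 || len >= sizeof out[n].name)
            return -1;
        memcpy(out[n].name, p, len);
        out[n].name[len] = '\0';
        p = skip(p + len);
        if (!isdigit((unsigned char)*p))      /* also rejects "-1" */
            return -1;
        out[n].value = strtol(p, &end, 10);
        p = skip(end);
        if (*p++ != ')')
            return -1;
        for (i = 0; i < NOPTS && !known; i++)
            known = strcmp(known_options[i], out[n].name) == 0;
        if (!known)
            (*unknown)++;
        else if (strcmp(out[n].name, "daz_ttl") != 0 && out[n].value > 1)
            return -1;                        /* booleans are 0 or 1 */
        n++;
    }
}

/* One "(name value)" line per setting; fp would be /proc/rsbac-info/debug. */
int write_settings(FILE *fp, const struct setting *s, int n)
{
    int i;
    for (i = 0; i < n; i++)
        if (fprintf(fp, "(%s %ld)\n", s[i].name, s[i].value) < 0)
            return -1;
    return fflush(fp) == 0 ? 0 : -1;
}
/* Constructed locked-down /etc/rsbac/debug.conf. freeze is last, assuming
 * rsbac-init applies entries in file order: after it nothing changes until reboot. */
static const char sample_conf[] =
    "; /etc/rsbac/debug.conf -- applied by rsbac-init at boot\n"
    "(cap_process_hiding 1)  ; unprivileged ps shows only the user's own\n"
    "(cap_log_missing 1)     ; log which capability each denial lacked\n"
    "(daz_ttl 3600)          ; re-scan files after an hour, not 24\n"
    "(freeze 1)              ; configuration read-only until reboot\n";
int main(void)
{
    struct setting s[64];
    int unknown, n = parse_debug_conf(sample_conf, s, 64, &unknown);
    if (n < 0) {                /* reject the whole file before touching /proc */
        fputs("debug.conf: syntax or range error, nothing applied\n", stderr);
        return 1;
    }
    if (unknown)
        fprintf(stderr, "warning: %d option(s) not in the known table\n", unknown);
    return write_settings(stdout, s, n) == 0 ? 0 : 1; /* stdout stands in for /proc */
}
```

Compiled with any C compiler and run without arguments, the program prints the four lines it would hand to /proc to stdout. The all-or-nothing check matters most because of freeze: a file is rejected as a whole before any value is applied, so a typo cannot be half-applied and then locked in by a following (freeze 1) until the next reboot.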


Copyright 2006 Sourcefiles.org All rights reserved.