RBAC

From C3D2

Role Modes

  • u - This role is a user role.
  • g - This role is a group role.
  • s - This role is a special role, meaning it does not belong to a user or group and does not require an enforced secure policy base to be included in the ruleset.
  • A - This role is an administrative role, thus it has special privileges that normal roles do not have. In particular, this role bypasses the additional ptrace and library loading restrictions.
  • N - This role does not require authentication. To access this role, use gradm -n <rolename>.
  • G - This role can use gradm to authenticate to the kernel. A policy for gradm will automatically be added to the role.
  • T - This role has Trusted Path Execution (TPE) enabled.
  • l - This role has learning enabled.
  • P - This role uses PAM for authentication.

Subject Modes

  • o - Disable configuration inheritance
  • h - Hide from all processes but those with the 'v' subject mode
  • v - Allow viewing of hidden processes
  • p - Protect from all processes but those with the 'k' subject mode
  • k - Allow killing of protected processes
  • b - Enable process accounting
  • d - Protect /proc/<pid>/fd and /proc/<pid>/mem
  • l - Enable learning
  • O - Allow loading of writable libraries
  • t - Allow ptracing of any process (do not use unless necessary, allows ptrace to cross subject boundaries)
  • r - Relax ptrace restrictions (allows ptracing of processes other than one's own children)
  • i - Enable inheritance-based learning, causing all accesses of this subject and anything it executes to be logged as originating from this subject. The policy generated from this learning will have the inheritance flag added to every file executed from this subject.
  • a - Allow this process to communicate with the /dev/grsec device
  • A - Protect shared memory
  • K - Auto-kill upon violation of security policy
  • C - Auto-kill all processes belonging to the attacker's IP address upon violation of security policy
  • T - Deny execution of binaries or scripts that are writable by any other subject in the policy

bind/connect

  • bind [!] [(device|ip|host):80] (stream|dgram) (tcp|udp|ip)
  • bind disabled
  • connect [!] [(device|ip|ip/netmask|host):80] (stream|dgram) (tcp|udp|ip)
  • connect disabled

Resource limits

RESOURCE (unlimited|(SOFT_LIMIT UNIT)) (unlimited|(HARD_LIMIT UNIT))

resources

  • RES_AS - maximum size of the process's virtual memory (address space) (RLIMIT_AS)
  • RES_CORE - maximum size of the core file (RLIMIT_CORE)
  • RES_CPU - cpu time limit in seconds (RLIMIT_CPU)
  • RES_CRASH - maximum number of queued signals for this process (RLIMIT_SIGPENDING)
  • RES_DATA - maximum size of the process's data segment (initialized data, uninitialized data, heap) (RLIMIT_DATA)
  • RES_FSIZE - maximum size of files the process may create (RLIMIT_FSIZE)
  • RES_LOCKS - maximum combined number of flock and fcntl leases (RLIMIT_LOCKS)
  • RES_MEMLOCK - maximum number of bytes of memory that may be locked into RAM (affects mlock, mlockall, mmap and shmctl) (RLIMIT_MEMLOCK)
  • RES_NOFILE - maximum number of files that may be opened by this process; the value is one greater than the highest usable file descriptor number (RLIMIT_NOFILE)
  • RES_NPROC - maximum number of processes that can be created for the real user id of the calling process (RLIMIT_NPROC)
  • RES_RSS - maximum number of virtual pages resident in RAM (RLIMIT_RSS)
  • RES_STACK - maximum size of the process stack in bytes (RLIMIT_STACK)

units

  • m - minutes (* 60); lowercase units are time units and apply to limits measured in seconds
  • h - hours (* 60 * 60)
  • d - days (* 60 * 60 * 24)
  • s - seconds (* 1)
  • K - kibibytes (* 2^10); uppercase units are byte units
  • M - mebibytes (* 2^20)
  • G - gibibytes (* 2^30)

example

  • RES_AS 100M 100M - set RLIMIT_AS to 100M soft and 100M hard
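As an added example (not code from the original page), a small Python parser for resource-limit lines of the form shown above: it applies the unit table, distinguishes the lowercase time units from the uppercase byte units, and rejects a soft limit above the hard limit. It assumes RES_CPU is the only resource measured in seconds, so a time unit on any other resource (the easy 100m-for-100M mix-up) is reported as an error.

```python
import re

# Unit multipliers as listed in the reference above. Case matters: lowercase
# s/m/h/d are time units (seconds), uppercase K/M/G are byte units.
UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400,
         "K": 2 ** 10, "M": 2 ** 20, "G": 2 ** 30}

# Resource names from the reference above. Assumption: RES_CPU is the only
# one whose limits are in seconds; the rest are byte sizes or counts.
RESOURCES = {"RES_AS", "RES_CORE", "RES_CPU", "RES_CRASH", "RES_DATA",
             "RES_FSIZE", "RES_LOCKS", "RES_MEMLOCK", "RES_NOFILE",
             "RES_NPROC", "RES_RSS", "RES_STACK"}
TIME_RESOURCES = {"RES_CPU"}

_LIMIT_RE = re.compile(r"^(\d+)([smhdKMG])?$")


def parse_limit(token, resource):
    """Turn '100M', '30m' or 'unlimited' into an int (None means unlimited)."""
    if token == "unlimited":
        return None
    m = _LIMIT_RE.match(token)
    if not m:
        raise ValueError(f"bad limit value {token!r}")
    value, unit = int(m.group(1)), m.group(2)
    if unit is None:
        return value
    # A time unit on a byte/count limit (or vice versa) is almost certainly a
    # typo such as 'RES_AS 100m 100m' (minutes) for 'RES_AS 100M 100M' (MiB).
    if (unit in "smhd") != (resource in TIME_RESOURCES):
        raise ValueError(f"unit {unit!r} does not fit {resource}")
    return value * UNITS[unit]


def parse_resource_line(line):
    """Parse 'RESOURCE SOFT HARD' into (resource, soft, hard) or raise ValueError."""
    parts = line.split()
    if len(parts) != 3:
        raise ValueError(f"expected 'RESOURCE SOFT HARD', got {line!r}")
    resource, soft_tok, hard_tok = parts
    if resource not in RESOURCES:
        raise ValueError(f"unknown resource {resource!r}")
    soft = parse_limit(soft_tok, resource)
    hard = parse_limit(hard_tok, resource)
    # setrlimit(2) rejects a soft limit above the hard limit, so flag it here.
    if hard is not None and (soft is None or soft > hard):
        raise ValueError(f"soft limit exceeds hard limit in {line!r}")
    return resource, soft, hard


if __name__ == "__main__":
    # Constructed sample lines, not taken from a real policy.
    for sample in ("RES_AS 100M 100M", "RES_CPU 30m 1h"):
        print(parse_resource_line(sample))
```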

Object Modes

Object permission modes

  • r - Allow reads
  • w - Allow writes (implies allowed append)
  • a - Allow appends
  • c - Allow creations
  • d - Allow deletions
  • m - Allow creations of setuid/setgid files and the addition of the setuid/setgid bit to an already existing file
  • l - Allow hardlink creations
  • x - Allow executions
  • i - Inherit the current subject when executing
  • t - Allow only read-only ptraces
  • p - Disallow ptraces
  • h - Hide this path (reject all access)

Object auditing flags

  • R - Audit reads
  • W - Audit writes (implies append auditing)
  • A - Audit appends
  • C - Audit creations
  • D - Audit deletions
  • M - Audit creations of setuid/setgid files and addition of the setuid/setgid bit to an already existing file
  • L - Audit hardlink creations
  • X - Audit executions
  • I - Audit inherits of the current subject when executing
  • F - Audit accesses that don't involve reading or writing (e.g. stat, readdir, getdents, access)

Other Object flags

  • s - Suppress logs of denied access