RBAC: Difference between revisions

From C3D2
(The page was newly created: ==Role Modes== *u - user role *g - group role *s - special role *A - administrative role *N - role does not require authentication *G - role can use gradm *T - role ha...)
 
No edit summary
Line 1: Line 1:
==Role Modes==
==Role Modes==


*u - user role
*u - This role is a user role.
*g - group role
*g - This role is a group role.
*s - special role
*s - This role is a special role, meaning it does not belong to a user or group and does not require an enforced secure policy base to be included in the ruleset.
*A - administrative role
*A - This role is an administrative role, thus it has special privileges that normal roles do not have. In particular, this role bypasses the additional ptrace and library loading restrictions.
*N - role does not require authentication
*N - This role does not require authentication. To access this role, use gradm -n <rolename>
*G - role can use gradm
*G - This role can use gradm to authenticate to the kernel. A policy for gradm will automatically be added to the role.
*T - role has TPE enabled
*T - This role has Trusted Path Execution (TPE) enabled.
*l - role has learning enabled
*l - This role has learning enabled.
*P - role uses PAM for authentication
*P - This role uses PAM for authentication.
 
==Subject Modes==
*o - Disable configuration inheritance
*h - Hide from all processes but those with the 'v' subject mode
*v - Allow viewing of hidden processes
*p - Protect from all processes but those with the 'k' subject mode
*k - Allow killing of protected processes
*b - Enable process accounting
*d - Protect /proc/<pid>/fd and /proc/<pid>/mem
*l - Enable learning
*O - Allow loading of writable libraries
*t - Allow ptracing of any process (do not use unless necessary, allows ptrace to cross subject boundaries)
*r - Relax ptrace restrictions (allows ptracing of processes other than one's own children)
*i - Enable inheritance-based learning, causing all accesses of this subject and anything it executes to be logged as originating from this subject. The policy generated from this learning will have the inheritance flag added to every file executed from this subject.
*a - Allow this process to communicate with the /dev/grsec device
*A - Protect shared memory
*K - Auto-kill upon violation of security policy
*C - Auto-kill all processes belonging to the attacker's IP address upon violation of security policy
*T - Deny execution of binaries or scripts that are writable by any other subject in the policy
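
Review bot: the added Subject Modes list reuses the letters A, T and l that the Role Modes list above it already defines with different meanings (A is "administrative role" for a role but "Protect shared memory" for a subject; T is TPE for a role but "Deny execution of binaries or scripts that are writable by any other subject in the policy" for a subject). Add one sentence under each heading stating that a letter only has the listed meaning in that context, so a reader does not carry the role meaning of A over to a subject line. As a style point, the Role Modes entries were rewritten as full sentences while the new Subject Modes entries are imperative fragments; use one form for both lists.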

Revision as of 21:32, 16 April 2007

Role Modes

  • u - This role is a user role.
  • g - This role is a group role.
  • s - This role is a special role, meaning it does not belong to a user or group and does not require an enforced secure policy base to be included in the ruleset.
  • A - This role is an administrative role, thus it has special privileges that normal roles do not have. In particular, this role bypasses the additional ptrace and library loading restrictions.
  • N - This role does not require authentication. To access this role, use gradm -n <rolename>
  • G - This role can use gradm to authenticate to the kernel. A policy for gradm will automatically be added to the role.
  • T - This role has Trusted Path Execution (TPE) enabled.
  • l - This role has learning enabled.
  • P - This role uses PAM for authentication.

Subject Modes

  • o - Disable configuration inheritance
  • h - Hide from all processes but those with the 'v' subject mode
  • v - Allow viewing of hidden processes
  • p - Protect from all processes but those with the 'k' subject mode
  • k - Allow killing of protected processes
  • b - Enable process accounting
  • d - Protect /proc/<pid>/fd and /proc/<pid>/mem
  • l - Enable learning
  • O - Allow loading of writable libraries
  • t - Allow ptracing of any process (do not use unless necessary, allows ptrace to cross subject boundaries)
  • r - Relax ptrace restrictions (allows ptracing of processes other than one's own children)
  • i - Enable inheritance-based learning, causing all accesses of this subject and anything it executes to be logged as originating from this subject. The policy generated from this learning will have the inheritance flag added to every file executed from this subject.
  • a - Allow this process to communicate with the /dev/grsec device
  • A - Protect shared memory
  • K - Auto-kill upon violation of security policy
  • C - Auto-kill all processes belonging to the attacker's IP address upon violation of security policy
  • T - Deny execution of binaries or scripts that are writable by any other subject in the policy
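
An added example, not part of the wiki page or of grsecurity itself: a small audit pass over a policy file that reports the role and subject modes from the two lists above that relax a restriction or leave learning on, using one table per context because A, T and l mean different things for roles and subjects. The `role <name> <modes>` / `subject <path> <modes>` line layout, the choice of which modes to report, and the sample policy are assumptions made for this example.

```python
import re

# Modes from the lists above that loosen a restriction or leave learning on.
# One table per context: A, T and l mean different things for roles and subjects.
ROLE_FLAGS = {
    "A": "administrative role, bypasses ptrace and library loading restrictions",
    "N": "role does not require authentication",
    "l": "learning enabled",
}
SUBJECT_FLAGS = {
    "t": "may ptrace any process, across subject boundaries",
    "r": "ptrace restrictions relaxed",
    "O": "may load writable libraries",
    "a": "may communicate with /dev/grsec",
    "l": "learning enabled",
    "i": "inheritance-based learning enabled",
}
# Assumed line layout: "role <name> [modes]" / "subject <path> [modes] [{]".
HEADER = re.compile(r"^\s*(role|subject)\s+(\S+)(?:\s+([A-Za-z]+))?\s*\{?\s*$")

def audit(policy_text):
    """Return (role, subject or None, mode, reason) for every flagged mode."""
    findings, role = [], None
    for raw in policy_text.splitlines():
        m = HEADER.match(raw.split("#", 1)[0])
        if not m:
            continue  # object rules, comments, role_transitions, braces
        kind, name, modes = m.group(1), m.group(2), m.group(3) or ""
        if kind == "role":
            role, subject, table = name, None, ROLE_FLAGS
            if "A" in modes and "N" in modes:
                findings.append((role, None, "A+N", "administrative role without authentication"))
        else:
            subject, table = name, SUBJECT_FLAGS
        findings += [(role, subject, c, table[c]) for c in modes if c in table]
    return findings

# Constructed sample policy, not taken from the page.
SAMPLE = """\
role admin sA
subject / rvka
role backup sAN
role default G
role_transitions admin
subject /usr/bin/gdb t {
"""

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

A subject line carrying `A` is not reported, since in subject context that letter protects shared memory rather than granting administrative privileges.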