RBAC: Difference between revisions

From C3D2
(Subject Modes: +bind/connect)
Line 29: Line 29:
 
*C - Auto-kill all processes belonging to the attacker's IP address upon violation of security policy
 
*C - Auto-kill all processes belonging to the attacker's IP address upon violation of security policy
 
*T - Deny execution of binaries or scripts that are writable by any other subject in the policy
 
*T - Deny execution of binaries or scripts that are writable by any other subject in the policy
 +
===bind/connect===
 +
bind [!] [(device|ip|host):80] (stream|dgram) (tcp|udp|ip)
 +
bind disabled
 +
connect [!] [(device|ip|ip/netmask|host):80] (stream|dgram) (tcp|udp|ip)
 +
connect disabled
  
 
==Object Modes==
 
==Object Modes==
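
Review bot: The four added syntax lines under ===bind/connect=== carry no list marker or preformatting, so the wikitext will render them joined into a single paragraph; prefix each with `*` as the mode lists above do, or indent them as preformatted text. The port appears as the literal `:80` where a generic port placeholder seems intended, and the section does not say what `!` or `disabled` mean, so a sentence on each would help readers of the policy syntax.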

Revision as of 27 April 2007, 16:10

Role Modes

  • u - This role is a user role.
  • g - This role is a group role.
  • s - This role is a special role, meaning it does not belong to a user or group and does not require an enforced secure policy base to be included in the ruleset.
  • A - This role is an administrative role, thus it has special privileges that normal roles do not have. In particular, this role bypasses the additional ptrace and library loading restrictions.
  • N - This role does not require authentication. To access this role, use gradm -n <rolename>
  • G - This role can use gradm to authenticate to the kernel. A policy for gradm will automatically be added to the role.
  • T - This role has Trusted Path Execution (TPE) enabled.
  • l - This role has learning enabled.
  • P - This role uses PAM for authentication.

Subject Modes

  • o - Disable configuration inheritance
  • h - Hide from all processes but those with the 'v' subject mode
  • v - Allow viewing of hidden processes
  • p - Protect from all processes but those with the 'k' subject mode
  • k - Allow killing of protected processes
  • b - Enable process accounting
  • d - Protect /proc/<pid>/fd and /proc/<pid>/mem
  • l - Enable learning
  • O - Allow loading of writable libraries
  • t - Allow ptracing of any process (do not use unless necessary, allows ptrace to cross subject boundaries)
  • r - Relax ptrace restrictions (allows ptracing of processes other than one's own children)
  • i - Enable inheritance-based learning, causing all accesses of this subject and anything it executes to be logged as originating from this subject. The policy generated from this learning will have the inheritance flag added to every file executed from this subject.
  • a - Allow this process to communicate with the /dev/grsec device
  • A - Protect shared memory
  • K - Auto-kill upon violation of security policy
  • C - Auto-kill all processes belonging to the attacker's IP address upon violation of security policy
  • T - Deny execution of binaries or scripts that are writable by any other subject in the policy

bind/connect

bind [!] [(device|ip|host):80] (stream|dgram) (tcp|udp|ip)
bind disabled
connect [!] [(device|ip|ip/netmask|host):80] (stream|dgram) (tcp|udp|ip)
connect disabled
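
As an added illustration (not part of the wiki page and not grsecurity's own tooling), a small Python linter that checks bind/connect lines against the syntax above before a policy is loaded. It assumes `:80` stands for any port number and, following the syntax as written, accepts `ip/netmask` only for `connect`; `parse_rule`, `lint` and the sample lines are hypothetical.

```python
import ipaddress
import re

# Grammar as printed on the page; ":80" is read as a port placeholder (assumption):
#   bind    [!] [(device|ip|host):80]            (stream|dgram) (tcp|udp|ip)
#   connect [!] [(device|ip|ip/netmask|host):80] (stream|dgram) (tcp|udp|ip)
#   bind disabled / connect disabled
NAME = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9._-]*[A-Za-z0-9])?$")  # device, IPv4, host

def parse_rule(line):
    """Parse one bind/connect line into a dict; raise ValueError if malformed."""
    verb, *rest = line.split() or [""]
    if verb not in ("bind", "connect"):
        raise ValueError("not a bind/connect rule")
    rule = {"verb": verb, "disabled": False, "negate": False, "addr": None, "port": None}
    if rest == ["disabled"]:
        return dict(rule, disabled=True)
    if rest and rest[0] == "!":
        rule["negate"], rest = True, rest[1:]
    if len(rest) == 3:  # the optional address:port token is present
        addr, sep, port = rest[0].rpartition(":")
        if not sep or not port.isdigit() or int(port) > 65535:
            raise ValueError("address must end in :<port>")
        if "/" in addr:
            if verb != "connect":
                raise ValueError("ip/netmask is listed for connect only")
            ipaddress.ip_network(addr, strict=False)  # raises ValueError if malformed
        elif not NAME.match(addr):
            raise ValueError("bad device, ip or host")
        rule["addr"], rule["port"], rest = addr, int(port), rest[1:]
    if len(rest) != 2 or rest[0] not in ("stream", "dgram") or rest[1] not in ("tcp", "udp", "ip"):
        raise ValueError("expected (stream|dgram) (tcp|udp|ip)")
    rule["type"], rule["proto"] = rest
    return rule

def lint(policy_text):
    """Return [(line_number, message)] for malformed bind/connect lines."""
    problems = []
    for n, line in enumerate(policy_text.splitlines(), 1):
        if line.split()[:1] in (["bind"], ["connect"]):
            try:
                parse_rule(line)
            except ValueError as exc:
                problems.append((n, str(exc)))
    return problems

# Constructed sample lines, not taken from a real policy.
SAMPLE = ("bind disabled\nconnect 192.168.0.0/24:80 stream tcp\n"
          "bind 10.0.0.0/8:80 stream tcp\nconnect 192.168.0.1 stream tcp\n")
```

Calling `lint(SAMPLE)` reports the third and fourth sample lines; lines that do not start with `bind` or `connect` are skipped, so the function can be run over a whole policy file.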

Object Modes

Object permission modes

  • r - Allow reads
  • w - Allow writes (implies allowed append)
  • a - Allow appends
  • c - Allow creations
  • d - Allow deletions
  • m - Allow creations of setuid/setgid files and the addition of the setuid/setgid bit to an already existing file
  • l - Allow hardlink creations
  • x - Allow executions
  • i - Inherit the current subject when executing
  • t - Allow only read-only ptraces
  • p - Disallow ptraces
  • h - Hide this path (reject all access)

Object auditing flags

  • R - Audit reads
  • W - Audit writes (implies append auditing)
  • A - Audit appends
  • C - Audit creations
  • D - Audit deletions
  • M - Audit creations of setuid/setgid files and addition of the setuid/setgid bit to an already existing file
  • L - Audit hardlink creations
  • X - Audit executions
  • I - Audit inherits of the current subject when executing
  • F - Audit accesses that don't involve reading or writing (e.g. stat, readdir, getdents, access)

Other Object flags

  • s - Suppress logs of denied access