RBAC

From C3D2

Role Modes

  • u - This role is a user role.
  • g - This role is a group role.
  • s - This role is a special role, meaning it does not belong to a user or group and does not require an enforced secure policy base to be included in the ruleset.
  • A - This role is an administrative role, thus it has special privileges that normal roles do not have. In particular, this role bypasses the additional ptrace and library loading restrictions.
  • N - This role does not require authentication. To access this role, use gradm -n <rolename>
  • G - This role can use gradm to authenticate to the kernel. A policy for gradm will automatically be added to the role.
  • T - This role has Trusted Path Execution (TPE) enabled.
  • l - This role has learning enabled.
  • P - This role uses PAM for authentication.

Subject Modes

  • o - Disable configuration inheritance (the subject does not inherit the objects and settings of the role's more general parent subject, e.g. the "/" subject; only its own rules apply)
  • h - Hide from all processes but those with the 'v' subject mode
  • v - Allow viewing of hidden processes
  • p - Protect from all processes but those with the 'k' subject mode
  • k - Allow killing of protected processes
  • b - Enable process accounting
  • d - Protect /proc/<pid>/fd and /proc/<pid>/mem
  • l - Enable learning
  • O - Allow loading of writable libraries
  • t - Allow ptracing of any process (do not use unless necessary, allows ptrace to cross subject boundaries)
  • r - Relax ptrace restrictions (allows ptracing of processes other than one's own children)
  • i - Enable inheritance-based learning, causing all accesses of this subject and anything it executes to be logged as originating from this subject. The policy generated from this learning will have the inheritance flag added to every file executed from this subject.
  • a - Allow this process to communicate with the /dev/grsec device
  • A - Protect shared memory (only processes in this subject may access the subject's shared memory)
  • K - Auto-kill upon violation of security policy
  • C - Auto-kill all processes belonging to the attacker's IP address upon violation of security policy
  • T - Deny execution of binaries or scripts that are writable by any other subject in the policy
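To show how the role and subject modes above appear in an actual policy, here is an added example (written for this page, not gradm's own code): a small constructed policy in grsecurity RBAC syntax, a parser for the subset of keywords it uses (role, role_transitions, subject, object lines, +/-CAP_*, bind, connect), and a few policy-wide consistency checks derived from the two tables. The sample policy and the warnings are this script's own heuristics for illustration, not checks gradm performs; object modes (r, w, x, h, ...) are used as in a normal policy but are not covered by the tables on this page.

```python
"""Parse a small grsecurity RBAC policy and sanity-check its role and subject
modes against the tables on this page.  Added example; not gradm code.  The
warnings are this script's own heuristics, not checks gradm itself performs."""
from dataclasses import dataclass, field

ROLE_MODES = set("ugsANGTlP")             # role modes listed above
SUBJECT_MODES = set("ohvpkbdlOtriaAKCT")  # subject modes listed above

# Constructed sample policy for this example (not grsecurity's default policy).
SAMPLE_POLICY = """\
role admin sA
subject / rvka
    /   rwcdmlxi

role default G
role_transitions admin helpdesk
subject / o
    /           r
    /dev/grsec  h
    -CAP_ALL
    bind    disabled
    connect disabled
subject /usr/bin/strace dpot
    /   r
    -CAP_ALL
    bind    disabled
    connect disabled

role helpdesk sAN
subject / o
    /   r

role sshd s
subject /usr/sbin/sshd dpoK
    /           r
    /var/log    w
    -CAP_ALL
    +CAP_NET_BIND_SERVICE
    bind    0.0.0.0/0:22 stream tcp
    connect disabled
"""


@dataclass
class Subject:
    path: str
    modes: str
    objects: dict = field(default_factory=dict)  # object path -> object modes
    caps: list = field(default_factory=list)     # +CAP_X / -CAP_X lines
    sockets: dict = field(default_factory=dict)  # "bind"/"connect" -> rule


@dataclass
class Role:
    name: str
    modes: str
    transitions: list = field(default_factory=list)
    subjects: list = field(default_factory=list)


def parse_policy(text):
    """Return the roles of a policy; raises ValueError on lines it does not know."""
    roles, role, subj = [], None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        if not line:
            continue
        parts = line.split()
        kw = parts[0]
        if kw == "role":                      # role <name> [modes]
            role = Role(parts[1], parts[2] if len(parts) > 2 else "")
            roles.append(role)
            subj = None
        elif role is None:
            raise ValueError(f"line outside any role: {raw!r}")
        elif kw == "role_transitions":
            role.transitions += parts[1:]
        elif kw == "subject":                 # subject <path> [modes]
            subj = Subject(parts[1], parts[2] if len(parts) > 2 else "")
            role.subjects.append(subj)
        elif subj is None:
            raise ValueError(f"line outside any subject: {raw!r}")
        elif kw in ("bind", "connect"):
            subj.sockets[kw] = " ".join(parts[1:])
        elif kw[0] in "+-" and kw[1:].startswith("CAP_"):
            subj.caps.append(kw)
        elif kw.startswith("/"):              # object line: <path> [modes]
            subj.objects[kw] = parts[1] if len(parts) > 1 else ""
        else:
            raise ValueError(f"unrecognised line: {raw!r}")
    return roles


def check_policy(roles):
    """Heuristic warnings (this script's own, not gradm's) from the mode tables."""
    warnings, names = [], {r.name for r in roles}
    subjects = [(r, s) for r in roles for s in r.subjects]
    for r in roles:
        bad = set(r.modes) - ROLE_MODES
        if bad:
            warnings.append(f"role {r.name}: unknown role mode(s) {''.join(sorted(bad))}")
        if "A" in r.modes and "N" in r.modes:   # admin privileges without a password
            warnings.append(f"role {r.name}: administrative role (A) needs no authentication (N)")
        for t in r.transitions:
            if t not in names:
                warnings.append(f"role {r.name}: role_transitions to undefined role {t}")
    for r, s in subjects:
        bad = set(s.modes) - SUBJECT_MODES
        if bad:
            warnings.append(f"{r.name} {s.path}: unknown subject mode(s) {''.join(sorted(bad))}")
        if "t" in s.modes:
            warnings.append(f"{r.name} {s.path}: 't' lets ptrace cross subject boundaries")
        if "O" in s.modes:
            warnings.append(f"{r.name} {s.path}: 'O' allows loading writable libraries")
    # h/p only make sense if some subject (usually the admin role's) keeps v/k
    if any("h" in s.modes for _, s in subjects) and not any("v" in s.modes for _, s in subjects):
        warnings.append("hidden subjects (h) exist but no subject has 'v'")
    if any("p" in s.modes for _, s in subjects) and not any("k" in s.modes for _, s in subjects):
        warnings.append("protected subjects (p) exist but no subject has 'k'")
    return warnings


if __name__ == "__main__":
    for w in check_policy(parse_policy(SAMPLE_POLICY)):
        print("warning:", w)
```

Run against the sample it reports two things a reviewer would want flagged: the helpdesk role combines A with N, so anyone allowed to transition into it gets administrative privileges without authenticating, and the strace subject carries t, which the table above says to avoid unless necessary. The real policy check remains gradm's own parser (gradm -C), which this script does not replace.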