In traditional UNIX systems, DAC protection measures include file access modes and access control lists, while MAC provides process control and firewalls.
The TrustedBSD Project combines the core FreeBSD release with trusted security components that comply with the Information Technology Security Evaluation Criteria (ITSEC). These components provide a large number of different modules to ensure the safe operation of the operating system.
These tools include centralized policy management, in-depth auditing of components and execution (including kernel modules and function calls), mandatory access control for different regions of the system, and access control lists for file systems and kernel resources. They also offer other capabilities, such as finer-grained access control, more powerful reporting and monitoring, and a safer environment for running various services.
UNIX (including Linux) practitioners know that after logging on to the system, any ordinary user can see which users are logged on and what they are doing. The processes of all users can also be viewed easily. This information has legitimate uses, but once hackers obtain it, it poses a considerable security risk: they can quickly find a way to escalate privileges.
However, if you deploy TrustedBSD's Mandatory Access Control (MAC) Framework on your system, the situation is different.
The TrustedBSD MAC framework provides the basic facilities that most access control modules need, allowing them to flexibly extend the security policies enforced by the system in the form of kernel modules. If multiple policies are attached to the system, the MAC framework combines the authorization results of each policy in a meaningful way to form the final decision.
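The composition step described above, sketched as a user-space C model (an added example, not TrustedBSD or FreeBSD source): each attached policy returns 0 or an errno value, and a single denial from any policy decides the outcome. The two policies, the struct and all function names are hypothetical, and the precedence order among error codes is an assumption about how the framework ranks denials.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical, simplified credential: a uid and a sensitivity level. */
struct cred { int uid; int level; };

/* A policy check returns 0 to allow, or an errno value to deny. */
typedef int (*policy_check)(const struct cred *subj, const struct cred *target);

/* Hypothetical policy A: processes of other users do not exist for you. */
static int hide_other_uids(const struct cred *s, const struct cred *t) {
    return s->uid == t->uid ? 0 : ESRCH;
}

/* Hypothetical policy B: a subject may not observe a higher level. */
static int no_read_up(const struct cred *s, const struct cred *t) {
    return s->level >= t->level ? 0 : EACCES;
}

/* Merge two results. Any denial beats success; among denials, "not visible"
 * errors outrank "access denied", which outranks "not privileged".
 * The exact order is an assumption (see lead-in). */
static int error_select(int e1, int e2) {
    static const int order[] = { EDEADLK, EINVAL, ESRCH, ENOENT, EACCES, EPERM };
    for (size_t i = 0; i < sizeof(order) / sizeof(order[0]); i++)
        if (e1 == order[i] || e2 == order[i])
            return order[i];
    return e1 != 0 ? e1 : e2;
}

/* Consult every attached policy and compose one final decision. */
int check_visibility(int s_uid, int s_level, int t_uid, int t_level) {
    const policy_check attached[] = { hide_other_uids, no_read_up };
    const struct cred subj = { s_uid, s_level }, target = { t_uid, t_level };
    int error = 0;
    for (size_t i = 0; i < sizeof(attached) / sizeof(attached[0]); i++)
        error = error_select(attached[i](&subj, &target), error);
    return error;
}

int main(void) {
    /* Constructed sample: uid 1001 at level 0 looks at three processes. */
    printf("own process:        %d\n", check_visibility(1001, 0, 1001, 0));
    printf("other user's:       %d\n", check_visibility(1001, 0, 1002, 0));
    printf("own, higher level:  %d\n", check_visibility(1001, 0, 1001, 1));
    return 0;
}
```

When both policies deny, the caller sees ESRCH rather than EACCES, so the process appears not to exist at all instead of merely being off limits.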
The following is a demonstration on FreeBSD 7.0. Before introducing MAC mandatory access control into the system, we should make sure that the kernel has the corresponding support. If the system was installed with the default kernel, you need to add one line to the kernel configuration file:
options MAC
Once the kernel has been recompiled, MAC support is available.
Run the man 4 mac command to view the various MAC modules (Figure 1).
You can choose modules that control specific areas as well as modules that control the system as a whole, which is very convenient.
On this test system, any user can run the ps -aux command to view all active processes in the system, or run sockstat -4 and netstat -an to view all network connections and open network sockets in the system (Figures 2 and 3).