In traditional UNIX systems, DAC protection measures include file access modes and access control lists, while MAC provides process control and firewalling.
The TrustedBSD project combines the core FreeBSD release with trusted security components that comply with the Information Technology Security Evaluation Criteria (ITSEC). These components provide a large number of modules to ensure the secure operation of the operating system.
These tools include centralized policy management, in-depth auditing of components and execution (including kernel module and function calls), mandatory access control for different regions of the system, and access control lists for file systems and kernel resources. They also offer further capabilities: finer-grained access control, more powerful reporting and monitoring, and a safer environment for running services.
Unix (including Linux) practitioners know that, after logging on, any ordinary user can see which users are logged on and what they are doing, and can easily list every user's processes. This information has legitimate uses, but once an attacker obtains it, it creates a considerable security risk: they can immediately start looking for a way to escalate privileges.
However, if you deploy TrustedBSD's Mandatory Access Control (MAC) Framework on your system, the situation is different.
The TrustedBSD MAC framework provides the basic facilities for most access control modules, allowing the security policies enforced by the system to be extended flexibly in the form of in-kernel (in-core) modules. If multiple policies are attached to the system at the same time, the MAC framework is responsible for combining the authorization results of each policy in a (to some extent) meaningful way to form the final decision.
The following demonstration was done on FreeBSD 7.0. Before introducing MAC into the system, make sure the kernel has the corresponding support. On a default installation, add the following line to the kernel configuration file:
options MAC
Once the kernel has been rebuilt and booted, the framework is available.
Run man 4 mac to see the available MAC policy modules (Figure 1).
Here you can choose modules that control specific areas of the system and modules that control it as a whole, which is very convenient.
On this test system, any user can run ps aux to see every active process, or sockstat -4 and netstat -an to see all network connections and open sockets on the system (Figures 2 and 3).
Next, load the mac_seeotheruids module by running kldload mac_seeotheruids (Figure 4).
Note: as the figures show, once the TrustedBSD MAC module is loaded, the ordinary user ww can no longer see other users' processes or their network connections (Figures 5 and 6).
In this way, system security is greatly improved. To load the module automatically at boot, add mac_seeotheruids_load="YES" to /boot/loader.conf (Figure 7).
To unload the module, run kldunload mac_seeotheruids.
You can easily compare the two states by running commands such as netstat and ps as an ordinary (non-root) user. With the MAC module loaded, these commands display only the current user's processes and sockets; what other users are currently doing is not shown.
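A post-deployment check for the procedure above, written as an added example rather than code from the original article: run from an unprivileged shell on FreeBSD, it reports whether the module is loaded, whether the security.mac.seeotheruids.enabled sysctl is on, whether /boot/loader.conf persists the module, and whether ps still reveals other users' processes. The kldstat -q/-m flags and the sysctl name come from FreeBSD's kldstat(8) and mac_seeotheruids(4); the sample ps and loader.conf text below is constructed, not captured.

```shell
#!/bin/sh
# Post-deployment check for mac_seeotheruids (added example; not from the article).
# The two parsing functions read text on stdin so they can be exercised on the
# constructed samples below; audit_live feeds them real command output on FreeBSD.

# Count lines in `ps -ax -o user=` output that belong to a user other than $1.
# With mac_seeotheruids loaded and enabled, an unprivileged user should get 0.
count_foreign_procs() {
    awk -v me="$1" 'NF && $1 != me { n++ } END { print n + 0 }'
}

# Exit 0 if a loader.conf on stdin sets mac_seeotheruids_load="YES". The check is
# lenient (quotes optional, YES case-insensitive, trailing comments ignored) and
# skips commented-out lines, so a disabled entry is not mistaken for persistence.
loader_conf_persists_module() {
    awk '
        /^[[:space:]]*#/ { next }
        /^[[:space:]]*mac_seeotheruids_load[[:space:]]*=/ {
            v = $0
            sub(/^[^=]*=/, "", v)                     # keep the value side
            sub(/#.*/, "", v)                         # drop a trailing comment
            gsub(/"/, "", v); gsub(/[[:space:]]/, "", v)
            if (toupper(v) == "YES") found = 1
        }
        END { exit found ? 0 : 1 }'
}

# Constructed samples (not captured from a real host).
SAMPLE_PS_BEFORE='root
ww
root
bob
ww'                      # what user ww sees without the module: 3 foreign lines
SAMPLE_PS_AFTER='ww
ww'                      # what ww sees with the module loaded: 0 foreign lines
SAMPLE_LOADER_OK='# boot tunables
mac_seeotheruids_load="YES"   # persist the policy module'
SAMPLE_LOADER_MISSING='# mac_seeotheruids_load="YES"   commented out: no persistence'

# Live audit on a FreeBSD host; run it as the unprivileged user you want to check.
audit_live() {
    me=$(id -un)
    kldstat -q -m mac_seeotheruids && echo "module: loaded" || echo "module: NOT loaded"
    echo "enabled: $(sysctl -n security.mac.seeotheruids.enabled 2>/dev/null || echo unknown)"
    loader_conf_persists_module < /boot/loader.conf && echo "persist: yes" || echo "persist: no"
    echo "foreign processes visible to $me: $(ps -ax -o user= | count_foreign_procs "$me")"
}

if [ "${1:-}" = "--live" ]; then audit_live; fi
```

Invoke it as `sh check_seeotheruids.sh --live` (file name assumed) before and after kldload to see the foreign-process count drop to 0.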