Grsecurity - Role-based Access Control

Role-based Access Control

Another notable component of grsecurity is that it provides a full role-based access control (RBAC) system. RBAC is intended to restrict access to the system further than what is normally provided by Unix access control lists, with the aim of creating a fully least-privilege system, where users and processes have the absolute minimum privileges to work correctly and nothing more. This way, if the system is compromised, the ability of the attacker to damage or gain sensitive information on the system can be drastically reduced. RBAC works through a collection of roles. Each role can have individual restrictions on what they can or cannot do, and these roles and restrictions form an access policy, which can be amended as needed.

A list of RBAC features:

• Domain support for users and groups
• Role transition tables
• IP-based roles
• Non-root access to special roles
• Special roles that require no authentication
• Nested subjects
• Support for variables in the configuration
• And, or, and difference set operations on variables in configuration
• Object mode that controls the creation of setuid and setgid files
• Create and delete object modes
• Kernel interpretation of inheritance
• Real-time regular expression resolution
• Ability to deny ptraces to specific processes
• User and group transition checking and enforcement on an inclusive or exclusive basis
• /dev/grsec entry for kernel authentication and learning logs
• Next-generation code that produces least-privilege policies for the entire system with no configuration
• Policy statistics for gradm
• Inheritance-based learning
• Learning configuration file that allows the administrator to enable inheritance-based learning or disable learning on specific paths
• Full path names for offending process and parent process
• RBAC status function for gradm
• /proc//ipaddr gives the remote address of the person who started a given process
• Secure policy enforcement
• Supports read, write, append, execute, view, and read-only ptrace object permissions
• Supports hide, protect, and override subject flags
• Supports the PaX flags
• Shared memory protection feature
• Integrated local attack response on all alerts
• Subject flag that ensures a process can never execute trojaned code
• Full-featured, fine-grained auditing
• Resource, socket, and capability support
• Protection against exploit bruteforcing
• /proc/pid filedescriptor/memory protection
• Rules can be placed on non-existent files/processes
• Policy regeneration on subjects and objects
• Configurable log suppression
• Configurable process accounting
• Human-readable configuration
• Not filesystem or architecture dependent
• Scales well: supports as many policies as memory can handle with the same performance hit
• No run-time memory allocation
• SMP safe
• O(1) time efficiency for most operations
• Include directive for specifying additional policies
• Enable, disable, reload capabilities
• Option to hide kernel processes