Follow Techotopia on Twitter

On-line Guides
All Guides
eBook Store
iOS / Android
Linux for Beginners
Office Productivity
Linux Installation
Linux Security
Linux Utilities
Linux Virtualization
Linux Kernel
System/Network Admin
Programming
Scripting Languages
Development Tools
Web Development
GUI Toolkits/Desktop
Databases
Mail Systems
openSolaris
Eclipse Documentation
Techotopia.com
Virtuatopia.com
Answertopia.com

How To Guides
Virtualization
General System Admin
Linux Security
Linux Filesystems
Web Servers
Graphics & Desktop
PC Hardware
Windows
Problem Solutions
Privacy Policy

  




 

 

FreeBSD Handbook
Prev Next

Chapter 16 Mandatory Access Control

Table of Contents
16.1 Synopsis
16.2 Key Terms in this Chapter
16.3 Explanation of MAC
16.4 Understanding MAC Labels
16.5 Planning the Security Configuration
16.6 Module Configuration
16.7 The MAC seeotheruids Module
16.8 The MAC bsdextended Module
16.9 The MAC ifoff Module
16.10 The MAC portacl Module
16.11 The MAC partition Module
16.12 The MAC Multi-Level Security Module
16.13 The MAC Biba Module
16.14 The MAC LOMAC Module
16.15 Nagios in a MAC Jail
16.16 User Lock Down
16.17 Troubleshooting the MAC Framework
Written by Tom Rhodes.

16.1 Synopsis

FreeBSD 5.X introduced new security extensions from the TrustedBSD project based on the POSIX®.1e draft. Two of the most significant new security mechanisms are file system Access Control Lists (ACLs) and Mandatory Access Control (MAC) facilities. Mandatory Access Control allows new access control modules to be loaded, implementing new security policies. Some provide protections of a narrow subset of the system, hardening a particular service. Others provide comprehensive labeled security across all subjects and objects. The mandatory part of the definition comes from the fact that the enforcement of the controls is done by administrators and the system, and is not left up to the discretion of users as is done with discretionary access control (DAC, the standard file and System V IPC permissions on FreeBSD).

This chapter will focus on the Mandatory Access Control Framework (MAC Framework), and a set of pluggable security policy modules enabling various security mechanisms.

After reading this chapter, you will know:

  • What MAC security policy modules are currently included in FreeBSD and their associated mechanisms.

  • What MAC security policy modules implement as well as the difference between a labeled and non-labeled policy.

  • How to efficiently configure a system to use the MAC framework.

  • How to configure the different security policy modules included with the MAC framework.

  • How to implement a more secure environment using the MAC framework and the examples shown.

  • How to test the MAC configuration to ensure the framework has been properly implemented.

Before reading this chapter, you should:

  • Understand UNIX® and FreeBSD basics (Chapter 3).

  • Be familiar with the basics of kernel configuration/compilation (Chapter 8).

  • Have some familiarity with security and how it pertains to FreeBSD (Chapter 14).

Warning: The improper use of the information contained herein may cause loss of system access, aggravation of users, or inability to access the features provided by X11. More importantly, MAC should not be relied upon to completely secure a system. The MAC framework only augments existing security policy; without sound security practices and regular security checks, the system will never be completely secure.

It should also be noted that the examples contained within this chapter are just that, examples. It is not recommended that these particular settings be rolled out on a production system. Implementing the various security policy modules takes a good deal of thought and testing. One who does not fully understand exactly how everything works may find him or herself going back through the entire system and reconfiguring many files or directories.

16.1.1 What Will Not Be Covered

This chapter covers a broad range of security issues relating to the MAC framework. The development of new MAC security policy modules will not be covered. A number of security policy modules included with the MAC framework have specific characteristics which are provided for both testing and new module development. These include the mac_test(4), mac_stub(4) and mac_none(4). For more information on these security policy modules and the various mechanisms they provide, please review the manual pages.

Prev Home Next
Application of Jails Up Key Terms in this Chapter

 
 
  Published under the terms of the FreeBSD Document Project