Mandatory Access Control under FreeBSD: A TrustedBSD MAC Tutorial

In traditional UNIX systems, DAC (discretionary access control) protection measures include file access modes and access control lists, while MAC (mandatory access control) provides process control and firewalls.

TrustedBSD plans to combine the core FreeBSD release with trusted security components that meet the Information Technology Security Evaluation Criteria (ITSEC). These components provide a large number of different modules that ensure safe operation of the operating system.

These tools include centralized policy management, components, and enforcement (including kernel modules and function calls), which implement mandatory access control and access control lists for file system and kernel resources. The tools also have other functions, for example finer-grained access control, more powerful reporting and monitoring features, and a more secure environment for running a variety of services.

Anyone familiar with UNIX (including Linux) knows that any normal user, after logging in, can view which users are logged in to the system and what they are doing. In addition, the current processes of all users can also be easily viewed. When this information is used legitimately there is of course no problem, but once the system is hacked it becomes a considerable security hazard, because intruders can immediately look for ways to escalate privileges.

But if you deploy the TrustedBSD Mandatory Access Control (MAC) framework, the situation is different.

The TrustedBSD MAC framework provides basic facilities for most access control modules, allowing them to flexibly extend the security policies implemented in the system in the form of kernel modules. If multiple policies are loaded simultaneously, the MAC framework is responsible for combining the authorization results of each policy in a meaningful manner to form a decision of ***.

Below is a demonstration on FreeBSD 7.0. Before introducing MAC to strengthen access control, make sure that the system kernel has the corresponding support. On a default installation, you need to add a line to the kernel configuration file:

options MAC

Then recompile the kernel.

Run the man 4 mac command to see the various MAC modules, as shown in Figure 1.

Figure 1

Here you can choose a single module for one specific control, or several modules for overall control, which is very convenient.

In this test system, any user can run the ps -aux command to view all active processes in the system, or run sockstat -4 and netstat -an to view all network connections and open network sockets in the system, as shown in Figures 2 and 3.

Figure 2

Figure 3


Next we load the mac_seeotheruids module. Run: kldload mac_seeotheruids, as shown in Figure 4.

Figure 4

Note that after loading TrustedBSD's MAC module, the ordinary user WW can no longer see other users' processes, nor can they see other users' network connection status, as shown in Figures 5 and 6.

Figure 5

Figure 6

This greatly improves the security of the system. If we want the system to load this module automatically at boot, add the following line to /boot/loader.conf, as shown in Figure 7:

mac_seeotheruids_load="YES"

Figure 7

If we want to unload this module, just run the command: kldunload mac_seeotheruids.

You can run netstat and ps as an ordinary user (a non-root account) and compare the results. With the MAC module loaded, these commands display only the current user's own processes and sockets.

Those of other users currently logged on are not displayed.
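The comparison described above can be scripted. The following is an added example, not part of the original tutorial: it checks that the policy is active, that no other users' processes are visible, and that the module is set to load at boot. The function names are hypothetical; security.mac.seeotheruids.enabled is the sysctl documented in mac_seeotheruids(4).

```shell
#!/bin/sh
# Added example: verify that mac_seeotheruids is in effect.
# Run it as an unprivileged user; root is exempt from the policy by default.

# Count entries in "ps -axo user=" style input (stdin) not owned by user $1.
count_foreign() {
    awk -v me="$1" 'NF && $1 != me { n++ } END { print n + 0 }'
}

# Succeed if loader.conf-style input (stdin) loads the module at boot.
# Comments and whitespace are stripped before matching, case-insensitively.
boot_load_enabled() {
    sed -e 's/#.*//' -e 's/[[:space:]]//g' |
        grep -Eiq '^mac_seeotheruids_load="?yes"?$'
}

# Live check on a FreeBSD host; not exercised offline.
check_live() {
    me=$(id -un)
    # The sysctl node only exists while the policy is loaded.
    state=$(sysctl -n security.mac.seeotheruids.enabled 2>/dev/null)
    if [ "$state" != "1" ]; then
        echo "FAIL: policy not loaded or not enabled"
        return 1
    fi
    n=$(ps -axo user= | count_foreign "$me")
    if [ "$n" -ne 0 ]; then
        echo "FAIL: $n processes of other users are still visible"
        return 1
    fi
    if ! boot_load_enabled < /boot/loader.conf; then
        echo "WARN: module will not be loaded after a reboot"
    fi
    echo "OK: only processes of $me are visible"
}

if [ "${1:-}" = "--live" ]; then
    check_live
fi
```

Save the block to a file and run it with --live on the FreeBSD host, once before and once after kldload mac_seeotheruids, to see the difference.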
