Service Encapsulation

All services and all network clients running on a computer system should be considered for encapsulation. Encapsulation means that every program providing a service or using the network is restricted to the access rights it absolutely needs, and at the same time is protected from all other services and client programs. This way, a misbehaving or compromised program cannot harm other services or clients, except through denial of service by resource exhaustion, which access control alone does not prevent.

The Program Based Roles of the RC model provide the means for per-program access control, and RC process types are used for protection against other processes. A good Base Protection setup makes the encapsulation task much easier. The RSBAC Jail module also provides a pre-configured encapsulation, which can be used in addition to the manual RC setup.

Separate network services from local ones

To identify all services that should be encapsulated, it is useful to distinguish between local services, e.g. for system maintenance, and network services, which can be accessed from remote systems. For most servers, the network services are the most dangerous, because they are reachable by untrusted remote parties.

Turn off unnecessary services

Generally, all services that are not necessary for the intended functionality should be turned off. This reduces the set of services to be protected and makes the resulting configuration easier to understand and maintain.

Divide the objects a service accesses into categories

When all services that must be protected have been identified, the most difficult task is to find all object accesses each service needs. The Base Protection categories give a frame to begin with, but they often have to be extended by service-specific categories, e.g. web data for a web server or the file area of a file server.

Users, User IDs and Paths

It is also important to know which user IDs are used by which services. If users have to log in, their login paths need to be identified: do they have console access, or do they use ssh?
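The four steps above (separate network from local services, find every object access a service needs, group the accessed objects into categories, and record which user IDs the service runs as) all start from the same raw material: an observation of what the service actually does. The following script is an added example for this handbook section, not RSBAC code and not part of the RSBAC tool set; it produces no RSBAC commands. It parses a syscall trace of a service (the sample lines are constructed in the style of strace output) and derives the inputs the RC configuration later needs: whether the service binds a network port, the setuid/setgid calls it makes, and the files it reads or writes, grouped by path prefix into categories. The prefix-to-category table and the "web data" category are illustrative assumptions; they are not the names used by any RSBAC configuration. Failed accesses (a return value of -1) are skipped on purpose: they are attempts the kernel already refused, and granting them would widen the policy beyond what the service needs.

```python
"""Derive the encapsulation inputs for a service from a syscall trace.

Added example; not RSBAC code. The CATEGORIES table and the sample trace
are assumptions constructed for the demonstration.
"""
import re
from collections import defaultdict

# Path prefix -> category. Order matters: the first matching prefix wins,
# so the more specific "/usr/lib/" must precede "/usr/". Assumed names.
CATEGORIES = [
    ("/var/www/", "web data"),          # service-specific category, as the text suggests
    ("/etc/", "system config"),
    ("/var/log/", "logs"),
    ("/lib/", "libraries"),
    ("/usr/lib/", "libraries"),
    ("/usr/", "system binaries"),
    ("/tmp/", "temporary files"),
]

OPEN_RE = re.compile(r'^(?:open|openat)\((?:AT_FDCWD, )?"([^"]+)", ([A-Z_|]+)')
BIND_RE = re.compile(r'^bind\(\d+, \{sa_family=(AF_INET6?|AF_UNIX)')
PORT_RE = re.compile(r'sin6?_port=htons\((\d+)\)')
SETID_RE = re.compile(r'^(setuid|setgid|setresuid|setresgid|setgroups)\(([^)]*)\)')
EXEC_RE = re.compile(r'^execve\("([^"]+)"')
PID_PREFIX_RE = re.compile(r'^(?:\[pid\s+\d+\]\s*|\d+\s+)')   # strace -f prefixes
FAILED_RE = re.compile(r'\)\s*=\s*-1\b')                      # call returned an error


def categorize(path):
    for prefix, category in CATEGORIES:
        if path.startswith(prefix):
            return category
    return "uncategorized"


def access_mode(flags):
    """Classify an open() flag set as a read or a write access."""
    write_flags = {"O_WRONLY", "O_RDWR", "O_CREAT", "O_TRUNC", "O_APPEND"}
    return "write" if write_flags & set(flags.split("|")) else "read"


def inventory(trace_lines):
    inv = {
        "exec": [],       # binaries executed
        "network": [],    # (address family, port or None) for each bind()
        "ids": [],        # (syscall, arguments) in the order identity changes
        "files": defaultdict(lambda: {"read": set(), "write": set()}),
    }
    for raw in trace_lines:
        line = PID_PREFIX_RE.sub("", raw.strip())
        if not line or FAILED_RE.search(line):
            continue   # refused attempt: do not turn it into a granted right
        m = EXEC_RE.match(line)
        if m:
            inv["exec"].append(m.group(1))
            continue
        m = BIND_RE.match(line)
        if m:
            port = PORT_RE.search(line)
            inv["network"].append((m.group(1), int(port.group(1)) if port else None))
            continue
        m = SETID_RE.match(line)
        if m:
            inv["ids"].append((m.group(1), m.group(2)))
            continue
        m = OPEN_RE.match(line)
        if m:
            path, flags = m.groups()
            inv["files"][categorize(path)][access_mode(flags)].add(path)
    return inv


def is_network_service(inv):
    """AF_UNIX binds are local; only AF_INET/AF_INET6 make it a network service."""
    return any(family in ("AF_INET", "AF_INET6") for family, _ in inv["network"])


def report(inv):
    lines = ["service binary : " + (", ".join(inv["exec"]) or "unknown")]
    lines.append("classification : " + ("network service" if is_network_service(inv) else "local service"))
    for family, port in inv["network"]:
        lines.append(f"listens on     : {family} port {port}")
    for call, args in inv["ids"]:
        lines.append(f"identity change: {call}({args})")
    for category in sorted(inv["files"]):
        for mode in ("read", "write"):
            paths = sorted(inv["files"][category][mode])
            if paths:
                lines.append(f"{category:<16} {mode:<5}: " + ", ".join(paths))
    return "\n".join(lines)


# Constructed sample trace of a hypothetical web server, in strace style.
SAMPLE_TRACE = """\
execve("/usr/sbin/httpd", ["httpd", "-DFOREGROUND"], 0x7ffd1234abcd /* 20 vars */) = 0
openat(AT_FDCWD, "/etc/httpd/httpd.conf", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib/libssl.so.1.1", O_RDONLY|O_CLOEXEC) = 4
bind(5, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("0.0.0.0")}, 16) = 0
setgid(33) = 0
setuid(33) = 0
openat(AT_FDCWD, "/var/www/html/index.html", O_RDONLY) = 6
openat(AT_FDCWD, "/var/log/httpd/access_log", O_WRONLY|O_APPEND|O_CREAT, 0644) = 7
openat(AT_FDCWD, "/tmp/sess_1a2b", O_RDWR|O_CREAT, 0600) = 8
openat(AT_FDCWD, "/home/alice/.ssh/id_rsa", O_RDONLY) = -1 EACCES (Permission denied)
""".splitlines()

if __name__ == "__main__":
    print(report(inventory(SAMPLE_TRACE)))
```

On a real system the input would come from something like strace -f -e trace=file,network,process -o trace.log, run over a full work cycle of the service, because accesses that only happen at log rotation or under error conditions are easy to miss. The resulting per-category read and write sets are what then get mapped to RC types and to the rights of the service's program-based role; the uncategorized set is the list of objects for which a new service-specific category still has to be decided.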



Table of Contents: RSBAC Handbook
Previous: System Base
Next: User Management