All services and all network clients running on a computer system should be considered for encapsulation. Encapsulation means that every program providing a service or performing network access is restricted to the access rights it absolutely needs, and is at the same time protected from all other services and client programs. This way, a misbehaving program cannot harm other services or clients, with the exception of denial-of-service by resource exhaustion.
The Program Based Roles of the RC model provide the necessary means for per-program access control, and RC process types are used for protection against other processes. A good Base Protection setup makes the encapsulation task much easier. The RSBAC Jail module also provides a pre-configured encapsulation, which can be used in addition to the manual RC setup.
To identify all services that should be encapsulated, it is useful to distinguish between local services, e.g. for system maintenance, and network services, which can be accessed from remote systems. For most servers, the network services are the most dangerous.
Generally, all services that are not necessary for the intended functionality should be turned off. This reduces the set of services to be protected, and it makes the resulting configuration easier to understand and maintain.
Once all services that must be protected have been identified, the most difficult task is to find all object accesses each service needs. The Base Protection categories give a frame to begin with, but often have to be extended by service-specific categories, e.g. web data for a web server or the file area of a file server.
It is also important to know which user ids are used by which services. If users have to log in, their login paths need to be identified: do they have console access, or do they use ssh?
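The two inventory steps above, separating local from network services and recording which uid each service runs under, can be done from the kernel's own socket table before any RC configuration is written. The following script is an added example and is not part of the RSBAC Handbook or the RSBAC tools: it parses the /proc/net/tcp layout, keeps only LISTEN sockets, decodes the bound address and port, classifies loopback-bound listeners as local and everything else as network-exposed, and reports the owning uid; the embedded sample lines, their ports and uids (including uid 33) are constructed, and the inode-to-pid lookup only works when run on a real Linux host with sufficient privileges.

```python
# Added example (not from the RSBAC Handbook): inventory of listening TCP
# sockets built from the /proc/net/tcp format, classified into local-only and
# network-exposed services together with the owning uid. The embedded sample
# lines are constructed; on a Linux host, read_live() reads the real file.
import os
import socket
import struct

LISTEN_STATE = "0A"  # TCP state code for LISTEN in /proc/net/tcp

# Constructed sample in /proc/net/tcp layout (little-endian host). Ports and
# uids are illustrative: 631/22/80/8080 listeners plus one established client.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10001 1 0000000000000000 100 0 0 10 0
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10002 1 0000000000000000 100 0 0 10 0
   2: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000    33        0 10003 1 0000000000000000 100 0 0 10 0
   3: 0F02000A:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 10004 1 0000000000000000 100 0 0 10 0
   4: 0100007F:B2C4 0100007F:0050 01 00000000:00000000 00:00000000 00000000  1000        0 10005 1 0000000000000000 100 0 0 10 0
"""


def decode_addr(hex_addr):
    """Turn '0100007F:0277' into ('127.0.0.1', 631). The address is a
    host-order 32-bit value written in hex, so it is unpacked little-endian
    (correct on x86/ARM Linux); the port is plain hex."""
    ip_hex, port_hex = hex_addr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def classify(ip):
    """Scope of a listening address, which decides whether the service is a
    local or a network service in the sense of the handbook."""
    if ip.startswith("127."):
        return "local"
    if ip == "0.0.0.0":
        return "network-all"
    return "network-iface"


def parse_proc_net_tcp(text):
    """Return one dict per LISTEN socket: addr, port, uid, inode, scope."""
    entries = []
    for line in text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 10 or fields[3] != LISTEN_STATE:
            continue
        ip, port = decode_addr(fields[1])
        entries.append({
            "addr": ip,
            "port": port,
            "uid": int(fields[7]),
            "inode": int(fields[9]),
            "scope": classify(ip),
        })
    return entries


def socket_owner_pids(inode):
    """Map a socket inode to the pids holding it open, by scanning /proc/*/fd.
    Needs root to see other users' processes; returns [] when /proc is absent."""
    target = "socket:[%d]" % inode
    pids = []
    if not os.path.isdir("/proc"):
        return pids
    for pid in filter(str.isdigit, os.listdir("/proc")):
        fd_dir = "/proc/%s/fd" % pid
        try:
            for fd in os.listdir(fd_dir):
                if os.readlink(os.path.join(fd_dir, fd)) == target:
                    pids.append(int(pid))
                    break
        except OSError:  # process vanished or no permission
            continue
    return pids


def read_live(path="/proc/net/tcp"):
    """Inventory of the running host; falls back to the sample elsewhere."""
    if os.path.exists(path):
        with open(path) as fh:
            return parse_proc_net_tcp(fh.read())
    return parse_proc_net_tcp(SAMPLE_PROC_NET_TCP)


if __name__ == "__main__":
    for e in read_live():
        print("%-14s port %5d uid %5d scope %-13s pids %s"
              % (e["addr"], e["port"], e["uid"], e["scope"],
                 socket_owner_pids(e["inode"])))
```

Every "network-all" or "network-iface" line in the output is a candidate for an RC program role of its own; the uid column tells you which user the role must be attached to, and the pid lookup tells you which binary to assign the role to. The script covers IPv4 TCP only: /proc/net/udp uses the same columns, while /proc/net/tcp6 and udp6 carry 32-hex-digit addresses and need a different decoder.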
Table of Contents: RSBAC Handbook