Thomas Jones wrote:
Hello,
Has anyone here implemented RSBAC access control in a 9+ suse/opensuse release? I am looking at testing RSBAC within suse and was wanting to know other end-user(s) experiences.
I am sure that kernel patches must be altered to apply cleanly to suse kernels. And the init system within suse is a little different than most distributions, so the application of security policies for system initialization(as well as login) will need some work for sure.
No rpm's of dialog or user-manager are available according to google. So this leads me to believe that not very many suse/opensuse end-users implement and/or develop fine-grained access control models. Hopefully this is incorrect.
I don't know anyone who does, personally. For the vast majority of users, it's actually likely to cause things to be less secure, since access controls are, more often than not, a pain in the ass to set up and maintain. This leads to lapses. What do you need RSBAC for? SuSE 10.1 comes standard with AppArmor, which is a pretty nifty system to keep server processes under control. However, it won't stop a rogue user. If that's what you're worried about, RSBAC or SELinux are what you want. It's been my experience that very few systems these days offer shell accounts, so the vast majority of systems are more interested in locking down their server processes to prevent intrusion in the first place. I don't believe there is a standard kit for RSBAC applied to SuSE, but I recall one being done for SELinux. If you're going to create a SuSE system with RSBAC, keep in mind that it might not react well to LSM (Linux Security Module) in SuSE's kernels. AppArmor and SELinux both hook to LSM, but I'm pretty sure RSBAC wrote their own system.