mac-initial.html

FreeBSD操作系统的详细使用手册

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta name="generator" content="HTML Tidy, see www.w3.org" />
<title>Explanation of MAC</title>
<meta name="GENERATOR" content="Modular DocBook HTML Stylesheet Version 1.7" />
<link rel="HOME" title="FreeBSD Handbook" href="index.html" />
<link rel="UP" title="Mandatory Access Control" href="mac.html" />
<link rel="PREVIOUS" title="Key Terms in this Chapter" href="mac-inline-glossary.html" />
<link rel="NEXT" title="Understanding MAC Labels" href="mac-understandlabel.html" />
<link rel="STYLESHEET" type="text/css" href="docbook.css" />
</head>
<body class="SECT1" bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#840084"
alink="#0000FF">
<div class="NAVHEADER">
<table summary="Header navigation table" width="100%" border="0" cellpadding="0"
cellspacing="0">
<tr>
<th colspan="3" align="center">FreeBSD Handbook</th>
</tr>

<tr>
<td width="10%" align="left" valign="bottom"><a href="mac-inline-glossary.html"
accesskey="P">Prev</a></td>
<td width="80%" align="center" valign="bottom">Chapter 15 Mandatory Access Control</td>
<td width="10%" align="right" valign="bottom"><a href="mac-understandlabel.html"
accesskey="N">Next</a></td>
</tr>
</table>

<hr align="LEFT" width="100%" />
</div>

<div class="SECT1">
<h1 class="SECT1"><a id="MAC-INITIAL" name="MAC-INITIAL">15.3 Explanation of MAC</a></h1>

<p>With all of these new terms in mind, consider how the <acronym
class="ACRONYM">MAC</acronym> framework augments the security of the system as a whole.
The various security policies provided by the <acronym class="ACRONYM">MAC</acronym>
framework could be used to protect the network and file systems, block users from
accessing certain ports and sockets, and more. Perhaps the best use of the policies is to
blend them together, by loading several security policy modules at a time, for a
multi-layered security environment. In a multi-layered security environment, multiple
policies are in effect to keep security in check. This is different then a hardening
policy, which typically hardens elements of a system that is used only for specific
purposes. The only downside is administrative overhead in cases of multiple file system
labels, setting network access control user by user, etc.</p>

<p>These downsides are minimal when compared to the lasting effect of the framework; for
instance, the ability to pick choose which policies are required for a specific
configuration keeps performance overhead down. The reduction of support for unneeded
policies can increase the overall performance of the system as well as offer flexibility
of choice. A good implementation would consider the overall security requirements and
effectively implement the various policies offered by the framework.</p>

<p>Thus a system utilizing <acronym class="ACRONYM">MAC</acronym> features should at
least guarantee that a user will not be permitted to change security attributes at will;
all user utilities, programs and scripts must work within the constraints of the access
rules provided by the selected policies; and that total control of the <acronym
class="ACRONYM">MAC</acronym> access rules are in the hands of the system
administrator.</p>

<p>It is the sole duty of the system administrator to carefully select the correct
policies. Some environments may need to limit access control over the network; in these
cases, the <a href="http://www.FreeBSD.org/cgi/man.cgi?query=mac_portacl&sektion=4"><span
class="CITEREFENTRY"><span class="REFENTRYTITLE">mac_portacl</span>(4)</span></a>, <a
href="http://www.FreeBSD.org/cgi/man.cgi?query=mac_ifoff&sektion=4"><span
class="CITEREFENTRY"><span class="REFENTRYTITLE">mac_ifoff</span>(4)</span></a> and even
<a href="http://www.FreeBSD.org/cgi/man.cgi?query=mac_biba&sektion=4"><span
class="CITEREFENTRY"><span class="REFENTRYTITLE">mac_biba</span>(4)</span></a> policies
might make good starting points. In other cases, strict confidentiality of file system
objects might be required. Policies such as <a
href="http://www.FreeBSD.org/cgi/man.cgi?query=mac_bsdextended&sektion=4"><span
class="CITEREFENTRY"><span class="REFENTRYTITLE">mac_bsdextended</span>(4)</span></a> and
<a href="http://www.FreeBSD.org/cgi/man.cgi?query=mac_mls&sektion=4"><span
class="CITEREFENTRY"><span class="REFENTRYTITLE">mac_mls</span>(4)</span></a> exist for
this purpose.</p>

<p>Policy decisions could be made based on network configuration. Perhaps only certain
users should be permitted access to facilities provided by <a
href="http://www.FreeBSD.org/cgi/man.cgi?query=ssh&sektion=1&manpath=OpenBSD+3.4"><span
class="CITEREFENTRY"><span class="REFENTRYTITLE">ssh</span>(1)</span></a> to access the
network or the Internet. The <a
href="http://www.FreeBSD.org/cgi/man.cgi?query=mac_portacl&sektion=4"><span
class="CITEREFENTRY"><span class="REFENTRYTITLE">mac_portacl</span>(4)</span></a> would
be the policy of choice for these situations. But what should be done in the case of file
systems? Should all access to certain directories be severed from other groups or
specific users? Or should we limit user or utility access to specific files by setting
certain objects as classified?</p>

<p>In the file system case, access to objects might be considered confidential to some
users but not to others. For an example, a large development team might be broken off
into smaller groups of individuals. Developers in project A might not be permitted to
access objects written by developers in project B. Yet they might need to access objects
created by developers in project C; that is quite a situation indeed. Using the different
policies provided by the <acronym class="ACRONYM">MAC</acronym> framework; users could be
divided into these groups and then given access to the appropriate areas without the fear
of information leakage.</p>

<p>Thus, each policy has a unique way of dealing with the overall security of a system.
Policy selection should be based on a well thought out security policy. In many cases,
the overall policy may need to be revised and reimplemented on the system. Understanding
the different policies offered by the <acronym class="ACRONYM">MAC</acronym> framework
will help administrators choose the best policies for their situations.</p>

<p>The default FreeBSD kernel does not include the option for the <acronym
class="ACRONYM">MAC</acronym> framework; thus the following kernel option must be added
before trying any of the examples or information in this chapter:</p>

<pre class="PROGRAMLISTING">
options    MAC
</pre>

<p>And the kernel will require a rebuild and a reinstall.</p>

<div class="CAUTION">
<blockquote class="CAUTION">
<p><b>Caution:</b> While the various manual pages for <acronym
class="ACRONYM">MAC</acronym> modules state that they may be built into the kernel, it is
possible to lock the system out of the network and more. Implementing <acronym
class="ACRONYM">MAC</acronym> is much like implementing a firewall, but care must be
taken to prevent being completely locked out of the system. The ability to revert back to
a previous configuration should be considered while the implementation of <acronym
class="ACRONYM">MAC</acronym> remotely should be done with extreme caution.</p>
</blockquote>
</div>
</div>

<div class="NAVFOOTER">
<hr align="LEFT" width="100%" />
<table summary="Footer navigation table" width="100%" border="0" cellpadding="0"
cellspacing="0">
<tr>
<td width="33%" align="left" valign="top"><a href="mac-inline-glossary.html"
accesskey="P">Prev</a></td>
<td width="34%" align="center" valign="top"><a href="index.html"
accesskey="H">Home</a></td>
<td width="33%" align="right" valign="top"><a href="mac-understandlabel.html"
accesskey="N">Next</a></td>
</tr>

<tr>
<td width="33%" align="left" valign="top">Key Terms in this Chapter</td>
<td width="34%" align="center" valign="top"><a href="mac.html" accesskey="U">Up</a></td>
<td width="33%" align="right" valign="top">Understanding MAC Labels</td>
</tr>
</table>
</div>

<p align="center"><small>This, and other documents, can be downloaded from <a
href="ftp://ftp.FreeBSD.org/pub/FreeBSD/doc/">ftp://ftp.FreeBSD.org/pub/FreeBSD/doc/</a>.</small></p>

<p align="center"><small>For questions about FreeBSD, read the <a
href="http://www.FreeBSD.org/docs.html">documentation</a> before contacting &#60;<a
href="mailto:questions@FreeBSD.org">questions@FreeBSD.org</a>&#62;.<br />
For questions about this documentation, e-mail &#60;<a
href="mailto:doc@FreeBSD.org">doc@FreeBSD.org</a>&#62;.</small></p>
</body>
</html>