cvs commit: de-docproj/books/handbook/mac chapter.sgml

From: Johann Kois <jkois(at)doc.bsdgroup.de>
Date: Tue, 12 May 2009 11:02:02 GMT

jkois 2009-05-12 11:02:02 UTC

  FreeBSD German Documentation Repository

  Modified files:
    books/handbook/mac chapter.sgml
  Log:
  In the last 2 years exactly 0 (zero) lines of this file have been translated. On every MFde, however, the file has to be
  reset manually. Therefore, remove the English text and put in the "not-yet-translated" template instead.
  
  Revision Changes Path
  1.5 +8 -2077 de-docproj/books/handbook/mac/chapter.sgml
  
  Index: chapter.sgml
  ===================================================================
  RCS file: /home/cvs/de-docproj/books/handbook/mac/chapter.sgml,v
  retrieving revision 1.4
  retrieving revision 1.5
  diff -u -I$FreeBSDde.*$ -r1.4 -r1.5
  --- chapter.sgml 23 Aug 2007 03:13:04 -0000 1.4
  +++ chapter.sgml 12 May 2009 11:02:01 -0000 1.5
  @@ -3,2089 +3,20 @@
        The FreeBSD German Documentation Project
   
        $FreeBSD$
  - $FreeBSDde: de-docproj/books/handbook/mac/chapter.sgml,v 1.4 2007/08/23 03:13:04 as Exp $
  - basiert auf: 1.70
  + $FreeBSDde: de-docproj/books/handbook/mac/chapter.sgml,v 1.5 2009/05/12 11:02:01 jkois Exp $
  + basiert auf:
   -->
   
   <chapter id="mac">
  - <chapterinfo>
  - <authorgroup>
  - <author>
  - <firstname>Tom</firstname>
  - <surname>Rhodes</surname>
  - <contrib>Written by </contrib>
  - </author>
  - </authorgroup>
  - </chapterinfo>
   
  - <title>Mandatory Access Control</title>
  + <title>MAC - Mandatory Access Control (noch nicht &uuml;bersetzt)</title>
   
  - <sect1 id="mac-synopsis">
  - <title>Synopsis</title>
  -
  - <indexterm><primary>MAC</primary></indexterm>
  - <indexterm>
  - <primary>Mandatory Access Control</primary>
  - <see>MAC</see>
  - </indexterm>
  -
  - <para>&os;&nbsp;5.X introduced new security extensions from the
  - TrustedBSD project based on the &posix;.1e draft. Two of the most
  - significant new security mechanisms are file system Access Control
  - Lists (<acronym>ACL</acronym>s) and Mandatory Access Control
  - (<acronym>MAC</acronym>) facilities. Mandatory Access Control allows
  - new access control modules to be loaded, implementing new security
  - policies. Some provide protections of a narrow subset of the
  - system, hardening a particular service. Others provide
  - comprehensive labeled security across all subjects and objects.
  - The mandatory part
  - of the definition comes from the fact that the enforcement of
  - the controls is done by administrators and the system, and is
  - not left up to the discretion of users as is done with
  - discretionary access control (<acronym>DAC</acronym>, the standard
  - file and System V <acronym>IPC</acronym> permissions on &os;).</para>
  -
  - <para>This chapter will focus on the
  - Mandatory Access Control Framework (<acronym>MAC</acronym> Framework), and a set
  - of pluggable security policy modules enabling various security
  - mechanisms.</para>
  -
  - <para>After reading this chapter, you will know:</para>
  -
  - <itemizedlist>
  - <listitem>
  - <para>What <acronym>MAC</acronym> security policy modules are currently
  - included in &os; and their associated mechanisms.</para>
  - </listitem>
  -
  - <listitem>
  - <para>What <acronym>MAC</acronym> security policy modules implement as
  - well as the difference between a labeled and non-labeled
  - policy.</para>
  - </listitem>
  -
  - <listitem>
  - <para>How to efficiently configure a system to use
  - the <acronym>MAC</acronym> framework.</para>
  - </listitem>
  -
  - <listitem>
  - <para>How to configure the different security policy modules included with the
  - <acronym>MAC</acronym> framework.</para>
  - </listitem>
  -
  - <listitem>
  - <para>How to implement a more secure environment using the
  - <acronym>MAC</acronym> framework and the examples
  - shown.</para>
  - </listitem>
  -
  - <listitem>
  - <para>How to test the <acronym>MAC</acronym> configuration
  - to ensure the framework has been properly implemented.</para>
  - </listitem>
  - </itemizedlist>
  -
  - <para>Before reading this chapter, you should:</para>
  -
  - <itemizedlist>
  - <listitem>
  - <para>Understand &unix; and &os; basics
  - (<xref linkend="basics">).</para>
  - </listitem>
  -
  - <listitem>
  - <para>Be familiar with
  - the basics of kernel configuration/compilation
  - (<xref linkend="kernelconfig">).</para>
  - </listitem>
  -
  - <listitem>
  - <para>Have some familiarity with security and how it
  - pertains to &os; (<xref linkend="security">).</para>
  - </listitem>
  - </itemizedlist>
  -
  - <warning>
  - <para>The improper use of the
  - information contained herein may cause loss of system access,
  - aggravation of users, or inability to access the features
  - provided by X11. More importantly, <acronym>MAC</acronym> should not
  - be relied upon to completely secure a system. The
  - <acronym>MAC</acronym> framework only augments
  - existing security policy; without sound security practices and
  - regular security checks, the system will never be completely
  - secure.</para>
  -
  - <para>It should also be noted that the examples contained
  - within this chapter are just that, examples. It is not
  - recommended that these particular settings be rolled out
  - on a production system. Implementing the various security policy modules takes
  - a good deal of thought and testing. One who does not fully understand
  - exactly how everything works may find him or herself going
  - back through the entire system and reconfiguring many files
  - or directories.</para>
  - </warning>
  -
  - <sect2>
  - <title>What Will Not Be Covered</title>
  -
  - <para>This chapter covers a broad range of security issues relating
  - to the <acronym>MAC</acronym> framework. The
  - development of new <acronym>MAC</acronym> security policy modules
  - will not be covered. A number of security policy modules included with the
  - <acronym>MAC</acronym> framework have specific characteristics
  - which are provided for both testing and new module
  - development. These include the &man.mac.test.4;,
  - &man.mac.stub.4; and &man.mac.none.4;.
  - For more information on these security policy modules and the various
  - mechanisms they provide, please review the manual pages.</para>
  - </sect2>
  - </sect1>
  -
  - <sect1 id="mac-inline-glossary">
  - <title>Key Terms in this Chapter</title>
  -
  - <para>Before reading this chapter, a few key terms must be
  - explained. This will hopefully clear up any confusion that
  - may occur and avoid the abrupt introduction of new terms
  - and information.</para>
  -
  - <itemizedlist>
  - <listitem>
  - <para><emphasis>compartment</emphasis>: A compartment is a
  - set of programs and data to be partitioned or separated,
  - where users are given explicit access to specific components
  - of a system. Also, a compartment represents a grouping,
  - such as a work group, department, project, or topic. Using
  - compartments, it is possible to implement a need-to-know
  - security policy.</para>
  - </listitem>
  -
  - <listitem>
  - <para><emphasis>high water mark</emphasis>: A high water mark
  - policy is one which permits the raising of security levels
  - for the purpose of accessing higher level information. In
  - most cases, the original level is restored after the process
  - is complete. Currently, the &os; <acronym>MAC</acronym>
  - framework does not have a policy for this, but the definition
  - is included for completeness.</para>
  - </listitem>
  -
  - <listitem>
  - <para><emphasis>integrity</emphasis>: Integrity, as a key
  - concept, is the level of trust which can be placed on data.
  - As the integrity of the data is elevated, so does the ability
  - to trust that data.</para>
  - </listitem>
  -
  - <listitem>
  - <para><emphasis>label</emphasis>: A label is a security
  - attribute which can be applied to files, directories, or
  - other items in the system. It could be considered
  - a confidentiality stamp; when a label is placed on
  - a file it describes the security properties for that specific
  - file and will only permit access by files, users, resources,
  - etc. with a similar security setting. The meaning and
  - interpretation of label values depends on the policy configuration: while
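Review bot: the new header line `+ basiert auf:` carries no revision number, whereas the removed line recorded `basiert auf: 1.70`; with an empty value the MFde tooling loses the baseline that tells which English revision this placeholder corresponds to. Either keep the last known value (`basiert auf: 1.70`) or add a comment stating that the file is a template with no translated baseline, so the next translator knows where to start the merge. The same hunk also drops the `<chapterinfo>`/`<authorgroup>` attribution for Tom Rhodes together with the synopsis and glossary; that is consistent with a placeholder chapter, but the attribution should be restored when translation actually begins. The hunk header announces 20 added lines while only the title change is visible before the truncation, so the template body itself cannot be reviewed here.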

----------------------------------------------
Diff block truncated. (Max lines = 200)
----------------------------------------------

To Unsubscribe: send mail to majordomo(at)de.FreeBSD.org
with "unsubscribe de-cvs-doc" in the body of the message
Received on Tue 12 May 2009 - 13:02:17 CEST
