
Components
Code associated with the TrustedBSD Project is generally under
a two-clause BSD-style license, permitting broad open source,
closed source, non-commercial, and commercial reuse.
For more information on licensing, see Legal
Information.
All code currently available for download on this page is
extremely experimental, and not intended for use by those who are
not experienced kernel programmers.
Comments on code, as well as on new features and bug fixes, are
welcome.
TrustedBSD is developed in a
Perforce repository, and is made available via CVSup
server cvsup10.FreeBSD.org. A sample supfile is available. See the
list below for information on the collection names associated with
the various development branches. As features reach maturity,
they are merged into the main FreeBSD development tree, and in
some cases, have also been adopted into the OpenBSD and Darwin
development trees.
To subscribe to the trustedbsd-cvs mailing list, see the
instructions on the mailing lists page. This provides access
to CVS and Perforce commit messages associated with development
occurring in the TrustedBSD development trees, including the
Base (vendor) branch, Capabilities branch, Audit branch, MAC
branch, SEBSD branch, and SEDarwin branch.
There are seven main branches of TrustedBSD development:
Access Control Lists
-
Access control lists allow more fine-grained discretionary
access controls to be placed on files and directories.
ACLs have been a production feature in the FreeBSD operating
system since being integrated in FreeBSD 5.0-RELEASE.
Portions of the TrustedBSD ACLs implementation also appear in
Mac OS X and Linux. Visit the TrustedBSD
ACLs web page for more information.
BSMtrace
-
BSMtrace is a finite state
machine-based intrusion detection system that works using
OpenBSM-derived data generated by
the TrustedBSD audit implementation.
Event Auditing and OpenBSM
-
Collection:
p4-cvs-trustedbsd-audit3
Event auditing permits the selective logging of
security-relevant system events for the purposes of post-mortem
analysis, intrusion detection, and system monitoring. The
TrustedBSD audit implementation
provides a complete kernel audit event framework, extensive
auditing of system events, and user space application
integration. The user space libraries, tools, and file format
are based on the de facto industry standard Sun Basic Security
Module (BSM) API and file format. The
OpenBSM library and tool suite provides a portable,
BSD-licensed implementation, and is based on source code
donated by Apple Computer, Inc.
Extended Attributes and UFS2
-
Extended attributes allow the kernel and userland
processes to tag files with arbitrary named data. This
provides a location to store the extensive security data
required for the various TrustedBSD security extensions,
including ACLs, capabilities and MAC labels. Extended
attribute support has been developed for FreeBSD's UFS1
file system and integrated with the FreeBSD development
tree, and was included in FreeBSD 5.0. UFS2 was
implemented to provide improved performance and reliability
for extended attributes, and has been available since
FreeBSD 5.0. UFS2 became the default in FreeBSD 5.1,
and is the recommended file system for TrustedBSD
functionality.
Fine-Grained Capabilities
-
Collection:
p4-cvs-trustedbsd-cap
Capabilities provide support for fine-grained process
capabilities to authorize non-root processes to access
privileged system resources, reducing requirements for a
superuser account, and reducing risk in the event of
compromise. The capabilities development branch is
largely complete, but is based on an older FreeBSD
5.0-CURRENT snapshot. Elements of this implementation
are being updated for FreeBSD 5.2 and are available as
part of the SEBSD version of the TrustedBSD MAC Framework.
For more information, see the Capability
Page.
GEOM
-
GEOM is a modular I/O request transformation framework allowing
kernel modules to attach to I/O devices providing a variety of
layout and data transformations.
GEOM was created as part of the TrustedBSD Project in order to
support cryptographic disk services, such as GBDE, on the FreeBSD
platform. GEOM has been present in FreeBSD since FreeBSD
5.0-RELEASE, with increasing numbers of transform modules.
Mandatory Access Control
-
Collection:
p4-cvs-trustedbsd-mac
Mandatory access controls extend discretionary access
controls by allowing administrators to enforce additional
security for all subjects (e.g. processes or sockets) and
objects (e.g. sockets, file system objects, sysctl nodes) in
the system. Development of new access control models
is facilitated by the development of a flexible kernel
access control extension framework, the TrustedBSD MAC
Framework. This permits new access control models to be
introduced as kernel modules.
More information on the TrustedBSD MAC Framework and
available policy modules, including Biba integrity,
Multi-Level Security (MLS), and a port of NSA's FLASK
architecture and Type Enforcement to FreeBSD, may be
found on the MAC page.
OpenPAM
-
OpenPAM is a BSD-licensed
Pluggable Authentication Modules implementation now used in
FreeBSD and NetBSD, and produced as part of the TrustedBSD
Project.
Security-Enhanced BSD (SEBSD)
-
Collection:
p4-cvs-trustedbsd-sebsd
More information on the port of NSA's FLASK/TE implementation
in SELinux to run on FreeBSD as a plug-in module to the MAC
Framework may be found on the SEBSD
page.
Security-Enhanced Darwin (SEDarwin)
-
Collection:
p4-cvs-trustedbsd-sedarwin
More information on the port of the TrustedBSD MAC Framework,
sample policy modules, and SEBSD policy module to Apple's
Darwin operating system may be found on the SEDarwin page.