IBM 10 SP1 EAL4 User Manual
4.2.1.2.3 Kernel modules and device drivers
Kernel modules are pieces of code that can be loaded and unloaded into and out of the kernel upon demand.
They extend the functionality of the kernel without the need to reboot the system. Once loaded, the kernel
module object code can access other kernel code and data in the same manner as statically-linked kernel
object code.
A device driver is a special type of kernel module that allows the kernel to access the hardware connected to
the system. These devices can be a hard disk, monitor, or network interface. The driver interacts with the
remaining part of the kernel through a specific interface, which allows the kernel to deal with all devices in a
uniform way, independently of their underlying implementations.
They extend the functionality of the kernel without the need to reboot the system. Once loaded, the kernel
module object code can access other kernel code and data in the same manner as statically-linked kernel
object code.
A device driver is a special type of kernel module that allows the kernel to access the hardware connected to
the system. These devices can be a hard disk, monitor, or network interface. The driver interacts with the
remaining part of the kernel through a specific interface, which allows the kernel to deal with all devices in a
uniform way, independently of their underlying implementations.
4.2.2 Non-kernel TSF software
The non-kernel TSF software consists of trusted programs that are used to implement security functions. Note
that shared libraries, including PAM modules in some cases, are used by trusted programs. The trusted
commands can be grouped as follows.
that shared libraries, including PAM modules in some cases, are used by trusted programs. The trusted
commands can be grouped as follows.
•
Daemon processes that do not directly run on behalf of a user, but are started at system startup or
upon demand of a system administrator. Daemon processes are responsible for setting the
appropriate user identity when performing a service on behalf of a user. Following are the daemon
processes that provide TSF functionality.
upon demand of a system administrator. Daemon processes are responsible for setting the
appropriate user identity when performing a service on behalf of a user. Following are the daemon
processes that provide TSF functionality.
•
The atd daemon is the server that reads
at
jobs submitted by all users and performs tasks
specified in them on behalf of the user. atd is started by the init program during system
initialization.
•
The auditd daemon reads audit records from the kernel buffer through the audit device and
writes them to disk in the form of audit logs.
writes them to disk in the form of audit logs.
•
The cron daemon is the daemon that reads the crontab files for all users and performs
tasks specified in the crontab files on behalf of the user. The init program starts the cron
daemon during system initialization. The crontab file and cron daemon are the client-
server pair that allow the execution of commands on a recurring basis at a specified time.
•
The init program is the userspace process that is ancestor to all other userspace processes. It
starts processes as specified in the /etc/inittab file.
starts processes as specified in the /etc/inittab file.
•
The sshd daemon is the program for secure shell. The ssh command and sshd daemon are
the client-server pair that allow authorized users to log in from remote systems using secure
encrypted communications.
encrypted communications.
•
The vsftpd daemon is the Very Secure File Transfer Protocol daemon that allows authorized
users to transfer files to and from remote systems.
users to transfer files to and from remote systems.
•
The xinetd daemon accepts incoming network connections and dispatches the appropriate
child daemon to service each connection request.
child daemon to service each connection request.
•
Following are programs that are executed by an unprivileged user and need access to certain protected
databases to complete their work.
databases to complete their work.
•
The at program is the program used by all users to submit tasks to be performed at a later
time.
time.
•
The atrm program removes jobs already queued for execution. atrm deletes jobs, whose job
numbers are passed to the command line as arguments.
•
The chage command allows the system administrator to change the user password expiry
information. Refer to the chage man page for more detailed information.
information. Refer to the chage man page for more detailed information.
26