Rule Set Based Access Control - PowerPoint PPT Presentation

1 / 24
About This Presentation
Title:

Rule Set Based Access Control

Description:

Insecurity of LINUX/UNIX access control. Crude granularity - drwxrwxrwx. Discretionary control ... grant or deny. ADF: Makes decisions. Security Officer (secoff) ... – PowerPoint PPT presentation

Number of Views:67
Avg rating:3.0/5.0
Slides: 25
Provided by: leeru6
Category:

less

Transcript and Presenter's Notes

Title: Rule Set Based Access Control


1
Rule Set Based Access Control
Presented by Tan Wee Hon Lee Ruiwen
2
Presentation Outline
  1. Introduction
  2. Framework
  3. Implemented Models Demo
  4. Application
  5. Advantages
  6. Resources References

3
Introduction
  • History
  • Why RSBAC?
  • Goals

4
History of RSBAC
  • Amon Ott
  • Nov 1996 Master thesis
  • Jan 1998 First public release
  • Current stable version 1.2.2

5
Why RSBAC?
  • Insecurity of LINUX/UNIX access control
  • Crude granularity - drwxrwxrwx
  • Discretionary control
  • Super user root

6
Goals of RSBAC
  • Secure access control
  • Flexible choice of models
  • Combination of models
  • Portability

7
Framework
  • Subjects, Objects and Requests
  • Architecture
  • Security Officer

8
Subjects, Objects Requests
  • Subjects
  • Processes
  • Objects (Targets)
  • e.g. FILE, DIR, USER, PROCESS
  • Requests
  • What a subject wants to do with an object
  • e.g. CHANGE_OWNER, DELETE, READ_OPEN, MOUNT

9
Components
  • ACI Access Control Information
  • AEF Access control Enforcement Facility
  • ADF Access control Decision Facility

10
Components
  • ACI Stores status data and configuration items
  • AEF Intercepts Linux kernel calls
  • ? grant or deny
  • ADF Makes decisions

11
(No Transcript)
12
Security Officer (secoff)
  • Configure modules using utilities provided in the
    RSBAC distribution
  • Difference between root and secoff is effort to
    obtain rights to access anything

13
Implemented Models
  • Authentication (AUTH)
  • Functional Control (FC)
  • Security Information Modification (SIM)
  • Privacy Model by Simone Fischer-Hübner (PM)
  • Malware Scan (MS)
  • Linux Capabilities (CAP)
  • Mandatory Access Control (MAC)
  • File Flags (FF)
  • Role Compatibility (RC)
  • Access Control Lists (ACL)

14
Implemented Models
  • Authentication (AUTH)
  • Functional Control (FC)
  • Security Information Modification (SIM)
  • Privacy Model by Simone Fischer-Hübner (PM)
  • Malware Scan (MS)
  • Linux Capabilities (CAP)
  • Mandatory Access Control (MAC)
  • File Flags (FF)
  • Role Compatibility (RC)
  • Access Control Lists (ACL)

15
Mandatory Access Control (MAC)
  • Bell-La Padula
  • 253 security levels
  • 64 categories (bit vector)
  • For programs not MAC aware, current security
    levels and categories are automatically adjusted
    as necessary, but within read and write level
    boundaries

16
File Flags (FF)
  • Conveniently assign rights to whole directory
    trees
  • Inheritable FILE, DIR, FIFO and SYMLINK
    attributes
  • e.g. read-only, no-execute, secure-delete

17
Role Compatibility (RC)
  • Roles and types
  • Role can access type only if compatible
  • Forced and Initial Roles based on program files
  • Separation of Administration Duties
  • Separate sets of roles e.g.
  • Admin Roles
  • Assign Roles
  • Additional access rights for types Admin,
    Assign, Access Control, Supervisor

18
Access Control Lists (ACL)
  • What subject may access which object with which
    requests
  • Subjects RC roles, Users, ACL Groups
  • ACL Groups
  • All users can have individual groups
  • Private and global groups
  • Inheritance with masks
  • Special Rights e.g. supervisor

19
Application
  • Workstations
  • Server systems
  • Examples

20
Workstations
  • Protection against unwanted configuration changes
  • Malicious software (malware) protection
  • Reduced administration work

21
Server Systems
  • Encapsulation of services
  • Need-to-Know principle
  • Malware protection
  • Firewalls DNS, Proxies
  • (Virtual) Webservers Apache
  • (Virtual) mail servers POP3, IMAP
  • File servers Samba
  • Application servers

22
Examples
  • Compuniverse Firewalls
  • More than one year with RSBAC
  • Use of AUTH, FF and RC models
  • Software selection for better RSBAC control, e.g.
    POP3 with separate authentication program

23
Advantages
  • Provides well-known and new models
  • Extensible
  • Flexible
  • Powerful logging system
  • Support for current Linux kernels, ports to
    others systems likely
  • Increasing downloads and feedback

24
Resources References
  • Homepage www.rsbac.org
  • The RSBAC Library
  • An Introduction
  • Programmers Reference Manual
  • Programmers Cookbook
  • Reference Manual
  • Cookbook
  • Detailed paper
  • Ott, Amon (2001). The Rule Set Based Access
    Control (RSBAC) Linux Kernel Security Extension.
    (International Linux Kongress, 2001)
Write a Comment
User Comments (0)
About PowerShow.com
Home About Us Terms and Conditions Privacy Policy Presentation Removal Request Contact Us
Copyright 2024 CrystalGraphics, Inc. — All rights Reserved. PowerShow.com is a trademark of CrystalGraphics, Inc.
The PowerPoint PPT presentation: "Rule Set Based Access Control" is the property of its rightful owner.
Do you have PowerPoint slides to share? If so, share your PPT presentation slides online with PowerShow.com. It's FREE!