Premium Essay

Mandatory Access Control


Submitted By msladye89
Words 969
Pages 4
In computer security, Discretionary Access Control (DAC) is a type of access control in which a user has complete control over all the programs it owns and executes, and also determines the permissions other users have on those files and programs. Because DAC requires permissions to be assigned to those who need access, DAC is commonly described as a "need-to-know" access model.

In computer security, discretionary access control (DAC) is a type of access control defined by the Trusted Computer System Evaluation Criteria[1] "as a means of restricting access to objects based on the identity of subjects and/or groups to which they belong. The controls are discretionary in the sense that a subject with a certain access permission is capable of passing that permission (perhaps indirectly) on to any other subject (unless restrained by mandatory access control)".

Discretionary access control is commonly discussed in contrast to mandatory access control (MAC, sometimes termed non-discretionary access control). Occasionally a system as a whole is said to have "discretionary" or "purely discretionary" access control as a way of saying that the system lacks mandatory access control. On the other hand, systems can be said to implement both MAC and DAC simultaneously, where DAC refers to one category of access controls that subjects can transfer among each other, and MAC refers to a second category of access controls that imposes constraints upon the first.

In computer security, Mandatory Access Control (MAC) is a type of access control in which only the administrator manages the access controls. The administrator defines the usage and access policy, which cannot be modified or changed by users, and the policy indicates who has access to which programs and files. MAC is most often used in systems where priority is placed on confidentiality.
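The three paragraphs above make two distinct claims: under DAC the owner of an object decides who may use it and a holder of a permission can pass it on (perhaps indirectly), while under MAC the administrator's labels constrain every access and no user can change them. The following toy model, added here as an illustration and not part of the essay, shows both checks side by side and how MAC overrides a DAC grant. The subject names, the three-level label lattice and the simple no-read-up / no-write-down rule are assumptions chosen for the example; real systems such as SELinux use far richer policies.

```python
"""Toy model of DAC versus MAC (added example, not from the essay).

DAC: the owner of an object hands out permissions, and any holder may pass a
permission on to someone else.
MAC: the administrator labels subjects and objects; a fixed rule compares the
labels and users cannot alter it.  Both checks must pass for an access.
"""
from dataclasses import dataclass, field

# Assumed sensitivity lattice, ordered low to high.
LEVELS = {"public": 0, "internal": 1, "secret": 2}


@dataclass
class Subject:
    name: str
    clearance: str  # MAC label, assigned by the administrator only


@dataclass
class Obj:
    name: str
    owner: str
    classification: str  # MAC label, assigned by the administrator only
    acl: dict = field(default_factory=dict)  # DAC: user -> set of permissions


def dac_grant(obj, granter, grantee, perm):
    """DAC transfer: the owner, or anyone who already holds `perm`, may pass it on."""
    if granter != obj.owner and perm not in obj.acl.get(granter, set()):
        return False
    obj.acl.setdefault(grantee, set()).add(perm)
    return True


def dac_allows(obj, user, perm):
    """DAC decision: owners can do anything, others need an ACL entry."""
    return user == obj.owner or perm in obj.acl.get(user, set())


def mac_allows(subject, obj, perm):
    """MAC decision: no read up, no write down (Bell-LaPadula style, assumed rule)."""
    s, o = LEVELS[subject.clearance], LEVELS[obj.classification]
    if perm == "read":
        return s >= o
    if perm == "write":
        return s <= o
    return False


def access(subject, obj, perm):
    """Combined check: DAC says whether permission was granted, MAC constrains it."""
    return dac_allows(obj, subject.name, perm) and mac_allows(subject, obj, perm)


def demo():
    """Walk through the scenarios the essay describes and return the outcomes."""
    alice = Subject("alice", "secret")     # constructed sample subjects
    bob = Subject("bob", "internal")
    carol = Subject("carol", "secret")
    report = Obj("report.txt", owner="alice", classification="secret")
    memo = Obj("memo.txt", owner="alice", classification="public")

    results = {}
    # Owner passes read on to bob; bob, now a holder, passes it on to carol (indirect transfer).
    results["bob_granted"] = dac_grant(report, "alice", "bob", "read")
    results["carol_granted_via_bob"] = dac_grant(report, "bob", "carol", "read")
    # A non-holder cannot hand out a permission it does not have.
    results["carol_cannot_grant_write"] = dac_grant(report, "carol", "bob", "write")
    # DAC alone would let bob read, but MAC blocks it: internal clearance < secret label.
    results["bob_dac_only"] = dac_allows(report, "bob", "read")
    results["bob_combined"] = access(bob, report, "read")
    # carol holds a secret clearance, so the indirectly transferred permission works.
    results["carol_combined"] = access(carol, report, "read")
    # The owner reads her own secret file, but may not write a public file from a secret clearance.
    results["alice_reads_report"] = access(alice, report, "read")
    results["alice_writes_memo"] = access(alice, memo, "write")
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:28s} {outcome}")
```

Note the `bob_dac_only` / `bob_combined` pair: this is exactly the relationship the essay describes, where DAC is the category of controls subjects can transfer among themselves and MAC is the second category that imposes constraints on the first.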

In computer

Similar Documents

Free Essay

Security in Linux

...Security in Linux Linux, like any other computing platform, is constantly changing. There are a few major focus points for new and upgraded platforms, one of which is how user friendly it is. User friendliness goes beyond the ability to simply point and click; it also goes behind the lines deep into the inner workings of the system. Security is one of the most important functions of any operating system, very commonly overlooked and taken for granted. A system administrator can configure tables that are provided by the Linux kernel firewall in a program called iptables. Iptables has the ability to redirect, modify or stop packets of data all based on the state of a connection at any given time. There are many different tables that can be defined, and each table contains built-in chains or user-defined chains. Every chain is essentially a list of rules that matches a set of packets and specifies what to do with a packet that matches the rules. For the casual user it is best to use the predefined rules; they are often more than adequate. In an enterprise situation the administrator would likely want to define additional rules in order to best suit the business needs. Before iptables, Linux mainly used ipchains as a firewall package. Iptables is an improvement on ipchains because it monitors the state of connections. Iptables can use the state of the connection, as opposed to ipchains using the source, destination and content only, to redirect, modify or drop a packet. At least...

Words: 965 - Pages: 4

Free Essay

File Management

...computer there are many different items that make the system a whole. When it comes to the different operating systems there are different features available; even though when you think of computers a person might think security will all be the same, there are differences between each one. As you read more you will understand the security and the differences between MAC, UNIX/LINUX and Windows systems and how each one works. The goal of access control is to protect a resource from unauthorized access while facilitating seamless and legitimate use of such resources. Presently, each day users hold the need to access those resources through a broad line of devices, such as PCs, laptops, PDAs, smartphones and kiosks. Most organizations need to provide protection for their files and allow the correct people to access them. The fundamental goal of an access management system is to maintain confidentiality of user information and access, integrity of information control, availability of information and resources, and accountability for knowing who holds the access to such information. File Management File management and file systems are a core part of the user experience for most users. They provide many...

Words: 2672 - Pages: 11

Free Essay

Security Enhanced Linux (Selinux), Chroot Jail, and Iptables

...tools that can be added to a variety of Linux distributions. SELinux is currently a part of Fedora Core, and it is supported by Red Hat. Incarnations of SELinux packages are also available for Debian, SuSe, and Gentoo. Security-enhanced Linux is a set of patches to the Linux kernel and some utilities to incorporate a strong, flexible Mandatory Access Control (MAC). MAC provides an enhanced process to enforce the separation of information based on confidentiality and integrity requirements, as well as the confinement of damage that can be caused by malicious or flawed applications. The previous security structure, discretionary access control (DAC), allowed threats of tampering and avoidance of security mechanisms, because DAC gives the user ownership of files and allows users the ability to make policy decisions and assign security attributes. Under MAC, administrators control every interaction on the software of the system. Standard UNIX permissions are still present, and are consulted before the SELinux policy during access attempts. When the standard file permissions allow access, the SELinux policy will be consulted and access is either gained or denied based on security of the source...

Words: 848 - Pages: 4

Free Essay

Linux Security Technologies

...of potential threats and hazards. Our world today is ever so growing with its relationship with the internet or World Wide Web (WWW). Many places use the internet to access sites, software, music, books, and so forth; the list goes on. But with this advance in technology come lots of threats to consumers alike, such as hackers, viruses, people who don't know what they are doing, and even people who you may call your best friend. Threats come in many shapes and sizes, which is why operating systems such as Linux develop ways to keep your personal files safe from these unwarranted threats. Some of these measures include, but are not limited to: iptables, SELinux, chroot jail, TCP Wrappers, firewalls, PolicyKit, NX or No eXecute, PIE or Position Independent Executables, Netfilter, and the list goes on ("Fedora Projects" & Vepstas). When a user first approaches Linux it looks similar to what a Windows operating system would resemble. With Linux a user has the ability to access every file within the operating system through the use of a terminal or command prompt. Through the use of Linux programming potential threats can gain access to your file system and everything housed within it. Linux is free software that comes with many great security features that give any user or administrator greater access and control over the system. The choice can be a bit much for most, but we will discuss a few of these choices here. Security-Enhanced Linux, also known as SELinux, is a security program...

Words: 1082 - Pages: 5

Free Essay

Linux Security Technologies

...There are different types of Linux Security Technologies. Discretionary Access Control, SELinux (Security Enhanced Linux), chroot jail, and iptables are just a few. This paper is only going to discuss the latter three. Discretionary Access Control is the more traditional; however, DAC is not as secure and will not be discussed here.1 The U.S. National Security Agency (NSA) is the organization behind the creation of SELinux. The reason the NSA is involved in this project is because this organization is responsible for carrying out the research and advanced development of technologies needed to enable NSA to provide the solutions, products, and services to achieve Information Assurance for information infrastructures critical to U.S. National Security interests. The NSA implemented a Mandatory Access Control within the Linux kernel. This MAC is named Flask.2 There are three main policies that SELinux uses to apply MAC. There is the Targeted, where the MAC controls will only be used for a specific process or processes; there is the Multilevel Security protection; and the Strict. The strict puts MAC controls on all processes. The targeted is not as secure as the strict; however, the targeted is easier to maintain. If one uses the strict, the administrator will have to customize the policy. Failure to do so could cause other users a significant problem in performing his or her assigned duties.3 The main reason the MAC has been created is to help prevent security...

Words: 919 - Pages: 4

Free Essay

Linux System Administration

...IT302 Linux System Administration Research Assignment 1 SELinux or Security Enhanced Linux uses an architecture that separates enforcement from access policy decisions. With this architecture different types of policies can be implemented, including Role-Based Access Control (RBAC), Type Enforcement (TE), and Multi-Level Security (MLS). The module assigns security labels to each subject or object. It uses a security class to determine the kinds of relationship a pair of labels might have. The triplet consisting of a pair of labels and a class is then sent to a policy server to determine if access is allowed. The security labels are assigned dynamic integer security IDs (SIDs); the reply from the policy server is cached in an 'access vector cache' for performance reasons. SELinux was developed in coordination with the open source community and the National Security Agency (NSA) to provide the highest level of security for the Linux operating system. The three basic elements of the VServer are: The security context. A process in one security context cannot see processes in other security contexts, neither with the 'ps' command, nor with 'cat /proc', nor in any other way. As a side effect, this means that a process in one context cannot kill processes in other contexts. Capabilities. The existing Linux kernel provides a wide variety of capabilities which can be taken away from processes. These include the ability to change network addresses, to change the ownership of a file...

Words: 291 - Pages: 2

Free Essay

It302 Linux System Administration Research Assignment 1

...IT302 Linux System Administration Research Assignment 1 SELinux or Security Enhanced Linux uses an architecture that separates enforcement from access policy decisions. With this architecture different types of policies can be implemented, including Role-Based Access Control (RBAC), Type Enforcement (TE), and Multi-Level Security (MLS). The module assigns security labels to each subject or object. It uses a security class to determine the kinds of relationship a pair of labels might have. The triplet consisting of a pair of labels and a class is then sent to a policy server to determine if access is allowed. The security labels are assigned dynamic integer security IDs (SIDs); the reply from the policy server is cached in an 'access vector cache' for performance reasons. SELinux was developed in coordination with the open source community and the National Security Agency (NSA) to provide the highest level of security for the Linux operating system. Linux V-Server – The three basic elements of the VServer are: * The security context. A process in one security context cannot see processes in other security contexts, neither with the 'ps' command, nor with 'cat /proc', nor in any other way. As a side effect, this means that a process in one context cannot kill processes in other contexts. * Capabilities. The existing Linux kernel provides a wide variety of capabilities which can be taken away from processes. These include the ability to change network addresses...

Words: 423 - Pages: 2

Premium Essay

Assignment 2 Linux Security

...hackers or other types of attacks. SELinux, Chroot Jail, IPTables, Mandatory Access Control and Discretionary Access Control, just to name a few. SELinux is an access control implementation for the Linux kernel. Take for instance that you are the administrator and you define rules in user space; if the Linux kernel has been added with SELinux support, then those rules will be followed by the kernel. SELinux is an NSA Security-Enhanced Linux, in which the mandatory access control is flexible. The structure of SELinux supports all kinds of mandatory access control policies, some of which are Role-Based Access Control and Multi-Level Security. It was designed by NSA for the purpose of protecting a server against malicious daemons, by telling the daemons what they can and can't do. This type of technology was created by Secure Computing Corporation, but was supported by the U.S. National Security Agency. In 1992, the thought for a more intense security system was needed and a project called Distributed Trusted Mach was created. Some good solutions evolved from this, some of which were a part of the Fluke operating system, which then became the Flux and finally led to the creation of the Flask architecture. Eventually it was combined with the Linux kernel, which created another project called SELinux. Since NSA realized that the Linux operating system did not have any security that would enforce access control and the information on what it should require to be consistent...

Words: 873 - Pages: 4

Premium Essay

File Management

...000 users could implement conventional UNIX file access controls if 4,990 of those users share the same level of security clearance. By means of a file access control structure on the UNIX operating system, each individual user is given a user ID (special user identification number). Users on a UNIX operating system will be allocated to a main class and possibly a variety of classes that will be associated with a unique class ID. Whenever a user creates a file, it is indicated by the individual's unique user ID along with the user's main class ID. Each individual user's accessibility is managed by the administrator with a file access control security type structure. The administrator can manage the permissions of all three main classes: read, write, and execute. Access is permitted to three types of users: the creator or owner of the file, the class the file belongs to, and various users with access to the system despite their class. The access control policy affects the level of access that is permitted, by whom and under what conditions. Discretionary Access Control (DAC) manages permissions based on the requester's identity and the regulations linked to access and permissions. Mandatory Access Control (MAC) manages permissions based on assessing protection labels that specify how delicate or crucial the system's resources are and requests accessibility centered on admissibility to specific resources. Role-Based Access Control (RBAC) manages permissions based on the permissions...

Words: 526 - Pages: 3

Premium Essay

Wk6 Discussion

...An access control mechanism is a means of safeguarding security by detecting and preventing unauthorized access and by permitting authorized access in an automated system. An access control mechanism includes hardware or software features, operating procedures, management procedures, and various combinations of these features. There are two different types of access control mechanisms: user-based and host-based. A few include Mandatory Access Control (MAC), Role Based Access Control (RBAC), Discretionary Access Control (DAC), and Rule Based Access Control. MAC is more secure than DAC; the MAC mechanisms assign security levels to all information, assign security clearances to users, and ensure that people have access to data that their clearance allows and not more. An example of MAC is when the law allows the court access to driving records without the owners' permission. DAC is when an individual user can set an access control mechanism to allow or deny access to an object. An example of that is Active Directory, which system admins use to allow users access to certain files on a share drive and workstations. Role Based and Rule Based Access Controls are very similar. Role Based gives users access depending on their jobs; for example, an accountant of a company has access to the finance data whereas a customer representative does not, because it has nothing to do with their job. An example of Rule Based is when the system admin grants you access to certain...

Words: 294 - Pages: 2

Premium Essay

320 Linux Admin

...Security Agency. It was then released for open source development on December 22, 2000 and was merged into the main Linux kernel version 2.6.0-test3 on August 8, 2003. SELinux was designed to change the access control protocols for Linux users, to make them more secure and computer resources and applications less likely to be exploited. Prior to the development of SELinux, systems used a form of DAC, Discretionary Access Control. In this setup, all clients were placed into three categories: user, group, and other. If an application or file were "exploited," it would allow the current user to access the file(s) or application at the highest permission allowed, that of the owner of the file, or user. SELinux introduced two new ways to allow permissions to be determined by the client computer. The first of these is MAC, Mandatory Access Control. This new protocol introduced the principle of least privilege, which simply allows programs to use what resources they need to do the task at hand, and nothing else. An example from an article I found online: "if you have a program that responds to socket requests but doesn't need to access the file system, then that program should be able to listen on a given socket but not have access to the file system." The second protocol is RBAC, Role-based Access Control. In this protocol, "permissions are provided based on roles that are granted by the security system." From what I read of roles, they are like groups but not. Both groups and roles can house multiple...

Words: 792 - Pages: 4

Free Essay

Unit 2 Discussion

...Unit 2 Discussion 1: Identifying Layers of Access Control in Linux Learning Objectives and Outcomes * You will be able to identify various layers of access control in a Linux server environment. * You will make security recommendations using different layers of access control. Assignment Requirements Really Cheap Used Computers, Inc. is an online seller of old school computers. The organization's e-commerce Web site runs on a Linux server. The server is located at the organization's local office in Boston, Massachusetts. The company has experienced tremendous growth and has hired you as the new security analyst. You access the server and find that there are virtually no layers of security other than the passwords set for user accounts. Discuss at least three layers of access control that can be put in place on this server to create a more secure environment. Rationalize whether the given scenario represents discretionary access control (DAC) or mandatory access control (MAC). Participate in this discussion by engaging in a meaningful debate regarding your choices of the three layers of access control in Linux. You must defend your choices with a valid rationale. Summarize your thoughts in a Word document and submit it to your instructor. Required Resources None Submission Requirements * Format: Microsoft Word * Font: Arial, Size 12, Double-Space * Citation Style: Chicago Manual of Style * Length: 1–2 pages * Due By: Unit 2 Assessment Checklist ...

Words: 568 - Pages: 3

Free Essay

Selinux

...saved onto devices. There are some security technologies that are available for certain operating systems such as SELinux, chroot jail, and iptables. SELinux stands for Security Enhanced Linux; it was developed by the National Information Assurance Research Laboratory of the NSA. They believe that creating a secure operating system is still a problem, but the NSA believes that a secure operating system can be accomplished through mandatory access control. Mandatory access control allows the administrator to manage access controls, which allows the administrator to define usage and access policy. The access policy indicates the access users have to files and programs. By using an access policy it is easier to limit the resources users have so that a user does not have access to information and programs they shouldn't, thus bringing down the chances of a security breach. Security Enhanced Linux is not easily bypassed; by controlling the access users get, it limits the amount of damage an attacker can do. Even if an attacker manages to get some limited control, most of their commands will fall through, while at the same time SELinux logs everything the attacker is attempting to do, making it much easier to spot them. SELinux is designed to stop many threats and make the operating system overall more secure. It prevents processes from reading or tampering with data and programs, bypassing application security mechanisms and executing untrustworthy programs. SELinux also helps to confine potential...

Words: 283 - Pages: 2

Premium Essay

Linux Security Technology

... SELinux, an implementation of Mandatory Access Control (MAC) in the Linux kernel, adds the ability to administratively define policies on all subjects (processes) and objects (devices, files, and signaled processes). This mechanism is in the Linux kernel, checking for allowed operations after standard Linux Discretionary Access Controls (DAC) are checked. Security-Enhanced Linux (SELinux) is a Linux feature that provides a mechanism for supporting access control security policies, including United States Department of Defense-style mandatory access controls, through the use of Linux Security Modules (LSM) in the Linux kernel. It is not a Linux distribution, but rather a set of kernel modifications and user-space tools that can be added to various Linux distributions. Its architecture strives to separate enforcement of security decisions from the security policy itself and streamlines the volume of software charged with security policy enforcement. The key concepts underlying SELinux can be traced to several earlier projects by the United States National Security Agency (NSA). It has been integrated into the mainline Linux kernel since version 2.6. NSA, the original primary developer of SELinux, released the first version to the open source development community under the GNU GPL on December 22, 2000. Security-enhanced Linux (SELinux) is a reference implementation of the Flask security architecture for flexible mandatory access control. It was created to demonstrate the...

Words: 1860 - Pages: 8
