rule set based access control
Download
Skip this Video
Download Presentation
Rule Set Based Access Control

Loading in 2 Seconds...

play fullscreen
1 / 24

Rule Set Based Access Control - PowerPoint PPT Presentation


  • 115 Views
  • Uploaded on

Rule Set Based Access Control. Presented by: Tan Wee Hon Lee Ruiwen. Presentation Outline. Introduction Framework Implemented Models & Demo Application Advantages Resources & References. Introduction. History Why RSBAC? Goals. History of RSBAC. Amon Ott Nov 1996: Master thesis

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about ' Rule Set Based Access Control' - dale


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
rule set based access control

Rule Set Based Access Control

Presented by:

Tan Wee Hon

Lee Ruiwen

presentation outline
Presentation Outline
  • Introduction
  • Framework
  • Implemented Models & Demo
  • Application
  • Advantages
  • Resources & References
introduction
Introduction
  • History
  • Why RSBAC?
  • Goals
history of rsbac
History of RSBAC
  • Amon Ott
  • Nov 1996: Master thesis
  • Jan 1998: First public release
  • Current stable version: 1.2.2
why rsbac
Why RSBAC?

Insecurity of LINUX/UNIX access control

  • Crude granularity - drwxrwxrwx
  • Discretionary control
  • Super user root
goals of rsbac
Goals of RSBAC
  • Secure access control
  • Flexible choice of models
  • Combination of models
  • Portability
framework
Framework
  • Subjects, Objects and Requests
  • Architecture
  • Security Officer
subjects objects requests
Subjects, Objects & Requests

Subjects

Processes

Objects (Targets)

e.g. FILE, DIR, USER, PROCESS

Requests

What a subject wants to do with an object

e.g. CHANGE_OWNER, DELETE, READ_OPEN, MOUNT

components
Components
  • ACI: Access Control Information
  • AEF: Access control Enforcement Facility
  • ADF: Access control Decision Facility
components1
Components
  • ACI: Stores status data and configuration items
  • AEF: Intercepts Linux kernel calls

 grant or deny

  • ADF: Makes decisions
security officer secoff
Security Officer (secoff)
  • Configure modules using utilities provided in the RSBAC distribution
  • Difference between root and secoff is effort to obtain rights to access anything
implemented models
Authentication (AUTH)

Functional Control (FC)

Security Information Modification (SIM)

Privacy Model by Simone Fischer-Hübner (PM)

Malware Scan (MS)

Linux Capabilities (CAP)

Mandatory Access Control (MAC)

File Flags (FF)

Role Compatibility (RC)

Access Control Lists (ACL)

Implemented Models
implemented models1
Authentication (AUTH)

Functional Control (FC)

Security Information Modification (SIM)

Privacy Model by Simone Fischer-Hübner (PM)

Malware Scan (MS)

Linux Capabilities (CAP)

Mandatory Access Control (MAC)

File Flags (FF)

Role Compatibility (RC)

Access Control Lists (ACL)

Implemented Models
mandatory access control mac
Mandatory Access Control (MAC)
  • Bell-La Padula
  • 253 security levels
  • 64 categories (bit vector)
  • For programs not MAC aware, current security levels and categories are automatically adjusted as necessary, but within read and write level boundaries
file flags ff
File Flags (FF)
  • Conveniently assign rights to whole directory trees
  • Inheritable FILE, DIR, FIFO and SYMLINK attributes
  • e.g. read-only, no-execute, secure-delete
role compatibility rc
Role Compatibility (RC)
  • Roles and types
  • Role can access type only if “compatible”
  • Forced and Initial Roles based on program files
  • Separation of Administration Duties
    • Separate sets of roles e.g.
      • Admin Roles
      • Assign Roles
    • Additional access rights for types: Admin, Assign, Access Control, Supervisor
access control lists acl
Access Control Lists (ACL)
  • What subject may access which object with which requests
  • Subjects: RC roles, Users, ACL Groups
  • ACL Groups:
    • All users can have individual groups
    • Private and global groups
  • Inheritance with masks
  • Special Rights e.g. supervisor
application
Application
  • Workstations
  • Server systems
  • Examples
workstations
Workstations
  • Protection against unwanted configuration changes
  • Malicious software (malware) protection
  • Reduced administration work
server systems
Server Systems
  • Encapsulation of services
  • Need-to-Know principle
  • Malware protection
  • Firewalls: DNS, Proxies
  • (Virtual) Webservers: Apache
  • (Virtual) mail servers: POP3, IMAP
  • File servers: Samba
  • Application servers
examples
Examples
  • Compuniverse Firewalls
    • More than one year with RSBAC
    • Use of AUTH, FF and RC models
    • Software selection for better RSBAC control, e.g. POP3 with separate authentication program
advantages
Advantages
  • Provides well-known and new models
  • Extensible
  • Flexible
  • Powerful logging system
  • Support for current Linux kernels, ports to others systems likely
  • Increasing downloads and feedback
resources references
Resources & References
  • Homepage: www.rsbac.org
  • The RSBAC Library
    • An Introduction
    • Programmer’s Reference Manual
    • Programmer’s Cookbook
    • Reference Manual
    • Cookbook
  • Detailed paper:

Ott, Amon (2001). The Rule Set Based Access Control (RSBAC) Linux Kernel Security Extension. (International Linux Kongress, 2001)

ad