slide1 n.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
In tr oduction PowerPoint Presentation
Download Presentation
In tr oduction

Loading in 2 Seconds...

play fullscreen
1 / 18

In tr oduction - PowerPoint PPT Presentation


  • 62 Views
  • Uploaded on

SECURITY ISSUES Access Control List & Audit Trail UNIX & Windows2000 Arun Asokan Karthikeyan Chandrasekaran Ramaselvi Balasubramanian. In tr oduction. The goals: Information Confidentiality System Integrity System Availability

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'In tr oduction' - millie


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
slide1

SECURITY ISSUESAccess Control List & Audit Trail UNIX & Windows2000Arun Asokan Karthikeyan Chandrasekaran Ramaselvi Balasubramanian

in tr oduction
Introduction

The goals:

          • Information Confidentiality
          • System Integrity
          • System Availability
  • They are mutually dependent
  • Confidentiality achieved by

ACCESS CONTROL

slide3

Access ControlCollection of mechanisms that permits managers of a system to exercise a directing influence over the behavior, use and content of the system

  • System Access Control
          • Password and other authentication
          • System Auditing
  • Discretionary Access Control
          • Access Control List
  • Mandatory Access Control
          • Reference Monitor
unix file system
UNIX File System
  • Ordinary files
  • Directory files
  • Special files
  • Pipes
basic access control
Basic Access Control
  • 1 : Type of file.
  • 2 – 4 : Owner’s permission.
  • 5 – 7 : Group’s permission.
  • 8 – 10 : Other’s permission.
access control list unix
Access Control ListUNIX
  • An access control list (ACL) is an ordered list of access control entries (ACEs) that define the protections that apply to an object and its properties
  • ACLs entry contains
        • Attributes:

Defines special file modes such as SETUID, SETGID & Sticky bit

        • Base permissions:

Reflect the basic access rights

        • Extended permissions:

specify, permit, deny

auditing
Auditing
  • Is a feature which provides accountability to all system activities from file access to network and database
  • Each audit event such as user login is formatted into fields such as the event type, user id, file names and time
  • Audit events
      • Administrative event class
          • Security administrator events
          • System administrator events
          • Operator events
      • Audit event class
          • Describes the operation of the audit system itself
audit trail
Audit Trail
  • Record of both completed and attempted access and service chronological record of system activities
  • Enables reconstruction and examination of the sequence of events and changes in audit event
  • Monitoring system changes
          • Files system permission & checksum should be set, snapshots taken & made read only
          • Snapshots are made regularly and compared with the original for changes

Eg: tripwire, rdist utility, securemax (from open Vision), ESM….

windows2000 file system
Windows2000 File System
  • Supports two file system
      • FAT (File Allocation Table)
          • File system does not record security information such as owner or access permission of a file or directory
      • NTFS (New Technology Files System)
          • Supports a variety of multi-user security models
  • NTFS Vs FAT
          • Fault tolerance
          • Access Control by directory or file
          • Can compress individual or directories
          • POSIX support
access control list1
Access Control List
  • Data structure of an ACL
          • ACL size - # of bytes of memory allocated
          • ACL Revision – revision # for the ACL’s data structure
          • ACE Count - # of ACE’s in the ACL
access control entries
Access Control Entries

Contains the following access control information

  • A security identifier (SID)
  • An access mask – specifies access rights
  • A set of bit flags that determines which child objects can inherit the ACE
  • A flag that indicates the type of ACE
ace types
ACE Types
  • 3 Generic types
  • 3 Object-Specific ACE types
access rights
Access Rights
  • Generic Access Rights
  • Standard Access Rights
          • Other rights like, SACL access rights, Object-specific access rights, user rights
access checking audit generation
Access Checking & Audit Generation
  • Function “AccessCheckAndAuditAlarm” determines whether the subject is allowed or denied access and then determines is there a need to generate an auditing entry in the security log.
  • It considers the following
          • Subjects access token
          • Subject’s desired access mask (a data structure 32 bit log, each bit corresponding to a particular access rights)
          • Object’s security descriptor
  • After the access-checking is complete, this function returns a granted access mask (it is identical to desired access mask except that all bits are initially turned off)
auditing1
Auditing
  • Here, we generate entries in the security log for successful or failed attempts to access an object
  • After the access checking is over, the function will tell us what need to be logged in
          • Subject’s access token
          • Desired access mask – subject
          • Granted access mask – access check
          • Object’s SACL
conclusion
Conclusion
  • UNIX Vs Win2000
      • Easy to control system configuration on UNIX
      • ACL's are much more complex than traditional UNIX style permissions
      • In basic UNIX, it is impossible to give a number of users different access rights