|
In computing, a mandatory access control (MAC) technique protects and contains computer processes, data, and system devices from misuse. This may extend or replace discretionary access control for file-system permissions and the concepts of users and groups. Originally, the word computing was synonymous with counting and calculating, and a science that deals with the original sense of computing mathematical calculations. ...
Discretionary Access Control (DAC) defines basic access control policies to objects in a filesystem. ...
In computing, a file system is a method for storing and organizing computer files and the data they contain to make it easy to find and access them. ...
MAC's most important feature involves denying users full control over the access to resources that they create. The system security policy (as set by the administrator) entirely determines the access rights granted, and a user may not grant less restrictive access to their resources than the administrator specifies. (Discretionary access control systems permit users to entirely determine the access granted to their resources, which means that they can (through accident or malice) give access to unauthorised users.) Discretionary Access Control (DAC) defines basic access control policies to objects in a filesystem. ...
MAC has the goal of defining an architecture that requires the evaluation of all security-related labels and making decisions based upon the operations context and those same data labels. The FLASK and Generalized Framework for Access Control (GFAC) architectures, coupled with MAC, become enabling technologies of multilevel security systems. Systems Architecture. ...
Look up flask in Wiktionary, the free dictionary. ...
Multilevel Security or MLS is the capability of a computer system to carry information with different sensitivities (i. ...
Such an architecture prevents an authenticated user or process at a specific classification or trust-level from accessing information, processes, or devices in a different level. This provides a containment mechanism of users and processes, both known and unknown (an unknown program (for example) might comprise an untrusted application where the system should monitor and/or control accesses to devices and files).
Requirements of an architecture that works to separate data and operations within a computer include:
- non-bypassable
- evaluatable (to determine the usefulness and effectiveness of a rule)
- always-invoked (to preclude by-passing the system)
- tamper-proof
Mainstream MAC implementations
- An NSA research project called SELinux (Security-Enhanced Linux) added a Mandatory Access Control architecture to the Linux kernel. In Red Hat Enterprise Linux version 4 (and future versions), the developers have compiled SELinux into the kernel. The standard Linux kernel from kernel.org has all SE Linux kernel code. SE Linux is capable of restricting all processes in the system, however for ease of use the supported policy in RHEL only restricts the most vulnerable programs.
- SUSE Linux (now supported by Novell) has added a MAC implementation called AppArmor. AppArmor utilizes a Linux 2.6 kernel feature called LSM (Linux Security Modules interface). LSM provides a kernel API, which allows modules of kernel code to govern access control. AppArmor is not capable of restricting all programs and is not yet included in the kernel.org kernel source tree.
- Beginning with version 5.0, the work of the TrustedBSD project has been incorporated into releases of the FreeBSD operating system. Development is a work in progress, and the implementation models as well as the capabilities are constantly improving. MAC on FreeBSD comes with pre-built structures for implementing MAC models such as Biba and Multi-Level Security.
- Sun's Trusted Solaris uses a mandatory and system-enforced access control mechanism (MAC), where clearances and labels are used to enforce a security policy. The applications a user runs are combined with the security level at which the user works in the session. Access to information, programs and devices are controlled and granted at the same or lower level only. MAC prevents users from writing to files at lower levels and is enforced according to the site's security policy. It cannot be overridden without special authorization or privileges.
NSA can stand for: National Security Agency of the USA The British Librarys National Sound Archive This page concerning a three-letter acronym or abbreviation is a disambiguation page — a navigational aid which lists other pages that might otherwise share the same title. ...
Security-Enhanced Linux (SELinux) is an implementation of mandatory access control using Linux Security Modules (LSM) in the Linux kernel, based on the principle of least privilege. ...
Linux (also known as GNU/Linux) is a computer operating system. ...
In computer science, the kernel is the core piece of most operating systems. ...
Red Hat Enterprise Linux 4 Red Hat Enterprise Linux (often abbreviated to RHEL) is a Linux distribution produced by Red Hat and targeted toward the commercial market. ...
Red Hat Enterprise Linux 4 Red Hat Enterprise Linux (often abbreviated to RHEL) is a Linux distribution produced by Red Hat and targeted toward the commercial market. ...
SUSE (properly pronounced , but often pronounced /suzi/) is a major retail Linux distribution, produced in Germany. ...
2006 is a common year starting on Sunday of the Gregorian calendar. ...
Novell, Inc. ...
AppArmor is security product for Linux, currently maintained by Novell. ...
Look up the abbreviation LSM in Wiktionary LSM is a three letter abbreviation that may refer to: Laser Scanning Microscopy (see Confocal laser scanning microscopy), a type of microscopy in which laser light is used for illumination Linux Software Map, a standard text format for describing Linux software Linux Security...
An application programming interface (API) is the interface that a computer system, library or application provides in order to allow requests for service to be made of it by other computer programs, and/or to allow data to be exchanged between them. ...
The TrustedBSD project provides a set of trusted operating system extensions to the FreeBSD operating system, begun primarily by Robert Watson, the goal of the project has been implementing concepts from the Common Criteria for Information Technology Security Evaluation, the Orange Book. ...
FreeBSD is a Unix-like free software operating system descended from AT&T UNIX via the Berkeley Software Distribution (BSD) branch through 386BSD and 4. ...
This model was developed to circumvent a weakness in the Bell La Padula computer operating system protection model which did not include the possibility of implicit deletion of security objects by writing to them. ...
Multi-Level Security or (MLS) is the concept of processing information with different classifications and categories that simultaneously permits access by users with different security clearances and denies access to users who lack authorization. ...
Historical MAC architectures Several security-focused operating systems implement MAC, and it forms a core part of the FLASK operating systems. This is an alphabetical list of operating systems with a sharp security focus. ...
Look up flask in Wiktionary, the free dictionary. ...
See also Classified information is secret information to which access is restricted by law or corporate rules to a particular hierarchical class of people. ...
The concept of Type enforcement (TE) in the field of information technology is related to access control. ...
FreeBSD is a Unix-like free software operating system descended from AT&T UNIX via the Berkeley Software Distribution (BSD) branch through 386BSD and 4. ...
The TrustedBSD project provides a set of trusted operating system extensions to the FreeBSD operating system, begun primarily by Robert Watson, the goal of the project has been implementing concepts from the Common Criteria for Information Technology Security Evaluation, the Orange Book. ...
Security-Enhanced Linux (SELinux) is a version of the Linux kernel and utilities, which contains support for mandatory access controls based on the principle of least privilege. ...
RSBAC (Rule Set Based Access Control) is a flexible, powerful and fast open source access control framework for current Linux kernels, which has been in stable production use since January 2000 (version 1. ...
Generally, Security Modes refer to information systems security modes of operations used in mandatory access control (MAC) systems. ...
The Bell-La Padula security model, described mathematically by D.E. Bell and L.J. La Padula in the 1970s, is a model for computer operating system security based on the concept of security subjects and security objects, and the capabilities subjects have to change objects. ...
Multi-Level Security or (MLS) is the concept of processing information with different classifications and categories that simultaneously permits access by users with different security clearances and denies access to users who lack authorization. ...
Discretionary Access Control (DAC) defines basic access control policies to objects in a filesystem. ...
In computer systems security Role-Based Access Control (RBAC) is an approach to restricting system access to authorized users. ...
The Biba Model is a formal state transition system of computer security policy that describes a set of access control rules designed to ensure that data is not contaminated. ...
The Take-Grant Protection Model is a formal model used in the field of computer security to establish or disprove the safety of a given computer system that follows specific rules. ...
The Clark-Wilson integrity model is based on transactions. ...
The Graham-Denning Model addresses the security issues associated with how to define a set of basic rights on how specific subjects can execute security functions on an object. ...
External Links - Weblog post on the how virtualization can be used to implement Mandatory Access Control.
|
Feeds |
Contact