Access Control Flashcards
DAC
Discretionary Access Control:
The access control policy is determined by the owner
DAC is used commonly
- Every object in a system must have an owner
- Each owner determines access rights and permissions for each object
MAC
Mandatory Access Control:
An access control policy where the computer system determines the access control for an object
MAC relies on security labels being assigned to every user (called a subject) and every file/folder/device or network connection (called an object)
Data labels create trust levels for all subjects and objects
MAC is implemented through the Rule-based and the Latticebased access control methods
Rule-Based Access Control
Label-based access control that defines whether access should be granted or denied to objects by comparing the object label and the subject label
Lattice-Based Access Control
Utilizes complex mathematics to create sets of objects and subjects to define how they interact
Mandatory Access Control is a feature in FreeBSD & SELinux
Only in high security systems due to its complex configuration
RBAC
Role-Based Access Control:
An access model that is controlled by the system (like MAC) but utilizes a set of permissions instead of a single data label to define the permission level
Power Users is a role-based permission
ABAC
Attribute-Based Access Control:
An access model that is dynamic and context-aware using IF-THEN statements
Most specific/detailed access control
If Jason is in HR, then give him access to \fileserver\HR
chmod
chmod 760 filename
Bash command used to change file permissions
R (Read) = 4
W (Write) = 2
X (Execute) = 1
7 = Owner can RWX
6 = Group can RW
0 = All Users (no access)
Privilege Creep
Occurs when a user gets additional permission over time as they rotate through different positions or roles
Privilege creep violates the principles of least privilege
Permissions
Permissions are inherited by default from the parent when a new folder is created
Any permissions added/removed from the parent folder will pass to the child by default too!
Use Groups for roles and do not assign users directly to a folder’s permissions
If you copy a folder, then permissions are inherited from the parent folder it is copied into
If you move a folder, then permissions are retained from its original permissions