Access Control and Audit


Access Control and Audit CS490 - Security in Computing Copyright © 2005 by Scott Orr and the Trustees of Indiana University

Section Overview
- OS Reference Model
- CPU protection
- Memory protection
- Resource access control
- Audits

References
- Security in Computing, 3rd Ed., Chapter 4 (pgs. 179-209)
- Online Resources: Role Based Access Control by Michael Lebkicher (SANS Reading Room)

Access Control Model (diagram): a Subject sends an Access request to the OS Reference Monitor; only when the reference monitor answers Access Granted does the request reach the Object.

Hardware Components (diagram): CPU, Memory, Bus, I/O Device Controllers.

Dual-Mode Operation (diagram): User mode and Supervisor mode; an Interrupt moves the CPU from User to Supervisor mode, and Resume returns it to User mode.

Pentium Protection Rings (diagram, outer to inner): Application Software, I/O Drivers, Operating System Kernel.

Interrupt Handling (diagram): memory is split into User and Supervisor regions; the Interrupt vector table (Interrupt Vector 0 ... Interrupt Vector n-1, Interrupt Vector n) lives in the Supervisor region, and a Trap n or System Call from the User region transfers control to Interrupt Handler n.

Interrupt Uses
- I/O Device Protection
  - Users cannot access devices directly
  - Must go through kernel
  - System calls
- CPU Protection
  - Exception Handling
  - Fair use (timer)

Fence Registers (diagram): the Operating System occupies memory addresses up to n; User Program Space starts at n+1. All memory requests by user programs must be for addresses n+1 or higher.

Base/Bound Registers (diagram): the Operating System occupies addresses up to n; User A Program Space is n+1 to p, User B Program Space is p+1 to q, User C Program Space starts at q+1, with a Base Register and a Bound Register marking each program's region. Memory requests must fall between the base and bound register addresses.

Segmentation (diagram): Program C is split into the segments Main, Seg_A, Sub and Data_Seg, and each program's Segment Translation Table maps a segment name to its address in memory (the memory holds the segments of programs A, B and C interleaved, e.g. A: Main, B: Data_Seg, C: Main, A: Seg_A, B: Main, C: Seg_A, C: Data_Seg, A: Data_Seg, B: Seg_A). A request such as Fetch<Data_Seg, 20> is resolved by looking up Data_Seg in Program C's table and adding the offset 20 to the segment's address.

Paging (diagram): Program C consists of Page 0 through Page 5; a Translation Table maps each page number to the address of the memory frame holding it (the frames of Program C are scattered among those of other programs). A request such as Fetch<3, 37> is resolved by looking up Page 3 in the table and adding the offset 37 to that frame's address. Paging can be combined with Segmentation.
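The three memory-protection checks on these slides (base/bound registers, segment translation, page translation) as a small software model; this is an added example, not code from the slides, and the segment addresses, page frames, lengths and page size are constructed values.

```python
# Added example (not from the slides): a software model of the memory
# protection schemes above. All addresses and sizes are constructed.
from dataclasses import dataclass


class ProtectionFault(Exception):
    """Raised when an access falls outside the region a program may use."""


@dataclass(frozen=True)
class Segment:
    base: int    # physical address where the segment starts
    length: int  # number of bytes the segment may use


def base_bound_check(addr, base, bound):
    """Base/bound registers: an access must fall inside [base, bound]."""
    if not base <= addr <= bound:
        raise ProtectionFault(f"address {addr} outside [{base}, {bound}]")
    return addr


def fetch_segment(table, name, offset):
    """Segmentation: Fetch<segment, offset> becomes base + offset, but only
    if the offset lies within the segment's length."""
    seg = table[name]
    if not 0 <= offset < seg.length:
        raise ProtectionFault(f"offset {offset} beyond segment {name}")
    return seg.base + offset


def fetch_page(page_table, page, offset, page_size=1024):
    """Paging: Fetch<page, offset> becomes frame_base + offset; an unmapped
    page or an offset past the page size is a fault."""
    if page not in page_table or not 0 <= offset < page_size:
        raise ProtectionFault(f"bad page access <{page}, {offset}>")
    return page_table[page] + offset


# Constructed translation table for "Program C": the segment names match the
# diagram, the base addresses and lengths are made up.
PROGRAM_C_SEGMENTS = {
    "Main": Segment(base=0x1000, length=512),
    "Seg_A": Segment(base=0x2000, length=256),
    "Sub": Segment(base=0x3000, length=128),
    "Data_Seg": Segment(base=0x4000, length=64),
}
# Constructed page table: page number -> frame base address.
PROGRAM_C_PAGES = {0: 0x8000, 1: 0x9000, 2: 0xA000, 3: 0xB000}

if __name__ == "__main__":
    print(hex(fetch_segment(PROGRAM_C_SEGMENTS, "Data_Seg", 20)))  # 0x4014
    print(hex(fetch_page(PROGRAM_C_PAGES, 3, 37)))                  # 0xb025
```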

MS File/Directory Attributes
- Read-Only
- Hidden
- System
- Archive

User Accounts
- UserID
- User's Full Name
- Password
- Home Directory
- Groups
- System Interface?

Special Users
- Guest
- System Accounts
- Superuser / Administrator
  - Full Access to all system resources
  - Superuser Equivalency
- "Principle of Least Privilege"

UNIX Accounts
- Username
- Password
- UID
- GID
- GCOS
- Home Directory
- Default Shell
- Stored in /etc/passwd: sorr:VsjqYhTwQiJPw:126:10:Scott Orr:/home/sorr:/bin/csh
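A parser for the /etc/passwd record format above, with a check for the "superuser equivalency" problem from the Special Users slide (any account with UID 0 is root whatever it is called). Added example, not the slides' own code; the sample file reuses the slide's line plus two constructed accounts.

```python
# Added example (not from the slides): parse /etc/passwd-style records and
# flag accounts that share UID 0 with root ("superuser equivalency").
from dataclasses import dataclass

PASSWD_FIELDS = ("username", "password", "uid", "gid", "gcos", "home", "shell")


@dataclass(frozen=True)
class PasswdEntry:
    username: str
    password: str   # hash, or "x" when it lives in /etc/shadow
    uid: int
    gid: int
    gcos: str       # full name / comment field
    home: str
    shell: str


def parse_passwd_line(line):
    """Split one colon-separated record into its seven fields."""
    parts = line.rstrip("\n").split(":")
    if len(parts) != len(PASSWD_FIELDS):
        raise ValueError(f"expected 7 fields, got {len(parts)}: {line!r}")
    user, pw, uid, gid, gcos, home, shell = parts
    return PasswdEntry(user, pw, int(uid), int(gid), gcos, home, shell)


def parse_passwd(text):
    """Parse a whole file, skipping blank and comment lines."""
    return [parse_passwd_line(l) for l in text.splitlines()
            if l and not l.startswith("#")]


def superuser_equivalents(entries):
    """Accounts with UID 0 other than 'root': each has full superuser
    access, so least privilege says they should not exist."""
    return [e.username for e in entries if e.uid == 0 and e.username != "root"]


# Constructed sample: the slide's example line plus two made-up accounts.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
sorr:VsjqYhTwQiJPw:126:10:Scott Orr:/home/sorr:/bin/csh
toor:x:0:0:second superuser:/root:/bin/sh
"""

if __name__ == "__main__":
    entries = parse_passwd(SAMPLE_PASSWD)
    print(entries[1].home, superuser_equivalents(entries))  # /home/sorr ['toor']
```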

Microsoft Security Identifiers
- Created for every user, group, and machine
- Never reused
- Format: S-1-5-21-D1-D2-D3-RID
  - S-1-5-21: Standard prefix for NT
  - D1-D2-D3: Local or domain identifier
  - RID (Relative ID): Unique part of SID

File/Directory Permissions
- Read
- Create
- Write
- Append
- Delete
- Execute
- Search
- Ownership
- Access Control
- Permissions on newly created files/directories?

Access Control Matrix

         File-1       File-2    Dir-1         Printer-1
alice    Read, Write  Execute   Search        Write
bob      Read         -         Read, Search  -
scott    -            -         -             -

Object Access Control Lists (ACL for File-1)

User     Access
alice    Read, Write
bob      Read
scott    -

Group Access
- Users requiring the same access to an object
- Simplifies adding/removing of access
  - Adding/removing users
  - Adding/removing permissions to an object
- Multiple group membership interaction
  - Union
  - Intersection
  - Deny permissions
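A reference-monitor style check built from the access control matrix, its per-object ACL view, and the three group-combination rules just listed. Added example, not the slides' own code: the user/object entries follow the slide's matrix (bob's "Read, Search" taken as his Dir-1 entry); the group names, memberships, group grants and the deny entry are constructed.

```python
# Added example (not from the slides): access matrix, ACL view, and group
# rights combined by union, intersection, or overridden by deny entries.

# Access control matrix: (subject, object) -> set of permitted operations.
MATRIX = {
    ("alice", "File-1"): {"Read", "Write"},
    ("alice", "File-2"): {"Execute"},
    ("alice", "Dir-1"): {"Search"},
    ("alice", "Printer-1"): {"Write"},
    ("bob", "File-1"): {"Read"},
    ("bob", "Dir-1"): {"Read", "Search"},
    # scott has no entries of his own.
}

def acl_for(obj):
    """Column view of the matrix: the object's access control list."""
    return {s: ops for (s, o), ops in MATRIX.items() if o == obj}

# Constructed groups; a user may belong to several.
GROUP_MEMBERS = {"staff": {"alice", "bob", "scott"}, "printops": {"scott"}}
GROUP_GRANTS = {("staff", "File-2"): {"Read"},
                ("printops", "Printer-1"): {"Write"}}
# Explicit denies override any grant, from the user or from a group.
DENIES = {("bob", "File-2"): {"Read"}}

def effective_rights(user, obj, combine="union"):
    """Rights from the user's own entry plus group rights, where the group
    rights are either the union of all the user's groups or the intersection
    across them; denies are removed last."""
    groups = [g for g, members in GROUP_MEMBERS.items() if user in members]
    group_sets = [GROUP_GRANTS.get((g, obj), set()) for g in groups]
    if combine == "union":
        from_groups = set().union(*group_sets)
    elif combine == "intersection":
        from_groups = set.intersection(*group_sets) if group_sets else set()
    else:
        raise ValueError(f"unknown combine rule {combine!r}")
    rights = MATRIX.get((user, obj), set()) | from_groups
    return rights - DENIES.get((user, obj), set())

def check_access(user, obj, op, combine="union"):
    """The reference monitor's decision for one request."""
    return op in effective_rights(user, obj, combine)

if __name__ == "__main__":
    print(acl_for("File-1"))
    print(check_access("scott", "File-2", "Read"),
          check_access("scott", "File-2", "Read", combine="intersection"))
```

With union, scott can Read File-2 through the staff group; under the intersection rule his membership in printops (which grants nothing on File-2) removes that right.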

Processes
- Programs which are running
- Inherits access rights from parent
- Restricting User processes
  - Priority based
  - Process size
  - Number of concurrent user processes
- Superuser processes have full system access!!!

Permissions and Paths
- Running Programs
  - Must have execute permissions to run
  - Absolute location
  - Shortcuts
  - PATH environment variable
    - Lists directories to search for programs
    - Order important
    - Having the current directory in your path may be hazardous to your health!!!

Who Controls Access?
- Discretionary Access Control (DAC)
  - Object owner decides
  - Does not require administrator assistance
- Mandatory Access Control (MAC)
  - Administrators decide
  - Multi-level Security Requirements
- Role-Based Access Control (RBAC)
  - Based on "role" within an organization
  - Transaction based
  - Least privilege based

UNIX SUID/SGID Programs
- Permits controlled access to restricted resources
- SetUID (SUID) – Runs with access permissions of program owner
- SetGID (SGID) – Runs with access permissions of default group owner
- Root SUID/SGID programs often the target of Buffer-Overflow Attacks

Using Administrative accounts
- Principle of Least Privilege
- Selective use of administrative access
  - UNIX su "switch user" command
  - Microsoft "Run As" command
  - All attempts logged
- UNIX sudo command
  - Grant specific users root access to programs
  - No need to share root password
- Remember to avoid '.' in root's path!!!
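The PATH warning on the Permissions and Paths slide and the reminder above about '.' in root's path, shown as a check an administrator can run: resolve a command left to right through PATH the way the shell does, and list PATH entries that an administrative account should not contain. Added example, not the slides' own code; the directory contents are a constructed in-memory table rather than the real filesystem.

```python
# Added example (not from the slides): PATH search order and a hazard check.
# The "filesystem" is a constructed dict, so this runs without touching disk.
import posixpath

SEP = ":"   # UNIX PATH separator


def path_hazards(path_value):
    """PATH entries an administrative account should not have: '.', an empty
    entry (which the shell also treats as the current directory) and any
    relative directory, since their contents depend on where you happen to be."""
    hazards = []
    for entry in path_value.split(SEP):
        if entry in ("", "."):
            hazards.append(entry or "<empty>")
        elif not posixpath.isabs(entry):
            hazards.append(entry)
    return hazards


def resolve(command, path_value, cwd, executables):
    """Return the path of the first executable named `command` found in PATH
    order, or None. `executables` maps directory -> set of executable names."""
    if "/" in command:  # absolute location or explicit relative path: no search
        return command
    for entry in path_value.split(SEP):
        directory = cwd if entry in ("", ".") else entry
        if command in executables.get(directory, set()):
            return posixpath.join(directory, command)
    return None


# Constructed layout: the system ls lives in /bin; a shared temporary
# directory happens to hold a file with the same name.
FAKE_FS = {"/bin": {"ls", "cat"}, "/usr/bin": {"vi"}, "/tmp": {"ls"}}

if __name__ == "__main__":
    safe = "/usr/bin:/bin"
    risky = ".:/usr/bin:/bin"
    print(resolve("ls", safe, "/tmp", FAKE_FS))   # /bin/ls
    print(resolve("ls", risky, "/tmp", FAKE_FS))  # /tmp/ls
    print(path_hazards(risky))                     # ['.']
```

Order matters: with the same two PATH values and the current directory /tmp, the first resolves ls to /bin/ls and the second to /tmp/ls, which is exactly why '.' has no place in an administrator's PATH.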

Active Audits
- Monitor what is happening currently
  - Memory/CPU Usage
  - System Load
  - Free memory/swap
  - Time since last reboot
  - Disk Space Usage
  - Current Users

Historical Records
- Events logged into files
  - Login/Logout
  - Access
  - Programs run
  - Software/Hardware Errors
  - Resource Usage
  - Application logs
- Log reduction?
- Log integrity and centralization

How long to keep logs?
- Don't log at all
- Reset the logs periodically
- Rotate Logs periodically
- Permanently archive log data
  - File compression tools
  - Tape
  - CDROM/DVD
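The "Rotate Logs periodically" option above, with compression and a fixed number of retained generations, as an added example (not the slides' own code). The log file name, its constructed audit lines and the temporary directory are assumptions; `keep` is the retention count.

```python
# Added example (not from the slides): periodic log rotation that keeps a
# fixed number of compressed generations. Paths and contents are constructed.
import gzip
import os
import tempfile


def rotate_log(log_path, keep=3):
    """Shift name.N.gz to name.(N+1).gz (dropping the generation past `keep`),
    compress the live log into name.1.gz and start a fresh live log.
    Returns the archives that remain, newest first."""
    for n in range(keep, 0, -1):          # oldest first so nothing is clobbered
        src = f"{log_path}.{n}.gz"
        if not os.path.exists(src):
            continue
        if n == keep:
            os.remove(src)                # falls off the end of the retention window
        else:
            os.replace(src, f"{log_path}.{n + 1}.gz")
    if os.path.exists(log_path):
        with open(log_path, "rb") as live, gzip.open(f"{log_path}.1.gz", "wb") as gz:
            gz.write(live.read())
        open(log_path, "wb").close()      # truncate the live log
    return archived(log_path, keep)


def archived(log_path, keep):
    return [f"{log_path}.{n}.gz" for n in range(1, keep + 1)
            if os.path.exists(f"{log_path}.{n}.gz")]


def read_archive(path):
    with gzip.open(path, "rt") as gz:
        return gz.read()


def demo(rounds=5, keep=3):
    """Append one constructed audit line per round, rotate after each round,
    and report how many archives survive plus the newest and oldest content."""
    with tempfile.TemporaryDirectory() as d:
        log = os.path.join(d, "auth.log")
        for day in range(rounds):
            with open(log, "a") as f:
                f.write(f"day {day}: su to root by sorr\n")
            kept = rotate_log(log, keep)
        return len(kept), read_archive(kept[0]), read_archive(kept[-1])
```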