Unit 2 Discussion 1: Identifying Layers of Access Control in Linux
Learning Objectives and Outcomes
* You will be able to identify various layers of access control in a Linux server environment.
* You will make security recommendations using different layers of access control.
Really Cheap Used Computers, Inc. is an online seller of old school computers. The organization’s e-commerce Web site runs on a Linux server. The server is located at the organization’s local office in Boston, Massachusetts. The company has experienced tremendous growth and has hired you as the new security analyst. You access the server and find that there are virtually no layers of security other than the passwords set for user accounts.
Discuss at least three layers of access control that can be put in place on this server to create a more secure environment. Rationalize whether the given scenario represents ...
* The student was able to identify and differentiate between the different layers of access control.
One of the most vital security tasks is to maintain control over incoming network connections. As system administrator, you have many layers of control over these connections. At the lowest level, you can unplug the network cables, but this is rarely necessary unless your computer has been cracked so badly that it is beyond all trust. More realistically, you have the following levels of control in software, from general to service-specific:
* Network interface - The interface can be brought entirely down and up.
* Firewall - By setting firewall rules in the Linux kernel, you control the handling of incoming (and outgoing and forwarded) packets. This topic is covered in Chapter 2.
* A superdaemon or Internet services daemon - A superdaemon controls the invocation of specific network services. Suppose the system receives an incoming request for a Telnet connection. The superdaemon could accept or reject it based on the source address, the time of day, the count of other Telnet connections open... or it could simply forbid all Telnet access. Superdaemons typically have a set of configuration files for controlling your many services conveniently in one place.
* Individual network services - Any network service, such as sshd or ftpd, may have built-in access control facilities of its own. For example, sshd has its AllowUsers configuration keyword, ftpd has /etc/ftpaccess, and various services require user authentication.
These levels all play a part when a network service request arrives.
This is considered DAC (Discretionary Access Control), as it is not something the individual user controls because they are not an administrator; SELinux and AppArmor are the only examples of systems using MAC.
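The superdaemon and individual-service layers listed above can be checked directly from their configuration files. The following is an added example, not part of the original essay: it assumes xinetd as the superdaemon (its `only_from`, `access_times`, `instances` and `disable` attributes) and OpenSSH's `sshd_config`. The sample configs and function names are constructed for illustration, and xinetd's `defaults` section and sshd `Match` blocks are not evaluated.

```python
import re

# Constructed sample configs for illustration (not from the original page).
XINETD_TELNET = """\
service telnet
{
    disable     = no
    server      = /usr/sbin/in.telnetd
    only_from   = 192.0.2.0/24
    instances   = 4
}
"""
SSHD_CONFIG = "Port 22\nPermitRootLogin no\n"

# xinetd attribute -> the superdaemon control it provides
SUPERDAEMON_CONTROLS = {"only_from": "source address",
                        "access_times": "time of day",
                        "instances": "open connection count"}

def parse_xinetd(text):
    """Return {service: {attribute: value}} for each 'service NAME { ... }' stanza."""
    services, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        head = re.fullmatch(r"service\s+(\S+)", line)
        attr = re.fullmatch(r"(\w+)\s*[+-]?=\s*(.*)", line)
        if head:
            current = services.setdefault(head.group(1), {})
        elif line == "}":
            current = None
        elif attr and current is not None:
            current[attr.group(1)] = attr.group(2)
    return services

def sshd_keywords(text):
    """Return the lower-cased keywords set in an sshd_config (comments skipped)."""
    lines = (l.strip() for l in text.splitlines())
    return {re.split(r"[\s=]", l, maxsplit=1)[0].lower()
            for l in lines if l and not l.startswith("#")}

def audit(xinetd_text, sshd_text):
    """List the access-control layers that are missing from the two configs."""
    findings = []
    for name, attrs in parse_xinetd(xinetd_text).items():
        if attrs.get("disable", "no").lower() == "yes":
            continue  # service is forbidden outright, nothing more to restrict
        findings += [f"superdaemon: {name} is not limited by {what} ({key})"
                     for key, what in SUPERDAEMON_CONTROLS.items() if key not in attrs]
    if "allowusers" not in sshd_keywords(sshd_text):
        findings.append("service: sshd has no AllowUsers restriction")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(XINETD_TELNET, SSHD_CONFIG)))
```

The interface and firewall layers are not covered here because they can only be inspected on a live system.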