8 Chapter 1 • General Security Concepts: Access Control, Authentication, and Auditing
MAC/DAC/RBAC
In discussing access control, Mandatory Access Control (MAC), Discretionary
Access Control (DAC), and Role-Based Access Control (RBAC) are individual
areas that take on a new meaning.
■ MAC, in this context, is not a network interface card (NIC) hardware
address, but rather a concept called Mandatory Access Control.
■ DAC is short for Discretionary Access Control, which is often referred to
as the use of discretionary access control lists (DACLs).
■ RBAC should not be confused with rule-based access control, but is
instead an access control method based on the use of the specific roles
played by individuals or systems.
All three methods have varying uses when trying to define or limit access to
resources, devices, or networks. The following sections explore and illustrate each of
the three access control methods.
MAC
MAC is generally built into and implemented within the operating system being
used, although it may also be designed into applications. MAC components are
present in UNIX, Linux, Microsoft’s Windows operating systems, OpenBSD, and
others. Mandatory controls are usually hard-coded and set on each object or
resource individually. MAC can be applied to any object within an operating
system, and allows a high level of granularity and function in the granting or
denying of access to the objects. MAC can be applied to each object, and can control
access by processes, applications, and users to the object. It cannot be modified
by the owner or creator of the object.
The following example illustrates the level of control possible. When using
MAC, if a file has a certain level of sensitivity (or context) set, the system will not
allow certain users, programs, or administrators to perform operations on that file.
Think of setting the file’s sensitivity higher than that of an e-mail program. You can
read, write, and copy the file as desired, but without an access level of root, superuser,
or administrator, you cannot e-mail the file to another system, because the e-mail
program lacks clearance to manipulate the file’s level of access control. For
example, this level of control is useful in the prevention of Trojan horse attacks,
since you can set the access levels appropriately to each system process, thus
severely limiting the ability of the Trojan horse to operate. The Trojan horse would
www.syngress.com
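The e-mail scenario above, modelled as an added example (not code from the book): subjects (users and processes) carry a clearance, objects carry a sensitivity label, a subject may only act on an object whose label its clearance dominates, and only an administrator, never the owner, may change a label. The ordered levels, names and the single-lattice dominance rule are simplifying assumptions made for this illustration.

```python
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """Ordered sensitivity levels; a higher value dominates a lower one (assumed lattice)."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    SECRET = 3


@dataclass(frozen=True)
class Subject:
    """A user or a running program; both are checked the same way under MAC."""
    name: str
    clearance: Level
    is_admin: bool = False  # root/superuser/administrator may change labels


@dataclass
class Obj:
    name: str
    owner: str
    sensitivity: Level


def may_access(subject: Subject, obj: Obj) -> bool:
    """Mandatory check: clearance must dominate the object's label. Ownership is irrelevant."""
    return subject.clearance >= obj.sensitivity


def relabel(actor: Subject, obj: Obj, new_level: Level) -> bool:
    """Only an administrator may change a mandatory label; the owner cannot."""
    if not actor.is_admin:
        return False
    obj.sensitivity = new_level
    return True


def try_email(user: Subject, mailer: Subject, attachment: Obj) -> bool:
    """Sending a file succeeds only if both the user and the mail process are cleared for it."""
    return may_access(user, attachment) and may_access(mailer, attachment)


# Constructed scenario: alice owns a CONFIDENTIAL report, but her mail client runs at INTERNAL.
alice = Subject("alice", Level.CONFIDENTIAL)
mailer = Subject("mail-client", Level.INTERNAL)
root = Subject("root", Level.SECRET, is_admin=True)
report = Obj("report.txt", owner="alice", sensitivity=Level.CONFIDENTIAL)

if __name__ == "__main__":
    print("alice reads report:", may_access(alice, report))            # True
    print("alice e-mails report:", try_email(alice, mailer, report))    # False: mailer lacks clearance
    print("owner lowers label:", relabel(alice, report, Level.PUBLIC))  # False: owner cannot relabel
    print("root lowers label:", relabel(root, report, Level.PUBLIC))    # True
```

The same check applies to a Trojan horse running as a low-clearance process: it is denied the object regardless of who owns it.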