General Security Concepts: Access Control, Authentication, and Auditing • Chapter 1 9
have to have intimate knowledge of each of the levels of access defined on the
system to compromise it or make the Trojan horse viable within it.
To review briefly, MAC is:
■ Non-discretionary The control settings are hard-coded by the system and not modifiable by the user or owner of an object
■ Multilevel Control of access privileges is definable at multiple access levels (for example, a hierarchy of sensitivity levels)
■ Label-based Every subject and object carries a label, and access decisions compare those labels; the same mechanism may be used to control access to objects in a database
■ Universally Applied Applied to all objects on the system, not just those an owner chooses to protect
DAC
DAC is the setting of access permissions on an object by the user or application that created it or otherwise controls it. This includes setting permissions on files, folders, and shared resources. In most operating system (OS) environments it is the "owner" of the object who applies discretionary access controls. Ownership may be transferred by the owner, or taken over or overridden by root or other superuser/administrator accounts. It is important to understand that DAC is assigned and controlled by the owner rather than being hard-coded into the system. Because the owner's processes run with the owner's authority, any program the owner executes can change those permissions too, which is the Trojan horse exposure that MAC's fixed labels are designed to close. DAC does not provide the system-wide, label-enforced control available with MAC, but it requires no hard-coded policy and far less central administration, since each owner manages the permissions on the individual files and resources under their control.
To summarize, DAC is:
■ Discretionary Not hard-coded and not automatically applied by the
OS/NOS or application
■ Controllable Controlled by the owner of the object (file, folder, or other
types)
■ Transferable The owner may give control away
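To make the contrast between the two models concrete, the following is an added example (not code from the study book) of a toy reference monitor: a MAC check in which labels are fixed by the system and compared on every access, beside a DAC object whose owner controls an access list and can hand ownership away while a superuser can override both. The level names, users, objects, and the superuser name `root` are all constructed for illustration.

```python
"""Added example, not from the study book: a toy reference monitor that
contrasts the MAC and DAC rules summarised in the text.  All level, user
and object names below are constructed for illustration."""
from __future__ import annotations
from dataclasses import dataclass, field

# MAC: an ordered set of sensitivity labels fixed by the system (constructed).
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}


@dataclass
class MacObject:
    name: str
    label: str          # assigned by the system at creation; owner cannot change it


@dataclass
class MacSubject:
    name: str
    clearance: str


def mac_allows(subject: MacSubject, obj: MacObject, op: str) -> bool:
    """Multilevel check in the Bell-LaPadula style: a subject may read objects
    at or below its clearance ("no read up") and write only to objects at or
    above it ("no write down").  Nothing the subject does can relax this."""
    s, o = LEVELS[subject.clearance], LEVELS[obj.label]
    if op == "read":
        return s >= o
    if op == "write":
        return s <= o
    raise ValueError(f"unknown op {op!r}")


# DAC: permissions live in an owner-controlled ACL, and ownership can move.
SUPERUSER = "root"   # assumed name for the overriding administrator account


@dataclass
class DacObject:
    name: str
    owner: str
    acl: dict[str, set[str]] = field(default_factory=dict)   # user -> allowed ops


def dac_allows(user: str, obj: DacObject, op: str) -> bool:
    """The owner and the superuser always pass; anyone else needs an ACL entry."""
    if user in (obj.owner, SUPERUSER):
        return True
    return op in obj.acl.get(user, set())


def dac_grant(actor: str, obj: DacObject, grantee: str, op: str) -> None:
    """'Controllable': only the owner (or the superuser) may edit the ACL."""
    if actor not in (obj.owner, SUPERUSER):
        raise PermissionError(f"{actor} does not own {obj.name}")
    obj.acl.setdefault(grantee, set()).add(op)


def dac_transfer(actor: str, obj: DacObject, new_owner: str) -> None:
    """'Transferable': the owner may give control away (the superuser may force it)."""
    if actor not in (obj.owner, SUPERUSER):
        raise PermissionError(f"{actor} does not own {obj.name}")
    obj.owner = new_owner


def demo() -> dict:
    """Run both models on constructed inputs and return the decisions."""
    out = {}
    # MAC: a 'secret' subject reads down but not up, and cannot write down.
    analyst = MacSubject("analyst", "secret")
    out["mac_read_down"] = mac_allows(analyst, MacObject("memo", "confidential"), "read")
    out["mac_read_up"] = mac_allows(analyst, MacObject("plans", "top_secret"), "read")
    out["mac_write_down"] = mac_allows(analyst, MacObject("memo", "confidential"), "write")

    # DAC: alice owns a file, grants bob read, then transfers ownership to bob.
    report = DacObject("report.txt", owner="alice")
    out["dac_before_grant"] = dac_allows("bob", report, "read")
    dac_grant("alice", report, "bob", "read")
    out["dac_after_grant"] = dac_allows("bob", report, "read")
    try:                                    # a non-owner cannot hand out access
        dac_grant("carol", report, "carol", "read")
        out["dac_nonowner_grant"] = "allowed"
    except PermissionError:
        out["dac_nonowner_grant"] = "refused"
    dac_transfer("alice", report, "bob")
    out["dac_old_owner_write"] = dac_allows("alice", report, "write")   # alice kept no ACL entry
    out["dac_root_write"] = dac_allows("root", report, "write")         # superuser overrides
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:22} {v}")
```

The two halves differ in exactly the way the bullet lists describe: `mac_allows` consults only the system-assigned labels, so no call in the object's owner's hands can widen access, whereas everything `dac_allows` decides flows from an ACL that the owner (or any code running as the owner) can rewrite.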
RBAC
RBAC can be described in different ways. The most familiar illustration is a comparison with the "groups" concept. In Windows, UNIX/Linux, and NetWare systems, groups are used to simplify the administration of access control permissions and settings: permissions are attached to a group, and a user receives them by membership. Role-based access control works the same way, with permissions bound to a role and users assigned to roles rather than being granted rights one at a time. When you create the appropriate groupings, you can centralize the job of setting access levels for the various resources within the system, because one change to the group or role takes effect for every member. This is the accepted way to simplify the general administration of resources on networks and local machines.
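The following is an added example (not code from the study book) of a minimal role-based access control check built on the groups idea described above: permissions attach to roles, users are assigned to roles, and a single change to a role reaches every member at once, so there is no per-user permission to track. The role, permission and user names are constructed for illustration.

```python
"""Added example, not from the study book: a minimal RBAC model in which
permissions are bound to roles and users only ever receive them through
role membership.  Role, permission and user names are constructed."""
from __future__ import annotations
from collections import defaultdict


class Rbac:
    def __init__(self) -> None:
        self.role_perms: dict[str, set[str]] = defaultdict(set)   # role -> permissions
        self.user_roles: dict[str, set[str]] = defaultdict(set)   # user -> roles

    # Administration happens on roles, the central point the text describes.
    def grant(self, role: str, perm: str) -> None:
        self.role_perms[role].add(perm)

    def revoke(self, role: str, perm: str) -> None:
        self.role_perms[role].discard(perm)

    # Users are attached to roles; there is no API to give a user a permission directly.
    def assign(self, user: str, role: str) -> None:
        self.user_roles[user].add(role)

    def unassign(self, user: str, role: str) -> None:
        self.user_roles[user].discard(role)

    def permissions(self, user: str) -> set[str]:
        """Effective permissions: the union over every role the user holds."""
        return set().union(*(self.role_perms[r] for r in self.user_roles[user]))

    def allows(self, user: str, perm: str) -> bool:
        return perm in self.permissions(user)


def demo() -> dict:
    """Exercise the model on constructed roles and users and return the decisions."""
    r = Rbac()
    r.grant("helpdesk", "reset_password")
    r.grant("helpdesk", "read_tickets")
    r.grant("payroll", "read_salaries")
    for u in ("ann", "ben", "cat"):
        r.assign(u, "helpdesk")
    r.assign("cat", "payroll")

    out = {}
    out["ben_reset"] = r.allows("ben", "reset_password")
    out["ben_salaries"] = r.allows("ben", "read_salaries")
    out["cat_salaries"] = r.allows("cat", "read_salaries")

    # One central change to the role is seen by every member immediately.
    r.grant("helpdesk", "unlock_account")
    out["all_unlock"] = all(r.allows(u, "unlock_account") for u in ("ann", "ben", "cat"))

    # Removing a role revokes everything it carried, with no per-file cleanup.
    r.unassign("cat", "helpdesk")
    out["cat_after"] = sorted(r.permissions("cat"))
    out["unknown_user"] = r.allows("dave", "read_tickets")   # never assigned: nothing
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:14} {v}")
```

The design point is that `Rbac` has no method for attaching a permission to a user; the only way to obtain or lose access is through role membership, which is what makes the administration central rather than scattered across individual objects as in DAC.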
www.syngress.com