FreeBSD Mandatory Access Control Usage for Implementing Enterprise Security Policies
Authors
Abstract
Security needs of organizations are becoming more and more sophisticated nowadays. Most general-purpose operating systems (GPOS) provide access control policies to meet these needs. There are cases when the traditionally deployed Discretionary Access Control (DAC) rules are not sufficient: they tend to quickly become unmanageable in large installations, and they are not enough for controlling information flows. This is where Mandatory Access Control (MAC) comes in: it provides better manageability and directly targets the information flows. In turn, the information flows address the confidentiality and integrity needs of information security within an organization. Until very recently, GPOSes tended to provide various flavors of DAC only. The FreeBSD OS [1] was one of the first widely deployed open source GPOSes to support MAC [2], [3].
In this paper, a number of organizational policy examples are implemented in the environment of the FreeBSD MAC. The authors strongly believe that in order to implement a sound MAC policy it is important to understand MAC’s mathematical foundations. These foundations were set by Denning in [4]. There is also terminological confusion between MAC and LBAC (lattice-based access control). These models are the same, because MAC security labels [5] directly correspond to security classes of lattice-based models (this was also pointed out by Sandhu [6] and Osborn [7]).
Let us first address the definition of information flow. According to Denning and Sandhu, security policies regulate how information “flows from one object to another”. A typical object is a shared memory segment, a file system object or a network packet. Obviously, controlling information flows is important to prevent the leakage of confidential information, the kind usually sought by insiders. Another goal is forgery prevention, so that no untrusted reports are ever submitted to the top level of the organization hierarchy, and no top-ranking company officers take any unchecked or untrusted information into account during decision making.
To implement information flow control, every object is assigned a security label (also called a security classification), implemented by the FreeBSD file label. When information flows from one object into another, an information flow from the security class of the first object to the security class of the second one also takes place. Whether the information flow is allowed is regulated by the relation between the object security classes. The subjects are the entities performing the information transfer between the objects. In our case, a subject appears when a user logs in to the system and is assigned a set of privileges. As we are considering MAC, the set of privileges is rendered as a security clearance. It is implemented by the FreeBSD user label.
This paper is organized as follows. In the next section an example of an organization and its document flow is described. The following sections implement the organization’s information security goals, which gradually increase in complexity. The information security goals specify the target effect: preserving data and process integrity, restricting access to confidential information, or implementing a consulting services policy. For every security goal, a corresponding classic MAC model or a combination of them is chosen. The models are then implemented in the FreeBSD MAC framework.
Similar resources
CAMAC: a context-aware mandatory access control model
Mandatory access control models have traditionally been employed as a robust security mechanism in multilevel security environments such as military domains. In traditional mandatory models, the security classes associated with entities are context-insensitive. However, context-sensitivity of security classes and flexibility of access control mechanisms may be required especially in pervasive c...
Personalized Security Approaches in E-banking Employing Flask Architecture over Cloud Environment
Personalized security in E-banking is an important issue for many individuals and companies that are looking for achieving the proper level of security. The cloud environment is a suitable infrastructure to implement personalized security mechanisms for many big companies such as banks. Employing mandatory access controls boosts the security of E-banking to a high level. Flask architecture is t...
An Approach for Cross-Domain Intrusion Detection
Network-based monitoring and intrusion detection has grown into an essential component of enterprise security management. Monitoring potentially malicious activities across a set of networks classified at different security levels, however, presents subtle and complicated challenges. Analysis of intrusion alerts collected on an individual network only reveals malicious attempts to compromise th...
xESB: An Enterprise Service Bus for Access and Usage Control Policy Enforcement
Enforcing complex policies that span organizational domains is an open challenge. Current work on SOA policy enforcement splits security in logical components that can be distributed across domains, but does not offer any concrete solution to integrate this security functionality so that it works across security services for organization-wide policies. In this paper, we propose xESB, an enhance...
A Survey of Usage Control in Computer Security
Protecting access to digital resources is one of the fundamental problems recognized in computer security. It yet remains a challenging problem to work out starting from the conception till implementation. Access control is a study which deals with the ability to permit or deny the access rights to a particular resource (object) by a particular entity (subject). The three most widely implemente...
Journal title:
- CoRR
Volume abs/0706.1755 Issue
Pages -
Publication date 2007