Mandatory Label Management in MSVS 3.0

    I already wrote about the mandatory access control model in MSVS 3.0. This article describes the configuration files and utilities used to configure mandatory access. There is almost no theory here: it is a description of the configuration files and of the graphical and console programs for administering mandatory access.

    All console commands described in this article have the --help option. I did not want to copy-paste the help pages, but I highly recommend reading them; there is a lot of interesting material there. In the article I give the most commonly used options of each command.

    Some background
    In addition to discretionary restrictions on access to files, MSVS has mandatory access restriction. Mandatory access control works by comparing the mandatory label of a file with the mandatory label of the user accessing the file. The kind of access the user gets to the file depends on the result of that comparison.
    A label consists of a security level and a set of categories. The maximum number of levels is 8. The maximum number of categories is 61. A level and a category each consist of a numerical value and a name corresponding to that value. Category values are written in hexadecimal. For example, a level may have the value 0 (decimal) and the name "Not Secret"; a category may have the value 0x0000000000000002 and the name "Communication Troops".
    For file access, the mandatory levels and/or categories can be configured to be ignored separately for writing, reading and execution.
    The mandatory access model of MSVS 3.0 was described in more detail in the earlier article.

    Correctly configured mandatory access helps to avoid problems during development and administration. The levels and categories present in the system are described in configuration files.

    Configuration files
    1. /etc/security/mac_levels - stores the mapping between the numerical values of security levels and their names.
    2. /etc/security/mac_categories - stores the mapping between the numerical values of categories (in hexadecimal) and their names.
    The format of these two files is as follows:
    name:value
    name - the name of the category or level; value - the numerical value of the level or category.
    3. /etc/security/mac - stores the mandatory attributes of users.
    The file has the following format:
    user_name:min_level:min_category:max_level:max_category
    Each line of this file refers to one user of the system. min_level, min_category, max_level and max_category are the numerical values of the minimum and maximum levels and categories. Very often min_level and min_category are not set for a user; in that case they are taken to be the minimum values, so the user can work at any level from 0 up to the maximum level allowed to him.
    In all configuration files, comments begin with "#".
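The following is an added example, not code from MSVS 3.0, that parses the three configuration files in the formats described above (name:value for levels and categories, user:min_level:min_category:max_level:max_category for users, "#" comments, empty minimums defaulting to 0) and checks a user's label range against a file label. The sample file contents are constructed. Two things are assumptions rather than facts from the article: that each category name corresponds to a single bit of the hexadecimal value (so a set of categories is a bitmask), and that label comparison follows the usual Bell-LaPadula rule (a subject label dominates an object label when its level is greater or equal and its category set is a superset); the ignore flags mirror the per-file "ignore levels / ignore categories" settings.

```python
"""Parse MSVS-style mandatory access config files and compare labels.

Added example, not MSVS code. Assumptions: categories are single bits of a
bitmask; comparison is the Bell-LaPadula dominance rule.
"""
from dataclasses import dataclass

MAX_LEVEL = 7          # article: at most 8 levels, numbered 0..7
MAX_CATEGORIES = 61    # article: at most 61 categories (assumed one bit each)

# Constructed sample files in the name:value format with '#' comments.
MAC_LEVELS = """\
# name:value (decimal)
Not Secret:0
Secret:1
Top Secret:2
"""

MAC_CATEGORIES = """\
# name:value (hexadecimal)
Communication Troops:0000000000000002
Logistics:0000000000000004
"""

MAC_USERS = """\
# user:min_level:min_category:max_level:max_category
alice:0:0:2:0000000000000006
bob:::1:0000000000000002
"""


def _records(text):
    """Yield the ':'-separated fields of each non-empty, non-comment line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield [f.strip() for f in line.split(":")]


def parse_levels(text):
    levels = {}
    for name, value in _records(text):
        lvl = int(value)
        if not 0 <= lvl <= MAX_LEVEL:
            raise ValueError(f"level {lvl} out of range for {name!r}")
        levels[name] = lvl
    return levels


def parse_categories(text):
    cats = {}
    for name, value in _records(text):
        mask = int(value, 16)
        # Assumption: one category == one bit, at most 61 bits in use.
        if mask == 0 or mask & (mask - 1) or mask.bit_length() > MAX_CATEGORIES:
            raise ValueError(f"category {name!r} is not a single bit below 2**{MAX_CATEGORIES}")
        cats[name] = mask
    return cats


@dataclass(frozen=True)
class Label:
    level: int
    categories: int  # bitmask of category values

    def dominates(self, other, ignore_levels=False, ignore_categories=False):
        """Assumed BLP rule: level >= and categories are a superset.
        The ignore flags correspond to the per-file 'ignore levels/categories'
        settings; a True flag skips that half of the comparison."""
        level_ok = ignore_levels or self.level >= other.level
        cats_ok = ignore_categories or (other.categories & ~self.categories) == 0
        return level_ok and cats_ok


@dataclass(frozen=True)
class UserRange:
    min_label: Label
    max_label: Label

    def allows(self, label):
        """A user may take any label between min and max, inclusive."""
        return label.dominates(self.min_label) and self.max_label.dominates(label)


def parse_users(text):
    users = {}
    for fields in _records(text):
        if len(fields) != 5:
            raise ValueError(f"bad /etc/security/mac line: {':'.join(fields)!r}")
        user, min_l, min_c, max_l, max_c = fields
        # Empty min_level / min_category mean the minimum values (0).
        users[user] = UserRange(
            Label(int(min_l or "0"), int(min_c or "0", 16)),
            Label(int(max_l), int(max_c, 16)),
        )
    return users


def make_label(levels, cats, level_name, *cat_names):
    """Build a Label from names, e.g. make_label(L, C, 'Secret', 'Logistics')."""
    mask = 0
    for name in cat_names:
        mask |= cats[name]
    return Label(levels[level_name], mask)


if __name__ == "__main__":
    levels = parse_levels(MAC_LEVELS)
    cats = parse_categories(MAC_CATEGORIES)
    users = parse_users(MAC_USERS)
    file_label = make_label(levels, cats, "Secret", "Logistics")
    for name, rng in users.items():
        print(name, "max label dominates file:", rng.max_label.dominates(file_label))
```

The check that matters in practice is UserRange.allows: a user whose /etc/security/mac line is bob:::1:0000000000000002 can log in at level 0 or 1 with category 0x2 or no category, but not with category 0x4 and not at level 2, no matter what label a file carries.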

    System Setup
    The set of security levels and categories can also be managed with the graphical utility macadmin. It allows you to add and remove security levels and categories in the system.
    image

    User settings
    To manage user mandatory attributes, you can use either the graphical shell or the console commands. In graphical mode, labels are managed with the useradmin utility. When adding a new user through this utility, you must set the security levels and the maximum permitted categories. The mandatory label can also be changed in user-editing mode, on the "Security" tab.
    image
    There you can set the maximum security level and the maximum set of categories. You can also grant the user privileges: MCBC_CAP_SETMAC, MCBC_CAP_CHMAC, MCBC_CAP_IGNMACLVL, MCBC_CAP_IGNMACCAT.
    To edit user labels in console mode there is the usermac command, which allows more flexible configuration of user mandatory attributes. Most often it is used with the "-m" switch, which changes a user's attributes:

    usermac -m 0:2 user

    This command gives the user "user" a minimum security level with numerical value 0 and a maximum security level with numerical value 2.
    To display the current user's mandatory attributes, the macid command is convenient.
    Its output is the security level and category set of the current user at the current moment.

    Configuring files
    To assign mandatory labels to files there are likewise graphical and console utilities. The graphical utility is reached via the "Mandatory attributes" tab of the "File Properties" window (right-click on the file -> "Properties").

    image

    In this utility you can assign a security level to a file and select the categories the file belongs to. In addition, you can set the file to ignore mandatory levels (top row) and categories (bottom row).
    When editing the properties of a directory, the selected security level and set of categories can be applied recursively to all objects inside the directory by ticking the "recursively" box.
    To manage file labels in console mode, use the chmac command:

    chmac -R 2 /tmp

    This command recursively assigns the security level with numerical value 2 to the /tmp directory and everything in it.


    Extensions of the standard commands
    In addition to the dedicated mandatory access commands described above, the standard commands have been extended with mandatory-access options.

    ls -M

    Displays the mandatory label of each file.

    ps -M

    Shows the mandatory labels of running processes.

    find -level / -category / -mac-attr

    Searches for files by security level, by category, or by mandatory attributes respectively.

    These utilities are the tools for configuring the mandatory access model in MSVS 3.0. Nothing extra, it seems to me.
