Some minor wording/grammar changes.
This commit is contained in:
Tom Rhodes
parent
c4661a24fb
commit
bb455d5117
Notes:
svn2git
2020-12-08 03:00:23 +00:00
svn path=/head/; revision=27615
1 changed files with 16 additions and 15 deletions
|
|
@ -32,7 +32,7 @@
|
|||
(<acronym>MAC</acronym>) facilities. Mandatory Access Control allows
|
||||
new access control modules to be loaded, implementing new security
|
||||
policies. Some provide protections of a narrow subset of the
|
||||
system, hardening a particular service, while others provide
|
||||
system, hardening a particular service Others provide
|
||||
comprehensive labeled security across all subjects and objects.
|
||||
The mandatory part
|
||||
of the definition comes from the fact that the enforcement of
|
||||
|
|
@ -42,7 +42,7 @@
|
|||
file and System V <acronym>IPC</acronym> permissions on &os;).</para>
|
||||
|
||||
<para>This chapter will focus on the
|
||||
Mandatory Access Control Framework (MAC Framework), and a set
|
||||
Mandatory Access Control Framework (<acronym>MAC</acronym> Framework), and a set
|
||||
of pluggable security policy modules enabling various security
|
||||
mechanisms.</para>
|
||||
|
||||
|
|
@ -127,7 +127,7 @@
|
|||
<title>What Will Not Be Covered</title>
|
||||
|
||||
<para>This chapter covers a broad range of security issues relating
|
||||
to the <acronym>MAC</acronym> framework; however, the
|
||||
to the <acronym>MAC</acronym> framework. The
|
||||
development of new <acronym>MAC</acronym> security policy modules
|
||||
will not be covered. A number of security policy modules included with the
|
||||
<acronym>MAC</acronym> framework have specific characteristics
|
||||
|
|
@ -972,12 +972,12 @@ test: biba/high</screen>
|
|||
is iterated until either a matching rule is located or the end
|
||||
is reached. This behavior may be changed by the use of a
|
||||
&man.sysctl.8; parameter,
|
||||
security.mac.bsdextended.firstmatch_enabled is set. Similar to
|
||||
other fire wall modules in &os;, a file containing access control
|
||||
security.mac.bsdextended.firstmatch_enabled. Similar to
|
||||
other firewall modules in &os;, a file containing access control
|
||||
rules can be created and read by the system at boot time using
|
||||
an &man.rc.conf.5; variable.</para>
|
||||
|
||||
<para>The rule list may be created using a utility, &man.ugidfw.8;,
|
||||
<para>The rule list may be entered using a utility, &man.ugidfw.8;,
|
||||
that has a syntax similar to that of &man.ipfw.8;. More tools
|
||||
can be written by using the functions in the
|
||||
&man.libugidfw.3; library.</para>
|
||||
|
|
@ -1032,7 +1032,7 @@ test: biba/high</screen>
|
|||
by these changes.</para>
|
||||
</note>
|
||||
|
||||
<para>This should give a general idea of how the
|
||||
<para>This should provide a general idea of how the
|
||||
&man.mac.bsdextended.4; module may be used to help fortify
|
||||
a file system. For more information, see the
|
||||
&man.mac.bsdextended.4; and the &man.ugidfw.8; manual
|
||||
|
|
@ -1445,17 +1445,18 @@ test: biba/high</screen>
|
|||
|
||||
<para>With the Multi-Level Security Policy Module, an
|
||||
administrator plans for controlling the flow of sensitive
|
||||
information. By default, with its block read up block read
|
||||
information. By default, with its block read up block write
|
||||
down nature, the system defaults everything to a low state.
|
||||
Everything is pretty much accessible and an administrator
|
||||
slowly changes this during the configuration stage.</para>
|
||||
Everything is accessible and an administrator
|
||||
slowly changes this during the configuration stage; augmenting
|
||||
the confidentiality of the information.</para>
|
||||
|
||||
<para>Beyond the three basic label options above, an administrator
|
||||
may group users and groups as required to block the information
|
||||
flow between them. It might be easier to look at the
|
||||
information in clearance levels familiarized with words, for
|
||||
instance classifications such as
|
||||
<literal>confidential</literal>, <literal>Secret</literal>,
|
||||
<literal>Confidential</literal>, <literal>Secret</literal>,
|
||||
and <literal>Top Secret</literal>. Some administrators might
|
||||
just create different groups based on project levels.
|
||||
Regardless of classification method, a well thought out plan
|
||||
|
|
@ -1592,9 +1593,9 @@ test: biba/low</screen>
|
|||
|
||||
<para>The &man.mac.biba.4; security policy module permits an
|
||||
administrator to address which files and programs a user or
|
||||
users may see and invoke, while assuring that the programs and
|
||||
users may see and invoke while assuring that the programs and
|
||||
files are free from threats and trusted by the system for that
|
||||
user or users.</para>
|
||||
user, or group of users.</para>
|
||||
|
||||
<para>During the initial planning phase, an administrator must be
|
||||
prepared to partition users into grades, levels, and areas.
|
||||
|
|
@ -1604,11 +1605,11 @@ test: biba/low</screen>
|
|||
it is up to the administrator to configure the different grades
|
||||
and levels for users. Instead of using clearance levels as
|
||||
described above, a good planning method could include topics.
|
||||
For instance, only allow developers to access the source code
|
||||
For instance, only allow developers modification access to the source code
|
||||
repository, source code compiler, and other development
|
||||
utilities. While other users would be grouped into other
|
||||
categories such as testers, designers, or just ordinary
|
||||
users.</para>
|
||||
users and would only be permitted read access.</para>
|
||||
|
||||
<para>With its natural security control, a lower integrity subject
|
||||
is unable to write to a higher integrity subject; a higher
|
||||
|
|
|
|||
Loading…
Reference in a new issue