JP2007133632A - Method and program for setting security policy - Google Patents


Info

Publication number
JP2007133632A
Authority
JP
Japan
Prior art keywords
security policy
access
type
step
resource
Prior art date
Legal status
Pending
Application number
JP2005325720A
Other languages
Japanese (ja)
Inventor
Hideaki Saishiyo
秀明 才所
Original Assignee
Hitachi Software Eng Co Ltd
日立ソフトウエアエンジニアリング株式会社
Application filed by Hitachi Software Eng Co Ltd (日立ソフトウエアエンジニアリング株式会社)
Priority to JP2005325720A
Publication of JP2007133632A
Application status: Pending

Abstract

PROBLEM TO BE SOLVED: To provide a security policy setting method for a secure OS that minimizes the amount of memory required while realizing a security policy that permits only the minimum necessary access.
A first step assigns different types to each security policy setting target resource. A second step executes a specific program one or more times in the type assignment environment of the first step and accumulates the access log for each resource in a log information storage means. A third step, based on the accumulated access log, aggregates the access vectors related to the same domain and the same type into one access vector, determines from the relationship between domain name, resource type and access vector which types can be aggregated, performs the type aggregation, and stores the result in a security policy storage unit as the security policy of the secure OS.
[Selection] Figure 3

Description

  The present invention relates to a security policy setting method and program that improve readability while granting only the minimum necessary access authority when setting the security policy of a secure OS.

The security policy of a secure OS assigns a label expressing a security attribute to each process and to resources such as files and directories, and describes the access rights between them. For example, in SELinux (Security Enhanced Linux), the label assigned to a process is called a "domain" and the label assigned to a resource is called a "type". A permitted operation is called an "access vector"; for example, when a process is granted read authority on the object type "file", which represents an ordinary file, the access vector "read" is set.
In SELinux, several to several tens of access vectors are defined for each resource type, and the access vectors permitted on each type (resource) can be set as the security policy for each domain (each process).

However, setting a security policy in a secure OS that allows flexible, fine-grained access control such as SELinux is very difficult. The reason is that the person setting the security policy understands the program's call relationships and its access to the major resources, but does not understand its access to other resources such as libraries and tmp files. It is therefore very difficult to assign resource types and set access vectors.
In a secure OS, the minimum necessary access should be set based on the principle of least privilege, but in practice access is often set more permissively than necessary because that is easier.

Regarding the setting of security policies, various setting tools and automatic setting tools have been announced, as seen in Non-Patent Documents 1 to 3 below.
There is also a method of automatically generating a policy from program source code or a model, as disclosed in Patent Document 1 below.
Non-Patent Document 1: SELinux Policy Editor, http://www.selinux.hitachi-sk.co.jp/tool/selpe/selpe-top.html
Non-Patent Document 2: SELinux/Aid, http://www.selinux.hitachi-sk.co.jp/tool/selaid/selaid-top.html
Non-Patent Document 3: SE Linux Policy Tools, http://www.tresys.com/selinux/selinux_policy_tools.html
Patent Document 1: JP 2005-63224 A

However, the various setting tools and automatic setting tools proposed in Non-Patent Documents 1 to 3 make the minimum necessary settings easier but are not perfect.
Further, even with a method that automatically generates a security policy from program source code or a model, as in Patent Document 1, it is difficult to set access vectors for all resources.
In this case, there is a method of assigning a different type to every resource and setting the access vectors from the result of an operation test. Assigning different types to all resources can be done mechanically. However, when the number of types becomes enormous, the amount of memory required for access control also becomes enormous, and the load becomes a problem in actual operation.
In addition, the operation test for access vector setting must be performed many times, and if its results are used as they are for the access vector settings, the settings between the same domain and type end up spread over multiple lines. The program writer then spends a great deal of effort checking the access vector settings.

  An object of the present invention is to provide a security policy setting method and program for a secure OS that realize a security policy permitting only the minimum necessary access, minimize the required amount of memory, and allow the program creator to easily check the access vectors that have been set.

In order to achieve the above object, the security policy setting method of the secure OS according to the present invention comprises:
a first step of assigning different types to each security policy setting target resource; a second step of executing a specific program one or more times in the type assignment environment of the first step and accumulating the access log for each resource in a log information storage means; and a third step of aggregating, based on the accumulated access log, the access vectors related to the same domain and the same type into one access vector, determining from the relationship between domain name, resource type and access vector which types can be aggregated, performing the type aggregation, and storing the aggregation result in a security policy storage unit as the security policy of the secure OS.
Here, the specific program is a program scheduled to be used in the secure OS environment.
The security policy setting target resources are the resources over which the secure OS performs access control, excluding:
(1) resources that the security policy setter intentionally excludes (that is, resources to which the setter deliberately assigns the same type), and
(2) resources that cannot be assigned different types due to restrictions of the secure OS specification.

Further, the security policy setting program according to the present invention causes a computer equipped with a secure OS to function as:
a first means for assigning different types to each security policy setting target resource; a second means for executing a specific program one or more times in the type assignment environment of the first means and accumulating the access log for each resource in a log information storage means; and a third means for aggregating, based on the accumulated access log, the access vectors related to the same domain and the same type into one access vector, determining from the relationship between domain name, resource type and access vector which types can be aggregated, performing the type aggregation, and storing the aggregation result in a security policy storage means as the security policy of the secure OS.

  According to the present invention, different types are set in advance for each security policy setting target resource, the programs to be used in the secure OS environment are actually executed in that state, the resulting access log for each resource is analyzed, the access vectors and types for the same domain and the same type are aggregated, and the aggregation result is set as the security policy of the secure OS. This makes it possible to set a security policy that permits only the minimum necessary access, minimizes the amount of memory required, and can be easily checked by the program creator.

Hereinafter, an embodiment for carrying out the present invention is described specifically with reference to the drawings.
FIG. 1 is a functional block diagram showing an embodiment of a computer that implements the security policy setting method of the present invention.
The computer of this embodiment includes a CPU 1, an input device 2 consisting of a keyboard and a mouse, a display device 3, a log information database (log information DB) 4, a memory 5, and a security policy DB 6. The memory 5 stores a secure OS 50 and a security policy setting program 51.
The security policy setting program 51 is composed of a policy input unit 511, an automatic label assignment processing unit 512, a policy reflection processing unit 513, an operation log input unit 514, a simple policy creation processing unit 515, a line aggregation processing unit 516, and a type aggregation processing unit 517.

  FIG. 2 is a diagram illustrating an example of an access log to resources accumulated in the log information DB 4. In this example, access by the domain "ftpd_t" to a resource of object class "dir" carrying the type "var_t", using the access vector "read", is denied.

FIG. 3 is a flowchart showing an outline of the processing of the security policy setting program 51. The present invention is described below with reference to this flowchart.
A user who is the security policy setter first creates a base policy and passes it to the policy input unit 511 (step 301). The base policy consists of the domain settings given to processes and the access authorities to resources, as far as the setter can know them. For example, it contains domain settings, resource type assignment settings and access vector settings such as those shown in the conceptual diagram of FIG. 4.
FIG. 4 is briefly described as follows. The apache process is given the domain httpd_t, and the vsftp process is given the domain vsftp_t. The files and directories under "/etc/httpd/" are assigned the type httpd_conf_t, and those under "/var/www/html/" the type httpd_content_t; the remaining types are assigned in the same manner. Further, httpd_t is given read authority on httpd_conf_t and httpd_content_t, and append authority on httpd_log_t. In SELinux, these access vector settings are written as shown in FIG.

When the security policy setting program 51 receives a base policy such as that of FIG. 3 or FIG. 4, the automatic label assignment processing unit 512 searches for resources that are not set in the base policy and automatically assigns a different label to each of them (step 302). This can be realized by searching all file systems of the system for which the security policy is being set. The base policy and the labels assigned in step 302 are then combined into one policy.
Here, the system is the computer on which the secure OS 50 is installed.
Next, the policy reflection processing unit 513 reflects the combined policy in the system (step 303). The policy reflection processing unit 513 is a function generally provided by the secure OS 50 and is used as it is.

Next, an operation test is performed by executing the programs scheduled to be used in the environment of the secure OS 50, in a mode in which policy violations are written to the log instead of being enforced. During this test, the access log of policy violations is collected and stored in the log information DB 4 (step 304). In SELinux this is the permissive mode.
Next, the collected log is read through the operation log input unit 514, and it is determined whether it contains any entries in which access was denied (step 305).
If there are such entries in step 305, the simple policy creation processing unit 515 generates a simple policy to which access vector settings permitting the denied operations are added. A function provided by the secure OS may be used for this; in SELinux, for example, the audit2allow command can be used. The process then returns to step 303 (step 306).
In many cases, including the first pass, steps 303 to 306 are repeated several times.
If there are no such entries in step 305, the line aggregation processing unit 516 performs policy line aggregation. When step 306 has been performed several times, access vectors for the same domain and the same type are set across multiple lines, as shown in FIG. 6A.
The line aggregation processing unit 516 therefore searches for lines with the same domain and type and converts them into a single access vector setting, as shown in FIG. 6B (step 307).

Next, the type aggregation processing unit 517 performs type aggregation and stores the result in the security policy DB 6 (step 308). A flowchart of this type aggregation process is shown in FIG. Here it is assumed that the security policy after step 307 has the type assignment settings shown in FIG. 8 and access vector settings as shown in FIG.
The type aggregation processing unit 517 first extracts, within each domain, the types that receive the same access vector setting from that domain (step 701). For example, from FIG. 9A the relationships shown in FIG. 9B, which group the types with the same access vector setting, can be extracted.
Entry 910 indicates that the access vector setting from the domain X_t is the same "read write" (901) for the type A_t and the type B_t; the following entries are read in the same way. A type that shares its access vector setting with no other type, such as 915, is extracted in the same manner.
Next, FIG. 9B is searched for a combination of types that never appears with only one of its members present (step 702). For example, A_t and B_t both appear in 910 and 911, and neither A_t nor B_t appears on its own. On the other hand, C_t and D_t do not qualify, because D_t appears alone in 915.
Next, it is determined whether such a combination was found in the result of step 701 (step 703). If one is found, type aggregation is performed (step 704).
In the example of FIG. 9B, the combination of A_t and B_t is found, so type aggregation is possible. Accordingly, the type assignment setting 802 in FIG. 8 is converted to the same type A_t as 801, as indicated by 1001 in FIG. 10.
Further, in the access vector settings of FIG. 9A, the entries 901, 902 and 903, which contain B_t, are deleted, converting the settings into those shown in FIG. 11 (step 704). The process then returns to step 702.
If no combination is found in step 703, no further type aggregation is possible and the process ends.
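The line aggregation of step 307 and the type aggregation of steps 701 to 704 described above, implemented as an added Python example; this is not code from the patent or from Hitachi Software. The allow rules, the domain and type names (X_t, Y_t, A_t to D_t) and the audit2allow-style rule syntax it parses are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample (not from the patent): allow rules in the syntax that
# audit2allow emits, gathered over several permissive-mode test runs.
# X_t/Y_t are domains; A_t to D_t are the distinct types assigned in step 302.
SAMPLE_RULES = """
allow X_t A_t:file { read };
allow X_t A_t:file { write };
allow X_t B_t:file { read write };
allow Y_t A_t:file { read };
allow Y_t B_t:file { read };
allow X_t C_t:file { read };
allow X_t D_t:file { read };
allow Y_t D_t:file { write };
"""

RULE_RE = re.compile(r"allow\s+(\w+)\s+(\w+):(\w+)\s+\{\s*([^}]*)\}\s*;")


def parse_rules(text):
    """Return a list of (domain, type, class, frozenset(permissions))."""
    return [(d, t, c, frozenset(p.split())) for d, t, c, p in RULE_RE.findall(text)]


def aggregate_lines(rules):
    """Step 307: merge every rule for one (domain, type, class) into a single access vector."""
    merged = defaultdict(set)
    for d, t, c, perms in rules:
        merged[(d, t, c)] |= perms
    return {k: frozenset(v) for k, v in merged.items()}


def aggregate_types(policy):
    """Steps 701 to 704: merge types that every domain treats identically.

    Returns the reduced policy and a mapping {merged type: surviving type}, which is
    the relabelling to apply to the type assignment settings (FIG. 8 to FIG. 10).
    """
    policy = dict(policy)
    alias = {}
    while True:
        # step 701: group the types that receive the same access vector from the same domain
        groups = defaultdict(set)
        for (d, t, c), perms in policy.items():
            groups[(d, c, perms)].add(t)
        # step 702: look for a pair of types such that no group contains only one of them
        types = sorted({t for (_, t, _) in policy})
        found = None
        for i, a in enumerate(types):
            for b in types[i + 1:]:
                if all((a in g) == (b in g) for g in groups.values()):
                    found = (a, b)
                    break
            if found:
                break
        if found is None:          # step 703: nothing left to aggregate, done
            return policy, alias
        a, b = found               # step 704: delete b's rules; b's resources are relabelled a
        policy = {k: v for k, v in policy.items() if k[1] != b}
        for old, new in alias.items():   # keep earlier merges pointing at the survivor
            if new == b:
                alias[old] = a
        alias[b] = a


def render(policy):
    """Emit the aggregated policy as sorted allow rules."""
    return sorted(f"allow {d} {t}:{c} {{ {' '.join(sorted(p))} }};"
                  for (d, t, c), p in policy.items())


if __name__ == "__main__":
    reduced, relabel = aggregate_types(aggregate_lines(parse_rules(SAMPLE_RULES)))
    print("\n".join(render(reduced)))
    print("relabel:", relabel)  # {'B_t': 'A_t'}
```

With the sample input, A_t and B_t are merged because both X_t and Y_t grant them identical access vectors, while C_t and D_t stay separate because D_t alone is granted write by Y_t.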

With the above, a security policy that basically permits only the minimum necessary access can be created by attaching different labels, while line aggregation and type aggregation minimize the required amount of memory and make the access vector settings easy to read.
When attaching different labels, the following cases are excluded, as in the case of assigning different types to resources:
(1) cases that the security policy setter intentionally excludes (that is, cases in which the setter intentionally assigns the same label), and
(2) cases in which a different label cannot be assigned due to restrictions of the secure OS specification.

FIG. 1 is a functional block diagram of a computer to which the present invention is applied.
FIG. 2 is a diagram showing an example of access log information.
FIG. 3 is a flowchart showing an outline of the processing sequence of the security policy setting program.
FIG. 4 is a security policy conceptual diagram of a secure OS.
FIG. 5 is a diagram showing an example of access vector settings of a secure OS.
FIG. 6 is a diagram showing an example of access vector settings before and after the line aggregation process.
FIG. 7 is a flowchart showing an outline of the type aggregation process.
FIG. 8 is a diagram showing an example of type assignment settings before the type aggregation process.
FIG. 9 is a diagram showing an example of access vector settings for the type aggregation process and the result of extracting the relationship between domains and types.
FIG. 10 is a diagram showing an example of type assignment settings after the type aggregation process.
FIG. 11 is a diagram showing an example of access vector settings after the type aggregation process.

Explanation of symbols

4 Log information DB
6 Security policy DB
50 Secure OS
51 Security policy setting program
511 Policy input unit
512 Automatic label assignment processing unit
513 Policy reflection processing unit
514 Operation log input unit
515 Simple policy creation processing unit
516 Line aggregation processing unit
517 Type aggregation processing unit

Claims (2)

  1. A method for setting a security policy for a secure OS, wherein a security policy setting means executes:
    a first step of assigning different types to each security policy setting target resource; a second step of executing a specific program one or more times in the type assignment environment of the first step and accumulating the access log for each resource in a log information storage means; and a third step of aggregating, based on the accumulated access log, the access vectors related to the same domain and the same type into one access vector, determining from the relationship between domain name, resource type and access vector which types can be aggregated, performing type aggregation, and storing the aggregation result in a security policy storage unit as the security policy of the secure OS.
  2. A program for setting a security policy for a secure OS, which causes a computer with the secure OS installed to function as:
    a first means for assigning different types to each security policy setting target resource; a second means for executing a specific program one or more times in the type assignment environment of the first means and accumulating the access log for each resource in a log information storage means; and a third means for aggregating, based on the accumulated access log, the access vectors related to the same domain and the same type into one access vector, determining from the relationship between domain name, resource type and access vector which types can be aggregated, performing type aggregation, and storing the aggregation result in a security policy storage means as the security policy of the secure OS.
JP2005325720A 2005-11-10 2005-11-10 Method and program for setting security policy Pending JP2007133632A (en)


Publications (1)

Publication Number Publication Date
JP2007133632A true JP2007133632A (en) 2007-05-31

Family

ID=38155243


Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2009020782A (en) * 2007-07-13 2009-01-29 Hitachi Software Eng Co Ltd Method and program for optimizing security policy of secure os

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2004280831A (en) * 2003-03-14 2004-10-07 Websense Inc System and method of monitoring/controlling application file
JP2005063223A (en) * 2003-08-15 2005-03-10 Nippon Telegr & Teleph Corp <Ntt> Secure file sharing method and device
JP2005234661A (en) * 2004-02-17 2005-09-02 Nec Corp Access policy creation system, method and program



Legal Events

Code, title, effective date
A621 Written request for application examination (Japanese intermediate code: A621), effective date: 20080708
A131 Notification of reasons for refusal (Japanese intermediate code: A131), effective date: 20101220
A977 Report on retrieval (Japanese intermediate code: A971007), effective date: 20101222
A521 Written amendment (Japanese intermediate code: A523), effective date: 20110217
A02 Decision of refusal (Japanese intermediate code: A02), effective date: 20110307