An administrator implements SELinux on a production web server. After implementing this, the web server no longer serves up files from users’ home directories. To rectify this, the administrator creates a new policy as the root user. This is an example of which of the following? (Select TWO).
A. Enforcing SELinux in the OS kernel is role-based access control B. Enforcing SELinux in the OS kernel is rule-based access control C. The policy added by the root user is mandatory access control D. Enforcing SELinux in the OS kernel is mandatory access control E. The policy added by the root user is role-based access control F. The policy added by the root user is rule-based access control
Answer: D,F
Explanation: Enforcing SELinux in the OS kernel is mandatory access control. SELinux is Security Enhanced Linux which is a locked down version of the OS kernel.
Mandatory Access Control (MAC) is a relatively inflexible method for how information access is permitted. In a MAC environment, all access capabilities are predefined. Users can’t share information unless their rights to share it are established by administrators. Consequently, administrators must make any changes that need to be made to such rights. This process enforces a rigid model of security. However, it is also considered the most secure security model.
The policy added by the root user is rule-based access control. The administrator has defined a policy that states that users folders should be served by the web server. Rule-Based Access Control (RBAC) uses the settings in preconfigured security policies to make all decisions.
A technician wants to implement a dual factor authentication system that will enable the organization to authorize access to sensitive systems on a need-to-know basis. Which of the following should be implemented during the authorization stage?
A. Biometrics B. Mandatory access control C. Single sign-on D. Role-based access control
Answer: A
Explanation: This question is asking about “authorization”, not authentication.
Mandatory access control (MAC) is a form of access control commonly employed by government and military environments. MAC specifies that access is granted based on a set of rules rather than at the discretion of a user. The rules that govern MAC are hierarchical in nature and are often called sensitivity labels, security domains, or classifications.
MAC can also be deployed in private sector or corporate business environments. Such cases typically involve the following four security domain levels (in order from least sensitive to most sensitive):
Public Sensitive Private Confidential
A MAC environment works by assigning subjects a clearance level and assigning objects a sensitivity label—in other words, everything is assigned a classification marker. Subjects or users are assigned clearance levels. The name of the clearance level is the same as the name of the sensitivity label assigned to objects or resources. A person (or other subject, such as a program or a computer system) must have the same or greater assigned clearance level as the resources they wish to access. In this manner, access is granted or restricted based on the rules of classification (that is, sensitivity labels and clearance levels). MAC is named as it is because the access control it imposes on an environment is mandatory. Its assigned classifications and the resulting granting and restriction of access can’t be altered by users. Instead, the rules that define the environment and judge the assignment of sensitivity labels and clearance levels control authorization. MAC isn’t a very granularly controlled security environment. An improvement to MAC includes the use of need to know: a security restriction where some objects (resources or data) are restricted unless the subject has a need to know them. The objects that require a specific need to know are assigned a sensitivity label, but they’re compartmentalized from the rest of the objects with the same sensitivity label (in the same security domain). The need to know is a rule in and of itself, which states that access is granted only to users who have been assigned work tasks that require access to the cordoned-off object. Even if users have the proper level of clearance, without need to know, they’re denied access. Need to know is the MAC equivalent of the principle of least privilege from DAC
A security administrator implements access controls based on the security classification of the data and need-to-know information. Which of the following BEST describes this level of access control?
A. Implicit deny B. Role-based Access Control C. Mandatory Access Controls D. Least privilege
Answer: C
Explanation: Mandatory Access Control allows access to be granted or restricted based on the rules of classification. MAC also includes the use of need to know. Need to know is a security restriction where some objects are restricted unless the subject has a need to know them.
After Ann, a user, logs into her banking websites she has access to her financial institution mortgage, credit card, and brokerage websites as well. Which of the following is being described?
A. Trusted OS B. Mandatory access control C. Separation of duties D. Single sign-on
Answer: D
Explanation: Single sign-on means that once a user (or other subject) is authenticated into a realm, re-authentication is not required for access to resources on any realm entity. The question states that when Ann logs into her banking websites she has access to her financial institution mortgage, credit card, and brokerage websites as well. This describes an SSO scenario.
Peter Has read and write access to his own home directory. Peter and Ann are collaborating on a project, and Peter would like to give Ann write access to one particular file in this home directory. Which of the following types of access control would this reflect?
A. Role-based access control B. Rule-based access control C. Mandatory access control D. Discretionary access control
Answer: D
Explanation: Discretionary access control (DAC) allows access to be granted or restricted by an object’s owner based on user identity and on the discretion of the object owner.
Which of the following common access control models is commonly used on systems to ensure a “need to know” based on classification levels?
A. Role Based Access Controls B. Mandatory Access Controls C. Discretionary Access Controls D. Access Control List
Answer: B
Explanation: Mandatory Access Control allows access to be granted or restricted based on the rules of classification. MAC also includes the use of need to know. Need to know is a security restriction where some objects are restricted unless the subject has a need to know them.
Which of the following access controls enforces permissions based on data labeling at specific levels?
A. Mandatory access control B. Separation of duties access control C. Discretionary access control D. Role based access control
Answer: A
Explanation: In a MAC environment everything is assigned a classification marker. Subjects are assigned a clearance level and objects are assigned a sensitivity label.
A security technician is working with the network firewall team to implement access controls at the company’s demarc as part of the initiation of configuration management processes. One of the network technicians asks the security technician to explain the access control type found in a firewall. With which of the following should the security technician respond?
A. Rule based access control B. Role based access control C. Discretionary access control D. Mandatory access control
Answer: A
Explanation: Rule-based access control is used for network devices, such as firewalls and routers, which filter traffic based on filtering rules.
The IT department has setup a share point site to be used on the intranet. Security has established the groups and permissions on the site. No one may modify the permissions and all requests for access are centrally managed by the security team. This is an example of which of the following control types?
A. Rule based access control B. Mandatory access control C. User assigned privilege D. Discretionary access control
Answer: D
Explanation: Discretionary access control (DAC) allows access to be granted or restricted by an object’s owner based on user identity and on the discretion of the object owner.