|
|
|
CA Access Control protects the following entities:
Is a user authorized to access a particular file?
CA Access Control restricts a user's ability to access a file. You can give a user one or more types of access, such as READ, WRITE, EXECUTE, DELETE, and RENAME. The access can be specified regarding an individual file or to a set of similarly named files.
Is a user authorized to use a particular terminal?
This check is done during the login process. Individual terminals and groups of terminals can be defined in the CA Access Control database, with access rules that state which users, or groups of users, are allowed to use the terminal or terminal group. Terminal protection ensures that no unauthorized terminal or station can be used to log into the accounts of powerfully authorized users.
Is a user authorized to log on at a particular time on a particular day?
Most users use their stations only on weekdays and only during work hours; the time‑of‑day and day‑of‑week login restrictions, as well as holiday restrictions, provide protection from hackers and from other unauthorized accessors.
Is another station authorized to receive TCP/IP services from the local computer? Is another station authorized to supply TCP/IP services to the local computer? Is another station permitted to receive services from every user of the local station?
The advantage of an open system-a system in which both the computers and the networks are open-is also a disadvantage. Once a computer is connected to the outside world, one can never be sure who enters the system and what damage an alien user may do, whether intentionally or by mistake. CA Access Control includes “firewalls” that prevent local stations and servers from providing services to unknown stations.
Is the user permitted to log in from a second terminal?
The term concurrent logins refers to a user's ability to be logged onto the system from more than one terminal. CA Access Control can prevent a user from logging in more than once. This prevents intruders from logging into the accounts of users who are already logged in.
You can define and protect both regular entities (such as TCP/IP services and terminals) and functional entities (known as abstract objects; such as performing a transaction and accessing a record in a database).
CA Access Control provides the means to both delegate superuser authorities to operators and restrict the privilege of the superuser account.
Are users authorized to substitute their user IDs?
The UNIX setuid system call, one of the most sensitive services provided by the operating system, is intercepted by CA Access Control to check whether the user is authorized to perform the substitution. The substitute‑user authority check includes program pathing-users are permitted to substitute their user IDs only through specific programs. This is especially important in controlling who can substitute to root and thereby gain root access.
Is a user authorized to issue the newgrp (substitute‑group) command?
Substitute‑group protection is similar to substitute‑user protection.
Can a particular setuid or setgid program be trusted? Is the user authorized to invoke it?
The security administrator can test programs that are marked as setuid or setgid executables to ensure that they do not contain any security loopholes that can be used to gain unauthorized access. Programs that pass the test and are considered safe are defined as trusted programs. The CA Access Control Self‑Protection Module (also referred to as the CA Access Control watchdog) knows which program is in control at a particular time and checks whether the program has been modified or moved since it was classified as trusted. If a trusted program is modified or moved, the program is no longer considered trusted and CA Access Control does not allow it to run.
In addition, CA Access Control protects against various deliberate and accidental threats, including:
CA Access Control can be used to protect critical servers and services or daemons against kill attempts.
CA Access Control protects against various types of password attacks, enforces the password‑definition policies of your site, and detects break‑in attempts.
CA Access Control policies delineate rules that force users to create and use passwords of sufficient quality. To ensure that users create and use acceptable passwords, CA Access Control can set maximum and minimum lifetimes for passwords, restrict certain words, prohibit repetitive characters, and enforce other restrictions. Passwords are not permitted to last too long.
CA Access Control policies ensure that dormant accounts are dealt with appropriately.
CA Access Control can implement password protection and enforce security across NIS and non‑NIS domains.
| Copyright © 2012 CA. All rights reserved. |
|