This document discusses various topics related to operating system security, including users and groups, SETUID and SETGID permissions, dangerous accounts, user policy, multilevel security models like the military security model and Graham-Denning model, information flow control models like Bell-LaPadula and Biba, secure operating system design principles, security kernels, backup policies, integrity protection strategies like prevention, detection and recovery, Unix operating modes, auditing tools like syslog, and log file vulnerabilities. It provides an overview of fundamental concepts in operating system security.
Here are the key points about the /etc/password file in Linux:
- It contains information about system users, including their username, UID, home directory, shell, and encrypted password or indicator that it is stored elsewhere (usually /etc/shadow)
- The username is used for logins and should be between 1-32 characters
- A password of x means the encrypted password is stored in /etc/shadow for better security
- Each user must have a unique UID, with 0 reserved for root and 1-99 reserved for other system users
So in summary, /etc/password defines Linux system users and contains their basic account details like username, UID, and password/encryption information. The UID
This document discusses protection and security in operating systems. It begins by defining protection as mechanisms within the OS to control access to programs and resources, while security refers to issues external to the OS like authentication. The document then outlines topics on protection mechanisms and security issues. It discusses the first computer virus as an example of how a program can reproduce itself and propagate in a way that is hard to detect. Finally, it covers goals of protection like least privilege and separating policy from mechanism in OS design.
SELinux Johannesburg Linux User Group (JoziJUg)Jumping Bean
SELinux presentation given at the Jozi Lug in March. If you are in Johannesburg, South Africa and want to join us see our page on meetup.com. Search for JLug.
http://www.meetup.com/Jozi-Linux-User-Group-JLUG/
This document provides an overview of operating system security. It discusses the key components and functions of an operating system including multitasking, resource management, user interfaces, and more. It then examines the security environment of an operating system including services, files, memory, authentication, authorization, and vulnerabilities. Finally, it outlines best practices for securing an operating system such as installing only necessary software, configuring users and permissions properly, applying patches and updates, and performing regular security monitoring, backups and testing.
Ch 8: Desktop and Server OS VulnerabilitesSam Bowne
Slides for a college course at City College San Francisco. Based on "Hands-On Ethical Hacking and Network Defense, Third Edition" by Michael T. Simpson, Kent Backman, and James Corley -- ISBN: 9781285454610.
Instructor: Sam Bowne
Class website: https://samsclass.info/123/123_S17.shtml
CNIT 123: 8: Desktop and Server OS VulnerabilitesSam Bowne
Slides for a college course based on "Hands-On Ethical Hacking and Network Defense, Second Edition by Michael T. Simpson, Kent Backman, and James Corley -- ISBN: 1133935613
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/123/123_F16.shtml
This document discusses protection in operating systems. It covers the goals of protection which include ensuring objects are only accessed by allowed processes. Principles of protection include least privilege and need-to-know. Protection domains and access matrices are used to specify allowed access. Implementation options for access matrices include access lists, capability lists, and lock-key systems. Role-based access control and revocation of access rights are also covered. Capability-based systems like Hydra and Cambridge CAP are described. Finally, language-based protection specifies policies through programming languages.
This document discusses using SE-Linux to protect confidential PDF files on a Linux system. It describes implementing SE-Linux in targeted mode with a custom module. A special "TopSecret" category is assigned to PDF files. The appserv user is given access to this category to allow the application server to access the PDFs. Strict restrictions are placed on administrator access using sudo, su, SSH, and auditing to log all access attempts to the protected PDF directory. The implementation provides mandatory access control while maintaining manageability for system operators.
Here are the key points about the /etc/password file in Linux:
- It contains information about system users, including their username, UID, home directory, shell, and encrypted password or indicator that it is stored elsewhere (usually /etc/shadow)
- The username is used for logins and should be between 1-32 characters
- A password of x means the encrypted password is stored in /etc/shadow for better security
- Each user must have a unique UID, with 0 reserved for root and 1-99 reserved for other system users
So in summary, /etc/password defines Linux system users and contains their basic account details like username, UID, and password/encryption information. The UID
This document discusses protection and security in operating systems. It begins by defining protection as mechanisms within the OS to control access to programs and resources, while security refers to issues external to the OS like authentication. The document then outlines topics on protection mechanisms and security issues. It discusses the first computer virus as an example of how a program can reproduce itself and propagate in a way that is hard to detect. Finally, it covers goals of protection like least privilege and separating policy from mechanism in OS design.
SELinux Johannesburg Linux User Group (JoziJUg)Jumping Bean
SELinux presentation given at the Jozi Lug in March. If you are in Johannesburg, South Africa and want to join us see our page on meetup.com. Search for JLug.
http://www.meetup.com/Jozi-Linux-User-Group-JLUG/
This document provides an overview of operating system security. It discusses the key components and functions of an operating system including multitasking, resource management, user interfaces, and more. It then examines the security environment of an operating system including services, files, memory, authentication, authorization, and vulnerabilities. Finally, it outlines best practices for securing an operating system such as installing only necessary software, configuring users and permissions properly, applying patches and updates, and performing regular security monitoring, backups and testing.
Ch 8: Desktop and Server OS VulnerabilitesSam Bowne
Slides for a college course at City College San Francisco. Based on "Hands-On Ethical Hacking and Network Defense, Third Edition" by Michael T. Simpson, Kent Backman, and James Corley -- ISBN: 9781285454610.
Instructor: Sam Bowne
Class website: https://samsclass.info/123/123_S17.shtml
CNIT 123: 8: Desktop and Server OS VulnerabilitesSam Bowne
Slides for a college course based on "Hands-On Ethical Hacking and Network Defense, Second Edition by Michael T. Simpson, Kent Backman, and James Corley -- ISBN: 1133935613
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/123/123_F16.shtml
This document discusses protection in operating systems. It covers the goals of protection which include ensuring objects are only accessed by allowed processes. Principles of protection include least privilege and need-to-know. Protection domains and access matrices are used to specify allowed access. Implementation options for access matrices include access lists, capability lists, and lock-key systems. Role-based access control and revocation of access rights are also covered. Capability-based systems like Hydra and Cambridge CAP are described. Finally, language-based protection specifies policies through programming languages.
This document discusses using SE-Linux to protect confidential PDF files on a Linux system. It describes implementing SE-Linux in targeted mode with a custom module. A special "TopSecret" category is assigned to PDF files. The appserv user is given access to this category to allow the application server to access the PDFs. Strict restrictions are placed on administrator access using sudo, su, SSH, and auditing to log all access attempts to the protected PDF directory. The implementation provides mandatory access control while maintaining manageability for system operators.
For a college class in Ethical Hacking and Network Defense at CCSF, by Sam Bowne. More info at https://samsclass.info/123/123_F17.shtml
Based on this book
Hands-On Ethical Hacking and Network Defense, Third Edition by Michael T. Simpson, Kent Backman, and James Corley -- ISBN: 9781285454610
CNIT 123 8: Desktop and Server OS VulnerabilitiesSam Bowne
For a college class in Ethical Hacking and Network Defense at CCSF, by Sam Bowne. More info at https://samsclass.info/123/123_S18.shtml
Based on this book
Hands-On Ethical Hacking and Network Defense, Third Edition by Michael T. Simpson, Kent Backman, and James Corley -- ISBN: 9781285454610
The document discusses information systems security. It introduces the CIA triad of confidentiality, integrity, and availability. It then describes several common information security tools including authentication, access control, encryption, passwords, backup, firewalls, virtual private networks, physical security, and security policies. It concludes by discussing steps individuals can take to improve their personal digital security.
The document discusses information systems security. It introduces the CIA triad of confidentiality, integrity, and availability. It then describes several common information security tools including authentication, access control, encryption, passwords, backup systems, firewalls, virtual private networks, physical security, and security policies. It concludes by discussing steps individuals can take to improve their personal digital security.
UKC - Feb 2013 - Analyzing the security of Windows 7 and Linux for cloud comp...Vincent Giersch
University of Kent 2013 - CO899 System security
Presentation of the article:
Salah K, et al, Computers & Security (2012), http://dx.doi.org/10.1016/j.cose.2012.12.001
The document discusses access control fundamentals, including definitions of access control, common terminology, and four access control models. It describes logical access control methods like access control lists, group policies, account restrictions, and passwords. Physical access control methods such as door security, video surveillance, and access logs are also mentioned. The objectives, access control terminology, models, and practices are explained in detail over multiple pages.
This chapter discusses protection in computer systems. It covers the goals of ensuring only authorized access to resources, the principle of least privilege, using access matrices to define access rights across protection domains, and different methods of implementing and revoking access controls, such as capability-based systems and language-based protections. Protection domains group objects and access rights, while access matrices specify the operations each domain can perform on different objects. Various operating systems implement domains and matrices in different ways to enforce access restrictions.
This chapter discusses protection in computer systems. It covers the goals of ensuring only authorized access to resources, the principle of least privilege, using access matrices to define access rights across protection domains, and different methods of implementing and revoking access controls, such as capability-based systems and language-based protections. Protection domains group objects and access rights, while access matrices specify the operations each domain can perform on different objects. Various operating systems implement domains and matrices in different ways, such as rings in Multics or roles in Solaris.
This document discusses security architecture and models at a high level. It covers security models related to confidentiality, integrity and information flow. It also discusses differences between commercial and government security requirements. The document outlines the role of evaluation criteria such as TCSEC, ITSEC and CC. It briefly discusses security practices for the Internet like IPSec. It provides an overview of technical platforms involving hardware, firmware and software. It also touches on system security techniques including preventative, detective and corrective controls.
The document provides an overview of operating systems, describing their objectives of convenience, efficiency, and ability to evolve. It discusses the key services operating systems provide such as program development and execution, access to I/O devices, error detection, and accounting. The document also outlines the evolution of operating systems from serial processing to time sharing and describes important operating system concepts like processes, memory management, and system structure.
The document provides an overview of operating systems, describing their objectives of convenience, efficiency, and ability to evolve. It discusses the key services operating systems provide such as program development and execution, access to I/O devices, error detection, and accounting. The document also outlines the evolution of operating systems from serial processing to time sharing and describes important operating system concepts like processes, memory management, and system structure.
This document provides an overview of a training course on system and network security for Windows 2003/XP/2000. It discusses what the course will cover, including the native security features of these Windows operating systems, how to lock down and secure Windows systems, and vulnerabilities and countermeasures. It also summarizes new and modified security features in Windows Server 2003 such as the Common Language Runtime, Internet Connection Firewall, account behavior changes, and enhancements to Encrypted File System, IPSec, authorization manager, and IIS 6.0.
Overview of NSA Security Enhanced Linux - FOSS.IN/2005James Morris
This document provides an overview of NSA Security Enhanced Linux (SELinux). SELinux implements mandatory access control (MAC) to provide fine-grained access control and confinement of processes. It uses type enforcement (TE) and role-based access control (RBAC) models to define types for objects and domains for processes. TE rules in the SELinux policy specify which domains can access which object types. SELinux has been merged into the Linux kernel and adopted by several distributions to enhance security for network-facing services. Current development focuses on multi-level security and a reference policy, with future work on tools, policies, and additional applications.
The operating system controls execution of application programs, acts as an interface between applications and hardware, and provides various services like program development, execution, I/O access, error detection, and accounting. It is responsible for managing computer system resources and functions by executing as a program itself while also relinquishing processor control periodically. The kernel is the core portion of the operating system resident in memory containing frequently used functions. Operating systems have evolved from serial processing without a system to modern designs using processes, virtual memory, multiprocessing, distributed systems, and object-oriented techniques.
Network Implementation and Support Lesson 14 Security Features - Eric Vande...Eric Vanderburg
This document discusses various security features in Windows networks including authentication methods like NTLM, Kerberos, and RADIUS. It covers access control using permissions and privileges as well as encryption methods like EFS, IPSec, and VPN. The document also discusses security policies, patch management, security templates, auditing, and several related acronyms. Security templates define security settings that can be applied through Group Policy to multiple machines. Auditing is used to track security events and access in logs but can consume significant disk space if used extensively.
Access control permits or denies access to resources based on authentication and authorization. Authentication verifies the identity of users and systems, while authorization determines the resources a user can access based on discretionary access control using access control lists, mandatory access control using security labels, or role-based access control assigning roles and permissions.
Protection in general purpose operating systemG Prachi
The document provides an overview of general purpose operating system protection. It discusses various file protection mechanisms including all-none protection, group protection, and individual permissions. It also covers user authentication methods such as passwords, biometrics, and one-time passwords. The document then examines security policies, models, and the design of trusted operating systems. It analyzes features like access control, identification, authentication, and auditing that are important for a trusted OS.
This document discusses database security and best practices for securing MySQL databases. It covers common database vulnerabilities like poor configurations, weak authentication, lack of encryption, and improper credential management. It also discusses database attacks like SQL injection and brute force attacks. The document provides recommendations for database administrators to properly configure access controls, encryption, auditing, backups and monitoring to harden MySQL databases.
Complete coverage of CISSP 7th Chapter - Security Operations. I have made sure to cover all topics from three books in this presentation. For corrections, clarifications, please feel free to reach me.
Information Security Lesson 4 - Baselines - Eric VanderburgEric Vanderburg
The document discusses security baselines and hardening systems and networks. It covers topics like disabling unused services, using security templates to configure Windows settings, implementing group policy for domain configurations, and applying patches and filters to harden applications, operating systems, databases, and network devices. The document also defines several common acronyms related to information security.
How to Make a Field Mandatory in Odoo 17Celine George
In Odoo, making a field required can be done through both Python code and XML views. When you set the required attribute to True in Python code, it makes the field required across all views where it's used. Conversely, when you set the required attribute in XML views, it makes the field required only in the context of that particular view.
For a college class in Ethical Hacking and Network Defense at CCSF, by Sam Bowne. More info at https://samsclass.info/123/123_F17.shtml
Based on this book
Hands-On Ethical Hacking and Network Defense, Third Edition by Michael T. Simpson, Kent Backman, and James Corley -- ISBN: 9781285454610
CNIT 123 8: Desktop and Server OS VulnerabilitiesSam Bowne
For a college class in Ethical Hacking and Network Defense at CCSF, by Sam Bowne. More info at https://samsclass.info/123/123_S18.shtml
Based on this book
Hands-On Ethical Hacking and Network Defense, Third Edition by Michael T. Simpson, Kent Backman, and James Corley -- ISBN: 9781285454610
The document discusses information systems security. It introduces the CIA triad of confidentiality, integrity, and availability. It then describes several common information security tools including authentication, access control, encryption, passwords, backup, firewalls, virtual private networks, physical security, and security policies. It concludes by discussing steps individuals can take to improve their personal digital security.
The document discusses information systems security. It introduces the CIA triad of confidentiality, integrity, and availability. It then describes several common information security tools including authentication, access control, encryption, passwords, backup systems, firewalls, virtual private networks, physical security, and security policies. It concludes by discussing steps individuals can take to improve their personal digital security.
UKC - Feb 2013 - Analyzing the security of Windows 7 and Linux for cloud comp...Vincent Giersch
University of Kent 2013 - CO899 System security
Presentation of the article:
Salah K, et al, Computers & Security (2012), http://dx.doi.org/10.1016/j.cose.2012.12.001
The document discusses access control fundamentals, including definitions of access control, common terminology, and four access control models. It describes logical access control methods like access control lists, group policies, account restrictions, and passwords. Physical access control methods such as door security, video surveillance, and access logs are also mentioned. The objectives, access control terminology, models, and practices are explained in detail over multiple pages.
This chapter discusses protection in computer systems. It covers the goals of ensuring only authorized access to resources, the principle of least privilege, using access matrices to define access rights across protection domains, and different methods of implementing and revoking access controls, such as capability-based systems and language-based protections. Protection domains group objects and access rights, while access matrices specify the operations each domain can perform on different objects. Various operating systems implement domains and matrices in different ways to enforce access restrictions.
This chapter discusses protection in computer systems. It covers the goals of ensuring only authorized access to resources, the principle of least privilege, using access matrices to define access rights across protection domains, and different methods of implementing and revoking access controls, such as capability-based systems and language-based protections. Protection domains group objects and access rights, while access matrices specify the operations each domain can perform on different objects. Various operating systems implement domains and matrices in different ways, such as rings in Multics or roles in Solaris.
This document discusses security architecture and models at a high level. It covers security models related to confidentiality, integrity and information flow. It also discusses differences between commercial and government security requirements. The document outlines the role of evaluation criteria such as TCSEC, ITSEC and CC. It briefly discusses security practices for the Internet like IPSec. It provides an overview of technical platforms involving hardware, firmware and software. It also touches on system security techniques including preventative, detective and corrective controls.
The document provides an overview of operating systems, describing their objectives of convenience, efficiency, and ability to evolve. It discusses the key services operating systems provide such as program development and execution, access to I/O devices, error detection, and accounting. The document also outlines the evolution of operating systems from serial processing to time sharing and describes important operating system concepts like processes, memory management, and system structure.
The document provides an overview of operating systems, describing their objectives of convenience, efficiency, and ability to evolve. It discusses the key services operating systems provide such as program development and execution, access to I/O devices, error detection, and accounting. The document also outlines the evolution of operating systems from serial processing to time sharing and describes important operating system concepts like processes, memory management, and system structure.
This document provides an overview of a training course on system and network security for Windows 2003/XP/2000. It discusses what the course will cover, including the native security features of these Windows operating systems, how to lock down and secure Windows systems, and vulnerabilities and countermeasures. It also summarizes new and modified security features in Windows Server 2003 such as the Common Language Runtime, Internet Connection Firewall, account behavior changes, and enhancements to Encrypted File System, IPSec, authorization manager, and IIS 6.0.
Overview of NSA Security Enhanced Linux - FOSS.IN/2005James Morris
This document provides an overview of NSA Security Enhanced Linux (SELinux). SELinux implements mandatory access control (MAC) to provide fine-grained access control and confinement of processes. It uses type enforcement (TE) and role-based access control (RBAC) models to define types for objects and domains for processes. TE rules in the SELinux policy specify which domains can access which object types. SELinux has been merged into the Linux kernel and adopted by several distributions to enhance security for network-facing services. Current development focuses on multi-level security and a reference policy, with future work on tools, policies, and additional applications.
The operating system controls execution of application programs, acts as an interface between applications and hardware, and provides various services like program development, execution, I/O access, error detection, and accounting. It is responsible for managing computer system resources and functions by executing as a program itself while also relinquishing processor control periodically. The kernel is the core portion of the operating system resident in memory containing frequently used functions. Operating systems have evolved from serial processing without a system to modern designs using processes, virtual memory, multiprocessing, distributed systems, and object-oriented techniques.
Network Implementation and Support Lesson 14 Security Features - Eric Vande...Eric Vanderburg
This document discusses various security features in Windows networks including authentication methods like NTLM, Kerberos, and RADIUS. It covers access control using permissions and privileges as well as encryption methods like EFS, IPSec, and VPN. The document also discusses security policies, patch management, security templates, auditing, and several related acronyms. Security templates define security settings that can be applied through Group Policy to multiple machines. Auditing is used to track security events and access in logs but can consume significant disk space if used extensively.
Access control permits or denies access to resources based on authentication and authorization. Authentication verifies the identity of users and systems, while authorization determines the resources a user can access based on discretionary access control using access control lists, mandatory access control using security labels, or role-based access control assigning roles and permissions.
Protection in general purpose operating systemG Prachi
The document provides an overview of general purpose operating system protection. It discusses various file protection mechanisms including all-none protection, group protection, and individual permissions. It also covers user authentication methods such as passwords, biometrics, and one-time passwords. The document then examines security policies, models, and the design of trusted operating systems. It analyzes features like access control, identification, authentication, and auditing that are important for a trusted OS.
This document discusses database security and best practices for securing MySQL databases. It covers common database vulnerabilities like poor configurations, weak authentication, lack of encryption, and improper credential management. It also discusses database attacks like SQL injection and brute force attacks. The document provides recommendations for database administrators to properly configure access controls, encryption, auditing, backups and monitoring to harden MySQL databases.
Complete coverage of CISSP 7th Chapter - Security Operations. I have made sure to cover all topics from three books in this presentation. For corrections, clarifications, please feel free to reach me.
Information Security Lesson 4 - Baselines - Eric VanderburgEric Vanderburg
The document discusses security baselines and hardening systems and networks. It covers topics like disabling unused services, using security templates to configure Windows settings, implementing group policy for domain configurations, and applying patches and filters to harden applications, operating systems, databases, and network devices. The document also defines several common acronyms related to information security.
How to Make a Field Mandatory in Odoo 17Celine George
In Odoo, making a field required can be done through both Python code and XML views. When you set the required attribute to True in Python code, it makes the field required across all views where it's used. Conversely, when you set the required attribute in XML views, it makes the field required only in the context of that particular view.
This presentation includes basic of PCOS their pathology and treatment and also Ayurveda correlation of PCOS and Ayurvedic line of treatment mentioned in classics.
বাংলাদেশের অর্থনৈতিক সমীক্ষা ২০২৪ [Bangladesh Economic Review 2024 Bangla.pdf] কম্পিউটার , ট্যাব ও স্মার্ট ফোন ভার্সন সহ সম্পূর্ণ বাংলা ই-বুক বা pdf বই " সুচিপত্র ...বুকমার্ক মেনু 🔖 ও হাইপার লিংক মেনু 📝👆 যুক্ত ..
আমাদের সবার জন্য খুব খুব গুরুত্বপূর্ণ একটি বই ..বিসিএস, ব্যাংক, ইউনিভার্সিটি ভর্তি ও যে কোন প্রতিযোগিতা মূলক পরীক্ষার জন্য এর খুব ইম্পরট্যান্ট একটি বিষয় ...তাছাড়া বাংলাদেশের সাম্প্রতিক যে কোন ডাটা বা তথ্য এই বইতে পাবেন ...
তাই একজন নাগরিক হিসাবে এই তথ্য গুলো আপনার জানা প্রয়োজন ...।
বিসিএস ও ব্যাংক এর লিখিত পরীক্ষা ...+এছাড়া মাধ্যমিক ও উচ্চমাধ্যমিকের স্টুডেন্টদের জন্য অনেক কাজে আসবে ...
How to Add Chatter in the odoo 17 ERP ModuleCeline George
In Odoo, the chatter is like a chat tool that helps you work together on records. You can leave notes and track things, making it easier to talk with your team and partners. Inside chatter, all communication history, activity, and changes will be displayed.
How to Build a Module in Odoo 17 Using the Scaffold MethodCeline George
Odoo provides an option for creating a module by using a single line command. By using this command the user can make a whole structure of a module. It is very easy for a beginner to make a module. There is no need to make each file manually. This slide will show how to create a module using the scaffold method.
Leveraging Generative AI to Drive Nonprofit InnovationTechSoup
In this webinar, participants learned how to utilize Generative AI to streamline operations and elevate member engagement. Amazon Web Service experts provided a customer specific use cases and dived into low/no-code tools that are quick and easy to deploy through Amazon Web Service (AWS.)
LAND USE LAND COVER AND NDVI OF MIRZAPUR DISTRICT, UPRAHUL
This Dissertation explores the particular circumstances of Mirzapur, a region located in the
core of India. Mirzapur, with its varied terrains and abundant biodiversity, offers an optimal
environment for investigating the changes in vegetation cover dynamics. Our study utilizes
advanced technologies such as GIS (Geographic Information Systems) and Remote sensing to
analyze the transformations that have taken place over the course of a decade.
The complex relationship between human activities and the environment has been the focus
of extensive research and worry. As the global community grapples with swift urbanization,
population expansion, and economic progress, the effects on natural ecosystems are becoming
more evident. A crucial element of this impact is the alteration of vegetation cover, which plays a
significant role in maintaining the ecological equilibrium of our planet.Land serves as the foundation for all human activities and provides the necessary materials for
these activities. As the most crucial natural resource, its utilization by humans results in different
'Land uses,' which are determined by both human activities and the physical characteristics of the
land.
The utilization of land is impacted by human needs and environmental factors. In countries
like India, rapid population growth and the emphasis on extensive resource exploitation can lead
to significant land degradation, adversely affecting the region's land cover.
Therefore, human intervention has significantly influenced land use patterns over many
centuries, evolving its structure over time and space. In the present era, these changes have
accelerated due to factors such as agriculture and urbanization. Information regarding land use and
cover is essential for various planning and management tasks related to the Earth's surface,
providing crucial environmental data for scientific, resource management, policy purposes, and
diverse human activities.
Accurate understanding of land use and cover is imperative for the development planning
of any area. Consequently, a wide range of professionals, including earth system scientists, land
and water managers, and urban planners, are interested in obtaining data on land use and cover
changes, conversion trends, and other related patterns. The spatial dimensions of land use and
cover support policymakers and scientists in making well-informed decisions, as alterations in
these patterns indicate shifts in economic and social conditions. Monitoring such changes with the
help of Advanced technologies like Remote Sensing and Geographic Information Systems is
crucial for coordinated efforts across different administrative levels. Advanced technologies like
Remote Sensing and Geographic Information Systems
9
Changes in vegetation cover refer to variations in the distribution, composition, and overall
structure of plant communities across different temporal and spatial scales. These changes can
occur natural.
Exploiting Artificial Intelligence for Empowering Researchers and Faculty, In...Dr. Vinod Kumar Kanvaria
Exploiting Artificial Intelligence for Empowering Researchers and Faculty,
International FDP on Fundamentals of Research in Social Sciences
at Integral University, Lucknow, 06.06.2024
By Dr. Vinod Kumar Kanvaria
2. 95-752:6-2
Users
• UNIX user -> username -> uid
– uid is systems real name for user
– integer 0 ... 65536 (varies in some systems)
– mapping is in /etc/passwd
shimeall:*:5003:20:Tim:/users/shimeall:csh
• More than one username may map to a uid
– Desired for some system purposes (program tracking)
– Problem for ordinary users (confused file ownership)
– Security problem (hacker makes duplicate uid account)
• Temporary uid change: su
3. 95-752:6-3
Groups
• User - one or more groups
• Group - zero or more users
– Used for file permissions
– Defined by /etc/groups and network sharing software
– ypcat group.byname
– gid - integer system name for group (generally unique)
• Listed for individual users with groups
• Change group of file with chgrp
– chgrp newgroup myfile
4. 95-752:6-4
SETUID and SETGID
• Special mechanisms: temporarily use a uid or gid
during the execution of a program)
• Part of mode bits
– s in user x field - setuid
– s in group x field - setgid
• To be effective, both s and x must be set
– chmod a+x myprog
– chmod u+s myprog
– chmod 4755 myprog
• WARNING: Lots of subtle security holes!
7. 95-752:6-7
Multilevel Security
• Users with different needs to know sharing
computer or network
• If don’t need to know – shouldn’t even be
able to determine if information exists
• Should be able to filter functionality based
on allowable information
• Mandatory and Discretionary protections
8. 95-752:6-8
Monitor Model
• General Schema:
– Takes user's request.
– Consults access control information.
– Allows or disallows request.
• Advantages
– Easy to implement.
– Easy to understand
• Disadvantages
– Bottleneck in system
– Controls only direct accesses (not inferences)
9. 95-752:6-9
Graham-Denning Model
• Introduces protection rules that operate on:
– A set of subjects S
– A set of objects O
– A set of rights R
– An access control matrix
Subjects S1 S2 O1 O2
s1 Control Read* Owner read
s2 Control Owner
11. 95-752:6-11
Military Security Model
• Information is ranked:
– Unclassified
– Confidential
– Secret
– Top Secret
• Least Privilege: Subject should have access to
fewest objects needed for successful work
– The system backup program may be allowed to bypass
read restrictions on files, but it would not have the
ability to modify files.
– Need to Know”
12. 95-752:6-12
Compartmentalization
Information may belong to one or more
compartments
Compartments are used to enforce need-to-know.
• Classification of Information:
<rank; compartments>
• Clearance: <rank; compartments>
– an indication of a level of trust
• A subject can access an object only if
– The clearance level of the subject is at least as high as
that of the information.
– The subject has a need to know about all compartments
for which the information is classified.
13. 95-752:6-13
Information Flow Models
• Acts as an intelligent filter to control the
transfer of information permitted by access
to a particular object.
• Information flow analysis can assure that
operating system modules that have access
to sensitive data cannot leak that data to
calling modules.
14. 95-752:6-14
Bell-LaPadula Model
• A formal description of the allowable paths of
information flow in a secure system.
– Applies only to privacy
– Identifies paths that could lead to inappropriate
disclosures.
– Is used as the basis for the design of systems that
handle data of multiple levels.
– Includes both discretionary and mandatory access rules
• B-LP Discretionary Access Control
– Uses Access Matrix similar to Graham-Denning Model
– Includes functions for dealing with the access matrix.
15. 95-752:6-15
Bell-LaPadula Mandatory
Controls
• Fixed security classes for each subject and
each object
• Security classes ordered by a relation
– Tranquility constraint prevents access classes of
objects from changing
• Simple Security Property
• * Property
16. 95-752:6-16
Bell-LaPadula Properties
Simple Security Property:
• Subject may have read access only if object
classified at same level or lower.
* - Property
• Subject may have write access only if all
objects read are at same level or higher than
object to be written.
17. 95-752:6-17
Biba Model
• Concerned with integrity rather than
secrecy.
• Defines integrity levels much like
sensitivity levels.
– Fixed integrity classes for each subject and
each object
– Ordered integrity classes
18. 95-752:6-18
Biba Properties
Simple Integrity Property:
• Subject can modify object only if integrity class at
least as high as the object. (untrusted subjects
reduce integrity class when writing)
* - Property:
• Subjects may have write access only if the
integrity of objects they are reading is at least as
high as the object to be written. (untrusted sources
reduce integrity of results)
19. 95-752:6-19
Integrity Preservation
A high integrity file is one whose contents are
created by high-integrity processes.
• high-integrity file cannot be contaminated by
information from low-integrity processes.
• high-integrity process cannot be subverted by low
integrity processes or data.
The integrity class label on a file guarantees that the
contents came only from sources of at least that
degree of integrity.
20. 95-752:6-20
Secure Operating Systems
Basic Features of a Multiprogramming OS
– Authentication of users.
– Protection of memory.
– File and I/O device access control.
– Allocation and access control to general objects.
– Enforcement of sharing.
– Guarantee of fair service.
– Interprocess communication and synchronization.
• Basic Considerations
– Security must be considered in every aspect of the
design of operating systems.
– It is difficult to add on security features.
21. 95-752:6-21
Basic Design Principles
• Least privilege - fewest possible privileges for
user.
• Economy of mechanism - small, simple, straight
forward.
• Open design
• Complete mediation - check every access
• Permission based - default is denial of access.
• Separation of privilege - no single super user.
• Least common mechanism - avoid shared objects.
• Easy to use.
22. 95-752:6-22
Security Kernel
• Responsible for implementing the security
mechanisms of the entire operating system.
• Provides the security interfaces among the
hardware, the operating system, and the
other parts of the computing system.
• Implementation of a security kernel:
– May degrade system performance (one more
layer).
– May be large.
– No guarantees.
23. 95-752:6-23
Backups
• First line of defense against denial-of-service and
modification threats
• Don’t depend on system backups for important
data
• User backups
• Administrator backups:
– Day-zero backup
– Upgrade backup
– Full backup
– Incremental backup
24. 95-752:6-24
Backup Policy
• One backup volume per partition
• Time backup for restoration
– How much work are we willing to lose?
• Verify backup at archive location
– Content - not just format
– Ensure operator training
– Ensure archive environment
• Rotate media
– Need more than most recent backup
• Maintain physical security on backups
• Maintain logical security on backups
• Be careful about legal issues on backups
25. 95-752:6-25
Integrity
• Compromise of integrity equal to compromise of
privacy
• Integrity threats:
– Change permissions to allow modification/reading
– Change password file
– Change device / interface configurations
– Move files
– Replace system programs with substitutes
– Replace log files with sanitized versions
• 95% of UNIX security incidents result of
misconfiguration
27. 95-752:6-27
Unix Operation Modes
• Normal Operating Mode:
– Any user login
– Diverse command set
– Network operations
– Import and export files
• Single User Mode:
– Intended for system maintenance / full backup
– Only root login allowed
– Restricted command set
– No network operations
– No file import/export
28. 95-752:6-28
Prevention Strategies
• Software Controls:
– File permissions
– Directory permissions
– Restrictions on root access
• Low-level operating system controls:
– Immutability - only change in single-user mode
– append - only add to file, except single-user mode
• Hardware controls:
– Read-only file systems (CD ROM, WORM)
– Write-protect options
29. 95-752:6-29
Detection Strategies
• Comparison copies:
– On read-only media
– On standard media, remote storage
– Large space, slow, expensive
• Metadata:
– Stored list of files
– Path to files
– Modification times
– Easy to fool
• Digital Signature
– Encrypt with private key of modifier
– Fast, small, hard to fool, requires extra work
30. 95-752:6-30
TRIPWIRE
• System to compute signatures on all files in
system
– Batch mode - compare against stored signatures &
report differences
– Interactive mode - compare against stored signatures &
confirm updates
– Both commercial and freeware products
• Detects:
– Corrupted file systems
– Unlogged administrator actions
– Replacement of system programs
31. 95-752:6-31
Recovery Strategies
• Restore from backup - Rollback (Data Loss)
• If data problem, may be able to replay changes -
Selective Rollback (some data loss)
• If redundant file system, vote file versions -
Masking
• If specific changes found - correct - Roll forward
• In general -- the more detection and prevention,
the easier the recovery
32. 95-752:6-32
Auditing
• Installing security protection is only a beginning
• Need to monitor systems
• Monitoring methods: Audits and Logs
– Audit - active scanning of current state of system
– Log - record of actions taken in operation of system
• Audits often use logs, and do more
33. 95-752:6-33
Log File Vulnerabilities
• Alteration
– Append mode
– Non-rewritable media (print)
• Deletion
– Non-rewritable media
– Move to restricted log host
– PC linked by serial line
• Flooding
– Ensure large storage
– Reduce before logging (look for repeating patterns)
34. 95-752:6-34
Syslog
• General purpose logging utility
• Any program can generate syslog messages
– Socket connect to syslogd process TCP port
• Messages to files, devices or computers
– Dependent on severity and service
• Messages marked with authentication level
– kern, user, mail, lpr, auth, demon, news, uucp,
local0...local7, mark
• Messages marked with priority
– emerg, alert, crit, err, warning, notice, info, debug, none
36. 95-752:6-36
Hand-Written Logs
• Journal System
• Ensure physical protection
• “Where do you keep them?”
• Ensure legitimate entries
– Signature rules
• Keep for system
• Keep for site