**Access control**
Access control provides a set of methods that identify all the functions in a system, organize them and place them under trusteeship, and that likewise identify, organize and manage all of the system's data. It then exposes a single, simple interface: one end of the interface is the application system, the other is the permission engine. The question the permission engine answers is whether a given subject holds the permission to perform a given action (an operation or computation) on a given resource. The result it returns is one of: yes, no, or permission engine error.
Access control is a technique that almost every system, computer-based or not, needs. It restricts users' access to certain information items, or limits their use of certain control functions, according to their identity and the defined groups they belong to. System administrators usually use access control to govern users' access to network resources such as servers, directories and files.
**Access control models**
**1. Discretionary access control (DAC)**
An authorized user may transfer permissions to others on their own initiative; changes to permissions are made by privileged users. Linux, UNIX and Windows all use this form.
Storage of permission information (access tables):
(1) Access control list (ACL): takes the object as its core, and attaches to the object all subjects together with their corresponding permissions.
(2) Access control capability list (ACCL): takes the subject as its core, and lists all the objects it is allowed to access together with the permissions on each.
(3) Access control matrix (ACM): a binary matrix expressing the permission relation; it contains redundancy.
Characteristics: flexible data access and free transfer of permissions, but this brings security problems, and data protection is weak.
**2. Mandatory access control (MAC)**
Rights are managed more strictly. Each subject and object is assigned a security level, and each user, according to their own security level, holds all of the access that level grants. This permission is strictly tied to the security level: it cannot be transferred, and it cannot be changed for an individual user.
Read/write permission examples (two strict mechanisms commonly used by the military):
(1) Write up, read down: effectively prevents information from leaking to lower security levels; protects confidentiality.
(2) Write down, read up: effectively prevents lower levels from tampering with information; protects integrity.
**3. Role-based access control (RBAC)**
Users are no longer considered individually but are organized into groups, and the permissions on objects are bundled into roles. A role has its own specific capabilities, so a user obtains permissions by way of a role rather than directly.
This preserves the flexibility of discretionary control, since a user can take on different roles to obtain different permissions, while also ensuring strictness of access: roles are fixed, they cannot be freely combined, and the acquisition of a role is controlled.
The administrator decides who obtains, adds or deletes roles; access is not free. This is the difference between RBAC and DAC.
Permissions are organized by role, and a role may hold permissions at different security levels, so there is no concept of a security level; roles are added as needed. This is the difference between RBAC and DAC.
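The three models above (DAC through an object-centred ACL and its subject-centred capability view, MAC with both read/write rules, and RBAC) as one small permission engine behind the single yes/no/error interface the article describes. This is an added example in Python, not code from the original article; the subjects, objects, levels and roles are constructed sample data.

```python
from dataclasses import dataclass, field


@dataclass
class PermissionEngine:
    # DAC: access control list keyed by object -> {subject: {permissions}}.
    acl: dict = field(default_factory=dict)
    # MAC: security level of every subject and object (higher = more sensitive).
    level: dict = field(default_factory=dict)
    # RBAC: user -> roles, role -> {(object, permission)}.
    user_roles: dict = field(default_factory=dict)
    role_perms: dict = field(default_factory=dict)

    def dac(self, subject, obj, perm):
        """Object-centred ACL lookup: the object's entry lists its subjects."""
        return perm in self.acl.get(obj, {}).get(subject, set())

    def capability_list(self, subject):
        """Subject-centred view (ACCL) derived from the same permission matrix."""
        return {o: subs[subject] for o, subs in self.acl.items() if subject in subs}

    def mac_confidentiality(self, subject, obj, perm):
        """'Write up, read down': never read above or write below your own level."""
        s, o = self.level[subject], self.level[obj]
        return (perm == "read" and s >= o) or (perm == "write" and s <= o)

    def mac_integrity(self, subject, obj, perm):
        """'Write down, read up': never read below or write above your own level."""
        s, o = self.level[subject], self.level[obj]
        return (perm == "read" and s <= o) or (perm == "write" and s >= o)

    def rbac(self, user, obj, perm):
        """Permission is reached only through a role the administrator granted."""
        roles = self.user_roles.get(user, ())
        return any((obj, perm) in self.role_perms.get(r, set()) for r in roles)

    def decide(self, model, subject, obj, perm):
        """The single interface: answers yes / no / error, as the article describes."""
        checks = {"dac": self.dac, "mac_c": self.mac_confidentiality,
                  "mac_i": self.mac_integrity, "rbac": self.rbac}
        try:
            return "yes" if checks[model](subject, obj, perm) else "no"
        except KeyError:  # unknown model, or a subject/object with no security level
            return "error"

# Constructed sample data: alice is cleared to level 2, bob only to level 0.
ENGINE = PermissionEngine(
    acl={"report.txt": {"alice": {"read", "write"}, "bob": {"read"}}},
    level={"alice": 2, "bob": 0, "report.txt": 2, "notice.txt": 0},
    user_roles={"carol": ["auditor"]},
    role_perms={"auditor": {("report.txt", "read")}},
)
```

Note that under the confidentiality rule bob (level 0) may write the level 2 report but not read it, while under the integrity rule the opposite holds; the same engine returns "error" rather than "no" when a subject has no security level at all.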
**Basic principles of access control models:**
(1) Principle of least privilege: allocate to the subject the minimum rights it needs to do its work, and no more.
(2) Principle of minimum leakage: while a subject exercises its rights, minimize the information it obtains.
(3) Multilevel security policy: take the security level of information into account, and prevent high-level information from leaking to low-level subjects.
**Implementation strategies**
Network permission restrictions
Directory-level security control
Attribute security control
Network server security control
Network monitoring and lock control
Security control of network ports and nodes