adam's notes

Endpoint Configuration

Access Control

Access control refers to regulating and managing the permissions granted to individuals, software, systems, and networks to access resources or information.

File System Permissions

  • each object in the file system has an access control list (ACL) associated with it
    • each ACL contains a list of accounts (principals) allowed to access the resource and the permissions they have over it
  • order of access control entries (ACE) determines the effective permissions for a given account
  • ACLs can be enforced by a file system that supports permissions
    • e.g., NTFS, ext3/4, ZFS

Linux Permissions

  • 3 basic permissions:
    • Read (r)
      • is the ability to access and view the contents of a file or list the contents of a directory
    • Write (w)
      • is the ability to save changes to a file, or create, rename, and delete files in a directory (also requires execute)
    • Execute (x)
      • is the ability to
        • run a script, program, or other software file
        • or the ability to access a directory, execute a file from that directory, or perform a task on that directory, such as file search
  • permissions can be applied in the context of:
    • the owner user (u)
    • a group account (g)
    • and all other users/world (o)
  • A permission string lists the permissions granted in each of these contexts:
    • d rwx r-x r-x home
  • the chmod command is used to modify file permissions in Unix/Linux systems
    • 2 modes
      • symbolic mode
        • to append or remove permissions:
          • chmod g+w, o-x home
        • set exact permissions:
          • chmod u=rwx,g=rx,o=rx home
      • absolute mode
        • permissions are applied using octal notation
          • r=4, w=2, x=1
        • chmod 755 home
          • user permission is 7 = 4+2+1 (r+w+x)
          • group and all is 5 = 4+1 (r+x)

Application allow lists and block lists

Allow list is a security configuration where access is denied to any entity (software process, IP/domain, and so on) unless the entity appears on an allow list.

  • denies execution unless the process is explicitly authorized

Block list is a security configuration where access is generally permitted to a software process, IP/domain, or other subject unless it is listed as explicitly prohibited.

  • allows execution but explicitly prohibits listed processes

  • contents of allow lists and block lists needs to be updated in response to incidents and ongoing threat hunting and monitoring

Monitoring

Configuration enforcement

Configuration enforcement describes methods used to ensure that systems and devices within an organization’s network adhere to mandatory security configurations.

  • depend on these capabilities:
    • standardized configuration baselines
      • used as the benchmark for how systems and devices should be configured
      • defined by organizations like NIST, CIS, or the organization itself
    • automated configuration management tools
      • used to apply and maintain standardized configuration baselines across the environment automatically
    • continuous monitoring and compliance checks
      • crucial to detect deviations from mandatory configurations
    • change management processes
      • ensure configuration changes are properly reviewed, tested, and approved before implementation

Group Policy

Group Policy is a feature of the Microsoft Windows operating system and provides centralized management and configuration of operating systems, applications, and user settings in an Active Directory environment.

  • enforce security settings by applying consistent settings across all systems linked to specific Group Policies
  • are linked to containers called Organizational Units (OUs) that normally contain user and computer objects
    • Group Policies linked to the OU apply to all objects contained within it
  • e.g.,
    • password policies
    • user rights
    • Windows Firewall settings
    • system update settings
    • etc.
  • reduces potential issues related to misconfigurations or inconsistent settings
  • edit with Group Policy Editor (gpedit.msc)

SELinux

SELinux is a security feature of the Linux kernel that supports access control security policies, including mandatory access controls (MAC).

  • is the default context-based permissions scheme provided with CentOS and Red Hat Enterprise Linux
  • allows more granular permission control over every process and system object within an operating system
    • strictly limiting the resources a process can access and what operations it can perform
  • operates on the principle that if a process or user does not need resource access to operate, it will be blocked
  • also available on the Android operating system
    • enabled using SEAndroid to provide similar functionality but using a separately maintained codebase

Graph View

Backlinks