Principles
- With MAC, an operating system limits the ability of an initiator (a process or user) to access or perform actions on objects such as files, directories, network ports and memory blocks.
- Every access or action is checked against a set of rules (the policy) to decide whether it is allowed. Violations of the rules are logged and can generate notifications.
The State of MAC
- Linux gained MAC in 2000. MS Windows still doesn't have MAC.
- Around 2008 Windows moved a little closer to MAC, but the design (MIC, Mandatory Integrity Control) is fundamentally wrong, since it uses levels of access rather than types.
- If MS Windows had MAC it wouldn't need ever more numerous, complex and fragile defence mechanisms to compensate for its absence, mechanisms which can often be bypassed.
- You can read another expert's comments here.
Web Server MAC example
- If a way is found to upload malware to a MAC-protected web server, the MAC rules for the web server prevent the malware from being executed. In fact those rules prevent the web server from executing any file at all.
DNS Server MAC example
- In July 2020 a serious MS Windows vulnerability was reported, whereby sending certain data to a Windows DNS (Domain Name System) server made it possible to gain Domain Administrator privileges.
- An equivalent vulnerability on a MAC-enabled system would not enable a privilege increase, because the MAC rules for the DNS server prevent the execution of any privilege-increasing software.
Further MAC use
- We provide systems based on an Enterprise Linux. Its MAC subsystem, SELinux, is enabled by default and its policy is comprehensive.
- Every service is protected in an appropriate way, so that if a vulnerability is found, any exploit attempts are either completely blocked or severely restricted.
- Rules also exist for limited-access user accounts, for example a user account that has no network access.
- It's not hard to add extra rules for even more specialised uses.
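The logging side of MAC from the Principles above, applied to the web server and DNS server cases: an added example (not from the original page or its vendor) that summarises SELinux AVC denial records and picks out the web server's blocked execute attempts. The audit lines are constructed here to resemble audit.log records; the type names (httpd_t, named_t, httpd_sys_rw_content_t, shell_exec_t) are standard SELinux labels, and on a real host the functions would read /var/log/audit/audit.log instead.

```shell
#!/bin/sh
# Added example, not the page's own code: summarise SELinux AVC denials,
# i.e. the "violations are logged" part of MAC, and pick out the web-server
# case from the page (the httpd domain trying to execute a file it may only write).
# The records below are constructed to resemble audit.log AVC lines.
sample_avc() {
cat <<'EOF'
type=AVC msg=audit(1594895000.101:401): avc:  denied  { execute } for  pid=1201 comm="httpd" name="upload.php" dev="dm-0" ino=10001 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_rw_content_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1594895000.101:401): arch=c000003e syscall=59 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1594895000.250:402): avc:  denied  { execute } for  pid=1202 comm="httpd" name="upload.php" dev="dm-0" ino=10001 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_rw_content_t:s0 tclass=file permissive=0
type=AVC msg=audit(1594895001.017:403): avc:  denied  { execute } for  pid=1310 comm="named" name="sh" dev="dm-0" ino=20002 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0
EOF
}

# Read audit records on stdin; print "count source_type target_type class perm"
# for each distinct denial, so repeated attempts collapse into one line.
summarize_avc() {
    awk '/avc: +denied/ {
        perm = ""; src = ""; tgt = ""; cls = ""
        if (match($0, /[{] [^}]* [}]/))
            perm = substr($0, RSTART + 2, RLENGTH - 4)
        gsub(/ /, "+", perm)            # "{ read write }" -> read+write
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "scontext") { split(kv[2], p, ":"); src = p[3] }
            if (kv[1] == "tcontext") { split(kv[2], p, ":"); tgt = p[3] }
            if (kv[1] == "tclass")   cls = kv[2]
        }
        count[src " " tgt " " cls " " perm]++
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

# The web-server case from the page: the httpd domain denied execute on a
# file. A non-empty result is the event worth raising a notification on.
web_exec_denials() {
    summarize_avc | awk '$2 == "httpd_t" && $5 == "execute"'
}

# Run against the constructed sample (feed the real audit log on a host):
sample_avc | web_exec_denials
```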