SECURITY POLICY MANAGEMENT

US 20160217286A1
Filed: 01/27/2015
Published: 07/28/2016
Est. Priority Date: 01/27/2015
Status: Active Grant

First Claim

Patent Images

1. A method performed by a computing system, the method comprising:

with a computing system, receiving an application and a security policy corresponding to the application, the security policy for use with a security enforcement mechanism;

with the computing system, receiving a data structure associated with the application and the security policy, wherein the data structure associates a logged denial by the security enforcement mechanism with a rule of the security policy, wherein the data structure further associates the logged denial with a test for the rule, the test to determine if the rule prevents the denial;

with the computing system, applying the test using a temporary security policy, the temporary security policy having the rule removed; and

with the computing system, in response to determining that the applying does not result in a denial corresponding to the logged denial, flagging the data structure.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method performed by a computing system includes, with a computing system, receiving an application and a security policy corresponding to the application, the security policy for use with a security enforcement mechanism, with the computing system, receiving a data structure associated with the application and the security policy, wherein the data structure associates a logged denial by the security enforcement mechanism with a rule of the security policy, wherein the data structure further associates the logged denial with a test for the rule, the test to determine if the rule prevents the denial, with the computing system, applying the test using a temporary security policy, the temporary security policy having the rule removed, and with the computing system, in response to determining that the applying does not result in a denial corresponding to the logged denial, flagging the data structure.

9 Citations

View as Search Results

20 Claims

1. A method performed by a computing system, the method comprising:
- with a computing system, receiving an application and a security policy corresponding to the application, the security policy for use with a security enforcement mechanism;
  
  with the computing system, receiving a data structure associated with the application and the security policy, wherein the data structure associates a logged denial by the security enforcement mechanism with a rule of the security policy, wherein the data structure further associates the logged denial with a test for the rule, the test to determine if the rule prevents the denial;
  
  with the computing system, applying the test using a temporary security policy, the temporary security policy having the rule removed; and
  
  with the computing system, in response to determining that the applying does not result in a denial corresponding to the logged denial, flagging the data structure.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 17, 19, 20)
- - 2. The method of claim 1, wherein to create the data structure, the method further comprises:
    - during development of the application, running the application with the security policy on a system that uses the security enforcement mechanism;
      
      in response to determining that the application causes a denial, creating the rule for the security policy to prevent the denial and creating the test to determine whether running the application with the rule causes the denial; and
      
      placing the denial, the rule, and the test in the data structure.
  - 3. The method of claim 1, wherein to create the data structure, the method further comprises;
    - after development of the application, determining a plurality of rules from the security policy; and
      
      determining a plurality of tests, each of the plurality of tests corresponding to one of the plurality of rules;
      
      wherein the test of the data structure is one of the plurality of tests and the rule of the data structure is one of the plurality of rules corresponding to the one of the plurality of tests.
  - 4. The method of claim 3, wherein the plurality of rules comprise rules of a type deemed to be a greater security risk than other types of rules.
  - 5. The method of claim 1, wherein the data structure comprises a tuple of a database, the database associating denials with corresponding rules and corresponding tests.
  - 6. The method of claim 5, further comprising, for each tuple in the database:
    - applying the test of that tuple using a temporary security policy, the temporary security policy having the rule of that tuple disabled; and
      
      in response to determining that the applying the test of that tuple does not result in a denial corresponding to the logged denial of that tuple, flagging the rule of that tuple for investigation.
  - 7. The method of claim 1, further comprising, in response to determining that the applying does result in a denial corresponding to the logged denial, maintaining the rule.
  - 8. The method of claim 1, further comprising, for a flagged rule:
    - verifying the test; and
      
      in response to creating a revised test, applying the revised test using the temporary security policy.
  - 9. The method of claim 1, further comprising, for a flagged rule, opening a ticket in a bugtracker for the application, the security policy, and the rule.
  - 10. The method of claim 1, further comprising, removing the flagged rule.
  - 11. The method of claim 1, wherein the security policy enforcement mechanism comprises Security-Enhanced Linux (SELinux).
  - 12. The method of claim 11, wherein the logged denial comprises an Access Vector Cache (AVC) denial.
  - 17. The method of claim 1, further comprising, removing the flagged rule from the security policy.
  - 19. The method of claim 1, wherein the test causes the application to execute portions of code that caused the denial to determine whether the rule prevents the denial.
  - 20. The method of claim 1, wherein the rule is an allow rule that allows an operation that caused the denial.

13. A method comprising:
- with a computing system, receiving an application and a security policy corresponding to the application, the security policy for use with a security enforcement mechanism;
  
  with the computing system, receiving a data structure associated with the application and the security policy, the data structure comprising a set of tuples, each tuple associating a logged denial by the security enforcement mechanism with a rule of the security policy that caused that denial and a test for the rule;
  
  with the computing system, for each tuple, applying the test of that tuple using a temporary security policy, the temporary security policy having the rule of that tuple removed; and
  
  with the computing system, in response to determining that the applying does not result in a denial corresponding to the logged denial of that tuple, flagging the tuple.
- View Dependent Claims (14, 15, 16)
- - 14. The method of claim 13, wherein the data structure is created during development of the application.
  - 15. The method of claim 13, wherein the data structure is created after development of the application.
  - 16. The method of claim 13, further comprising, for a flagged rule:
    - creating a revised test for the rule; and
      
      applying the revised test using the temporary security policy.

18. A method performed by a computing system, the method comprising:
- with a computing system, during a testing phase for development of an application, running the application with a security policy on a system that uses a security enforcement mechanism;
  
  with the computing system, in response to determining that the application causes a denial, creating a data structure that associates the denial with the rule intended to prevent the denial and a test used to determine if the rule prevents the denial;
  
  with the computing system, after the testing phase, applying the test using a temporary security policy, the temporary security policy having the rule disabled; and
  
  with the computing system, in response to determining that the applying does not result in a new denial corresponding to the denial, flagging the information within the data structure.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Red Hat, Inc. (International Business Machines Corporation)
Original Assignee
Red Hat, Inc. (International Business Machines Corporation)
Inventors
Pazdziora, Jan

Granted Patent

US 10,104,042 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/34   involving the use of extern...

G06F 21/57   Certifying or maintaining t...

H04L 63/0263   Rule management

H04L 63/20   for managing network securi...

SECURITY POLICY MANAGEMENT

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

9 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

SECURITY POLICY MANAGEMENT

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

9 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links