Method and system for implementing mandatory file access control in native discretionary access control environments
Abstract
A method is provided for implementing a mandatory access control model in operating systems that natively use a discretionary access control scheme. The method applies to a system comprising a plurality of computers, a plurality of information assets stored as files on those computers, and a network communicatively connecting the computers, wherein each computer runs an operating system that uses a discretionary access control policy, and wherein each computer in a subset of them includes a software agent component operable to perform the steps of: intercepting a request for a file operation on a file from a user of a computer that includes the software agent; determining whether the file is protected; if the file is protected, altering ownership of the file from the user to another owner; and providing access to the file based on a mandatory access control policy.
21 Claims
1. A computer system configured to act as a Domain Controller (DC) for a computer network comprising a plurality of client computers, the plurality of client computers running an operating system that uses a discretionary access policy regarding file operations, the computer system comprising:
one or more hardware processors communicatively coupled to a non-transitory computer readable storage medium, wherein the non-transitory computer readable storage medium comprises instructions stored thereon that, when executed by the one or more processors, cause the one or more processors to:
receive a login request associated with a first user on a first client computer of the plurality of client computers; and
receive an indication from a mandatory access control agent executing on the first client computer to modify a login session in response to the login request, the login session configured to exclude the first user from a default user group and to associate the first user with a second user group for a duration of the login session;
wherein protected files accessible on the computer network are associated with an access control list that denies access to the default user group and allows access to the second user group; and
wherein the access control agent and the DC implement a security policy regarding file operations within the computer network that is configured by default with the discretionary access policy regarding file operations.
Dependent claims: 2 to 9.
10. One or more non-transitory computer readable media comprising instructions stored thereon that, when executed by a programmable device, configure the programmable device to act as a Domain Controller (DC) for a computer network comprising a plurality of client computers, the plurality of client computers running an operating system that uses a discretionary access policy regarding file operations, the instructions further comprising instructions to configure the programmable device to:
receive a login request associated with a first user on a first client computer selected from the plurality of client computers; and
accept an indication from a mandatory access control agent executing on the first client computer to modify a login session in response to the login request, the login session configured to exclude the first user from a default user group and to associate the first user with a second user group for a duration of the login session;
wherein protected files accessible on the computer network include an access control list that denies access to the default user group and allows access to the second user group; and
wherein the access control agent and the DC implement a security policy regarding file operations within the computer network that is configured by default with the discretionary access policy regarding file operations.
Dependent claims: 11 to 18.
19. A method for configuring a programmable device to act as a Domain Controller (DC) for a computer network comprising a plurality of client computers, the plurality of client computers running an operating system that uses a discretionary access policy regarding file operations, the method comprising:
receiving a login request associated with a first user on a first client computer selected from the plurality of client computers; and
accepting an indication from a mandatory access control agent executing on the first client computer to modify a login session in response to the login request, the login session configured to exclude the first user from a default user group and to associate the first user with a second user group for a duration of the login session;
wherein protected files accessible on the computer network include an access control list that denies access to the default user group and allows access to the second user group; and
wherein the access control agent and the DC implement a security policy regarding file operations within the computer network that is configured by default with the discretionary access policy regarding file operations.
Dependent claims: 20 and 21.
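The independent claims rely on two properties of the native DAC model: a deny entry for the default group is evaluated before any allow entry, and an object's owner can always rewrite its ACL. The model below (an added example, not code from the patent or any product built on it) evaluates the claimed ACL with Windows-style AccessCheck rules (explicit deny before explicit allow, owner implicitly holds WRITE_DAC) and shows why the claims require the session to be excluded from the default group rather than merely adding the second group, and why the abstract's agent transfers ownership of protected files away from the user. Group names, the agent account and the simplified access-mask bits are assumptions made for the example.

```python
"""Model of claim 1's group-swap plus deny/allow ACL scheme and the abstract's
ownership transfer, evaluated with Windows-style AccessCheck rules.
Added example; not code from the patent. Names and mask bits are hypothetical."""
from dataclasses import dataclass
from typing import FrozenSet, List

# Access-right bits (hypothetical simplification of the Windows access mask)
READ, WRITE, WRITE_DAC = 1, 2, 4
ALL = READ | WRITE | WRITE_DAC

# Hypothetical names standing in for SIDs
DEFAULT_GROUP = "Domain Users"         # the "default user group" of claim 1
PROTECTED_GROUP = "Protected Readers"  # the "second user group" of claim 1
AGENT_ACCOUNT = "mac-agent"            # owner the abstract's agent transfers files to


@dataclass(frozen=True)
class Ace:
    kind: str        # "deny" or "allow"
    principal: str   # user or group the entry applies to
    mask: int


@dataclass(frozen=True)
class Token:
    user: str
    groups: FrozenSet[str]


@dataclass
class SecuredFile:
    owner: str
    dacl: List[Ace]


def canonical(dacl: List[Ace]) -> List[Ace]:
    """Canonical DACL order: explicit deny entries before explicit allow entries.
    A deny reached after an allow had already granted the right would never fire."""
    return sorted(dacl, key=lambda a: 0 if a.kind == "deny" else 1)


def access_check(token: Token, f: SecuredFile, requested: int) -> bool:
    """True if every requested right is granted; walks the DACL the way AccessCheck does."""
    principals = token.groups | {token.user}
    granted = 0
    # The owner implicitly holds WRITE_DAC (and READ_CONTROL) regardless of the DACL
    if f.owner == token.user:
        granted |= WRITE_DAC
    for ace in canonical(f.dacl):
        still_wanted = requested & ~granted & ALL
        if not still_wanted:
            break
        if ace.principal not in principals:
            continue
        if ace.kind == "deny":
            if ace.mask & still_wanted:
                return False  # a matching deny on a still-wanted right ends the walk
        else:
            granted |= ace.mask & requested
    return (requested & ~granted & ALL) == 0


def protected_file(owner: str = AGENT_ACCOUNT) -> SecuredFile:
    """ACL from claim 1: deny the default group, allow the second group."""
    return SecuredFile(owner, [Ace("deny", DEFAULT_GROUP, ALL),
                              Ace("allow", PROTECTED_GROUP, READ | WRITE)])


def logon(user: str, agent_modifies_session: bool) -> Token:
    """Unmodified logon: member of the default group only.
    Agent-modified session: excluded from the default group, placed in the second group."""
    groups = {PROTECTED_GROUP} if agent_modifies_session else {DEFAULT_GROUP}
    return Token(user, frozenset(groups))


def naive_logon(user: str) -> Token:
    """What happens if the agent only adds the second group and keeps the default membership."""
    return Token(user, frozenset({DEFAULT_GROUP, PROTECTED_GROUP}))


def scenarios(user: str = "alice") -> dict:
    f = protected_file()
    return {
        # Ordinary DAC logon: the deny ACE on the default group blocks the read
        "default_session": access_check(logon(user, False), f, READ),
        # Adding the second group without removing the default one still fails:
        # the explicit deny is evaluated first, so exclusion from the default group is required
        "added_group_only": access_check(naive_logon(user), f, READ),
        # Session modified as in claim 1: read is granted for the session's duration
        "agent_modified_session": access_check(logon(user, True), f, READ),
        # Why the abstract transfers ownership: an owning user can rewrite the DACL at will
        "owner_can_rewrite_dacl": access_check(logon(user, False), protected_file(owner=user), WRITE_DAC),
        # Once the agent owns the file, the user cannot alter the DACL even in the modified session
        "agent_owned_dacl_locked": access_check(logon(user, True), f, WRITE_DAC),
    }


if __name__ == "__main__":
    for name, allowed in scenarios().items():
        print(f"{name:26s} {'ALLOWED' if allowed else 'DENIED'}")
```

The "added_group_only" case is the one a deployment most easily gets wrong: the protection depends on the deny ACE, and a deny ACE for a group the token still carries wins over any allow, which is why the claimed session modification excludes the default group rather than only adding the second one. The two ownership cases show the limit of an ACL-only approach: with the file still owned by the user, the deny entry is no barrier, since the owner can simply replace the DACL.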