Overview of Security Policies
Trusted RUBIX enforces five distinct security policies. In general, an operation succeeds only if every applicable policy permits it.
- Multilevel Security (MLS): RDBMS objects and user sessions are assigned classification levels. Fixed Bell-La Padula rules define the allowable operations: a user session may read an object whose classification is dominated by the session's classification, and may write an object whose classification equals the session's classification. Trusted RUBIX labels its objects with the same MLS labels and security lattice as used by the underlying trusted operating system (TOS).
- Type Enforcement (TE, SELinux only): User sessions are assigned domains and RDBMS objects are assigned types. A scripting language is used to define which type is assigned to an object and which domain is assigned to a user session. The same scripting language defines whether a user session may perform an operation on an object, given the user session's domain, the object's type, and the RDBMS operation being performed. TE policy provides custom rules for requirements in cross-domain environments. For an example of TE policy in such environments see: http://rubix.com/cms/te_xdomain.
- Attribute Based Access Control/SPM (ABAC): XML policies (based upon the XACML standard) are assigned to named RDBMS objects and control the RDBMS operations that may be performed on those objects. The modular and dynamic policy logic uses numerous RDBMS attributes and consists of rules, policies, and policy sets. Policy-driven actions may also be performed (e.g., produce a custom audit record, calculate and set a column value). Policies may be updated and applied in "real-time" and may be configured to override the MAC policy. ABAC security policies are enforced by the TR Security Policy Manager (SPM). For an example of a policy which releases information in a cross-domain environment see: http://rubix.com/cms/abac_xdomain.
- TR Role Based Access Control (RBAC): Named roles are given a set of authorizations (the ability to perform one or more RDBMS actions). Each role may be assigned to any number of users. A user assumes a single role at a time and may transition between roles; the set of actions a user may perform is bounded by its current role. RBAC may cover RDBMS client-based actions (e.g., connect to a database) and RDBMS administrative actions (e.g., back up the database). The authorizations allow roles to be constructed that divide administrative power between users (separation of duties).
- Discretionary Access Control (DAC): The traditional SQL-standard access control mechanism. An Access Control List whose entries consist of a user/group ID, an object name, and a SQL operation is used to control access to objects.
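To make the "every policy must permit" rule above concrete, the following is an added Python sketch, not Trusted RUBIX code, that models three of the five policies and combines their decisions: an MLS label lattice with Bell-La Padula read-down/write-equal checks, an RBAC map from a session's single active role to its authorizations, and a DAC access control list keyed by principal and object. The users, groups, roles, labels, object names and ACL entries are constructed sample data, and the mapping of SQL operations to MLS read/write is an assumption of the sketch.

```python
"""Added example: MLS + RBAC + DAC decisions combined so that an operation is
allowed only when every policy permits it. All data below is constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Label:
    """An MLS label: a hierarchical level plus a set of compartments."""
    level: int
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        """Lattice dominance: level is >= AND compartments are a superset."""
        return (self.level >= other.level
                and self.compartments >= other.compartments)


# Assumed mapping of SQL operations to the MLS notion of read vs. write.
READ_OPS = {"select"}
WRITE_OPS = {"insert", "update", "delete"}


def mls_permits(session: Label, obj: Label, op: str) -> bool:
    """Bell-La Padula as described above: read down/equal, write equal only."""
    if op in READ_OPS:
        return session.dominates(obj)   # session label must dominate the object
    if op in WRITE_OPS:
        return session == obj           # no write-up and no write-down
    return True                         # non-data ops (e.g. connect) carry no MLS rule here


# RBAC: each named role owns a set of authorizations (constructed sample roles).
ROLE_AUTHS = {
    "analyst": {"connect", "select"},
    "editor": {"connect", "select", "insert"},
    "dba": {"connect", "select", "insert", "update", "delete", "backup"},
}


def rbac_permits(role: str, op: str) -> bool:
    """The session's single current role bounds what it may do."""
    return op in ROLE_AUTHS.get(role, set())


# DAC: ACL entries of (principal, object) -> permitted SQL operations.
ACL = {
    ("alice", "intel_reports"): {"select", "insert"},
    ("group:analysts", "intel_reports"): {"select"},
    ("alice", "public_notes"): {"select", "insert"},
}


def dac_permits(principals, obj: str, op: str) -> bool:
    """Allowed if any of the session's principals (user or group) holds the op."""
    return any(op in ACL.get((p, obj), set()) for p in principals)


@dataclass(frozen=True)
class Session:
    user: str
    groups: tuple
    role: str
    label: Label


def authorize(session: Session, obj_name: str, obj_label: Label, op: str):
    """Consult every policy; return (final decision, per-policy results)."""
    principals = (session.user,) + tuple("group:" + g for g in session.groups)
    results = {
        "MLS": mls_permits(session.label, obj_label, op),
        "RBAC": rbac_permits(session.role, op),
        "DAC": dac_permits(principals, obj_name, op),
    }
    return all(results.values()), results


# Constructed sample sessions and object labels.
SECRET_CRYPTO = Label(2, frozenset({"crypto"}))
UNCLASSIFIED = Label(0)
ALICE = Session("alice", ("analysts",), "editor", SECRET_CRYPTO)
BOB = Session("bob", (), "dba", Label(1))

if __name__ == "__main__":
    for sess, obj, lbl, op in [
        (ALICE, "intel_reports", SECRET_CRYPTO, "select"),   # all permit
        (ALICE, "intel_reports", SECRET_CRYPTO, "update"),   # RBAC denies
        (ALICE, "public_notes", UNCLASSIFIED, "select"),     # MLS read-down ok
        (ALICE, "public_notes", UNCLASSIFIED, "insert"),     # MLS write-down denied
        (BOB, "intel_reports", SECRET_CRYPTO, "select"),     # MLS read-up denied
    ]:
        allowed, detail = authorize(sess, obj, lbl, op)
        print(f"{sess.user:5} {op:6} {obj:13} -> {'ALLOW' if allowed else 'DENY '} {detail}")
```

The per-policy result dictionary is what a practitioner would want logged on a denial: it shows which policy refused the operation (here RBAC for the update, MLS for the write-down and the read-up) even when the other policies would have allowed it.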