Chapter 15 - 02 - Discuss Various Data Security Controls - 02_ocred_fax_ocred.pdf

Certified Cybersecurity Technician Exam 212-82 Data Security

ACL: Setting Access Controls and Permissions to Files and Folders in Linux

In Linux, ACLs are used to implement access control by setting access permissions for specific files and folders.

- setfacl command: to assign alice read access to the demo.txt file
- getfacl command: to display the file name, owner, group, and access control list (ACL)
- Check permissions using the ls command
- Check permissions using the GUI

(Slide screenshots: root running setfacl -m u:alice:r /home/alice/demo.txt and getfacl demo.txt, an ls -l listing of /home/alice, and the file Properties dialog; the same sessions appear as Figures 15.5 to 15.8 below.)

Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

ACL: Setting Access Controls and Permissions to Files and Folders in Linux

In Linux, a user can use commands such as chmod, chown, chgrp, etc. to set the permissions on files or folders. ACLs provide more detailed access control features: they can precisely configure permissions on files or folders for individual users and groups.

Steps to Configure ACLs to Set File and Folder Permissions

Step 1: Install ACL Package

Install the acl package to use ACLs. You can use the statement below to install the acl package:

# yum install acl

Step 2: Configure ACL Support on a File System

The file system holding the files or directories must support ACLs. Use the following statement to mount a local ext3 file system with ACL support:

# mount -t ext3 -o acl [device-name] [mount-point]

For example,

# mount -t ext3 -o acl /dev/mapper/VolGroup00-LogVol00 /data

If /etc/fstab contains an entry for the partition, include the acl option:

# vi /etc/fstab
LABEL=/data /data ext3 acl 0 0

Step 3: ACL Rules

ACL rules define how a specific user or group can access the file or directory. There are two types of ACL rules:

- Access ACLs: specify user and group access permissions for a specific file or directory.
- Default ACLs: apply only to a directory. They specify the access permissions that new files and subdirectories inherit from their parent directory.

Commands for Setting up Access ACL Permission for Files

To set or modify one or more ACL rules on any file or directory, use the setfacl command as follows:

# setfacl -m [rules] [files]

where the rules are:

- u:name:permissions: configures the access ACL for a specific user (r, w, and x for read, write, and execute, respectively)
- g:name:permissions: configures the access ACL for a specific group
- m:permissions: configures the effective rights mask. It is the upper bound on the permissions that the named user, named group, and owning group entries can grant.
- o:permissions: configures the access ACL for everyone else (other)

For example, to set read and write permission in the ACL of file test for a guest user, use the following statement:

# setfacl -m u:user1:rwx test

To remove all access ACL rules of the file test for a guest user, use the following statement:

# setfacl -x u:guest test

To remove all ACL rules of the file test, use the following statement (-b strips every extended ACL entry and takes no user argument):

# setfacl -b test

Command for Setting the Default ACLs

By adding d: before the access rule and giving a directory name in place of a file name, you can configure the default ACL:

# setfacl -m d:o:rx /[directory]

For example, to set the default ACL for the Testdir directory, use the following statement:

# setfacl -m d:o:rx /Testdir

root@alice-Virtual-Machine:/home/alice# setfacl -m u:alice:r /home/alice/demo.txt
root@alice-Virtual-Machine:/home/alice#

Figure 15.5: setfacl command

Command to Display ACL Rules on Files

To display the ACL on any file or directory, use the getfacl command, as shown below:

# getfacl [file/directory]

For example, getfacl test will display the ACL for the test file.

root@alice-Virtual-Machine:/home/alice# getfacl demo.txt
# file: demo.txt
# owner: root
# group: root
user::rw-
user:alice:r--
group::r--
mask::r--
other::r--
root@alice-Virtual-Machine:/home/alice#

Figure 15.6: getfacl command
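The mask entry in the getfacl output is the part of an ACL that is easiest to misread: a named user listed as rw- is still limited to whatever the mask allows. The following Python example is added here and is not part of the EC-Council material; it parses getfacl text and resolves what a given user can actually do, following the POSIX ACL decision order (owner, named user, matching groups, other). The ACL text is a constructed sample modelled on Figure 15.6, with alice's entry widened to rw- so the mask has something to trim.

```python
# Constructed sample after the page's Figure 15.6, with alice given rw- under a mask of r--.
SAMPLE_ACL = """\
# file: demo.txt
# owner: root
# group: root
user::rw-
user:alice:rw-              #effective:r--
group::r--
mask::r--
other::r--
"""

def parse_getfacl(text):
    """Return (owner, group, entries); entries maps (tag, qualifier) -> 'rwx' string."""
    owner, group, entries = None, None, {}
    for raw in text.splitlines():
        line = raw.split("#effective:")[0].strip()  # drop getfacl's hint; recomputed below
        if line.startswith("# owner:"):
            owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            group = line.split(":", 1)[1].strip()
        elif line and not line.startswith("#"):
            tag, qualifier, perms = line.split(":")
            entries[(tag, qualifier)] = perms
    return owner, group, entries

def apply_mask(perms, mask):
    """A permission bit survives only if it is set in both the entry and the mask."""
    return "".join(p if p == m and p != "-" else "-" for p, m in zip(perms, mask))

def effective_entries(text):
    """Effective rights of the entries the mask applies to: named users and all groups."""
    _, _, entries = parse_getfacl(text)
    mask = entries.get(("mask", ""), "rwx")  # no mask entry: nothing is trimmed
    return {key: apply_mask(perms, mask) for key, perms in entries.items()
            if key[0] == "group" or (key[0] == "user" and key[1])}

def check_access(text, user, user_groups, wanted):
    """POSIX ACL decision order: owner, named user, matching groups, other ('r'/'w'/'x')."""
    owner, group, entries = parse_getfacl(text)
    mask = entries.get(("mask", ""), "rwx")
    if user == owner:                          # the owner entry is never masked
        return wanted in entries[("user", "")]
    if ("user", user) in entries:              # named-user entry, trimmed by the mask
        return wanted in apply_mask(entries[("user", user)], mask)
    matches = [p for (tag, q), p in entries.items() if tag == "group"
               and (q in user_groups or (q == "" and group in user_groups))]
    if matches:                                # any one matching group entry may grant it
        return any(wanted in apply_mask(p, mask) for p in matches)
    return wanted in entries[("other", "")]
```

With the sample, check_access(SAMPLE_ACL, "alice", ["alice"], "w") is False even though alice's entry says rw-, which is exactly the situation the #effective: hint warns about; setfacl -m recalculates the mask unless told not to, so a permission you thought you granted may never take effect.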
Figure 15.7: Checking permissions using ls command (ls -l listing of /home/alice as alice: demo.txt and demo.txt.gpg are owned by root, the remaining entries by alice)

Figure 15.8: Checking permissions using GUI (Properties dialog of examples.desktop, Permissions tab: Owner access Read and write; Group alice, access Read-only; Others access Read-only; Execute: Allow executing file as program; Security context: unknown)

Encrypting "Data at Rest"

Figure 15.9: "Data at rest" encryption (encryption of data in removable media devices, of data stored in files/folders, and of data stored in databases)

- Disk encryption: Encryption of data stored in a physical or logical disk. Full disk encryption is the encryption of all data on a disk except the master boot record (MBR). The data is automatically converted into a form that cannot be easily deciphered by an unauthorized user. In full disk encryption, the data is encrypted while being written to the disk and decrypted when the user reads it from the disk.
  The benefits of full disk encryption are:
  - It is a simple encryption method.
  - The encryption is transparent to users, applications, and databases.
  - It is a hardware-based encryption with high performance.

- File-level encryption: Encryption of data stored in files/folders. In this type of encryption, the encryption occurs at the filesystem level, and combined with a cryptographic algorithm, the encrypted data is extremely secure. File-level encryption regulates access by unauthorized users to files or folders on networks or shared computers. The advantages of file-level encryption are as follows:
  - Each file is encrypted with a discrete encryption key.
  - Access control is enforced using public key cryptography.
  - Both structured and unstructured data are supported.

- Removable media encryption: Prevents unauthorized access to removable media devices such as USB flash drives, portable hard disks, digital cameras, smartphones, tablets, etc.

- Database encryption: Encryption of a specific subset of data, or of all data, stored in a database. The advantages of database encryption are as follows:
  - It safeguards the data in a database.
  - It protects against a wide range of threats, including malicious insiders.
