1. Field of the Invention
The present application is related generally to a data processing system and in particular to a method and apparatus for computer system security. More particularly, the present application is directed to a computer implemented method, apparatus, and computer usable program code for a privilege monitor for granting privileges to other entities but not to self.
2. Description of the Related Art
Building a secure computer system has become very challenging due to the advent of open source software (OSS). Open source software allows the public to obtain and freely use source code for operating systems, application software, and various other types of software code. Open source software has permitted computer professionals to obtain greater knowledge of program code for use in upgrading, modifying, personalizing, and debugging software. However, open source software has also permitted hackers and other malicious computer users to find new and better ways to break into otherwise secure computer systems.
Multi level security (MLS), also known as labeled security, provides a secure computer environment by controlling access to data and processes on a data processing system through mandatory access control (MAC). Mandatory access control is a mechanism that allows objects and subjects to be marked with labels, such as unclassified, classified, secret, and top secret. Thus, multi level security allows data to be separated into different sensitivities within a single operating environment by labeling data and processes with privilege labels. This type of labeling is of great significance in defense sectors, government sectors, and financial organizations, such as banks.
To properly administer a secure computer system in an MLS environment, it is necessary to separate various administrative functions into distinct user or entity roles. For example, in a traditional UNIX environment, system administration allows all privileges and authorizations to be managed and regulated by a single user ID, generally referred to as a super-user or root user. However, in a role-based access control (RBAC) multi level system environment, the default system administration roles are the information system security officer (ISSO), the system administrator (SA), and the system operator (SO).
Each of the roles in a role-based access control system has certain privileges and authorizations assigned to it, which allow the users holding these roles to execute certain privileged programs or processes and/or access privileged data. Certain normal privileges are automatically assigned to a given user when a user session is set up. Other privileges are generally assigned or granted explicitly based on a user request for access to the program, process, or data. The sessions of users with authorized roles are assigned or granted privileges only by the ISSO. No other role or entity has the ability to grant privileges to other roles or entities. The set of privileges granted to an entity can include, but is not limited to, login, read-only, write-only, read and write, file-system access, mandatory access control (MAC), input/output (I/O), discretionary access control (DAC), and many more.
An information system security officer or super user in a multi level security environment can assign some of the highest privileges to its own processes without permission from or intervention of any other administrators. This can become a problem if the information system security officer or super user account is compromised.
If a malicious user, such as a hacker, is able to infiltrate the information system security officer or super user account, the malicious user can gain unauthorized access to system resources. The malicious user can use information system security officer or super user authorization to elevate the malicious user's privileges in order to access any sensitive data and/or processes. The malicious user can also cause damage to the computer system and organization by de-activating auditing features and making changes to the computer system to enable the user to gain future access to the computer system without being detected.
Activities by malicious users have serious ramifications for the stability of a computer system, which can result in the loss of data and system integrity. Moreover, the utilization of information system security officer and super user authorizations by a malicious user to grant privileges to the malicious user without alerting other administrative roles or entities defeats the purpose of multi level labeled security.
Current implementations exist to enforce a two-man rule in the form of certain roles being assigned to a user by means of an identity and authentication, such as a user ID and password. However, this implementation still does not protect against a malicious user who obtains access to an authorized user's identity and authentication. In such a case, a malicious user may still be able to access a system to grant privileges to the malicious user without requiring intervention from or alerting any other authorized administrative users.