1. Field of the Invention
The present invention generally relates to computer resource security and, in particular, to a system and method for simplifying selection of security profile rules within a computer system by displaying a categorized list of the security rules.
2. Related Art
To protect a computer system against vulnerabilities (e.g., attacks from hackers), the computer system is often “locked down” via a security application. As known in the art, a security application locks down a computer system by controlling a machine state or configuration of the computer system such that the computer system (e.g., an operating system within the computer system) enforces a set of security rules that prevent unauthorized users from accessing and/or modifying certain applications, files, and/or other resources within the computer system. For example, a security application may set the configuration of the computer system such that the computer system enforces a rule that restricts which users may access a particular file. In this regard, the computer system may maintain a list, commonly referred to as an access control list, that identifies which users are authorized to access and/or use various computer resources. To cause the computer system to enforce the foregoing rule, the security application modifies the access control list such that it indicates which users may access the particular file. When a user attempts to access this file, the computer system first checks the access control list to determine whether or not the user is one of the specified users that may access the file. If the user is one of the specified users, then the computer system allows the access to occur. However, if the user is not one of the specified users, then the computer system prevents the access and displays a message to the user indicating that access to the requested file has been denied.
The security application normally includes data that defines a list of security rules that may be enforced by a computer system. The security application displays this list of security rules and allows a particular user or set of users, referred to herein as the “system administrator,” to select which of the rules that the system administrator would like enforced by the computer system. The security application, in turn, modifies the configuration or, in other words, the machine state of the computer system such that the computer system enforces the rules selected by the system administrator.
Note that the security application normally sets the configuration of the computer system, and the computer's operating system enforces the selected security rules based on the settings controlled by the security application. In other words, the security application causes the operating system to enforce the selected rules by manipulating the configuration of the computer system. Thus, once the security application has set the configuration of the computer system, as described above, the security application usually provides no further functionality in enforcing the selected rules. The security application may, however, change the computer system's settings in order to change which rules are enforced by the operating system in response to inputs for changing the security profile from the system administrator.
As described above, the system administrator selects which security rules should be enforced based on the level of security desired by the administrator, and the degree to which the computer system is locked down by the security application depends on the rules selected by the system administrator. Generally, the more rules that are enforced, the more secure the system becomes and, in other words, the more the system is locked down. Thus, if the system administrator desires to have a more secure computer system, the system administrator typically selects more rules for enforcement and/or selects particular rules that provide a particularly secure environment in an area of interest to the system administrator. However, in general, the compatibility of the computer system decreases as the security of the computer system increases. Therefore, if security is not a high priority to the system administrator, then he or she may select for enforcement fewer rules and/or rules that do not provide a high level of security, thereby reducing the degree to which the computer system is locked down.
Moreover, the degree to which the computer system is locked down by the security application depends on the competing interests of system security and system compatibility. Therefore, the rules selected for enforcement usually vary from computer system to computer system based on the desires of the system administrators in establishing the security profile of each of the computer systems. As used herein, a “security profile” refers to the collective set of rules that have been selected for locking down a computer system in order to prevent unauthorized users from accessing and/or modifying certain resources within the computer system. Security applications that set the configuration of the computer system to induce the computer system to enforce the selected security rules or that, in other words, set the security profiles of computer systems are well known in the art and are often referred to as “lock down products” or “lock down applications.” Normally, a security application only allows the system administrator or a user designated by the system administrator to change the computer system's security profile.
Since the security profiles of computer systems typically vary from computer system to computer system, most security applications do not provide a standard set of security rules for implementation. In this regard, most security applications list for the system administrator each security rule that may be selected for enforcement. The system administrator then reviews the displayed list of rules and selects the rules that the administrator would like enforced by the computer system and, in other words, added to the security profile of the computer system.
Unfortunately, as the need for more secure systems has increased, the list of security rules from which a system administrator may select in defining a computer system's security profile has increased as well. Thus, the process of selecting which rules should be included in the computer system's security profile can be a tedious and time consuming process. Furthermore, if the system administrator is not familiar with the ramifications of selecting many of the rules, then it can be difficult for the system administrator to select the appropriate set of rules that provides the computer system with the desired level of security.
Indeed, the system administrator after selecting and implementing a particular security profile often changes which rules are included in the security profile. Such changes may have been necessitated by the system administrator's inability to initially define the desired level of security or may have been necessitated by changing security needs. In changing the computer system's security profile, the administrator may make mistakes. In this regard, the system administrator, due to human error or due to the administrator's lack of understanding the ramifications of the changes, may mistakenly add undesirable rules and/or remove desirable rules, thereby changing the security profile in an undesirable way.
Attempting to discover and remedy the undesirable effects introduced by the system administrator in changing the security profile can be difficult and/or time consuming. In this regard, the system administrator typically traverses through the list of selected and/or unselected rules in order to determine why the security application is not behaving as intended. However, understanding the ramifications of whether or not particular rules are selected is paramount in such a debugging process, and not all system administrators are familiar enough with the security application in order to make well informed decisions in debugging and/or changing the security profile. Further, in some situations, it is possible that the errors introduced by changing the security profile lock authorized users and even the system administrator out of the computer system and/or the security application, thereby making the process of correcting for the administrator's mistakes even more difficult and problematic.
Thus, a heretofore unaddressed need exists in the industry for providing a system and method for simplifying selection of security profile rules within a computer system.