Secure Coding mailing list archives

Software Assist to Find Least Privilege


From: ljknews at mac.com (ljknews)
Date: Tue, 25 Nov 2008 14:00:33 -0400

At 12:26 PM -0500 11/25/08, Mark Rockman wrote:

It would be difficult to determine a priori the settings for all the access
control lists and other security parameters that one must establish for
CAS to work.  Perhaps a software assist would work according to the
following scenario.  Run the program in the environment in which it will
actually be used.  Assume minimal permissions.  Each time the program
would fail due to violation of some permission, notate the event and plow
on.  Assuming this is repeated for every use case, the resulting reports
would be a very good guide to how CAS settings should be established for
production.  Of course, every time the program is changed in any way, the
process would have to be repeated.

The approach my company recommends is intended to minimize any
possible impact on existing operations (we deal exclusively
with existing installations).

        1)      Enable auditing for use of privilege.
        2)      Wait for a period of normal operation
                (time period depends on the nature of
                the business).
        3)      Remove privileges from any user who never
                used a particular privilege.

Of course that must be accompanied by an aggressive policy
of requiring justification of every assignment of privilege
to an individual.  In many cases, permissions have been given
for an individual to modify particular data when in fact they
should only be authorized to do that when using a particular
program.  Tightening that up uses a mechanism whose name will
vary depending on the operating system in use, but it is bound
to require modification and security analysis of applications.

The context in which we are recommending this is typically
where external security requirements are suddenly raised,
e.g. 800-53a, PCI DSS, 8500.2.
-- 
Larry Kilgallen
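Both approaches in this exchange (Rockman's "assume nothing, record each violation and plow on" and Kilgallen's "audit use of privilege, then revoke what was never used") reduce to the same bookkeeping: collect the set of privileges actually exercised and diff it against what is granted. The following Python is an added illustration, not code from either poster; the audit record format, the privilege names and the user names are all constructed for the example and do not correspond to any real operating system's audit log.

```python
"""Derive least-privilege assignments from privilege-use records.

Two complementary passes, mirroring the thread:
  * audit mode: run with nothing granted, note every check that would have
    failed, let the operation continue, and report the union of what each
    principal needed (Rockman's scenario).
  * usage audit: with privileges already granted, log each use and, after a
    representative period, list what each user never used (Kilgallen's step 3).

Record format is constructed for this example (not a real audit format):
    <ISO timestamp> user=<name> priv=<privilege> result=<used|denied>
"""
import re
from collections import defaultdict

AUDIT_RE = re.compile(
    r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+priv=(?P<priv>\S+)"
    r"\s+result=(?P<result>used|denied)$"
)


def parse_audit_log(lines):
    """Yield (user, privilege, result); a malformed record raises rather than
    being silently dropped, since a skipped record could hide a real use and
    lead to revoking a privilege that is in fact needed."""
    for lineno, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = AUDIT_RE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: unparseable audit record: {line!r}")
        yield m.group("user"), m.group("priv"), m.group("result")


class AuditModeChecker:
    """Permission check that never fails: a missing privilege is recorded as
    needed and the caller is allowed to proceed, so one run of a use case
    yields the full set of grants that use case requires."""

    def __init__(self, granted):
        self.granted = {u: set(p) for u, p in granted.items()}
        self.needed = defaultdict(set)

    def check(self, user, priv):
        if priv not in self.granted.get(user, set()):
            self.needed[user].add(priv)   # notate the event and plow on
        return True                        # audit mode: operation continues

    def required_grants(self):
        """Privileges that were exercised but are not currently granted."""
        return {u: sorted(p) for u, p in self.needed.items()}


def unused_privileges(assigned, log_lines):
    """Privileges assigned to a user but never recorded as 'used' in the
    audit window; these are the revocation candidates."""
    used = defaultdict(set)
    for user, priv, result in parse_audit_log(log_lines):
        if result == "used":
            used[user].add(priv)
    report = {}
    for user, privs in assigned.items():
        unused = set(privs) - used[user]
        if unused:
            report[user] = sorted(unused)
    return report


def unassigned_uses(assigned, log_lines):
    """Sanity check on the data: a 'used' record for a privilege the user is
    not listed as holding means the assignment inventory is stale."""
    found = defaultdict(set)
    for user, priv, result in parse_audit_log(log_lines):
        if result == "used" and priv not in set(assigned.get(user, ())):
            found[user].add(priv)
    return {u: sorted(p) for u, p in found.items()}


# Constructed sample data for a stand-alone run.
ASSIGNED = {
    "alice": ["backup", "audit_read", "modify_payroll"],
    "bob": ["modify_payroll"],
    "carol": ["backup"],
}
AUDIT_LOG = [
    "2008-11-25T12:00:00 user=alice priv=backup result=used",
    "2008-11-25T12:05:00 user=alice priv=audit_read result=used",
    "2008-11-25T13:00:00 user=bob priv=modify_payroll result=used",
    "# carol held 'backup' all period and never used it",
]

if __name__ == "__main__":
    print("revoke candidates:", unused_privileges(ASSIGNED, AUDIT_LOG))
    print("inventory gaps:", unassigned_uses(ASSIGNED, AUDIT_LOG))
    chk = AuditModeChecker({"svc": ["read_config"]})
    for p in ("read_config", "write_log", "write_log"):
        chk.check("svc", p)
    print("grants required by the exercised use case:", chk.required_grants())
```

The revocation list is only as good as the audit window: a privilege used once a quarter will look unused after a month, which is why the thread leaves the waiting period to the nature of the business. The `unassigned_uses` check is the other failure mode worth catching before acting on the report, because a stale inventory makes the diff meaningless.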

