Whenever a new technology is implemented, a planning phase is always a good idea.
During the planning stages, an administrator should in general look at the “big
picture”, trying to keep in view at least the following:
For MAC installations, these include:
-
How to classify information and resources available on the target systems.
-
What sorts of information or resources to restrict access to along with the type of
restrictions that should be applied.
-
Which MAC module or modules will be required to
achieve this goal.
It is always possible to reconfigure and change the system resources and security
settings, it is quite often very inconvenient to search through the system and fix
existing files and user accounts. Planning helps to ensure a trouble-free and efficient
trusted system implementation. A trial run of the trusted system, including the
configuration, is often vital and definitely beneficial before a MAC
implementation is used on production systems. The idea of just letting loose on a system
with MAC is like setting up for failure.
Different environments may have explicit needs and requirements. Establishing an in
depth and complete security profile will decrease the need of changes once the system
goes live. As such, the future sections will cover the different modules available to
administrators; describe their use and configuration; and in some cases provide insight
on what situations they would be most suitable for. For instance, a web server might roll
out the mac_biba(4) and mac_bsdextended(4)
policies. In other cases, a machine with very few local users, the mac_partition(4) might
be a good choice.