DOI: 10.1145/1866898.1866912
short-paper

Authorizing and directing configuration updates in contemporary IT infrastructures

Published: 04 October 2010

Abstract

All security and non-security equipment in an IT infrastructure has to be consistent with the configuration of the entire IT infrastructure. System management tools are used to manage contemporary IT infrastructures in an efficient and secure manner, and to ensure that their configuration is consistent and correct. System configuration tools achieve this by using a central configuration model from which all configuration is derived. The central configuration model determines the configuration of the infrastructure and needs to be protected against unauthorised access and changes. In large IT infrastructures there are multiple administrators. Each manages an aspect of the infrastructure and thus requires access to the central model. We propose an approach that enforces access control on the changes that are made to the configuration model. Our approach also includes a method to enforce complex authorisation workflows on configuration model updates in federated infrastructures. We developed a prototype that transforms low-level textual updates into updates to the model. This transformation enables access control at the same abstraction level as the configuration model. The first results of this work have been evaluated and published. In this position paper we argue for further research on securing configuration models and applying access control on updates to the configuration model.
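An added illustration of the idea in the abstract (not code from the paper or its prototype): a textual update is converted into add/modify/remove operations on model paths, and each operation is checked against a per-administrator policy. The `path = value` text format, the host and administrator names, and the policy structure are assumptions made for this example.

```python
from fnmatch import fnmatchcase

def parse_model(text):
    """Parse constructed 'path = value' lines into a {path: value} model."""
    model = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blanks
        if line:
            path, value = (part.strip() for part in line.split("=", 1))
            model[path] = value
    return model

def model_changes(old_text, new_text):
    """Turn a textual update into (operation, path, old, new) model changes."""
    old, new = parse_model(old_text), parse_model(new_text)
    changes = []
    for path in sorted(old.keys() | new.keys()):
        if path not in old:
            changes.append(("add", path, None, new[path]))
        elif path not in new:
            changes.append(("remove", path, old[path], None))
        elif old[path] != new[path]:
            changes.append(("modify", path, old[path], new[path]))
    return changes

def authorize(admin, changes, policy):
    """Return the changes the admin may NOT make; an empty list means accept."""
    rules = policy.get(admin, [])                 # unknown admin: default deny
    return [c for c in changes
            if not any(c[0] in ops and fnmatchcase(c[1], pattern)
                       for pattern, ops in rules)]

# Constructed sample data (hypothetical hosts, administrators and policy).
OLD = """
hosts.web01.apache.port = 80
hosts.web01.firewall.allow = 80
hosts.db01.mysql.bind = 10.0.0.5
"""
NEW = """
# db01 line only moved: a textual difference, but no change to the model
hosts.db01.mysql.bind = 10.0.0.5
hosts.web01.apache.port = 8080
hosts.web01.apache.tls = on
hosts.web01.firewall.allow = 8080
"""
POLICY = {
    "alice": [("hosts.web01.apache.*", {"add", "modify"})],
    "bob": [("hosts.*.firewall.*", {"add", "modify", "remove"})],
}
```

Here `authorize("alice", model_changes(OLD, NEW), POLICY)` rejects only the firewall change, while the reordered `db01` line, which a line-based diff would report, produces no model change at all.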


Cited By

  • (2023) Policy-Based Holistic Application Management with BPMN and TOSCA. SN Computer Science 4:3. DOI: 10.1007/s42979-022-01616-w. Online publication date: 23-Feb-2023
  • (2012) Continuous Integration and Automation for Devops. IAENG Transactions on Engineering Technologies, pp. 345-358. DOI: 10.1007/978-94-007-4786-9_28. Online publication date: 6-Sep-2012


Published In

SafeConfig '10: Proceedings of the 3rd ACM workshop on Assurable and usable security configuration
October 2010
98 pages
ISBN: 9781450300933
DOI: 10.1145/1866898
Publisher

Association for Computing Machinery, New York, NY, United States

Author Tags

  1. access control
  2. authorisation
  3. federation
  4. systems management

Qualifiers

  • Short-paper

Conference

CCS '10

Acceptance Rates

Overall Acceptance Rate 22 of 61 submissions, 36%
