Access Control Lab
Added on 2019/09/22
Practical Assignment
AI Summary
This practical assignment involves designing and implementing a file system access control structure for a health information system, based on a provided case study. Students will create a directory tree, define access control lists (ACLs) for each directory, and write Bash scripts to create users, groups, directories, assign permissions, and audit the system. The assignment requires a report detailing the directory structure, security groups, justification for the design, and challenges encountered during implementation. A Bash script will automate the creation of users, groups, directories, and the access control structure, and another script will audit the system to verify that the implemented ACLs meet the policy standards. The assignment emphasizes the practical application of access control concepts and the use of Bash scripting for system administration tasks.

This lab will be based on information taken from the following case study:
Evered, M. and Bogeholz, S., A case study in access control requirements for a health information
system, Proceedings of the second workshop on Australasian information security, Data Mining and
Web Intelligence, and Software Internationalisation, 32, 53--61, 2004.
The case study is based on a Health Information System for an aged-care facility. The facility offers single
room accommodation for some 30 residents.
Users
For this lab, we will use 10 users:
Gloria (Manager) [username: gloria]
Linda (Health Care Worker) [username: linda]
Ian (Health Care Worker) [username: ian]
Mary (Doctor) [username: mary]
Markus (Doctor) [username: markus]
Margaret (Patient) [username: margaret]
George (Patient) [username: george]
Russell (Patient) [username: russell]
Patricia (Patient) [username: patricia]
Mangle (admin/superuser) [username: amangle]
The audit scripts will be tested using the admin/super user. All usernames must be as listed
above for auditing purposes.
Data
Personal Information
o Static data entered into the system when a resident is admitted. This includes personal
details such as name, sex, religion etc.; medical insurance information; medical
information such as blood group, allergies etc.; contact details for the resident’s doctor;
contact details of a responsible person who is to be contacted in emergencies; and
contact details for the person who, if the resident is not mentally capable, can make decisions
and provide signatures on behalf of the resident.
Care Plan
o This is a working document that contains detailed information and instructions
regarding the day-to-day care of the resident, e.g. assistance required with meals,
hygiene etc. A care plan is started for each resident on admission and is updated on a
regular basis. Old versions of the care plan are archived.
Progress Notes
o These are observational entries covering such aspects as physical mobility, appetite,
behavior, mood and the general state of the resident. Progress notes are used to update
the care plan. Progress notes older than one year are also archived.
Medical Records
o A number of different doctors visit the facility with one doctor visiting each week on
‘clinical day’. Residents can choose which of these doctors they wish to attend to them.
The facility requires that each resident undergo a medical examination at least every six
months and medication is reviewed at least every three months. After each examination
the doctor adds an entry to the medical records of the patient.
Access Rules
Manager
o Has the broadest access to the information, including access to personal, financial,
clinical and medical information about each resident.
o The manager has full control of past and present medical records and is the only person
who can rename or delete records from the system.
o Only the manager is allowed to edit personal information and to start or update the care
plan of a resident. The care plan is updated in consultation with the resident or the
responsible person.
o Only the manager is allowed to delete the information about a resident but here also
that right is restricted. Privacy laws require that the information be held for a certain
period after a resident leaves the facility.
Health Care Workers
o Health care workers can view the care plan for each resident and add progress note
entries based on their observations.
o Access to emergency details is available for all staff.
o Health care workers can view recent medical records of residents (up to one year old)
but cannot normally view older medical information. For a special purpose, access to an
older medical record can be sought and obtained from the manager.
Doctors
o Doctors have access to all the medical information of all residents and can add entries to
their medical records.
o Doctors can also add private notes about a resident, which, on the basis of doctor-
patient confidentiality, are not visible to health care staff or the manager.
Residents
o Privacy laws require that a person should have full access to any information stored
about them (unless the well-being of a third party would be jeopardized by revealing the
information). Assume that residents have access to the information but must request
any change to records to be made by the manager.
Normally a system like this would be implemented using a database but since this is an OS security lab
for access control, we will assume that the system is to be implemented using a file system. In this lab
you will design a file system and access control structure to support this scenario. I would recommend
first designing your directory tree structure and for each directory, design an access control list. Feel
free to work on the design in groups or one big group because this will likely require a number of
perspectives.
Implementation
Write a script to implement your file system. When the script is run it should create all directories,
users, groups, and assign permissions based on your access control design. You can write your script to
implement your access control scheme in either Linux or Windows. In Linux you should write a BASH
script using the ACL package to set fine-grained permissions.
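One way to script a single slice of this design (each resident's recent medical records), given as an added example and not as the lab's solution or code from the case study. The /srv/his base path, the group names managers, doctors, hcw and residents, and the rights granted are assumptions; with DRY_RUN=1 the script only prints the commands it would run.

```bash
# Added example: BASE, the group names and the rights granted are assumptions.
# DRY_RUN=1 prints each command; DRY_RUN=0 executes it (requires root).
DRY_RUN=${DRY_RUN:-1}
BASE=${BASE:-/srv/his}
run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# add_member GROUP USER...: create the group and any missing user, then enrol them.
add_member() {
  grp=$1; shift
  run groupadd -f "$grp"
  for u in "$@"; do
    id "$u" >/dev/null 2>&1 || run useradd -m "$u"
    run usermod -aG "$grp" "$u"
  done
}

# setup_recent_records RESIDENT: manager owns the directory, doctors add entries,
# health care workers and the resident read, everyone else gets nothing.
setup_recent_records() {
  dir="$BASE/$1/medical/recent"
  spec="u::rwx,g::rwx,g:doctors:rwx,g:hcw:r-x,u:$1:r-x,o::---"
  run mkdir -p "$dir"
  run chown gloria:managers "$dir"
  # Sticky bit: an entry can be renamed or deleted only by its owner, the
  # directory owner (the manager) or root, even though doctors hold w here.
  run chmod 1770 "$dir"
  run setfacl -m "$spec" "$dir"       # access ACL for the directory itself
  run setfacl -d -m "$spec" "$dir"    # default ACL, inherited by new entries
  run touch "$dir/test.txt"
}

main() {
  add_member managers gloria
  add_member doctors mary markus
  add_member hcw linda ian
  add_member residents margaret george russell patricia
  for r in margaret george russell patricia; do setup_recent_records "$r"; done
}

if [ "${1:-}" = "all" ]; then main; fi
```

The sticky bit still lets a doctor rename or delete an entry they created themselves, which is the kind of gap deliverable 3 asks you to discuss.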
Deliverables:
You should prepare a report consisting of the following information:
1) A written description of the directory and security group structure that you used and evidence
of its implementation in Linux. The policy has been given to you and the deliverable is the
model. (15 points)
a. A summary of the directory and security group (3 pts)
b. A diagram of the directory structure including groups structure (3 pts)
c. A diagram with the directory with groups and security structure (3 pts)
d. Supporting justification for b and c in written format to support the auditors and explain
why the model was created (6 pts)
2) Your BASH script that sets up the directory structure, users, groups, and access structure.
Building off your model from deliverable one, you will select the mechanism (Bash) and
implement the model (15 pts)
a. A script in BASH that will
i. Create users (3 pts)
ii. Place the users in the proper groups (3 pts)
iii. Create the directories for each user (3 pts)
iv. Create the access structure (3 pts)
v. Place blank files in each directory [test.txt] (3 pts)
3) Write about your experience implementing the ACLs. Based on the set of permissions offered
by the operating system, was it possible to implement all of the access control constraints
required by the case study?
a. Details the challenges encountered and addressed when implementing ACL in at least
two paragraphs (7 pts)
b. Details best practices for future implementations for classmates and future students (3
pts)
4) You will develop an audit script using BASH and perform an audit to verify the policies, models,
and implementations are appropriate. A report must be submitted based on the reports of the
audit identifying where the results did correspond to the policy created in the first
deliverable.
a. A script (BASH) that will automatically audit a system to determine if the implemented
ACL meets the policy standard. This will be based on your interpretation of the
policy/model but applied to someone else’s system. The program should provide a
pass/fail for each user. If all users pass, an overall pass score should be displayed;
otherwise the audit will fail. This will be tested / implemented in class (10 pts)
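An added sketch of the audit logic described above, not taken from the original assignment: it evaluates getfacl-style text against a table of expected rights and reports pass/fail per user and overall. The sample ACL, the group names and the expected rights are constructed assumptions, and the sample's mask is deliberately too tight so that one user fails.

```bash
# Added example: SAMPLE_ACL and POLICY (user|groups|expected rights) are constructed.
SAMPLE_ACL='# file: srv/his/george/medical/recent
# owner: gloria
# group: managers
user::rwx
user:george:r-x
group::rwx
group:doctors:rwx   #effective:r-x
group:hcw:r-x
mask::r-x
other::---'
POLICY='gloria|managers|rwx
mary|doctors|rwx
linda|hcw|r-x
george|residents|r-x
margaret|residents|---'

# has_perm USER "GROUPS" PERM ACL_TEXT: owner, named user, groups, other; mask caps the middle two.
has_perm() {
  printf '%s\n' "$4" | awk -v user="$1" -v groups=" $2 " -v perm="$3" '
    /^# (owner|group): / { hdr[$2] = $3 }
    /^#/ || NF == 0 { next }
    { split($1, f, ":"); acl[f[1] ":" f[2]] = f[3] }  # $1 drops "#effective" notes
    END {
      if (index(groups, " " hdr["group:"] " ")) grp = acl["group:"]
      for (k in acl) if (k ~ /^group:./ && index(groups, " " substr(k, 7) " ")) grp = grp acl[k]
      capped = (!("mask:" in acl) || index(acl["mask:"], perm))
      if (user == hdr["owner:"])      ok = index(acl["user:"], perm)
      else if (("user:" user) in acl) ok = index(acl["user:" user], perm) && capped
      else if (grp != "")             ok = index(grp, perm) && capped
      else                            ok = index(acl["other:"], perm)
      exit (ok ? 0 : 1) }'
}
audit_user() {   # USER "GROUPS" WANT ACL_TEXT: fails on missing and on excess rights
  for p in r w x; do
    case $3 in *"$p"*) need=1 ;; *) need=0 ;; esac
    if has_perm "$1" "$2" "$p" "$4"; then got=1; else got=0; fi
    [ "$need" -eq "$got" ] || { echo "FAIL $1 ($p: need=$need got=$got)"; return 1; }
  done
  echo "PASS $1"
}
audit_all() {   # ACL_TEXT: per-user verdicts, then the overall verdict
  rc=0
  while IFS='|' read -r user groups want; do
    audit_user "$user" "$groups" "$want" "$1" || rc=1
  done <<EOF
$POLICY
EOF
  [ "$rc" -eq 0 ] && echo "OVERALL PASS" || echo "OVERALL FAIL"; return "$rc"
}
```

On a live system, pass the output of `getfacl` for the directory under audit as the ACL text, for example `audit_all "$(getfacl DIR)"`.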
Resources for Linux ACL package:
http://www.tecmint.com/secure-files-using-acls-in-linux/
Bash Scripting
http://tldp.org/HOWTO/Bash-Prog-Intro-HOWTO.html
http://www.tldp.org/LDP/abs/html/
PowerShell
http://technet.microsoft.com/en-us/library/bb978526.aspx
http://www.powershellpro.com/