Introduction to POSIX Security

POSIX is a family of standards designed to ensure the portability of application programs across hardware and operating systems. These standards are the products of the IEEE Technical Committee on Operating Systems, P1003 Committee. For the purposes of this discussion, two of the standards produced by this committee are of primary interest:

  1. POSIX.1 (IEEE Std 1003.1), the base operating system interface standard.
  2. POSIX.6 (P1003.6), the security interface extensions to POSIX.1.

Like the POSIX.1 standard, the POSIX.6 standard originally grew out of work begun in /usr/group, now known as Uniforum. As the POSIX.1 work moved out of /usr/group and into the IEEE, some security professionals within /usr/group saw the need to:

  1. provide portable applications with the interfaces necessary to make use of security-relevant information; and
  2. improve on the security mechanisms being defined in the POSIX.1 standard.
Recognizing that many users would find the security mechanisms defined in POSIX.1 sufficient for their needs, it was decided that the additional security mechanisms and interfaces would be developed as extensions to the POSIX.1 standard rather than as changes to it. From a security viewpoint, the improvement over the POSIX.1 security mechanisms is substantial.

The POSIX.6 security mechanisms address five areas of functionality:

  1. discretionary access control, through access control lists (ACLs);
  2. audit;
  3. privileges, as a finer-grained alternative to the all-or-nothing superuser;
  4. mandatory access control (MAC) labels; and
  5. information labels.

According to the POSIX.6 draft, each option defines new functions as well as security-related constraints on the functions and utilities defined by the other POSIX standards. Adding these mechanisms to the POSIX.1 standard as extensions allows "general purpose" applications to take advantage of the security enhancements while remaining portable. These areas are also heavily used by "trusted" programs, so the extensions make trusted programs portable as well.

These areas were chosen because they were felt to encompass the de facto required areas of security in today's POSIX environments. Not all of them may be required on a single system, but some combination of them should be. Access control should be required on any multi-user system. POSIX.6 supports a mechanism for generating an audit trail that can later be analyzed by an audit analysis tool, and the use of audit on POSIX systems is highly encouraged. More and more users are discovering the benefits of information labels on their systems, and POSIX.6 supports these as well.

The POSIX.6 interfaces sit between the application and the operating system. In this way the application is buffered from having to know the internals, formats and other details that make systems unique: an application can ask for the mandatory access control label of a file without knowing where or how the label is stored internally. This is what makes application portability possible, and POSIX.6 focuses on providing application portability on systems that make use of the POSIX.6 mechanisms.
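
The access control area illustrates what such an interface hides. The following C program is an added example, not code from the original page or from the POSIX.6 drafts: it parses the ACL long text form that the draft's acl_to_text() interface returns (the text an application would obtain through acl_get_file() on a conforming system, without knowing how the ACL is stored) and evaluates the draft's access-check order: file owner first, then a matching named-user entry, then the owning group and named groups, then everyone else, with the mask entry capping the named-user and group entries. The sample ACL, the file's owner (uid 1000, gid 100) and the subject identities are constructed for the example and are assumptions, not values from the page.

```c
/* Added example, not from the original page or the POSIX.6 drafts.
 * Parses the ACL long text form that the draft's acl_to_text() interface
 * returns and evaluates the draft's access-check algorithm. On a real
 * system the text would come from acl_get_file(path, ACL_TYPE_ACCESS);
 * here the ACL, the file's owner/group and the subjects are constructed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum { PERM_R = 4, PERM_W = 2, PERM_X = 1 };
enum tag { T_USER_OBJ, T_USER, T_GROUP_OBJ, T_GROUP, T_OTHER };

struct entry { enum tag tag; unsigned id; int perm; };
struct acl { struct entry e[32]; int n; int mask; int has_mask; };
struct subject { unsigned uid, gid; const unsigned *groups; int ngroups; };

/* Constructed sample: owner rw-, uid 1001 rwx, owning group r--, gid 100 rw-,
 * mask rw- (caps named users and every group entry), everyone else nothing. */
const char *SAMPLE_ACL =
    "user::rw-\nuser:1001:rwx\ngroup::r--\ngroup:100:rw-\nmask::rw-\nother::---\n";

static int parse_perm(const char *s) {
    return (s[0] == 'r' ? PERM_R : 0) | (s[1] == 'w' ? PERM_W : 0) | (s[2] == 'x' ? PERM_X : 0);
}

/* Parse newline-separated "tag:qualifier:perms" lines. 0 on success, -1 if malformed. */
int acl_from_long_text(const char *text, struct acl *acl) {
    const char *p = text;
    acl->n = 0; acl->mask = PERM_R | PERM_W | PERM_X; acl->has_mask = 0;
    while (*p) {
        char line[64], *qual, *perm;
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len >= sizeof line || acl->n == 32) return -1;
        memcpy(line, p, len); line[len] = '\0';
        p += len + (nl ? 1 : 0);
        if (!(qual = strchr(line, ':'))) return -1;
        *qual++ = '\0';                        /* line = tag, qual = "qualifier:perms" */
        if (!(perm = strchr(qual, ':'))) return -1;
        *perm++ = '\0';                        /* qual = qualifier (may be empty), perm = "rwx" */
        if (strlen(perm) != 3) return -1;
        int named = (*qual != '\0');
        struct entry *e = &acl->e[acl->n];
        e->id = named ? (unsigned)strtoul(qual, NULL, 10) : 0;
        e->perm = parse_perm(perm);
        if (!strcmp(line, "user"))       e->tag = named ? T_USER : T_USER_OBJ;
        else if (!strcmp(line, "group")) e->tag = named ? T_GROUP : T_GROUP_OBJ;
        else if (!strcmp(line, "other")) e->tag = T_OTHER;
        else if (!strcmp(line, "mask"))  { acl->mask = e->perm; acl->has_mask = 1; continue; }
        else return -1;
        acl->n++;
    }
    return 0;
}

static int in_groups(const struct subject *s, unsigned gid) {
    if (s->gid == gid) return 1;
    for (int i = 0; i < s->ngroups; i++) if (s->groups[i] == gid) return 1;
    return 0;
}

/* Access check in the order the draft specifies. 1 if every bit of 'want' is granted. */
int acl_check(const struct acl *acl, unsigned owner_uid, unsigned owner_gid,
              const struct subject *s, int want) {
    int i, group_matched = 0, other = 0;
    if (s->uid == owner_uid) {                           /* 1. owner: ACL_USER_OBJ, unmasked */
        for (i = 0; i < acl->n; i++)
            if (acl->e[i].tag == T_USER_OBJ) return (acl->e[i].perm & want) == want;
        return 0;
    }
    for (i = 0; i < acl->n; i++)                         /* 2. named user: ACL_USER, masked */
        if (acl->e[i].tag == T_USER && acl->e[i].id == s->uid)
            return (acl->e[i].perm & acl->mask & want) == want;
    for (i = 0; i < acl->n; i++) {                       /* 3. groups: any matching entry that grants, masked */
        const struct entry *e = &acl->e[i];
        if ((e->tag == T_GROUP_OBJ && in_groups(s, owner_gid)) ||
            (e->tag == T_GROUP && in_groups(s, e->id))) {
            group_matched = 1;
            if ((e->perm & acl->mask & want) == want) return 1;
        }
    }
    if (group_matched) return 0;                         /* in the group class but nothing granted: deny */
    for (i = 0; i < acl->n; i++)                         /* 4. everyone else: ACL_OTHER, unmasked */
        if (acl->e[i].tag == T_OTHER) other = acl->e[i].perm;
    return (other & want) == want;
}

/* Check against the constructed sample for a file assumed owned by uid 1000 / gid 100.
 * supp_gid is one supplementary group (pass 0, which matches no entry, for none). */
int sample_check(unsigned uid, unsigned gid, unsigned supp_gid, int want) {
    struct acl acl;
    const unsigned supp[1] = { supp_gid };
    struct subject s = { uid, gid, supp, 1 };
    if (acl_from_long_text(SAMPLE_ACL, &acl) != 0) return -1;
    return acl_check(&acl, 1000, 100, &s, want);
}

int main(void) {
    printf("uid 1001 write=%d execute=%d (rwx entry capped by mask rw-)\n",
           sample_check(1001, 50, 0, PERM_W), sample_check(1001, 50, 0, PERM_X));
    printf("uid 1002 via supplementary gid 100 write=%d\n", sample_check(1002, 50, 100, PERM_W));
    printf("uid 1003 no entry read=%d\n", sample_check(1003, 50, 0, PERM_R));
    return 0;
}
```

The program needs no ACL library because the ACL text is embedded; compile with cc -std=c99. Two results are worth noting because a plain mode-bit check cannot express them: uid 1001 holds an rwx entry but the mask strips execute, and uid 1002 gains write through a supplementary group entry even though the owning-group entry is read-only.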

The standard that provides the POSIX.6 interfaces and mechanisms is currently in the balloting process. The draft standards P1003.6.1/D13 and P1003.6.2 [POS92c] were the current documents at the time of this writing. With any standard that is cycling through a balloting process, changes may occur; therefore differences (hopefully slight) may arise between the specifics of the standard presented here and the final specification upon approval.






John Barkley
Fri Oct 7 16:17:21 EDT 1994