LX0-104 · Question #384
Which of the following statements are advantages that Mandatory Access Control has over Discretionary? Access Control models? (Select TWO correct answers)
The correct answer is D. MAC lets the kernel help decide if an object, such as a device or process, can access another object. E. Trust is placed in the administrators and not in individual users.. Mandatory Access Control (MAC) provides a more secure and centralized control model than Discretionary Access Control (DAC) by involving the kernel in all access decisions and placing trust in administrators to define system-wide policies rather than individual users.
Question
Options
- AMAC policies are easier to configure than use of DAC.
- BMAC adds the concept of privileged remote users which is not available with simple DAC.
- CMAC policies increase the ability of the root user to correct errors.
- DMAC lets the kernel help decide if an object, such as a device or process, can access another object.
- ETrust is placed in the administrators and not in individual users.
How the community answered
(34 responses)- A6% (2)
- B9% (3)
- C3% (1)
- D82% (28)
Why each option
Mandatory Access Control (MAC) provides a more secure and centralized control model than Discretionary Access Control (DAC) by involving the kernel in all access decisions and placing trust in administrators to define system-wide policies rather than individual users.
MAC policies are generally more complex to configure correctly than DAC policies due to their granular and system-wide nature, requiring detailed understanding and precise definitions for subjects and objects.
The concept of privileged users exists in both DAC and MAC systems; MAC enhances security by being able to restrict even privileged users, rather than introducing the concept itself.
MAC policies, by design, can restrict even the root user from performing actions that violate the defined security policy, thus potentially reducing the root user's ability to bypass controls or correct errors if those actions are unauthorized by policy.
MAC empowers the operating system kernel to make all access decisions based on a system-wide security policy, rather than relying on the owner of an object, providing a centralized and consistent enforcement mechanism.
In MAC systems, security policies are defined and enforced by administrators, centralizing trust and control over system security with them, rather than distributing it among individual users who own resources, as in DAC.
Concept tested: Mandatory Access Control (MAC) advantages over Discretionary Access Control (DAC)
Source: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/using_selinux/understanding-mandatory-access-control-and-discretionary-access-control_using-selinux
Topics
Community Discussion
No community discussion yet for this question.