Policies and policy classes
A security policy, or simply a policy, is a method that defines the rule for checking whether an event is permissible. Policies can be divided into two types: rule policies and expression policies.
For more details, see "Rule policies and expression policies".
Security policies make a decision based on event data (for example, the name of the entity being started or the actual arguments of the method being called), and may also take into account the state of the class object whose method they are (see below). Policy calls can be nested inside one another.
A security policy class is a set of semantically related policies that describe a specific security model.
KasperskyOS Community Edition provides the following policy classes:
Base – base class that implements the grant, assert and deny policies.
Regex – class that implements text data validation based on static templates (regular expressions).
HashSet – class that implements mechanisms for working with "hash table" data structures.
StaticMap – class that implements mechanisms for working with "static key dictionary" data structures.
Flow – implementation of a finite-state machine.
RBAC – implementation of a Role-Based Access Control model.
For more details, see "Security policy classes".
Class object
Each policy is a method of a previously created class object. A class object has an internal state that policies can consider when making a decision of "allowed" or "denied".
Depending on the described security model, a class object may:
A policy call consists of a class object method call in specific conditions and with specific arguments. Some rule policies can change the state of a class object whose methods they provide.
Linking to events and calling policies
When an entity initiates an event, e.g. by sending a request or response, starting another entity or calling a security interface, Kaspersky Security System calls all policies bound to a specific event. If all policies have returned an "allowed" decision, Kaspersky Security System returns an "allowed" decision. If even one policy returned a "denied" decision, Kaspersky Security System returns a "denied" decision.
If no security policy is bound to the event, Kaspersky Security System returns a "denied" decision. This means that, in KasperskyOS, everything that is not explicitly allowed is denied (the Default Deny principle).
The binding of events to policies is statically defined in a special file named security.psl, which is known as the solution security policy.
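The decision rules described above (every bound policy must allow, an unbound event is denied, and a rule policy may change its class object's state) as an added Python model; this is an illustration written for this page, not KasperskyOS or Kaspersky Security System code, and the Regex and Flow classes, the SolutionSecurityPolicy binding table and the event and entity names are simplified assumptions that stand in for security.psl.

```python
import re
from typing import Callable, Dict, List, Set, Tuple

ALLOWED, DENIED = "allowed", "denied"
Policy = Callable[[dict], str]

class Regex:
    """Validates one text field of the event against a static regular expression."""
    def __init__(self, pattern: str):
        self._re = re.compile(pattern)
    def match(self, field: str) -> Policy:
        return lambda ev: ALLOWED if self._re.fullmatch(str(ev.get(field, ""))) else DENIED

class Flow:
    """Finite-state machine: a class object whose state a rule policy reads and changes."""
    def __init__(self, initial: str, transitions: Set[Tuple[str, str]]):
        self.state, self._t = initial, transitions
    def enter(self, target: str) -> Policy:
        def policy(ev: dict) -> str:
            if (self.state, target) not in self._t:
                return DENIED
            self.state = target  # the rule policy changes the class object's state
            return ALLOWED
        return policy

class SolutionSecurityPolicy:
    """Static event-to-policy binding, the role security.psl plays (assumed model)."""
    def __init__(self):
        self._bindings: Dict[str, List[Policy]] = {}
    def bind(self, event_name: str, *policies: Policy) -> None:
        self._bindings.setdefault(event_name, []).extend(policies)
    def decide(self, event_name: str, event: dict) -> str:
        policies = self._bindings.get(event_name)
        if not policies:
            return DENIED  # Default Deny: an event with no bound policy is denied
        for policy in policies:  # every bound policy must allow; stop at the first denial
            if policy(event) == DENIED:
                return DENIED
        return ALLOWED

def demo() -> Dict[str, str]:
    """Constructed sample bindings and events; entity and event names are illustrative."""
    psl = SolutionSecurityPolicy()
    flow = Flow("init", {("init", "running"), ("running", "stopped")})
    psl.bind("start_entity", Regex(r"[a-z_]+").match("entity"), flow.enter("running"))
    return {"start_valid": psl.decide("start_entity", {"entity": "net_server"}),
            "start_again": psl.decide("start_entity", {"entity": "net_server"}),
            "start_bad_name": psl.decide("start_entity", {"entity": "Bad Name!"}),
            "unbound": psl.decide("call_security_iface", {})}
```

The second start of the same entity is denied because the Flow object is already in the "running" state, and the unbound event is denied without consulting any policy.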