Exam SY0-501 topic 1 question 57 discussion

Mandatory Access Control (MAC) is is a set of security policies constrained according to system classification, configuration, and authentication, which an administrator can only manage it. So the admin is correct.

It's a poorly worded question. In a MAC environment, user access to information is typically determined by as security officer or supervisor. The administrator configures the access as directed. The system then allows or denies access base on that configuration. Sooooo.... the answer is clearly "fire extinguisher". :P

fucking hell, you can read that in 2 ways: - who specifies - the admin - what specifies (qualifies) as a subject - user

Too much comments for simple question

If you are good at reading comprehension you can pass this exam. The wordings of questions always trick people. This is not a knowledge base exam, yes you need to know your material but you can pass without knowing everything

D. User "... which of the following specifies the subjects that can access specific data objects..." because "... security Admins assign labels to both subjects(Users) and objects (Files and folders) to determine access. ..."

C: Admin

The mandatory access control (MAC) model uses labels (sometimes referred to assensitivity labels or security labels) to determine access. Security administrators assign labels to both subjects (users) and objects (files or folders). When the labels match, the system can grant a subject access to an object. When the labels don’t match, the access model blocks access. CompTIA Security+ Get Certified Get Ahead - Darril Gibson The question says "specifies the subjects that can access specific data objects" - The administrator - C

Here, in this question they asked who assign(specify) rights and permission to specific data? So , it is System Admin who assign subjects and objects. By match these specification system grant access to the subject.

Answer is C. We can roll out B using process of elimination. Administrators control MAC and therefore they can access specific data objects.

"which of the following specifies the subjects that can access specific data objects?" Subjects- Users, applications, or processes that need access to objects. Objects- Data, applications, systems, networks, and physical space. It doesn't ask who can assign permissions or access control. I hate these questions too. Open for interpretation, my first thought was User.

A. Owner Check the blog link. It has a similar question and explanation. Source: https://blogs.getcertifiedgetahead.com/category/security/page/16/ The data owner will specify which subjects (such as users) can access certain data objects (such as files). A key word here is “specify” and specify indicates someone is stating a fact or requirement clearly and precisely. If the question was “Which of the following roles will implement the controls so that the subjects can access certain data objects?”, Administrator would be the correct answer. If the question was “Which of the following roles will enforce the controls so that subjects can access certain data objects?”, than system would be the correct answer. Users will not specify any permissions for access control in a MAC model.

C Mandatory access control (MAC) is a security strategy that restricts the ability individual resource owners have to grant or deny access to resource objects in a file system. MAC criteria are defined by the system administrator, strictly enforced by the operating system (OS) or security kernel, and are unable to be altered by end users. https://searchsecurity.techtarget.com/definition/mandatory-access-control-MAC

I think "When configuring settings" is a key statement here. The adninistrator configures the settings and based on Job role or some other factors, users are assigned a security level which should match with what is obtainable on the on the object. So it believe correct answer to be C

Reference: https://en.wikipedia.org/wiki/Mandatory_access_control ...Whenever a subject attempts to access an object, an authorization rule enforced by the operating system kernel examines these security attributes and decides whether the access can take place. Any operation by any subject on any object is tested against the set of authorization rules (aka policy) to determine if the operation is allowed. A database management system, in its access control mechanism, can also apply mandatory access control; in this case, the objects are tables, views, procedures, etc. The answer is System.

It says, ,,When configuring'' - administrators make the configs so the answer is C

In MAC the system tells who can access the object because it's based on classification however for DAC the owner of the object is the one who decides and the owner can be the administrator or user(in case if user own specific object)