11/14/2022

Access Control

Access Control
• RFC 4949, Internet Security Glossary, defines access
control as:

“A process by which use of system resources is regulated
according to a security policy and is permitted only by
authorized entities (users, programs, processes, or other
systems) according to that policy”

Access Control
• Access is the manner by which a user utilizes information
systems to get information
– Not all users should be able to access all systems and their
information
– Access should be restricted and granted on a need-to-know basis

• To manage access
– User accounts are established by issuing identifiers
– Authentication methods verify these identifiers
– Authorization rules limit access to resources
– Accountability provides an independent review and examination of system
records and activities

Access Control

For users to be permitted to access any resource, they must
• have the necessary credentials
• have been given the necessary rights or
privileges to perform the actions they are
requesting

It is necessary to track users’
activities and enforce accountability
for their actions

Access Control
Authorization: granting of a right or
permission to an entity to
access a system resource

Authentication: verification that the
credentials of a user or an
entity are valid

Accountability: an independent review and
examination of system
records and activities

Identification
• Method of establishing the subject’s or user’s identity
– Person, program, process, client, software application, hardware, or
network
• It is what a user uses to differentiate itself from others
– A unique identifier
– Use of username or other public information
• Identification component requirements
– Each value should be unique
– Follow a standard naming scheme
– Non‐descriptive of the user’s position or tasks
– Must not be shared between users
• Once a user has an identifier the next step taken to access a
resource is authentication
– An individual’s identity must be verified during the authentication process

Authentication
• The process of validating the identity of the user ‐ the method of
proving the identity
– Verifying that the credentials of a user or other system entity are valid,
thereby providing a level of trust
– Use of passwords, tokens, biometrics, or other private information
• Authentication usually involves a two-step process
– Identification step: entering public information (a username, employee
number, account number, or department ID)
– Authentication step: entering private information (a static password, smart
token, cognitive password, one‐time password, or PIN)

• Authentication means an entity must prove she is who she says
she is

Authentication
• How to prove an identity? Three basic factors to authenticate an
identity
– Something you know (knowledge-based authentication)
• Password, PIN
– Something you have (Ownership-based Authentication)
• key, swipe card, access card
– Something you are (Biometric authentication)
• Retina scan
• A more reliable authentication process would require two or all
of these three factors such as something you know with
something you have
– This form is known as the two-factor or multilevel authentication

Authentication
• Computers and devices can be identified, authenticated,
monitored, and controlled based upon their MAC and IP addresses
– Networks may use network access control (NAC) technology to
authenticate systems before they are allowed access to the network

Example: RFC 5209 ‐ Network Access Control – Posture Assessment
– A software agent running on endpoint devices evaluates and reports the
posture/compliance of the device
• E.g., whether anti‐virus software is running on the device
– The server validates the posture against its security policies and decides
whether the device is allowed to connect to the network

Something You Know


• Knowledge-based authentication
• Traditional authentication method
• The least expensive method to implement
• The downside
– Another person may acquire this knowledge and gain unauthorized
access to a resource

• Uses
– Password
– Passphrase
– Cognitive password

Something You Know


Password
• Protected string of characters – must be kept secret
• In March of 2020, NIST updated its guidelines concerning
passwords in SP 800‐63B
– Increased password length
• The recommended minimum password length is 8 characters
• The maximum recommended length is 64 characters
– Allow special characters
• Users should be allowed to use any special character in their
passwords
– Disallow password hints
• They mostly help attackers


Something You Know


Password
Password Hashing
• Example: Linux stores password hashes in the /etc/shadow file

• The password field has 3 parts: algorithm used, salt, password hash
– 1st part: algorithm id – 1 → MD5, 5 → SHA‐256, 6 → SHA‐512
– 2nd part: salt – a random string
– 3rd part: password hash


Something You Know


Password
• Purpose of Salt
– With a salt, the same input results in different hashes
• Even if two users choose the same password, their stored hashes differ
• Defeats precomputed (rainbow table) attacks
– Password hash = one‐way hash rounds (password || random string)

Example
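As an added example (not part of the slides), the following Python parses the three-part password field of an /etc/shadow record and illustrates the salted, iterated hash formula above; the sample record is constructed, and `salted_hash` is a simplified stand-in for the real crypt algorithms, not the glibc implementation.

```python
import hashlib
import secrets
import string

# Algorithm identifiers used in the /etc/shadow password field, as listed on the slide.
SHADOW_ALGORITHMS = {"1": "MD5", "5": "SHA-256", "6": "SHA-512"}
SALT_ALPHABET = "./" + string.ascii_letters + string.digits


def parse_password_field(field):
    """Split a "$id$salt$hash" password field into its three parts."""
    parts = field.split("$")
    # A well-formed field splits into: "", id, salt, hash
    if len(parts) != 4 or parts[0] != "":
        raise ValueError("not a $id$salt$hash password field")
    _, alg_id, salt, digest = parts
    if alg_id not in SHADOW_ALGORITHMS:
        raise ValueError("unknown algorithm id: %s" % alg_id)
    return {"algorithm": SHADOW_ALGORITHMS[alg_id], "salt": salt, "hash": digest}


def parse_shadow_line(line):
    """Parse one /etc/shadow record; the first two colon-separated fields are user and password."""
    fields = line.rstrip("\n").split(":")
    if len(fields) < 2:
        raise ValueError("malformed shadow record")
    user, pw = fields[0], fields[1]
    if not pw.startswith("$"):
        # "*", "!", "!!" or a "!"-prefixed hash mean password logon is disabled or locked
        return {"user": user, "usable": False, "password": None}
    return {"user": user, "usable": True, "password": parse_password_field(pw)}


def salted_hash(password, salt, rounds=5000):
    """Simplified form of the slide's formula: hash rounds over (password || salt).

    Illustration only, not the sha512-crypt scheme glibc actually uses; it shows
    why two users with the same password end up with different stored hashes.
    """
    data = (password + salt).encode()
    for _ in range(rounds):
        data = hashlib.sha512(data).digest()
    return data.hex()


def new_salt(length=16):
    """Random salt from the crypt alphabet; a fresh one is generated per password."""
    return "".join(secrets.choice(SALT_ALPHABET) for _ in range(length))


def same_password_different_hashes(password):
    """Hash one password under two random salts and report whether the results differ."""
    return salted_hash(password, new_salt()) != salted_hash(password, new_salt())


# Constructed sample record; the hash part is a placeholder, not a real digest
SAMPLE_SHADOW_LINE = "alice:$6$Qr5zS7xhL9mV2a3b$PLACEHOLDERHASHVALUE:19310:0:99999:7:::"

if __name__ == "__main__":
    rec = parse_shadow_line(SAMPLE_SHADOW_LINE)
    print(rec["user"], rec["password"]["algorithm"], "salt =", rec["password"]["salt"])
    print("same password, different salts, different hashes:",
          same_password_different_hashes("correct horse"))
```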


Something You Know


Password
• Limit Logon Attempts
– A threshold can be set to allow only a certain number of unsuccessful
logon attempts
– After the threshold is met, the user’s account can be locked for a period
of time or indefinitely, which requires an administrator to manually
unlock the account
– This protects against dictionary and other exhaustive attacks that
continually submit credentials until the right combination of username
and password is discovered
– What is the downside?


Something You Know


Passphrase
• Sequence of characters that is longer than a password ‐ a phrase
• The user enters this phrase into an application, which transforms the
value into a virtual password that is used for the actual
authentication
– Hashed or encrypted form of the passphrase

• A passphrase is more secure than a password because it is longer,
and thus harder for an attacker to obtain
• In many cases, the user is more likely to remember a passphrase
than a password


Something You Know


Cognitive passwords
• Fact- or opinion-based information
• Created through several experience-based questions
• Easy to remember!
– A person will not forget his birthplace, favorite color, dog's name, or
the school he graduated from


Something You Know

• Attacks against passwords


– Electronic monitoring
– Access the password file
– Brute force attacks
– Dictionary attacks
– Social engineering
– Shoulder surfing


Something You Have


• Authentication can also be based on something that the subject
has
– Some sort of physical or logical token
• A device such as a phone, identification card, or even an implanted
device
• A cryptographic key, such as a private key in public key infrastructure
(PKI)
• Sometimes, access to the token is protected by some other
authentication process, such as when you have to unlock your
phone to get to a software‐based token generator


Something You Have


One time passwords (OTP)
• Only used once
• Used in sensitive cases and places
• The password is generated by a token device, which is
something the person owns (or at least carries around)
– Token device generates the one‐time password for the user to submit
to an authentication server
• Token device commonly implemented in three formats as
– Dedicated physical device with a small screen that displays the OTP
– Smartphone application
– Service that sends an SMS message to your phone


Something You Have


Dedicated Token Device
• Usually a handheld device that has an LCD display and possibly a
keypad
• Separate from the computer the user is attempting to access
• Presents the user with a string of characters to be entered as a
password
– This one-time password, also called a token, is no longer valid after its initial
use


Something You Have


Token Device
Two types of token devices
• Synchronous token device
– Requires the device and the authentication service to advance to
the next OTP in sync with each other
– This change can be triggered by time (e.g., every 30 seconds a
new OTP is in play)
• OTP generation can be time-based or counter based


Something You Have


Token Device
• Asynchronous token device
– A challenge/response scheme to authenticate the user
– In this situation, the authentication server sends the user a challenge, a
random value, also called a nonce
– The user enters this random value into the token device, which
encrypts it and returns a value the user uses as an OTP
– The user sends this value, along with a username, to the authentication
server
– If the authentication server can decrypt the value and it is the same
challenge value sent earlier, the user is authenticated
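Both token types described on these two slides, as an added Python example that is not part of the original slides: the synchronous token is RFC 4226 HOTP / RFC 6238 TOTP with a server that tolerates a one-step clock drift and rejects replayed codes; the asynchronous token answers the server's nonce with an HMAC (the slide says the device "encrypts" the nonce; HMAC is substituted here). The shared secret is the RFC 4226 test seed, used so the values can be checked against the RFC.

```python
import hashlib
import hmac
import secrets
import struct


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
            | mac[offset + 2] << 8 | mac[offset + 3])
    return "%0*d" % (digits, code % (10 ** digits))


def totp(secret, now, step=30, digits=6):
    """RFC 6238 TOTP: HOTP whose counter is the number of elapsed time steps."""
    return hotp(secret, int(now // step), digits)


class SynchronousVerifier:
    """Server side of a time-synchronised token ("every 30 seconds a new OTP is in play")."""

    def __init__(self, secret, step=30, window=1):
        self.secret, self.step, self.window = secret, step, window
        self.last_counter = -1  # highest counter already accepted, used to block replay

    def verify(self, code, now):
        current = int(now // self.step)
        # Tolerate a little clock drift on either side of the current step
        for counter in range(current - self.window, current + self.window + 1):
            if counter <= self.last_counter:
                continue  # an OTP for this step (or an earlier one) was already consumed
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter
                return True
        return False


def token_response(secret, challenge):
    """Asynchronous token: derive the OTP from the server's nonce with the shared secret."""
    return hmac.new(secret, challenge, hashlib.sha256).hexdigest()[:8]


class ChallengeVerifier:
    """Server side of a challenge/response token: one random nonce per logon attempt."""

    def __init__(self, secret):
        self.secret = secret
        self.outstanding = {}  # username -> nonce awaiting a response

    def issue_challenge(self, username):
        nonce = secrets.token_bytes(16)
        self.outstanding[username] = nonce
        return nonce

    def verify(self, username, response):
        nonce = self.outstanding.pop(username, None)  # each nonce answers exactly one response
        if nonce is None:
            return False
        return hmac.compare_digest(token_response(self.secret, nonce), response)


# Seed from RFC 4226 Appendix D, used here as the shared secret
DEMO_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print("HOTP counters 0..2:", [hotp(DEMO_SECRET, c) for c in range(3)])
    sync = SynchronousVerifier(DEMO_SECRET)
    code = totp(DEMO_SECRET, 59)
    print("TOTP at t=59:", code, "accepted:", sync.verify(code, 59),
          "replay accepted:", sync.verify(code, 59))
    async_srv = ChallengeVerifier(DEMO_SECRET)
    nonce = async_srv.issue_challenge("alice")
    print("challenge/response accepted:",
          async_srv.verify("alice", token_response(DEMO_SECRET, nonce)))
```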


Something You Have


Token Device
• Two types of token devices
– The actual implementation and process that these devices
follow can differ between different vendors
– What is important to know is that
• Asynchronous is based on challenge/response mechanisms
• Synchronous is based on time‐ or counter‐driven mechanisms


Something You Have


Token Device
• Benefits
– Not vulnerable to electronic eavesdropping
• Wiretapping
• Sniffing
– Provide two factor authentication
• Limitations
– Human error
– Battery limitation


Something You Have


Smart Card
• Has a microprocessor and integrated circuits incorporated into
the card itself
– Holds and processes information
• Smart card could be used for:
– Holding biometric data in a template
– Responding to a challenge
• Used in ATM cards and building security access cards
– Holding a private key
• The authentication process occurs at the reader, thereby
avoiding the trusted-path problem
– Protecting logon information between the user and the authentication
server

Something You Have


Types of Smart Card
• Contact
– Requires insertion into a smart card reader with a direct connection
to a conductive micro‐module on the surface of the card (typically
gold plated)
– Through these physical contact points, transmission of
commands, data, and card status takes place
• Contactless
– Requires only close proximity to a reader
– Both the reader and the card have an antenna, and it is via this
contactless link that the two communicate


Something You Are


• The strongest authentication factor
• Unique personal physical characteristics are analyzed
• The measurement of this factor is called biometrics
• Encompasses all biometric techniques
– Fingerprints
– Retina scan
– Iris scan
– Hand geometry
– Facial scan
• The verifier needs to verify two things
– The biometric came from the person at the time of verification
– The biometric matches the master biometric on file

Authorization


Authorization
• The granting of a right or permission to subjects to access a
system resource
– Determines who is trusted for a given purpose
• Determines that the proven identity has some set of
characteristics associated with it that gives it the right to
access the requested resources
• Granting access rights to subjects should be based on the level
of trust a company has in a subject and the subject’s need to
know


Authorization
• Access criteria can be thought of as:
– Roles
• An efficient way to assign rights to a type of user who performs a certain
task (job assignment or function)
– Groups
• When several users require same type of access to information and
resources
– Location
• To restrict unauthorized individuals from being able to get in and
reconfigure the server remotely
– Time
• Restrict the times that certain actions or services can be accessed


Authorization
Access Control Elements
Subject
• An active entity that requests access to an object or the data in
an object
• Any user or application actually gains access to an object by
means of a process that represents that user or application
– The process takes on the attributes of the user, such as access rights
• A subject is typically held accountable for the actions they have
initiated
– An audit trail may be used to record the association of a subject with
security‐relevant actions performed on an object by the subject


Authorization
Access Control Elements
Subject
• Basic access control systems typically define three classes of
subject
• Owner: the creator of a resource, such as a file
• Group: in addition to the privileges assigned to an owner, a
named group of users may also be granted access rights
– Membership in the group is sufficient to exercise these access rights
– A user may belong to multiple groups
• World: users who are able to access the system but are not
included in the categories owner and group for this resource

Authorization
Access Control Elements
Object
• A resource to which access is controlled
• Examples include records, blocks, pages, segments, files,
portions of files, directories, directory trees, mailboxes,
messages, and programs
• Objects may be individual data fields or even the entire
database
• Some access control systems also encompass bits, bytes, words,
processors, communication ports, clocks, and network nodes


Authorization
Access Control Elements
Access right
• Describes the way in which a subject may access an object
• Access rights could include
– Read: User may view information in a system resource
• Read access includes the ability to copy or print
– Write: User may add, modify, or delete data in system resource
• Write access includes read access
– Execute: User may execute specified programs
– Delete: User may delete certain system resources, such as files or
records
– Create: User may create new files, records, or fields
– Search: User may list the files in a directory or otherwise search the
directory

Authorization
Access Control Policies
• An access control policy is embodied in an authorization
database
• Dictates
– What types of access are permitted
– Under what circumstances
– By whom
• Access control policies are grouped into
– Discretionary access control (DAC)
• Based on the identity of the requestor and on access rules
– Mandatory access control (MAC)
• Based on comparing security labels with clearances
– Role‐based access control (RBAC)
• Based on the roles and their accesses
– Attribute‐based access control (ABAC)

Authorization
Discretionary Access Control (DAC)
• The traditional method of implementing access control
• Defines access control policy that restricts access to files and other
system resources based on identity
• Allows the owner of the resource to specify which subjects can access
which resources
– Access control is at the discretion of the owner
• Can be implemented through
– Access Control Lists (ACLs)
• Specifies the list of subjects that are authorized to access a specific object
– Capability Lists
• Specifies the access rights a certain subject possesses to specific objects

Authorization
Discretionary Access Control (DAC)
DAC Matrix
• DAC is provided using an access matrix
– Lists subjects in one dimension (rows)
– Lists objects in the other dimension (columns)
– Each entry in the matrix indicates the access rights of a particular
subject for a particular object

Access Matrix


Authorization
Discretionary Access Control (DAC)
An Authorization Table
• A data structure that is not sparse like the access matrix
• More convenient than either ACLs or capability lists
• Contains one row for one access right of one subject to one resource
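The three DAC representations from the last three slides (access matrix, ACLs as columns, capability lists as rows, and the non-sparse authorization table), as an added Python example that is not part of the slides; the subjects, objects and rights are constructed.

```python
from collections import defaultdict

# Constructed access matrix: rows are subjects, columns are objects,
# each cell is the set of rights that subject holds on that object.
# Absent cells are the "sparse" part of the matrix.
ACCESS_MATRIX = {
    "alice": {"file1": {"own", "read", "write"}, "file3": {"read"}},
    "bob":   {"file1": {"read"}, "file2": {"own", "read", "write"}, "file3": {"write"}},
    "carol": {"file2": {"read"}},
}


def acl(matrix, obj):
    """Column view: the ACL of one object lists every subject and its rights on it."""
    return {s: set(rights[obj]) for s, rights in matrix.items() if obj in rights}


def all_acls(matrix):
    """One ACL per object, i.e. the matrix decomposed by column."""
    objects = {o for rights in matrix.values() for o in rights}
    return {o: acl(matrix, o) for o in sorted(objects)}


def capability_list(matrix, subject):
    """Row view: the capability list of one subject lists every object and its rights."""
    return {o: set(r) for o, r in matrix.get(subject, {}).items()}


def authorization_table(matrix):
    """Non-sparse form: one row per (subject, right, object) triple."""
    rows = [(s, right, o) for s, objs in matrix.items()
            for o, rights in objs.items() for right in rights]
    return sorted(rows)


def matrix_from_table(rows):
    """Rebuild the matrix from an authorization table: the forms carry the same information."""
    matrix = defaultdict(lambda: defaultdict(set))
    for s, right, o in rows:
        matrix[s][o].add(right)
    return {s: dict(objs) for s, objs in matrix.items()}


def check_access(matrix, subject, right, obj):
    """Reference-monitor style decision: consult the single matrix cell, default deny."""
    return right in matrix.get(subject, {}).get(obj, set())


if __name__ == "__main__":
    print("ACL for file1:", acl(ACCESS_MATRIX, "file1"))
    print("capabilities of carol:", capability_list(ACCESS_MATRIX, "carol"))
    for row in authorization_table(ACCESS_MATRIX):
        print("  %-6s %-6s %s" % row)
    print("carol may write file2:", check_access(ACCESS_MATRIX, "carol", "write", "file2"))
```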


Authorization
Discretionary Access Control (DAC)
Example: Unix File Access Control
• Modern UNIX systems support ACLs
– Each UNIX user is assigned a unique user identification number (user ID)
– A user is also a member of a primary group, and possibly a number of
other groups, each identified by a group ID


Authorization
Discretionary Access Control (DAC)
Example: Unix File Access Control
• When a file is created, it is designated as owned by a particular
user and marked with that user’s ID
– All types of UNIX files are administered by the operating system by
means of inode (index node)
– inode is a control structure that contains the key information needed
by the operating system for a particular file
– owner ID, group ID, and protection bits are part of file’s inode


Discretionary Access Control (DAC)
Example: Unix File Access Control
• Each file is associated with a set of 12 protection bits
• Nine of the protection bits specify read(r), write(w), and
execute(x) permission for
– The owner of the file
– Other members of the group to which this file belongs
– All other users
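How the owner ID, group ID and the nine rwx protection bits of an inode decide a request, as an added Python example (not from the slides): Unix consults exactly one class for the requester, owner first, then group, then others, so an owner whose owner bits are empty is refused even when the group bits would allow it. The sample inode values are constructed; root's DAC override and the other three bits (setuid, setgid, sticky) are intentionally left out.

```python
import stat

# The nine rwx bits, grouped by class as on the slide: owner, group, all other users
CLASS_SHIFT = {"owner": 6, "group": 3, "other": 0}
RIGHT_BIT = {"r": 4, "w": 2, "x": 1}


def mode_from_string(perms):
    """Turn an ls -l style string such as "rw-r-----" into the nine protection bits."""
    if len(perms) != 9:
        raise ValueError("expected nine characters, e.g. rwxr-x---")
    mode = 0
    for i, ch in enumerate(perms):
        if ch == "rwx"[i % 3]:
            mode |= 1 << (8 - i)      # position 0 is the owner's r bit (0o400)
        elif ch != "-":
            raise ValueError("unexpected character %r at position %d" % (ch, i))
    return mode


def access_class(file_uid, file_gid, uid, gids):
    """Pick the single class that applies to the requester; later classes are never consulted."""
    if uid == file_uid:
        return "owner"
    if file_gid in gids:
        return "group"
    return "other"


def unix_check(mode, file_uid, file_gid, uid, gids, right):
    """Decide an "r", "w" or "x" request from the inode's owner ID, group ID and protection bits.

    Only the nine rwx bits are evaluated; root's override and setuid/setgid/sticky
    (the remaining three of the twelve bits) are outside this illustration.
    """
    cls = access_class(file_uid, file_gid, uid, gids)
    return bool((mode >> CLASS_SHIFT[cls]) & RIGHT_BIT[right])


def explain(mode, file_uid, file_gid, uid, gids):
    """Report which class applied and the rights it yields, e.g. ("group", "r--")."""
    cls = access_class(file_uid, file_gid, uid, gids)
    bits = (mode >> CLASS_SHIFT[cls]) & 7
    return cls, "".join(ch if bits & b else "-" for ch, b in RIGHT_BIT.items())


# Constructed inode: a regular file owned by uid 1000, group 100, mode rw-r-----
INODE = {"mode": mode_from_string("rw-r-----"), "uid": 1000, "gid": 100}

if __name__ == "__main__":
    print(stat.filemode(stat.S_IFREG | INODE["mode"]))
    for uid, gids in ((1000, {100}), (1001, {100}), (1002, {200})):
        print(uid, explain(INODE["mode"], INODE["uid"], INODE["gid"], uid, gids))
```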


Authorization
Mandatory Access Control(MAC)
• Unlike DAC, users do not have the discretion to determine who
can access objects
– Based on a security label system
– Users are given security clearances and data is classified
• Reduces the amount of rights, permissions, and functionality
that a user has
• Used in environments where information classification and
confidentiality are very important (e.g., the military)
• MAC based systems
– SELinux by NSA ‐ an implementation of MAC in the Linux kernel


Authorization
Mandatory Access Control(MAC)
• MAC is considered a policy based control
• Every object and subject is given a sensitivity label
– Classification level
• Secret, Top secret, Confidential, etc.
– Category
• Information warfare, Treasury, UN, etc.

• The classification indicates the
sensitivity level, and the
categories enforce need-to-know rules


Authorization
Mandatory Access Control(MAC)
• In MAC implementations
– Access decisions are made by comparing the subject’s clearance and need-to-know
level to the object’s security label

• Each classification is more trusted
than the one below it
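The label comparison described on the previous two slides, as an added Python example (not from the slides): a subject may read an object only when its clearance dominates the object's label, meaning its classification level is at least as high and its categories cover all of the object's categories. The level ordering below adds Unclassified as a bottom level, and the sample objects are constructed.

```python
# Classification levels, least trusted first. The slide names Confidential, Secret
# and Top Secret; Unclassified is added here as the bottom level (an assumption).
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}


class Label:
    """A sensitivity label: a classification level plus a set of need-to-know categories."""

    def __init__(self, level, categories=()):
        if level not in LEVELS:
            raise ValueError("unknown classification level: %s" % level)
        self.level = level
        self.categories = frozenset(categories)

    def dominates(self, other):
        """True when this label is at least as high in level and a superset in categories."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)

    def __repr__(self):
        return "Label(%r, %s)" % (self.level, sorted(self.categories))


def mac_decision(clearance, label):
    """Return (allowed, reason) for a subject with `clearance` reading an object with `label`.

    The two halves of dominance are checked separately so the reason names which one failed,
    which is what an audit log entry for a denied access should carry.
    """
    if LEVELS[clearance.level] < LEVELS[label.level]:
        return False, "clearance %s is below classification %s" % (clearance.level, label.level)
    missing = label.categories - clearance.categories
    if missing:
        return False, "no need-to-know for categories: %s" % ", ".join(sorted(missing))
    return True, "clearance dominates object label"


def readable_objects(clearance, objects):
    """Filter a {name: Label} mapping down to the objects the clearance dominates."""
    return sorted(name for name, label in objects.items() if clearance.dominates(label))


# Constructed sample objects
SAMPLE_OBJECTS = {
    "budget.xlsx": Label("Secret", {"Treasury"}),
    "iw-plan.doc": Label("Top Secret", {"Information warfare"}),
    "un-brief.pdf": Label("Confidential", {"UN"}),
    "memo.txt": Label("Unclassified"),
}

if __name__ == "__main__":
    analyst = Label("Secret", {"Treasury", "UN"})
    for name, label in SAMPLE_OBJECTS.items():
        print("%-13s %-40s %s" % (name, label, mac_decision(analyst, label)))
```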


Authorization
Mandatory Access Control(MAC)
• SELinux by NSA ‐ is an implementation of MAC in the Linux kernel
– Integrated into the 2.6.x kernel using the Linux Security Modules
– In Android 4.3 and higher
• In a DAC system, the owner of a particular resource controls the access
permissions associated with it
• This is coarse-grained and subject to unintended privilege escalation
• A MAC system, however, consults a central authority for a decision
on all access attempts


Authorization
Mandatory Access Control(MAC)
• SELinux can enforce a user‐customizable security policy on running
processes and their actions
– including attempts to access file system objects
• SELinux defines the access and rights of every user, application,
process, and file on the system
– SELinux kernel gives granular control over the entire system


Authorization
Mandatory Access Control(MAC)
• In standard Linux DAC
– An application or process running as a user (UID or SUID) has that user's
permissions to objects such as files, sockets, and other processes

• For instance: if the root user is compromised, that user can
write to every block device
– However, SELinux can be used to label these devices so that a process
running with root privilege can write only to those specified in the
associated policy

• Running a MAC kernel protects the system from malicious
applications that can damage or destroy the system


Authorization
Android Permission Framework
• At install time, when an app asks for a permission in its manifest, the
corresponding permission is assigned to the app
– The package manager stores all permission information of an app in the package.xml file
• At run time, the Android middleware implements a reference
monitor providing mandatory access control (MAC) to monitor access
to application components

(Figure: App1 manifest requests permissions P1, P2, …; App2 manifest requests P3, P4, …)


Authorization
Role Based Access Control(RBAC)
• Based on the roles that users assume in a system rather than the
user’s identity
• Typically, RBAC models define a role as a job function within an
organization
• RBAC systems assign access rights to roles instead of individual
users
– Users are assigned to different roles, according to their responsibilities
– The relationship of users to roles and roles to resources is many to many


Authorization
Role Based Access Control(RBAC)

• A user can be a member of many roles
• Each role can have many users as members
• A permission can be assigned to many roles
• Each role can have many permissions
‐ read, write, execute, append…
• A user can invoke multiple sessions
• In each session a user can invoke any subset of roles that the user is a
member of
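The many-to-many user/role and role/permission relations and the per-session role subset from these two RBAC slides, as an added Python example (not from the slides); the payroll clerk and auditor roles and their permissions are constructed.

```python
import itertools
from collections import defaultdict


class RBAC:
    """Users <-> roles and roles <-> permissions are many-to-many; a session activates a subset."""

    def __init__(self):
        self.user_roles = defaultdict(set)   # user -> roles the user is a member of
        self.role_perms = defaultdict(set)   # role -> {(right, object)}
        self.sessions = {}                   # session id -> (user, roles active in it)
        self._ids = itertools.count(1)

    def assign(self, user, role):
        self.user_roles[user].add(role)

    def grant(self, role, right, obj):
        self.role_perms[role].add((right, obj))

    def users_in_role(self, role):
        return sorted(u for u, roles in self.user_roles.items() if role in roles)

    def can_open_session(self, user, roles):
        """A session may only activate roles the user is actually a member of."""
        return set(roles) <= self.user_roles[user]

    def open_session(self, user, roles):
        roles = set(roles)
        if not self.can_open_session(user, roles):
            raise ValueError("%s is not a member of %s" % (user, sorted(roles - self.user_roles[user])))
        sid = next(self._ids)
        self.sessions[sid] = (user, roles)
        return sid

    def check(self, sid, right, obj):
        """A session holds the union of the permissions of its active roles, nothing more."""
        _user, roles = self.sessions[sid]
        return any((right, obj) in self.role_perms[r] for r in roles)

    def close_session(self, sid):
        self.sessions.pop(sid, None)


def build_demo():
    """Constructed example: a payroll clerk who is also an auditor, activating one role at a time."""
    r = RBAC()
    r.grant("clerk", "read", "payroll.db")
    r.grant("clerk", "write", "payroll.db")
    r.grant("auditor", "read", "payroll.db")     # the same permission sits in two roles
    r.grant("auditor", "read", "audit.log")
    r.grant("auditor", "append", "audit.log")
    r.assign("alice", "clerk")
    r.assign("alice", "auditor")                 # one user, many roles
    r.assign("bob", "auditor")                   # one role, many users
    return r


if __name__ == "__main__":
    r = build_demo()
    audit_only = r.open_session("alice", {"auditor"})
    print("alice as auditor may write payroll.db:", r.check(audit_only, "write", "payroll.db"))
    both = r.open_session("alice", {"clerk", "auditor"})
    print("alice with both roles may write payroll.db:", r.check(both, "write", "payroll.db"))
    print("bob may open a clerk session:", r.can_open_session("bob", {"clerk"}))
```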

Authorization
Context-Dependent Access Control
• Makes access decisions based on the context of a collection of
information rather than on the sensitivity of the data
– A system that is using context‐dependent access control
“reviews the situation” and then makes a decision

– For example, firewalls make context based access decisions when they
collect state information on a packet before allowing it into the network


Authorization
Attribute-Based Access Control
• Uses attributes of any part of a system to define allowable access
• Some possible attributes to describe our ABAC policies:
– Subjects: Clearance, position title, department, years with the organization,
training certification on a specific platform, member of a project team, location
– Objects: Classification, files pertaining to a particular project, human resources
(HR) records, location, security system component
– Actions: Review, approve, comment, archive, configure, restart
– Context: Time of day, project status (open/closed), fiscal year, ongoing audit

• ABAC provides the most granularity of any of the access control
models
– For example, to define and enforce a policy that allows only directors to
comment on (but not edit) files pertaining to a project that is currently being
audited
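The slide's example policy (only directors may comment on, but nobody may edit, files of a project under audit) written out over subject, object, action and context attributes, as an added Python example that is not part of the slides. The attribute names, the extra project-member rule and the deny-overrides combination are assumptions made for the illustration.

```python
# Attributes are plain dicts. A rule returns "permit", "deny", or None when it does not apply.

def audited_comment_rule(subject, obj, action, context):
    """The slide's policy: only directors may comment on files of a project under audit."""
    if obj["project"] in context["projects_under_audit"] and action == "comment":
        return "permit" if subject["position"] == "director" else "deny"
    return None


def audit_freeze_rule(subject, obj, action, context):
    """The "but not edit" half: files of a project under audit may not be edited by anyone."""
    if obj["project"] in context["projects_under_audit"] and action == "edit":
        return "deny"
    return None


def project_member_rule(subject, obj, action, context):
    """Assumed baseline rule: members of a project team may review and edit its files."""
    if obj["project"] in subject["project_teams"] and action in {"review", "edit"}:
        return "permit"
    return None


POLICY = [audit_freeze_rule, audited_comment_rule, project_member_rule]


def evaluate(subject, obj, action, context, rules=POLICY):
    """Deny-overrides combination: any deny wins, otherwise any permit, otherwise default deny."""
    decisions = [d for d in (rule(subject, obj, action, context) for rule in rules) if d]
    if "deny" in decisions:
        return "deny"
    if "permit" in decisions:
        return "permit"
    return "deny"  # no rule applied: default deny


# Constructed sample attributes (subject, object, context), following the slide's categories
DIRECTOR = {"name": "dana", "position": "director", "department": "engineering",
            "project_teams": set()}
ENGINEER = {"name": "eli", "position": "engineer", "department": "engineering",
            "project_teams": {"atlas"}}
ATLAS_SPEC = {"name": "atlas-spec.docx", "project": "atlas", "classification": "internal"}
HERMES_SPEC = {"name": "hermes-spec.docx", "project": "hermes", "classification": "internal"}
AUDIT_CONTEXT = {"time_of_day": "10:00", "fiscal_year": 2022, "projects_under_audit": {"atlas"}}

if __name__ == "__main__":
    for who in (DIRECTOR, ENGINEER):
        for action in ("comment", "edit", "review"):
            print("%-5s %-8s %s -> %s" % (who["name"], action, ATLAS_SPEC["name"],
                                          evaluate(who, ATLAS_SPEC, action, AUDIT_CONTEXT)))
```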

Authorization
Risk-Based Access Control
• Estimates the risk associated with a particular request in real
time and, if it doesn’t exceed a given threshold, grants the subject
access to the requested resource
– For example, suppose David works for a technology manufacturer that is
about to release a super‐secret new product that will revolutionize the world
– If the details of this product are leaked before the announcement, it will
negatively impact revenues and the return on investment of the marketing
campaigns
– Should David be granted access to it?
• The risk factors are generally divided into categories like user context,
resource sensitivity, action severity, and risk history


Implementing Identity Management


Identity Management
• Once an organization develops a security policy and supporting
procedures, standards, and guidelines
– It must choose the type of access control model to implement that will
support the organization's access control needs
• Why identity management?
– To simplify the administration of distributed, overlapping, and conflicting
data about the users of an organization
• Identity management techniques, or access control
administration, come in two basic forms:
– Centralized access control: all authorization verification is done by a single
entity within a system
– Decentralized access control: verification is done by various entities located
throughout a system

Single Sign‐On (SSO)


Single Sign‐On (SSO)


• A centralized access control technique
• Allows user credentials to be entered one time to access
multiple resources without authenticating again
• Enables users to log on to the authentication server and still
obtain access to all additional authorized networked systems
without additional identification and authentication
• Very convenient for users and increases security


Single Sign‐On (SSO)


Advantages of SSO solutions
• Efficient log‐on process
• No need for multiple passwords
• Encourage users to create stronger passwords
• Standards can be enforced across entire SSO system
– Access control policies and standards, such as inactivity time-outs and
attempt thresholds, are easier to enforce


Single Sign‐On (SSO)


Issues with centralized SSO systems
• Protecting the SSO password
– All of a user’s credentials are protected by a single password

• Strong monitoring and detection capabilities need to be
implemented ‐ e.g., against denial of service attacks
– So that any problems are caught and addressed as quickly as possible

• Inclusion of unique platforms
– Requires significant integration
– A large enterprise utilizes hundreds of applications running on
• A wide variety of operating systems
• Different user management methods

Single Sign On (SSO)


• SSO technologies include
– Directory Services ‐ LDAP
– Kerberos
– RADIUS ‐‐ FreeRADIUS
– TACACS
– Diameter


Single Sign On (SSO)


Federated Identity Management and SSO
• SSO is common on internal networks, and it is also used on the
internet
• FIM extends identity management beyond a single organization
– Multiple organizations can join a federation
– Users in each organization can log on once in their own organization, and
their credentials are matched with a federated identity
– They can then use this federated identity to access resources in any
other organization within the group


Single Sign On (SSO)


Federated Identity Management and SSO

Cross-certification model

• If three companies participate (A, B, and
C), the number of trust relationships
grows to six (A trusts B, B trusts A, A
trusts C, C trusts A, B
trusts C, and C trusts B)


Single Sign On (SSO)


Federated Identity Management and SSO

Third-party certification trust model


Single Sign On (SSO)


Federated Identity Management and SSO
• Challenges
– Multiple companies communicating in a federation have
• Different operating systems
• Different platforms
– So they need to share a common language
• Hypertext Markup Language (HTML)
• Extensible Markup Language (XML)
• Security Assertion Markup Language (SAML)
• Service Provisioning Markup Language (SPML)
• Extensible Access Control Markup Language (XACML)
• Others

WLAN Authentication
• Authentication mechanisms for Wireless LANs
• Many different methods to authenticate wireless clients
– Open Authentication
– WEP (Wired Equivalent Privacy)‐ Shared Key Authentication
– 802.1X/EAP


WLAN Authentication
Open Authentication
• The client sends probe request frames
– Data rates, SSID (sent to the broadcast BSSID ff:ff:ff:ff:ff:ff)
• The APs send back probe responses
– SSID (wireless network name), supported data rates,
encryption types if required, and other 802.11
capabilities of the AP


WLAN Authentication
Open Authentication

• Public wireless network at an airport, hotel, or fast food restaurant
– Asks for credentials ‐ no authentication at the wireless level but on the upper layers
• Provides no way to check if a client is a valid client
• Any user who knows the SSID of the WLAN can access the network

• Some hand-held devices do not have the capabilities for
complex authentication


WLAN Authentication
Shared Key Authentication
• The client sends an authentication request
to the AP
• The AP sends an authentication response
that contains the unencrypted challenge
text
• The client encrypts the challenge text with
the WEP key and sends the text to the AP
• The AP compares the unencrypted challenge
text it sent with the decrypted form of the
encrypted challenge text returned by the client
• Uses the WEP key for
authentication and encryption
• Uses WEP encryption during the
client association process


WLAN Authentication
Shared Key Authentication

• Vulnerable to man-in-the-middle attack
– An attacker can listen to the unencrypted
challenge and the encrypted challenge,
and extract the WEP key (shared key)
from this information


WLAN Authentication
802.1X/EAP
• Addresses the shortcomings and security vulnerabilities in the
802.11 authentication methods
• 802.1X (port‐based authentication) requires three logical entities to
validate the devices on a WLAN: the client, the access device, and the
authentication server


WLAN Authentication
802.1X/EAP
• The client is usually a user terminal
– The user triggers 802.1X authentication using client software
– Must support Extensible Authentication Protocol over LAN (EAPoL)
• The access device is usually a network device
– Provides a port, either physical or logical, for the client to access the LAN
• The authentication server, typically a RADIUS server, carries out
authentication, authorization, and accounting on users


WLAN Authentication
802.1X/EAP
• The client, access device, and authentication server exchange
information using the Extensible Authentication Protocol (EAP)
• 802.1X is a Layer 2 protocol
– EAP can run over the data link layer and upper layer protocols (such as
UDP and TCP)
– This offers great flexibility to 802.1X authentication.


WLAN Authentication
802.1X/EAP
• 802.1x defines the procedure to authenticate clients
• EAP type used in the 802.1x framework defines the type of
credentials and method of authentication
• EAP variants:
– EAP‐TLS—Extensible Authentication Protocol Transport Layer Security
– EAP‐MD5—EAP–Message Digest Algorithm 5
– EAP‐FAST—EAP Flexible Authentication via Secured Tunnel
– EAP‐SIM—EAP Subscriber Identity Module
– Cisco LEAP—Lightweight Extensible Authentication Protocol
– EAP‐PEAP—EAP Protected Extensible Authentication Protocol
– EAP‐OTP—EAP One‐Time Password
– EAP‐TTLS—EAP Tunneled Transport Layer Security


WLAN Authentication
802.1X/EAP

EAP-MD5


Accountability


Accountability
• Tracked by recording user, system, and application activities
• Audit information must be reviewed
– Event Oriented Audit Review
– Real Time and Near Real Time Review
– Audit Reduction Tools
– Variance Detection Tools
– Attack Signature Tools
• Other accountability concepts
– Keystroke Monitoring
• Can review and record keystroke entries by a user during an active session
• May have privacy implications for an organization
– Scrubbing: Removing specific incriminating (implicating) data within
audit logs

Access Control Practices


• Know the access control tasks that need to be accomplished
regularly to ensure satisfactory security
• Best practices include:
– Deny access to anonymous accounts
– Enforce strict access criteria
– Suspend inactive accounts
– Replace default passwords
– Enforce password rotation
– Audit and review
– Protect audit logs
