Classification

All information should be classified in terms of
  • Confidentiality,
  • Integrity and
  • Availability
(the CIA triad) so that the information can be adequately protected.

Implementation of the Confidentiality Classes Using an Example with Apache

Our SSO (AuthType shibboleth) is used; clarify the details (e.g. for group queries) with ZID!

The file attribute-map.xml looks like this:

  <Attribute name="urn:oid:CO-TCSMAIL-C" id="TCSMAIL" />
  <Attribute name="urn:oid:CO-ACCOUNTTYPE-STATUS-C-oid" id="STATUS" />
  <Attribute name="urn:oid:TUGONLINE-GROUPMEMBERSHIP" id="groupMembership" />
  <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.11" id="ASSURANCE" /> 
Such lines are then to be entered in the httpd.conf:

Example for data classified as TLP:WHITE, TLP:GREEN or TLP:AMBER:

  <VirtualHost *:80>
   ServerName your_server.tugraz.at
   Redirect permanent / https://your_server.tugraz.at/
  </VirtualHost>
  <VirtualHost your_server.tugraz.at:443>
   ServerName your_server.tugraz.at
   …
   DocumentRoot /path/to/white
   …
   <Directory "/path/to/green/">
    AuthType shibboleth
    ShibRequireSession On
    <RequireAll>
     Require shib-attr STATUS ~ BEDIENSTETE:OK
    </RequireAll>
   </Directory>
   …
   <Directory "/path/to/amber/">
    AuthType shibboleth
    ShibRequireSession On
    <RequireAll>
     Require shib-attr groupMembership "CN="
    </RequireAll>
   </Directory>
  </VirtualHost>
Data classified as  TLP:RED  should ideally not end up on a publicly accessible web server at all, as they could become public in the event of a misconfiguration or an attack.
However, if the web server serves as an archive, for example, access should be restricted to very few authorised users:

  <Directory "/path/to/red/">
   AuthType shibboleth
   ShibRequireSession On
   <RequireAll>
    # keep valid-user inside RequireAll: a bare Require next to a <RequireAll>
    # block forms an implicit <RequireAny>, and any valid user would then pass
    Require valid-user
    Require shib-attr USERNAME your_username
   </RequireAll>
  </Directory>
or
  <Directory "/path/to/red/">
   AuthType shibboleth
   ShibRequireSession On
   <RequireAll>
    Require valid-user
    Require shib-attr TCSMAIL your_email_address
   </RequireAll>
  </Directory>

eduPersonAssurance

The attribute eduPersonAssurance (mapped here to ASSURANCE) is a bitmask that shows which groups of persons an identity belongs to; the following csh script is an example of how it can be evaluated:
# unverified identity:
#  the user entered their data themselves, but TU Graz staff have not yet
#  verified it
# verified identity:
#  the data entered by the user was checked by staff against a copy of an
#  official photo ID
#
#    1 = 00000000001
#        unverified identity (unverified)
#    2 = 00000000010
#        basic user/student pre-registration (unverified)
#        (= via TUGRAZonline)
#    4 = 00000000100
#        basic user/bulk registration (unverified)
#        (= via TUGRAZonline)
#    8 = 00000001000
#        basic user/self-registration (verified)
#        (= via Keycloak)
#   16 = 00000010000
#        staff (verified)
#        (= staff profile)
#   32 = 00000100000
#        alumni (verified) (= alumni profile)
#   64 = 00001000000
#        students/TU (verified) (= student profile)
#  128 = 00010000000
#        students/co-registered NAWI (verified)
#        (= student profile + NAWI degree programme)
#  256 = 00100000000
#        students/co-registered Entwicklungsverbund Süd-Ost (verified)
#        (= student profile + teacher training degree programme)
#  512 = 01000000000
#        external lecturers
#        (study cooperations, e.g. NAWI, without an employment relationship with TU Graz)
# 1024 = 10000000000
#        users from the federation (verified externally)
#        (via Keycloak)
#

set binary_array = (0 0 0 0 0 0 0 0 0 0 0)
@ length = 12

# convert to binary
@ binary = $ASSURANCE
while ($binary > 0)
 @ length --
 @ digit = $binary % 2
 @ binary_array[$length] = $digit
 @ binary /= 2
end

if ($binary_array[11] == 1) echo "ungeprüft "
if ($binary_array[10] == 1) echo "Basisanwender/in (Voranmeldung) "
if ($binary_array[9] == 1) echo "Basisanwender/in (Bulk) "
if ($binary_array[8] == 1) echo "Basisanwender/in (Selbstregistrierung) "
if ($binary_array[7] == 1) echo "Mitarbeiter/in "
if ($binary_array[6] == 1) echo "Alumni "
if ($binary_array[5] == 1) echo "Studierende/r "
if ($binary_array[4] == 1) echo "NAWI Graz "
if ($binary_array[3] == 1) echo "Lehramtsstudium "
if ($binary_array[2] == 1) echo "Externe/r Lehrende/r "
if ($binary_array[1] == 1) echo "Föderation"

# Example:
#  ASSURANCE = 112 = 00001110000
#  → Mitarbeiter/in Alumni Studierende/r
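An added example, not from the page or from TU Graz: the same bitmask evaluation in Python, generalised to any width (bits above 1024 are reported instead of breaking the array index) and with a per-class verified flag. The labels are English renderings of the classes in the table; treating external lecturers (512) as unverified is an assumption, since the table gives them no marker.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AssuranceClass:
    bit: int
    label: str
    verified: bool  # identity checked by TU Graz staff or a trusted federation


# Bit values and verification status as listed in the comment block of the csh script.
# Assumption: external lecturers (512) carry no "verified" marker in the table,
# so they are treated as unverified here.
ASSURANCE_CLASSES = (
    AssuranceClass(1, "unverified identity", False),
    AssuranceClass(2, "basic user (student pre-registration)", False),
    AssuranceClass(4, "basic user (bulk registration)", False),
    AssuranceClass(8, "basic user (self-registration)", True),
    AssuranceClass(16, "staff", True),
    AssuranceClass(32, "alumni", True),
    AssuranceClass(64, "student (TU)", True),
    AssuranceClass(128, "student (NAWI Graz co-registration)", True),
    AssuranceClass(256, "student (Entwicklungsverbund Süd-Ost co-registration)", True),
    AssuranceClass(512, "external lecturer", False),
    AssuranceClass(1024, "federation user (verified externally)", True),
)
KNOWN_BITS = sum(c.bit for c in ASSURANCE_CLASSES)


def decode_assurance(value):
    """Map an ASSURANCE value (int or the string from the environment) to class labels.

    Unlike the csh script, bits above 1024 are reported instead of being silently lost."""
    value = int(value)
    if value < 0:
        raise ValueError("ASSURANCE must be a non-negative integer")
    labels = [c.label for c in ASSURANCE_CLASSES if value & c.bit]
    unknown = value & ~KNOWN_BITS
    if unknown:
        labels.append(f"unknown bits 0b{unknown:b}")
    return labels


def is_verified(value):
    """True if at least one verified class is set and no bit outside the table is."""
    value = int(value)
    if value & ~KNOWN_BITS:
        return False  # fail closed on bits this table does not know
    return any(value & c.bit for c in ASSURANCE_CLASSES if c.verified)


if __name__ == "__main__":
    # Example from the page: 112 = 64 + 32 + 16
    print(decode_assurance(112), is_verified(112))
```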

ID Austria

It is also possible to query whether a registration has been made with ID Austria, which provides an even higher level of trust.