1 |
> > Hmm... configuration-wise, I'm envisioning a directory tree under |
2 |
> > /etc/grsec |
3 |
> > with per-user and per-application branches (because detailed grsec policy |
4 |
> > files get very big very quickly), so that differences or changes in |
5 |
> > requirements can be managed easily via comparing differences between flat |
6 |
> > files. |
7 |
> |
8 |
> We could have something similar to SELinux here. I mean: a policy |
9 |
> structure in directories, which could be used to generate the final policy |
10 |
> file. That would keep the effort in userland. |
11 |
|
12 |
This is pretty much what I meant, yes :) |
13 |
|
14 |
> Udev-event based mechanism for eg. |
15 |
|
16 |
The idea of udev-style notification mechanism works for me. |
17 |
|
18 |
> RSBAC have console type graphical UI for config editing. |
19 |
> I really like the idea of having a separate security officer in RSBAC as |
20 |
> well as the separate authentication system for grsecurity. It's a second |
21 |
> line defense mechanism makes it harder to bypass. But it also makes harder |
22 |
> to an everyday user to easily tamper with the security policy. I think |
23 |
> this second line should be kept. |
24 |
|
25 |
Ah, I'd forgotten about this - it's been a while since I've dallied with |
26 |
RSBAC. I agree - the security officer is a good idea for systems where |
27 |
everything runs by default as root. I see it as another tactic in the whole |
28 |
privilege separation strategy of trying to maintain process security. |
29 |
|
30 |
I've forgotten why I'd abandoned RSBAC - perhaps it was the difficulty in |
31 |
getting a fully functional system running. (Maybe that's changed since I last |
32 |
tried it. I remember admiring the set-based ideas behind it - maybe I should |
33 |
give it another shot sometime.) |
34 |
|
35 |
I know I settled on the Hardened sources because it was easier to selectively |
36 |
turn on or off security systems where they interfered with processes I wanted |
37 |
to run - which brings me back to my rant about easily managed security |
38 |
systems. If you can't selectively disable parts of the system without a |
39 |
reboot or kernel recompile, it's going to be 'all too hard' for many users. |
40 |
|
41 |
On Thu, 14 Feb 2008, atoth@××××××××××.hu wrote: |
42 |
> On Sze, Február 13, 2008 13:08, Geoff Kassel wrote: |
43 |
> > I like the idea of the SELinux per-application policies. I've never used |
44 |
> > them |
45 |
> > or SELinux, though, so I don't know how effective or simple they are to |
46 |
> > use |
47 |
> > IRL. Anyone else care to comment on this? |
48 |
> |
49 |
> Chris PeBenito is the person who probably have the most detailed knowledge |
50 |
> of SELinux here. I think it's more complex to develop a policy for an |
51 |
> application using SELinux, but a well designed framework provides |
52 |
> guidance. Targeted mode offers a chance to create a balance between |
53 |
> security and usability giving the chance for the everyday user to make use |
54 |
> of the technique without having to spend time on the policy or facing with |
55 |
> failing applications. |
56 |
> |
57 |
> >> I think many of us could contribute to the |
58 |
> >> policy. The hardest task would be to agree on the differences regarding |
59 |
> >> the security requirements. But that could be made configurable also. |
60 |
> >> Configuration intelligence could investigate the contents of the conf |
61 |
> >> directory to tailor the policy to the specific settings... |
62 |
> > |
63 |
> > Hmm... configuration-wise, I'm envisioning a directory tree under |
64 |
> > /etc/grsec |
65 |
> > with per-user and per-application branches (because detailed grsec policy |
66 |
> > files get very big very quickly), so that differences or changes in |
67 |
> > requirements can be managed easily via comparing differences between flat |
68 |
> > files. |
69 |
> |
70 |
> We could have something similar to SELinux here. I mean: a policy |
71 |
> structure in directories, which could be used to generate the final policy |
72 |
> file. That would keep the effort in userland. |
73 |
> |
74 |
> >> I have to regularly revise my policy to keep the box running. I've also |
75 |
> >> ended up loosening the security in order to make the system usable. |
76 |
> > |
77 |
> > As much maligned as Vista's UAC system is, I feel there's one positive |
78 |
> > thing |
79 |
> > about it - it's handy to have a mechanism to notify the user about |
80 |
> > potential |
81 |
> |
82 |
> Udev-event based mechanism for eg. |
83 |
> |
84 |
> > How about a user-configurable UI (something that could be run on a bare |
85 |
> > TTY, |
86 |
> > like, say, tty11, or on any other command line, for that matter) for the |
87 |
> > management system - secured from physical intrusion by sudo-style logins |
88 |
> > for |
89 |
> |
90 |
> RSBAC have console type graphical UI for config editing. |
91 |
> I really like the idea of having a separate security officer in RSBAC as |
92 |
> well as the separate authentication system for grsecurity. It's a second |
93 |
> line defense mechanism makes it harder to bypass. But it also makes harder |
94 |
> to an everyday user to easily tamper with the security policy. I think |
95 |
> this second line should be kept. |
96 |
> |
97 |
> < snip > |
98 |
> |
99 |
> > Evasive procedures would have to be controlled and managed centrally by |
100 |
> > an administrator, of course, as the whole system could be compromised if |
101 |
> > the wrong decision is made by a user. But everything else could end up in |
102 |
> > a file |
103 |
> > stored for each user - say in ~/.grsec - which would be referenced by any |
104 |
> > (G)UI access control management clients. |
105 |
> |
106 |
> That's way to much for me for now... |
107 |
> |
108 |
> Regards, |
109 |
> Dw. |
110 |
> |
111 |
> |
112 |
> -- |
113 |
> dr Tóth Attila, Radiológus Szakorvos jelölt, 06-20-825-8057, |
114 |
> 06-30-5962-962 Attila Toth MD, Radiologist in Training, +36-20-825-8057, |
115 |
> +36-30-5962-962 |
116 |
-- |
117 |
gentoo-hardened@l.g.o mailing list |