| 1 |
> > Hmm... configuration-wise, I'm envisioning a directory tree under |
| 2 |
> > /etc/grsec |
| 3 |
> > with per-user and per-application branches (because detailed grsec policy |
| 4 |
> > files get very big very quickly), so that differences or changes in |
| 5 |
> > requirements can be managed easily via comparing differences between flat |
| 6 |
> > files. |
| 7 |
> |
| 8 |
> We could have something similar to SELinux here. I mean: a policy |
| 9 |
> structure in directories, which could be used to generate the final policy |
| 10 |
> file. That would keep the effort in userland. |
| 11 |
|
| 12 |
This is pretty much what I meant, yes :) |
| 13 |
|
| 14 |
> Udev-event based mechanism for eg. |
| 15 |
|
| 16 |
The idea of udev-style notification mechanism works for me. |
| 17 |
|
| 18 |
> RSBAC have console type graphical UI for config editing. |
| 19 |
> I really like the idea of having a separate security officer in RSBAC as |
| 20 |
> well as the separate authentication system for grsecurity. It's a second |
| 21 |
> line defense mechanism makes it harder to bypass. But it also makes harder |
| 22 |
> to an everyday user to easily tamper with the security policy. I think |
| 23 |
> this second line should be kept. |
| 24 |
|
| 25 |
Ah, I'd forgotten about this - it's been a while since I've dallied with |
| 26 |
RSBAC. I agree - the security officer is a good idea for systems where |
| 27 |
everything runs by default as root. I see it as another tactic in the whole |
| 28 |
privilege separation strategy of trying to maintain process security. |
| 29 |
|
| 30 |
I've forgotten why I'd abandoned RSBAC - perhaps it was the difficulty in |
| 31 |
getting a fully functional system running. (Maybe that's changed since I last |
| 32 |
tried it. I remember admiring the set-based ideas behind it - maybe I should |
| 33 |
give it another shot sometime.) |
| 34 |
|
| 35 |
I know I settled on the Hardened sources because it was easier to selectively |
| 36 |
turn on or off security systems where they interfered with processes I wanted |
| 37 |
to run - which brings me back to my rant about easily managed security |
| 38 |
systems. If you can't selectively disable parts of the system without a |
| 39 |
reboot or kernel recompile, it's going to be 'all too hard' for many users. |
| 40 |
|
| 41 |
On Thu, 14 Feb 2008, atoth@××××××××××.hu wrote: |
| 42 |
> On Sze, Február 13, 2008 13:08, Geoff Kassel wrote: |
| 43 |
> > I like the idea of the SELinux per-application policies. I've never used |
| 44 |
> > them |
| 45 |
> > or SELinux, though, so I don't know how effective or simple they are to |
| 46 |
> > use |
| 47 |
> > IRL. Anyone else care to comment on this? |
| 48 |
> |
| 49 |
> Chris PeBenito is the person who probably have the most detailed knowledge |
| 50 |
> of SELinux here. I think it's more complex to develop a policy for an |
| 51 |
> application using SELinux, but a well designed framework provides |
| 52 |
> guidance. Targeted mode offers a chance to create a balance between |
| 53 |
> security and usability giving the chance for the everyday user to make use |
| 54 |
> of the technique without having to spend time on the policy or facing with |
| 55 |
> failing applications. |
| 56 |
> |
| 57 |
> >> I think many of us could contribute to the |
| 58 |
> >> policy. The hardest task would be to agree on the differences regarding |
| 59 |
> >> the security requirements. But that could be made configurable also. |
| 60 |
> >> Configuration intelligence could investigate the contents of the conf |
| 61 |
> >> directory to tailor the policy to the specific settings... |
| 62 |
> > |
| 63 |
> > Hmm... configuration-wise, I'm envisioning a directory tree under |
| 64 |
> > /etc/grsec |
| 65 |
> > with per-user and per-application branches (because detailed grsec policy |
| 66 |
> > files get very big very quickly), so that differences or changes in |
| 67 |
> > requirements can be managed easily via comparing differences between flat |
| 68 |
> > files. |
| 69 |
> |
| 70 |
> We could have something similar to SELinux here. I mean: a policy |
| 71 |
> structure in directories, which could be used to generate the final policy |
| 72 |
> file. That would keep the effort in userland. |
| 73 |
> |
| 74 |
> >> I have to regularly revise my policy to keep the box running. I've also |
| 75 |
> >> ended up loosening the security in order to make the system usable. |
| 76 |
> > |
| 77 |
> > As much maligned as Vista's UAC system is, I feel there's one positive |
| 78 |
> > thing |
| 79 |
> > about it - it's handy to have a mechanism to notify the user about |
| 80 |
> > potential |
| 81 |
> |
| 82 |
> Udev-event based mechanism for eg. |
| 83 |
> |
| 84 |
> > How about a user-configurable UI (something that could be run on a bare |
| 85 |
> > TTY, |
| 86 |
> > like, say, tty11, or on any other command line, for that matter) for the |
| 87 |
> > management system - secured from physical intrusion by sudo-style logins |
| 88 |
> > for |
| 89 |
> |
| 90 |
> RSBAC have console type graphical UI for config editing. |
| 91 |
> I really like the idea of having a separate security officer in RSBAC as |
| 92 |
> well as the separate authentication system for grsecurity. It's a second |
| 93 |
> line defense mechanism makes it harder to bypass. But it also makes harder |
| 94 |
> to an everyday user to easily tamper with the security policy. I think |
| 95 |
> this second line should be kept. |
| 96 |
> |
| 97 |
> < snip > |
| 98 |
> |
| 99 |
> > Evasive procedures would have to be controlled and managed centrally by |
| 100 |
> > an administrator, of course, as the whole system could be compromised if |
| 101 |
> > the wrong decision is made by a user. But everything else could end up in |
| 102 |
> > a file |
| 103 |
> > stored for each user - say in ~/.grsec - which would be referenced by any |
| 104 |
> > (G)UI access control management clients. |
| 105 |
> |
| 106 |
> That's way to much for me for now... |
| 107 |
> |
| 108 |
> Regards, |
| 109 |
> Dw. |
| 110 |
> |
| 111 |
> |
| 112 |
> -- |
| 113 |
> dr Tóth Attila, Radiológus Szakorvos jelölt, 06-20-825-8057, |
| 114 |
> 06-30-5962-962 Attila Toth MD, Radiologist in Training, +36-20-825-8057, |
| 115 |
> +36-30-5962-962 |
| 116 |
-- |
| 117 |
gentoo-hardened@l.g.o mailing list |
Archives