Re: Proposal "LUID"

From: Austin Schutz (tex@gblx.net)
Date: Mon Apr 17 2000 - 19:55:57 EST


On Mon, Apr 17, 2000 at 05:13:34PM -0700, law@sgi.com wrote:
> Austin Schutz wrote:
> > > 1. The audit trail would show that you modified telnetd.
> >
> > No, because I didn't modify it. I found a buffer overrun and exploited
> > it (or I exploited BIND, or sendmail, etc...) and never modified anything.
> ---
> But let's say we configured init to set_luid(daemon). All of
> a sudden we see user 'daemon' starting a shell. *red flag*. In fact,
> if you had an event daemon monitoring the audit log, I could see it
> shutting down that process in under 1 second, for example.
>
        Go back and read my mail again. I explicitly _did not_ start a shell.
I merely dumped the contents of /etc/shadow. It would theoretically be possible
to monitor every file access by every daemon, but that's still just a
band-aid, since some daemons will have permission to access sensitive files
to begin with.

>
> > As long as the machine has not been compromised, I agree. But it
> > should not give one a false sense of being more secure.
> ---
> No it's only designed to measure that a security breach occurred
> and what the intruder did.

        And I still argue that if security has been compromised you may not
have the opportunity to log the breach.

> No *increase* of security -- that's why
> it is called "auditing". If you want a security increase, then wait
> until the Labeled Security Protection Profile (LSPP) is applied to
> a Linux target. That would provide serious ammo to defending a system.
> Adding MAC and least privilege, file-based capabilities, and non
> executable stack and you have something a bit more tedious to break
> into. Considering 'root' access may mean nothing and there may be
> no user on the system that has all Capabilities. Root can be configured
> to only be able to access certain files, daemons could be configured
> to only be able to access the files they are supposed to, etc.
> Would really rain on a cracker's parade. Probably the best they could
> do would be to bring down the system (like the DoS attacks). Annoying,
> but not security defeating.
>
> Imagine the credit card database so that neither root nor http could access
> it except through a secured program that neither could write to, etc.
> Great fun...

        Sounds nice. Interesting to see how it gets implemented.

        Austin
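As an added illustration of the two detection points argued over in this exchange (this is example code written for this page, not code from the thread or from the LUID proposal): the "daemon starts a shell" rule catches the case law@sgi.com describes, while a read of /etc/shadow under a service's login id only shows up with a second, file-based rule, and even that rule needs an allowlist for daemons that legitimately read such files. The log lines, the account names in SERVICE_LUIDS and the ALLOWED_READS entry are all constructed assumptions; `auid` is used as the Linux audit field that carries the login uid, the counterpart of the LUID being discussed.

```python
import re
from typing import Callable, Dict, List

# Constructed, simplified audit-style lines (not real auditd output, which
# splits SYSCALL and PATH records). "auid" is the login uid: for a service it
# is whatever init set before exec, here the 'daemon' account.
SAMPLE_LOG = """\
type=SYSCALL syscall=execve auid=daemon uid=daemon exe="/usr/sbin/in.telnetd"
type=SYSCALL syscall=execve auid=daemon uid=daemon exe="/bin/sh"
type=SYSCALL syscall=open auid=daemon uid=daemon exe="/usr/sbin/in.telnetd" name="/etc/shadow"
type=SYSCALL syscall=open auid=daemon uid=daemon exe="/usr/sbin/saslauthd" name="/etc/shadow"
type=SYSCALL syscall=open auid=root uid=root exe="/bin/login" name="/etc/shadow"
"""

SHELLS = {"/bin/sh", "/bin/bash", "/bin/csh", "/bin/ksh"}
SENSITIVE = {"/etc/shadow", "/etc/master.passwd"}
# Accounts init is assumed to have handed out as service login ids (assumption).
SERVICE_LUIDS = {"daemon", "http", "named", "mail"}
# Daemons that are expected to read a sensitive file (assumed example entry).
ALLOWED_READS = {("/usr/sbin/saslauthd", "/etc/shadow")}

FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_record(line: str) -> Dict[str, str]:
    """Split one key=value audit line into a dict, stripping quotes."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(2)
            for m in FIELD_RE.finditer(line)}


def shell_rule(rec: Dict[str, str]) -> bool:
    """Red flag from the thread: a process under a service login id execs a shell."""
    return (rec.get("syscall") == "execve" and rec.get("auid") in SERVICE_LUIDS
            and rec.get("exe") in SHELLS)


def sensitive_file_rule(rec: Dict[str, str]) -> bool:
    """Austin's counterexample: no shell, just a service reading /etc/shadow."""
    return (rec.get("syscall") == "open" and rec.get("auid") in SERVICE_LUIDS
            and rec.get("name") in SENSITIVE
            and (rec.get("exe"), rec.get("name")) not in ALLOWED_READS)


def audit_alerts(log: str, rules: List[Callable[[Dict[str, str]], bool]]) -> List[str]:
    """Run every rule over every record; return one alert string per hit."""
    alerts = []
    for line in log.splitlines():
        rec = parse_record(line)
        for rule in rules:
            if rule(rec):
                alerts.append(f"{rule.__name__}: auid={rec['auid']} exe={rec['exe']} "
                              f"{rec.get('name', '')}".strip())
    return alerts
```

Running only `shell_rule` over the sample log reports the `/bin/sh` exec and nothing else; the telnetd read of /etc/shadow is invisible until `sensitive_file_rule` is added, and the saslauthd read is suppressed by the allowlist.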

This archive was generated by hypermail 2b29 : Sun Apr 23 2000 - 21:00:12 EST