From: Amon Ott <ao@rsbac.org>
Subject: Re: MAC trivial question...
Date: Wed, 30 Aug 2000 09:54:01 +0200

On Wed, 30 Aug 2000 Fabrice MARIE wrote:
> > BTW, Stanislav has some patches to make MAC work better under Linux.
> > Chris, where are your patches?
> > However, with some patches to make it more linux-friendly ... mmmh .. patches ??
> Stanislav, would you mind sending your patches ? I think there is an interesting piece of
> work to make MAC more usable in the linux world.
> I guess, if we do so though, it would be less secure .. at least in theory ? am I wrong ? Amon ?

No, it is mostly a matter of default settings which do not violate the model itself.
The point is that Chris originally meant to present a full bundle of MAC changes,
including patches, so these changes had been postponed.

> I had a look at the competition (medusa and lids for instance) and I still prefer rsbac,
> for its design and usability. However .. I found a couple of nice things in them that (I think)
> are not integrated in rsbac. Volunteers ?

Yes, I also had a look at medusa and others. There are some good ideas in them.

> from medusa: you can set up some booby-traps. Say for example the user runs ifconfig,
> you can configure medusa to run exit or logout instead of ifconfig only for some users.

Currently, the request function does not return anything but the result. You could
of course include a pointer in the request, where the new path could be stored.
The problem is the request dispatching - all models must be very careful not to
change what other models put in there.

How about a simple extra model "booby-trap"? Still, the extra request parameter
would have to be included into the kernel patches for all kernel versions.

> Very strict policies are one thing, having some fun with script-kiddies is interesting as well.
> Seriously, most of the script kiddies would stop attacking you if you bother them a bit on your system.

Is this not just a bit of fun play? I would rather not run anything for them on my
secured system - they might find a hole in the other program as well.
Nothing against a playground on another system in the DMZ, but this is rather a
network and firewall issue.

> openwall: they have a patch to have a non-executable stack, the patch does other stuff as well...
> does it work nicely with rsbac ? Has anyone used those patches ? Is it configurable extensively (like rsbac is) ?
> I'm thinking that it would be nice to add those features in rsbac .. not at all to replace rsbac with these toys.
>
> What do you think ?

Non-exec stack should not interfere with RSBAC, but I never tested it.

Amon.
-
To unsubscribe from the rsbac list, send a mail to majordomo@rsbac.org with
unsubscribe rsbac as single line in the body.
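
The dispatching concern raised in the mail above (an extra request field that more than one model could write to), sketched as an added example that is not part of the original message and is not RSBAC code. The types, the first-writer-wins rule, the most-restrictive-decision merge, and the uid and paths are all assumptions made for illustration.

```c
/* Added illustration. All names are hypothetical; this is not RSBAC's API. */
#include <stdio.h>
#include <string.h>
enum decision { DO_NOT_CARE, GRANTED, NOT_GRANTED };  /* ordered by strictness */
struct request {
    const char *path; unsigned uid;  /* what was asked to run, and by whom */
    char new_path[64];               /* substitute path, "" = none */
    const char *owner;               /* model that filled new_path, NULL = nobody */
};
typedef enum decision (*model_fn)(struct request *);
/* The only way a model may write the shared field: first writer wins. */
static int set_new_path(struct request *r, const char *model, const char *p)
{
    if (r->owner || strlen(p) >= sizeof r->new_path)
        return -1;                   /* never clobber another model's value */
    strcpy(r->new_path, p);
    r->owner = model;
    return 0;
}

static enum decision model_mac(struct request *r) { (void)r; return GRANTED; }
static enum decision model_trap(struct request *r)
{   /* constructed rule: uid 1001 running ifconfig gets a substitute */
    if (r->uid == 1001 && strcmp(r->path, "/sbin/ifconfig") == 0)
        set_new_path(r, "booby-trap", "/bin/false");
    return DO_NOT_CARE;
}
static enum decision model_other(struct request *r)  /* a second would-be writer */
{ set_new_path(r, "other", "/bin/true"); return DO_NOT_CARE; }

/* Call every model in order and keep the most restrictive decision. */
static enum decision dispatch(struct request *r, const model_fn *m, size_t n)
{
    enum decision res = DO_NOT_CARE, d;
    for (size_t i = 0; i < n; i++)
        if ((d = m[i](r)) > res) res = d;
    return res;
}

static struct request demo;          /* state after the last run_demo() */
static enum decision run_demo(unsigned uid)
{
    static const model_fn models[] = { model_mac, model_trap, model_other };
    demo = (struct request){ "/sbin/ifconfig", uid, "", NULL };
    return dispatch(&demo, models, 3);
}
int main(void)
{
    run_demo(1001);
    printf("%s -> %s (set by %s)\n", demo.path, demo.new_path, demo.owner);
    return 0;
}
```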