Re: MAC trivial question...


From: Amon Ott <ao@rsbac.org>
Subject: Re: MAC trivial question...
Date: Wed, 30 Aug 2000 09:54:01 +0200


On Wed, 30 Aug 2000 Fabrice MARIE wrote:
> > BTW, Stanislav has some patches to make MAC work better under Linux.
> > Chris, where are your patches?
> 
> However, with some patches to make it more linux-friendly ... mmmh .. patches ??
> Stanislav, would you mind sending your patches ? I think there is an interesting piece of
> work to make MAC more usable in the linux world.
> I guess, if we do so though, it would be less secure .. at least in theory ? am I wrong ? Amon ?

No, it is mostly a matter of default settings which do not violate the model
itself. The point is that Chris originally meant to present a full bundle of
MAC changes, including patches, so these changes had been postponed.
   
> I had a look at the competition (medusa and lids for instance) and I still prefer rsbac,
> for its design and usability. However .. I found a couple of nice things in them that (I think)
> are not integrated in rsbac. Volunteers ?

Yes, I also had a look at medusa and others. There are some good ideas in them.
 
> from medusa: you can set up some booby-traps. Say for example the user runs ifconfig,
> you can configure medusa to run exit or logout instead of ifconfig only for some users.

Currently, the request function does not return anything but the result. You
could of course include a pointer in the request, where the new path could be
stored. The problem is the request dispatching - all models must be very
careful not to change what other models put in there.

How about a simple extra model "booby-trap"? Still, the extra request parameter
would have to be included into the kernel patches for all kernel versions.

> Very strict policies are one thing, having some fun with script-kiddies is interesting as well.
> Seriously, most of the script kiddies would stop attacking you if you bother them a bit on your system.
>

Is this not just a bit of fun play? I would rather not run anything for them on
my secured system - they might find a hole in the other program as well. Nothing
against a playground on another system in the DMZ, but this is rather a network
and firewall issue.

> openwall: they have a patch to have a non-executable stack, the patch does other stuff as well...
> does it work nicely with rsbac ? Has anyone used those patches ? Is it configurable extensively (like rsbac is) ?
> I'm thinking that it would be nice to add those features in rsbac .. not at all to replace rsbac with these toys.
>
> What do you think ?

Non-exec stack should not interfere with RSBAC, but I never tested it.

Amon.
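
The dispatching concern raised in the reply above, sketched as an added example (not part of the original post and not RSBAC code): each model gets a private buffer for a replacement path and the dispatcher merges the results, so no model can change what another put there. All names, the verdict values, and the deny-on-conflict and deny-if-nobody-grants rules are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define REDIR_MAX 64
enum verdict { V_DONT_CARE, V_GRANT, V_DENY };
struct request { const char *user, *path; };

/* A model returns a verdict and may propose a replacement path in redir,
 * a scratch buffer private to that model (all names here are hypothetical). */
typedef enum verdict (*model_fn)(const struct request *, char *redir);

/* "Booby-trap" model: for user guest, run logout instead of ifconfig. */
enum verdict trap_model(const struct request *r, char *redir)
{
    if (!strcmp(r->user, "guest") && !strcmp(r->path, "/sbin/ifconfig"))
        strcpy(redir, "/bin/logout");
    return V_DONT_CARE;
}
/* Access-control model: denies /sbin/ to user intern, never redirects. */
enum verdict strict_model(const struct request *r, char *redir)
{
    (void)redir;
    return (!strcmp(r->user, "intern") && !strncmp(r->path, "/sbin/", 6))
               ? V_DENY : V_GRANT;
}
/* Ask every model; on V_GRANT, out holds the path to execute. */
enum verdict dispatch(const model_fn *m, size_t n,
                      const struct request *r, char *out)
{
    char chosen[REDIR_MAX] = "";
    int granted = 0;
    out[0] = '\0';
    for (size_t i = 0; i < n; i++) {
        char scratch[REDIR_MAX] = "";      /* fresh buffer per model */
        enum verdict v = m[i](r, scratch);
        if (v == V_DENY) return V_DENY;    /* any denial wins, no redirect */
        if (v == V_GRANT) granted = 1;
        if (scratch[0] && chosen[0] && strcmp(scratch, chosen))
            return V_DENY;                 /* conflicting redirects: fail closed */
        if (scratch[0]) strcpy(chosen, scratch);
    }
    if (!granted) return V_DENY;           /* no model granted: deny */
    snprintf(out, REDIR_MAX, "%s", chosen[0] ? chosen : r->path);
    return V_GRANT;
}
int main(void)
{
    const model_fn models[] = { trap_model, strict_model };
    struct request r = { "guest", "/sbin/ifconfig" };   /* constructed sample */
    char out[REDIR_MAX];
    printf("%d %s\n", dispatch(models, 2, &r, out), out);
}
```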