Dailydave mailing list archives
Re: Media Excitement!
From: robert () dyadsecurity com
Date: Sun, 24 Apr 2005 22:09:22 -0700
Cody Hatch(bytejump () gmail com)@Sun, Apr 24, 2005 at 01:31:45PM -0600:
> It seems to me to be a better approach to use PaX, grsecurity, and systrace to make the kernel and applications behave appropriately
These steps may or may not prove useful in decreasing the success of certain attack vectors, but they do not represent the same goals of projects like SE Linux.
> Don't get me wrong - I see the benefits of RBAC - but I view complexity as the law of averages working against you - the more complex something gets, the more likely it is that mistakes will be made.
I would argue that discretion in the hands of the novice is more complicated than using a MAC/DTE machine for pre-agreed usage. If you wanted to, you could set up an SE Linux box for a secretary that could use an Email program, Web Browser, Printer, and Word Processor. If she went to the wrong website that wanted to exploit her browser, it would only be able to do things from the security context you allowed for her browser. It wouldn't have access to her sensitive documents, or her gpg keys, or your internal network, etc. She would be able to open those dirty attachments from email and not get compromised with a DDoS zombie client.
She would have these protections because what is and what is not allowed is clearly defined in the policy, and the policy is enforced. Policy weaknesses can expose you to vulnerability, but that's because computers do what you tell them to do, which isn't always what you want them to do. That's why you leave discretion in the capable hands of those qualified to make policies.
Also, RBAC actually makes systems easier to manage in a DTE environment. We're working on an SE Linux policy set that we'll eventually share back that will showcase the use of RBAC. But that won't be out until sometime after Black Hat.
Robert
--
Robert E. Lee
CEO, Dyad Security, Inc.
W - http://www.dyadsecurity.com
E - robert () dyadsecurity com
M - (949) 394-2033
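The browser confinement scenario in the message above, as an added example that is not part of the original post or of any SE Linux policy: a small Python model of the access decision, contrasting DAC alone with DAC plus type enforcement. All paths, domain names and type labels are constructed for illustration, and the model covers only the decision logic, not SE Linux's implementation.

```python
# Added illustration: every path, domain and type label here is constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class File:
    path: str
    owner: str   # DAC owner
    mode: int    # DAC permission bits (owner and other are used)
    label: str   # MAC type label

FILES = {f.path: f for f in [
    File("/home/sec/.browser/cache", "sec", 0o600, "browser_data_t"),
    File("/home/sec/Documents/payroll.doc", "sec", 0o600, "user_doc_t"),
    File("/home/sec/.gnupg/secring.gpg", "sec", 0o600, "gpg_secret_t"),
    File("/usr/bin/browser", "root", 0o755, "browser_exec_t"),
    File("/bin/sh", "root", 0o755, "shell_exec_t"),
]}

# Type-enforcement rules: (source domain, target type, permission).
# Default deny: anything not listed here is refused.
ALLOW = {
    ("user_t", "browser_exec_t", "execute"),
    ("user_t", "user_doc_t", "read"), ("user_t", "user_doc_t", "write"),
    ("user_t", "gpg_secret_t", "read"),
    ("browser_t", "browser_data_t", "read"),
    ("browser_t", "browser_data_t", "write"),
}
# Domain transitions: (current domain, type of executed file) -> new domain.
TRANSITIONS = {("user_t", "browser_exec_t"): "browser_t"}

def dac_allows(uid, path, perm):
    """Classic owner/other mode-bit check: the user's discretion."""
    f = FILES[path]
    bit = {"read": 4, "write": 2, "execute": 1}[perm]
    shift = 6 if uid == f.owner else 0
    return bool((f.mode >> shift) & bit)

def te_allows(domain, path, perm):
    """Policy check: is there an allow rule for this domain and type?"""
    return (domain, FILES[path].label, perm) in ALLOW

def exec_domain(domain, path):
    """Domain a process lands in after exec, or None if exec is denied."""
    if not te_allows(domain, path, "execute"):
        return None
    return TRANSITIONS.get((domain, FILES[path].label), domain)

def access(uid, domain, path, perm):
    """MAC is enforced on top of DAC: both checks must pass."""
    return dac_allows(uid, path, perm) and te_allows(domain, path, perm)
```

Under DAC alone an exploited browser runs with the secretary's uid and passes every check she would pass; with the policy enforced, the same process is in `browser_t` and has no rule for her documents, her key ring, or a shell.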