Firewall Wizards mailing list archives
Re: Web server security?
From: "Paul D. Robertson" <paul () compuwar net>
Date: Tue, 22 Jun 2004 11:32:38 -0400 (EDT)
On Tue, 22 Jun 2004, Crispin Cowan wrote:
Previously available only as a feature of Immunix OS, SubDomain is now available as a stand-alone product for Linux 2.6 systems via the LSM interface for pluggable security modules. In the near term, since Immunix requires Linux 2.6, that means SuSE 9.1.
FWIW, I tend to share most of Amon Ott's worries about LSM:

http://www.rsbac.org/lsm.htm

The two most salient points, IMO are:

    And the whole hook design is broken, because all kernel data gets exposed to any module that likes to register - what an invitation to root kit authors.

and:

    When in the year 2000 the first common access control framework for all important then existing Linux kernel access control extensions was designed, people from LIDS, Medusa, SGI and RSBAC, as well as some other people, already solved most of these and some other important issues. Unfortunately, our design did not get the important impetus to prosper and died. The LSM project, led mostly by different people (who had also been invited to our previous discussion), felt itself bound to Linus' order that security must not cost anything in performance, focused on single modules and, sorry to say that, mostly ignored the work done by the first approach.

"Security can't cost performance!" and ignoring folks who've done the real hard work before have never been good traits for a project...

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards