[Wolves] Nsa using linux

Adam Sweet drinky76 at yahoo.com
Fri Aug 25 11:48:34 BST 2006


--- Peter Cannon <peter at cannon-linux.co.uk> wrote:
> I'm not convinced it has a place in the business
> world either as a good 
> sysadmin should be able to control what users are
> allowed to install/run.

I think the point is to restrict what the applications
themselves can do, rather than what users can do with
the applications. The primary point of this is to
secure internet facing services (httpd, FTP server,
mail server, DNS server and so on) which are common
points of attack for ne'er do wells.

For example you would specify that your DNS server can
only read its own config files, nothing else, and
only write to its own hints file when it updates it.
For httpd, you would say that it can see its own
config files, read only and also can see the htdocs
read only, nothing else. It might also be able to
write to a Unix socket file or make a TCP connection
to a database server. It basically means locking
down an Internet facing daemon on a per file or
resource basis.

I'm certainly no expert, but I would be particularly
interested in a talk on this. Specifically in the
training of SELinux. I'd like to deploy it, but it
seems a high mountain to climb when I have so many
other things to do.

Ad

-- 

http://www.drinky.org.uk

http://blog.adamsweet.org
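
Added example, not part of the original message: the per-daemon restrictions described above, written as SELinux type enforcement rules. The type names follow the SELinux reference policy; the module name, the choice of MySQL as the database, and the hints file being labelled named_cache_t are assumptions made for illustration.

```selinux
# Constructed example module. SELinux denies by default: any access
# without a matching allow rule is refused and logged as an AVC denial,
# even when the daemon process runs as root.
module confined_daemons_example 1.0;

require {
    type named_t, named_conf_t, named_cache_t;
    type httpd_t, httpd_config_t, httpd_sys_content_t;
    type mysqld_t, mysqld_var_run_t, mysqld_port_t;
    class dir { search getattr read open };
    class file { read write getattr open };
    class sock_file write;
    class unix_stream_socket connectto;
    class tcp_socket name_connect;
}

# --- DNS server (domain named_t) ---
# Read its own configuration, read only.
allow named_t named_conf_t:dir { search getattr };
allow named_t named_conf_t:file { read getattr open };
# Write only to its own data files (assumed label for the hints file).
allow named_t named_cache_t:dir { search getattr };
allow named_t named_cache_t:file { read write getattr open };

# --- Web server (domain httpd_t) ---
# Its own configuration, read only.
allow httpd_t httpd_config_t:dir { search getattr read open };
allow httpd_t httpd_config_t:file { read getattr open };
# The htdocs tree, read only. There is no write permission here, so a
# compromised httpd cannot modify the content it serves.
allow httpd_t httpd_sys_content_t:dir { search getattr read open };
allow httpd_t httpd_sys_content_t:file { read getattr open };

# Talk to the database over its Unix socket (MySQL assumed) ...
allow httpd_t mysqld_var_run_t:dir search;
allow httpd_t mysqld_var_run_t:sock_file write;
allow httpd_t mysqld_t:unix_stream_socket connectto;
# ... or over TCP, but only to the port type assigned to the database.
allow httpd_t mysqld_port_t:tcp_socket name_connect;

# Nothing above lets httpd_t read named_conf_t or lets named_t read
# httpd_sys_content_t, so each daemon is confined to its own files.
```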


		


