Casey Schaufler wrote:

> Crispin Cowan wrote:
>
> > Are you really losing valuable audit information if an access is denied because of
> > DAC, when it also would have been denied because of MAC?
>
> Some of the people who want to buy our Big boxes for
> purposes better unknown think so. They care A LOT more
> about MAC than DAC.

One does not follow from the other. I care a lot more about MAC, too, but that doesn't mean that I care a lot about access requests that get denied by DAC that would have also been denied by MAC.

I'm trying and failing to contrive a scenario in which it is a Big Deal that an attacker:

* has a shell on a critical system
* is probing the security configuration looking for weakness
* would be blocked by both DAC and MAC
* auditing/host IDS is configured to raise alarms if MAC violations are attempted
* auditing/host IDS is NOT configured to raise alarms if DAC violations are attempted

Individually many of these items are plausible, but the combination is weird. If the system is so critical, then why is IDS configured to only bitch about MAC violations? If it is because alarming at DAC violations is too noisy, then why do so many people do so much work on a system that is so critical? It just doesn't make sense.

Crispin

--
Crispin Cowan, Ph.D.
Chief Scientist, WireX Communications, Inc. http://wirex.com
Security Hardened Linux Distribution: http://immunix.org
Available for purchase: http://wirex.com/Products/Immunix/purchase.html

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
This archive was generated by hypermail 2b30 : Wed Jul 25 2001 - 00:56:31 PDT