* frm crispinat_private "07/24/01 23:37:30 -0700" | sed '1,$s/^/* /'
*
* Casey Schaufler wrote:
*
*> Crispin Cowan wrote:
*>
*> > Are you really losing valuable audit information if an access is
*> > denied because of DAC, when it also would have been denied because of
*> > MAC?
*>
*> Some of the people who want to buy our Big boxes for
*> purposes better unknown think so. They care A LOT more
*> about MAC than DAC.
*
* One does not follow from the other. I care a lot more about MAC, too,
* but that doesn't mean that I care a lot about access requests that get
* denied by DAC that would have also been denied by MAC.
*
* I'm trying and failing to contrive a scenario in which it is a Big Deal
* that an attacker:
*
*     * has a shell on a critical system
*     * is probing the security configuration looking for weakness
*     * would be blocked by both DAC and MAC
*     * auditing/host IDS is configured to raise alarms if MAC violations
*       are attempted
*     * auditing/host IDS is NOT configured to raise alarms if
*       DAC violations are attempted
*
* Individually many of these items are plausible, but the combination is
* weird. If the system is so critical, then why is IDS configured to only
* bitch about MAC violations? If it is because alarming at DAC violations
* is too noisy, then why do so many people do so much work on a system that
* is so critical? It just doesn't make sense.

Because the only way they could buy the machine was for distinct groups
to join together and get it. Say it's split between classified and
unclassified sites, or it's acting as a Chinese wall in a financial
institution.

Replace "critical" with "huge big server", optionally remove the second
item, and you've got our customers.

You really don't want to be sending the Marines in just because a random
user tried to cat > /etc/fstab when they really meant cat /etc/fstab.

*
* Crispin

richard.
-----------------------------------------------------------------------
Richard Offer                     Technical Lead, Trust Technology, SGI
"Specialization is for insects"
_______________________________________________________________________

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
This archive was generated by hypermail 2b30 : Wed Jul 25 2001 - 07:58:28 PDT