Crispin Cowan wrote:

> I'm trying and failing to contrive a scenario in which it is a Big Deal that an
> attacker:
>
> * has a shell on a critical system
> * is probing the security configuration looking for weakness
> * would be blocked by both DAC and MAC
> * auditing/host IDS is configured to raise alarms if MAC violations are attempted
> * auditing/host IDS is NOT configured to raise alarms if DAC violations are
> attempted

Your scenario has a couple assumptions which constrain it unduly. You're assuming malice with "is probing ...", which is not required for the situation to be interesting. You're assuming that DAC is considered important at all when in many installations it's not, to the point that auditing is really disabled for DAC checks. The only situation they care about is a MAC violation, and they're not watching DAC so as to reduce the audit output to manageable levels.

--
Casey Schaufler Manager, Trust Technology, SGI
caseyat_private voice: 650.933.1634
casey_pat_private Pager: 888.220.0607
This archive was generated by hypermail 2b30 : Wed Jul 25 2001 - 09:16:29 PDT