> It's hard for even a superuser to erase write-once RO media.
> Imagine even the most primitive case: writing to a line-printer.
> I don't think we've come up w/ re-writable DVDs yet. That could
> store at least a few gig. Very hard to cover tracks if they are
> audited at the point of entry to the system.
Secure logging with auditing is a decent solution.
WORM media is a nice thing, but almost no one has such a thing, so it's
not an option for everyone.
> > Nothing is safe against an editor and someone who has root and knows about
> > /dev/kmem
> On a conventional 'superuser' based system. On systems with
> least privilege/capabilities and MAC, the results are less predictable.
Why not deny root certain operations when the system is in multi-user mode?
> > Keeping the guy outside is a better start to focus on.
> That's the perimeter defense.
> Now what about internal containment?
> Internal cams & IR sensors (monitoring/audit). Suppose the cracker breaks
> into a 'safe'. Then they still have to crack the code to the safe door, or
> suppose different parts of the building (OS/computer) are separated by walls
> and levels. Breaking into such a system/building is far more difficult than
> if you just have 1 really good perimeter defense on the outside.
Agree on that one.
> Of course can't always assume that users are always 'on the outside'.
> Sometimes they may be people who have authorized access to the system/building,
> but you don't want them able to go in all areas. Security sensors
> (ala auditing) can record who did what when -- the recording machines
> may be in a small room surrounded by guards within the NSA. No matter
> whatcha did...the steps leading up to it can be recorded. We can
> tell 'whose badge' or handprint or password authenticated them. We can
> watch them come in the front, back or side doors. We can watch them
> walking over to the security room and breaking down the door. We can
> watch them pulling the plug on the security cams. Oops -- that just
> called security. Etc.
The system can't smell what is good and what is bad. These issues above are
Keeping userland things secure is an important issue; restraining root
power is a second.
> Well-designed security isn't just 1 'thing'. It's like a
> bank safe-deposit box. You have secure-cams taping everything, you
> have guards on duty. You have the boxes requiring 2 keys - owner and
> banker. At night guards are put 'on call' and replaced with the
> safe-deposit boxes being in a large foot-thick steel vault. And
> perhaps more than one motion detector. A good OS has at least as many
> redundant features. Perhaps none is perfect but each has a probability
> of failure. Failure or breaking of one security component should not
> lead to failure of another. Then the chances of getting in are
> reduced by multiplying chances of failure (fractions) resulting in lower
> and lower odds of a complete compromise.
Ugh... Had to read that 4 times.
But yes, the physical security is also of importance...
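The thread argues about whether a log can survive an intruder who has root and an editor, and whether WORM media or an external audit point is needed. The following is an added example, not code from this thread or from the kernel, showing the usual software answer: a forward-secure audit log in the style of Schneier and Kelsey, where each entry is MACed under a key that is evolved one-way and erased after every append, and a separate verifier holding the initial key replays the chain. The entry texts, the key and the `ForwardSecureLog`/`verify` names are constructed for the demonstration. The last two checks show the caveat the thread is circling around: chopping off the tail of the log is invisible unless the verifier knows how many entries there should be, which is exactly what committing the log head to WORM media or a remote collector buys you.

```python
import hashlib
import hmac

TAG_LEN = 32  # SHA-256 digest length


def evolve_key(key: bytes) -> bytes:
    """One-way key update: key_{i+1} is derivable from key_i, never the reverse."""
    return hashlib.sha256(b"evolve|" + key).digest()


def entry_tag(key: bytes, seq: int, prev_tag: bytes, message: bytes) -> bytes:
    """MAC over (sequence number, previous tag, message) under the epoch key."""
    return hmac.new(key, seq.to_bytes(8, "big") + prev_tag + message,
                    hashlib.sha256).digest()


class ForwardSecureLog:
    """Append-only audit log kept on the monitored host (constructed example).

    After every append the epoch key is evolved and the old one dropped, so an
    intruder who becomes root later only ever sees the *current* key.
    """

    def __init__(self, initial_key: bytes) -> None:
        self._key = initial_key            # key_0; the verifier keeps its own copy
        self._prev_tag = b"\x00" * TAG_LEN
        self.entries: list[tuple[int, bytes, bytes]] = []

    def append(self, message: bytes) -> None:
        seq = len(self.entries)
        tag = entry_tag(self._key, seq, self._prev_tag, message)
        self.entries.append((seq, message, tag))
        self._prev_tag = tag
        self._key = evolve_key(self._key)   # key_seq is now gone from this host

    @property
    def current_key(self) -> bytes:
        """What an intruder with root can read out of memory right now."""
        return self._key


def verify(entries, initial_key: bytes, expected_count=None):
    """Verifier (separate collector holding key_0) replays the chain.

    Returns (ok, first_bad_index). A truncated tail is only caught when the
    verifier independently knows how many entries must exist.
    """
    key, prev = initial_key, b"\x00" * TAG_LEN
    for i, (seq, msg, tag) in enumerate(entries):
        if seq != i or not hmac.compare_digest(entry_tag(key, seq, prev, msg), tag):
            return False, i
        prev, key = tag, evolve_key(key)
    if expected_count is not None and len(entries) != expected_count:
        return False, len(entries)
    return True, None


def demo():
    """Walk through the attacks an intruder with root can try against the log."""
    key0 = hashlib.sha256(b"constructed demo key, not a real secret").digest()
    log = ForwardSecureLog(key0)
    for line in [b"login alice tty1", b"su - root", b"insmod rootkit.o",
                 b"useradd backdoor", b"rm /var/log/wtmp"]:   # constructed sample entries
        log.append(line)
    results = {"honest": verify(log.entries, key0)}

    # Intruder now has root: the log file plus the current (already evolved) key.
    stolen_key = log.current_key

    # 1. Edit an earlier entry in place: the MAC no longer matches.
    edited = list(log.entries)
    seq, _, tag = edited[3]
    edited[3] = (seq, b"useradd nobody", tag)
    results["edit"] = verify(edited, key0)

    # 2. Rewrite the past and recompute tags with the stolen key: the verifier
    #    uses key_3 for entry 3, the intruder only has key_5, so it still fails.
    forged, prev, k = list(log.entries[:3]), log.entries[2][2], stolen_key
    for seq, msg in [(3, b"useradd nobody"), (4, b"ls")]:
        tag = entry_tag(k, seq, prev, msg)
        forged.append((seq, msg, tag))
        prev, k = tag, evolve_key(k)
    results["forge_past"] = verify(forged, key0)

    # 3. Append after the compromise: this is legitimately accepted; forward
    #    security protects what happened *before* the intruder got root.
    appended = list(log.entries) + [(5, b"all is well", entry_tag(stolen_key, 5, prev_tag := log.entries[4][2], b"all is well"))]
    results["append_after"] = verify(appended, key0)

    # 4. Truncate the tail: undetectable unless the verifier knows the count.
    truncated = log.entries[:3]
    results["truncate_unknown_count"] = verify(truncated, key0)
    results["truncate_known_count"] = verify(truncated, key0, expected_count=5)
    return results
```

The point of the last pair of checks is the one the WORM argument above makes in hardware terms: a chained log proves the past was not rewritten, but only an externally held head or count proves that nothing was cut off the end.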
This archive was generated by hypermail 2b29 : Mon May 15 2000 - 21:00:11 EST