> ---
> It's hard for even superuser to erase a Write-Once RO Media.
> Imagine even in the most primitive case writing to a line-printer.
> I don't think we've come up w/ re-writable DVD's yet. That could
> store at least a few Gig. Very hard to cover tracks if they are
> audited at the point of entry to the system.
Secure logging with auditing is a decent solution.
A WORM media is a nice thing, but almost no one has such a thing, so it's
not an option for everyone..
> > Nothing is safe agains an editor and someone who has root and know about
> > /dev/kmem
> ---
> On a conventional 'superuser' based system. On systems with
> least privilege/capabilities and MAC, the results less predictable.
Why not deny root certain operations when the system is in multi-user mode
?
> > Keeping the guy outside is a better start to focus on.
> ---
> That's the perimeter defense.
> Now what about internal containment?
> Internal cams & IR sensors (monitoring/audit). Suppose the cracker breaks
> into a 'safe'. Then they still have to crack the code to the safe door, or
> suppose different parts of the building (OS/computer) are separated by walls.
> and levels. Breaking into such a system/building is far more difficult than
> if you just have 1 really good perimeter defense on the outside.
Agree on that one.
> Of course can't always assume that users are always 'on the outside'.
> Sometimes they may be people who have authorized access to the system/building,
> but you don't want them able to go in all areas. Security sensors
> (ala auditing) can record who did what when -- the recording machines
> may be in a small room surrounded by guards within the NSA. No matter
> whatcha did...the steps leading up to it can be recorded. We can
> tell 'whose badge' or handprint or password authenticated them. We can
> watch them come in the front, back or side doors. We can watch them
> walking over to the security room and breaking down the door. We can
> watch them pulling the plug on the security cams. Oops -- that just
> called security. Etc.
The system can't smell what is good and what is bad. These issue above are
company policy...
Keeping userland thing secure is an important issue, restraining root
power is a second..
> Well-designed security isn't just 1 'thing'. It's like a
> bank safe-deposit box, You have secure-cams taping everything, you
> have guards on duty. You have the boxes require 2 keys - owner and
> banker. At night guards are put 'on call' and replaced with the
> safe-deposit boxes being in a large foot-thick steel vault. And
> perhaps more than one motion detector. A good OS has at least as many
> redundant features. Perhaps none is perfect but each has a probability
> of failure. Failure pr breaking of one security component should not
> lead to failure of another. Then the chances of getting in are
> reduced by multiplying chances of failure (fractions) resulting in lower
> and lower odds of a complete compromise.
Ugh.. Had to read that 4 times..
But yes, the physical security is also of importance...
> -l
>
>
Igmar
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/
This archive was generated by hypermail 2b29 : Mon May 15 2000 - 21:00:11 EST