LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

PostgreSQL 9.3 beta: Federated databases and more

LWN.net Weekly Edition for May 9, 2013

(Nearly) full tickless operation in 3.10

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Quotes of the week

Quotes of the week

Posted Apr 22, 2006 0:48 UTC (Sat) by erich (subscriber, #7127)
In reply to: Quotes of the week by rwmj
Parent article: Quotes of the week

You're getting it wrong.
He's monitoring the *correct* behaviour of his system to obtain a whitelist, not monitoring *attackers* to filtert them via a firewall-like *blacklist*.

When you're talking iptables this would be using the LOG target with a rate limit, then adding approriate iptables rules for the good traffic - then setting OUTPUT to DROP by default...

Any whitelist based (read: reject by default, the only reliable approach to system security) system will need to learn what acceptable behaviour is.
AppArmor needs this kind of "training", too. Except that AFAIK they have a tool do that mostly automatically, whereas the SELinux reference policy is hand-written to make sure that only needed permissions are granted.
SELinux policy files are already very complete, they contain information for hundreds (literally, I just counted 197 policy modules) different services. And no, "ls" is not a service, it doesn't have a policy of it's own... we're talking large, mostly networking applications here.

However, not all features in all services have already been whitelisted. I guess you might not even want to whitelist all of them (thats why there are tuneables/booleans in SELinux). And every now and then you'll be using a local extension.

For example, my OpenVPN server does update the DNS server and it has a status file, which is then read by munin for statistics.

For obvious reasons, OpenVPN *by default* was not allowed to update my DNS or even write it's state file. Nor was munin allowed to read the status file (which has no common location, this is all my own scriptwork)

(Log in to post comments)

Quotes of the week

Posted May 14, 2006 5:50 UTC (Sun) by pimlott (guest, #1535) [Link]

You missed the joke. (Nicely done, rwmj.) He's not monitoring the *correct* behavior, he's monitoring whatever behavior his system happens to exhibit during the training period. While running in "permissive mode". So for all he knows, he's hacked six ways from Tuesday. And then he makes that behavior law. Brilliant.

He should at least put a notice on his web page: "Please don't attack me for a couple weeks. Thanks."

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds