Quotes of the week
Posted Apr 22, 2006 0:48 UTC (Sat) by erich
In reply to: Quotes of the week
Parent article: Quotes of the week
You're getting it wrong.
He's monitoring the *correct* behaviour of his system to obtain a whitelist, not monitoring *attackers* to filter them via a firewall-like *blacklist*.
When you're talking iptables this would be using the LOG target with a rate limit, then adding appropriate iptables rules for the good traffic - then setting OUTPUT to DROP by default...
Any whitelist-based (read: reject by default, the only reliable approach to system security) system will need to learn what acceptable behaviour is.
AppArmor needs this kind of "training", too. Except that AFAIK they have a tool to do that mostly automatically, whereas the SELinux reference policy is hand-written to make sure that only needed permissions are granted.
SELinux policy files are already very complete; they contain information for hundreds (literally, I just counted 197 policy modules) of different services. And no, "ls" is not a service, it doesn't have a policy of its own... we're talking large, mostly networking applications here.
However, not all features in all services have already been whitelisted. I guess you might not even want to whitelist all of them (that's why there are tunables/booleans in SELinux). And every now and then you'll be using a local extension.
For example, my OpenVPN server does update the DNS server and it has a status file, which is then read by munin for statistics.
For obvious reasons, OpenVPN *by default* was not allowed to update my DNS or even write its state file. Nor was munin allowed to read the status file (which has no common location, this is all my own scriptwork).
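The learn-then-whitelist workflow the comment describes for iptables (rate-limited LOG target, then ACCEPT rules for the traffic that was observed, then a default DROP policy), as an added example that is not part of the original comment: it parses constructed kernel LOG lines and emits the matching rules. The "OUT-LOG:" prefix, interfaces and addresses are made up for the sample.

```python
import re
from collections import OrderedDict

# Constructed sample of what syslog records for a rate-limited logging rule such as
#   iptables -A OUTPUT -m limit --limit 10/min -j LOG --log-prefix "OUT-LOG: "
# Field layout follows netfilter's LOG target; hosts and ports are invented.
SAMPLE_LOG = """\
Apr 22 00:40:01 host kernel: OUT-LOG: IN= OUT=eth0 SRC=10.0.0.5 DST=10.0.0.1 LEN=60 PROTO=UDP SPT=44321 DPT=53 LEN=40
Apr 22 00:40:02 host kernel: OUT-LOG: IN= OUT=eth0 SRC=10.0.0.5 DST=198.51.100.7 LEN=60 PROTO=TCP SPT=51234 DPT=443 SYN
Apr 22 00:40:03 host kernel: OUT-LOG: IN= OUT=eth0 SRC=10.0.0.5 DST=10.0.0.1 LEN=60 PROTO=UDP SPT=44322 DPT=53 LEN=40
Apr 22 00:40:04 host kernel: OUT-LOG: IN= OUT=tun0 SRC=10.8.0.1 DST=10.8.0.2 LEN=84 PROTO=ICMP TYPE=8 CODE=0
Apr 22 00:40:05 host kernel: OUT-LOG: IN= OUT=eth0 SRC=10.0.0.5 DST=10.0.0.9 LEN=60 PROTO=TCP SPT=51235 DPT=4949 SYN
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")

def parse_log_line(line):
    """Return the KEY=VALUE fields of one LOG line as a dict, or None if the
    line is not netfilter LOG output."""
    if "kernel:" not in line or "PROTO=" not in line:
        return None
    fields = {}
    for key, val in FIELD_RE.findall(line):
        fields.setdefault(key, val)   # UDP lines carry LEN twice; keep the outer one
    return fields

def learn_whitelist(log_text):
    """Count the distinct (out-iface, proto, dport) tuples seen in the log;
    insertion order is kept so the generated rules are reproducible."""
    seen = OrderedDict()
    for line in log_text.splitlines():
        f = parse_log_line(line)
        if f is None:
            continue
        key = (f.get("OUT", ""), f["PROTO"].lower(), f.get("DPT"))  # ICMP has no DPT
        seen[key] = seen.get(key, 0) + 1
    return seen

def whitelist_rules(seen, chain="OUTPUT"):
    """Render the learned tuples as ACCEPT rules, then the default-DROP policy."""
    rules = []
    for (iface, proto, dport), count in seen.items():
        rule = f"iptables -A {chain} -o {iface} -p {proto}"
        if dport is not None:
            rule += f" --dport {dport}"
        rules.append(f"{rule} -j ACCEPT   # seen {count}x")
    rules.append(f"iptables -P {chain} DROP")
    return rules

if __name__ == "__main__":
    print("\n".join(whitelist_rules(learn_whitelist(SAMPLE_LOG))))
```

Review the generated list by hand before applying it: anything the box happened not to do during the observation window (a monthly cron job, say) will be dropped once the policy flips.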