From: Callum Lerwick <seg-AT-haxxed.com>
To: Steve Grubb <sgrubb-AT-redhat.com>
Subject: Re: More PATH fallout. Who decided this was a good idea?
Date: Sat, 06 Dec 2008 12:36:50 -0600
On Sat, 2008-12-06 at 13:16 -0500, Steve Grubb wrote:
> On Saturday 06 December 2008 13:02:39 Callum Lerwick wrote:
> > > No, it has more to do with the fact that we have to audit all attempts to
> > > modify trusted databases - in this case, shadow. No one can use these
> > > tools since they do not have the permissions required to be successful.
> > > So, we remove the ability to use these tools so that we don't have to
> > > audit it.
> > So "cat >> /etc/shadow" is audited?
> Of course.
So we *are* auditing low level filesystem calls? So then what, other
than security theater, does auditing execution of usermod gain us?
> > > IOW, if we open the permissions, we need to make these become setuid root
> > > so that we send audit events saying they failed.
> > >
> > > > I'm just curious what added security you really get.
> > >
> > > It's not so much a security thing as much as it's a certification thing. An
> > > ordinary user cannot possibly use these tools since they do not have the
> > > requisite permissions.
> > Yet "vi /etc/shadow" is okay? Is that audited?
> > It's sounding like the certification board's idea of "attempting to modify
> > trusted databases" is far detached from reality.
> No, it's actually quite good. By the way, we also get yelled at for not having
> Fedora locked down enough at install time. It's a constant tug-of-war between
> loosen it up and tighten it down.
If you consider "no internet" quite good. That may work for NSA spooks
but I'm going to go out on a limb and say it has absolutely no value for
the vast, vast majority of Fedora users.
> > Unix security happens at the syscall layer and given the focus on the
> > filesystem, at the filesystem layer. If you're not auditing *every*
> > attempt to open() /etc/shadow at the syscall layer it sounds to me like
> > you are doing it wrong.
> Nope. We are doing it right or we wouldn't have achieved LSPP.
I would note that my "doing it wrong" is then ultimately directed at the
LSPP. Rightly following a wrong authority doesn't make things right
unless you're a suit with checkboxes to tick.
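As an added illustration, not code from this thread or from Fedora's actual audit configuration: the two kinds of auditing argued about above (a watch on the trusted database itself versus a watch on execution of the tool that edits it) produce different audit records, and the script below parses a handful of constructed audit.log records and classifies each event. The auditctl rules in AUDIT_RULES, the log lines, the uids and the inode numbers are all assumptions made for the example; only the record layout, the x86_64 syscall numbers and the open(2) flag bits are real.

```python
import errno
import re
from collections import defaultdict

# Assumed audit rules in auditctl syntax: a watch on the shadow file for
# read/write/attribute changes and a watch on usermod for execution. The
# thread does not say which rules the LSPP-evaluated configuration shipped.
AUDIT_RULES = """
-w /etc/shadow -p rwa -k shadow
-w /usr/sbin/usermod -p x -k usermod_exec
"""

# Constructed audit.log records, not a real capture: an unprivileged
# "cat >> /etc/shadow", the same command as root (auid stays 1000 after su),
# an unprivileged "cat /etc/shadow", and an unprivileged attempt to run usermod.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1228588610.123:4521): arch=c000003e syscall=2 success=no exit=-13 a0=1a2b3c0 a1=441 a2=1b6 a3=0 items=1 ppid=2010 pid=2100 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="bash" exe="/bin/bash" key="shadow"
type=CWD msg=audit(1228588610.123:4521): cwd="/home/callum"
type=PATH msg=audit(1228588610.123:4521): item=0 name="/etc/shadow" inode=131 dev=08:02 mode=0100000 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1228588612.500:4522): arch=c000003e syscall=2 success=yes exit=3 a0=1a2b3c0 a1=441 a2=1b6 a3=0 items=1 ppid=2200 pid=2210 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4 comm="bash" exe="/bin/bash" key="shadow"
type=CWD msg=audit(1228588612.500:4522): cwd="/root"
type=PATH msg=audit(1228588612.500:4522): item=0 name="/etc/shadow" inode=131 dev=08:02 mode=0100000 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1228588615.042:4523): arch=c000003e syscall=2 success=no exit=-13 a0=7fff1e40 a1=0 a2=0 a3=0 items=1 ppid=2010 pid=2120 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="cat" exe="/bin/cat" key="shadow"
type=CWD msg=audit(1228588615.042:4523): cwd="/home/callum"
type=PATH msg=audit(1228588615.042:4523): item=0 name="/etc/shadow" inode=131 dev=08:02 mode=0100000 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1228588650.456:4524): arch=c000003e syscall=59 success=no exit=-13 a0=1a2b400 a1=1a2b4c0 a2=1a2b500 a3=0 items=1 ppid=2010 pid=2130 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="bash" exe="/bin/bash" key="usermod_exec"
type=CWD msg=audit(1228588650.456:4524): cwd="/home/callum"
type=PATH msg=audit(1228588650.456:4524): item=0 name="/usr/sbin/usermod" inode=4406 dev=08:02 mode=0100750 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
""".strip().splitlines()

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SERIAL_RE = re.compile(r'msg=audit\(\d+\.\d+:(\d+)\)')

# x86_64 syscall numbers (arch=c000003e): open() carries its flags in a1,
# openat() in a2; execve is 59. O_ACCMODE masks the read/write mode bits.
OPEN_FLAG_ARG = {"2": "a1", "257": "a2"}
EXECVE = "59"
O_ACCMODE, O_RDONLY = 0o3, 0o0


def parse_record(line):
    """Turn one 'type=... key=value ...' audit record into a dict."""
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    rec["serial"] = SERIAL_RE.search(line).group(1)
    return rec


def group_events(lines):
    """Group records by audit serial; one syscall event spans several records."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        events[rec["serial"]].append(rec)
    return events


def classify(records):
    """Describe one event: who tried what against which trusted file, and whether it worked."""
    sc = next(r for r in records if r["type"] == "SYSCALL")
    paths = [r["name"] for r in records if r["type"] == "PATH"]
    key, syscall = sc.get("key"), sc["syscall"]
    if syscall == EXECVE and key == "usermod_exec":
        kind = "usermod_exec"
    elif syscall in OPEN_FLAG_ARG and key == "shadow":
        flags = int(sc[OPEN_FLAG_ARG[syscall]], 16)   # audit prints args in hex
        kind = "shadow_read" if flags & O_ACCMODE == O_RDONLY else "shadow_write"
    else:
        kind = "other"
    exit_code = int(sc["exit"])
    return {
        "serial": sc["serial"],
        "kind": kind,
        "auid": int(sc["auid"]),   # login uid survives su/sudo, so it names the person
        "uid": int(sc["uid"]),
        "comm": sc["comm"],
        "paths": paths,
        "success": sc["success"] == "yes",
        "errno": errno.errorcode.get(-exit_code) if exit_code < 0 else None,
    }


def summarize(lines):
    """Classify every event in the log, in serial order."""
    events = group_events(lines)
    return [classify(recs) for _, recs in sorted(events.items(), key=lambda kv: int(kv[0]))]


if __name__ == "__main__":
    for ev in summarize(SAMPLE_LOG):
        status = "ok" if ev["success"] else "failed (%s)" % ev["errno"]
        print(f"{ev['serial']} {ev['kind']:<13} auid={ev['auid']} uid={ev['uid']} "
              f"{ev['comm']} {ev['paths']} {status}")
```

With a file watch in place, the "cat >> /etc/shadow" case is logged whether or not the open() succeeds, and the failed one carries exit=-13 (EACCES), while the watch on /usr/sbin/usermod only records that an execve of the tool was attempted; which of the two a given evaluation regime requires is exactly the disagreement in the thread.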
fedora-devel-list mailing list