On Sat, 2008-12-06 at 13:16 -0500, Steve Grubb wrote: > On Saturday 06 December 2008 13:02:39 Callum Lerwick wrote: > > > No, it has more to do with the fact that we have to audit all attempts to > > > modify trusted databases - in this case, shadow. No one can use these > > > tools since they do not have the permissions required to be successful. > > > So, we remove the ability to use these tools so that we don't have to > > > audit it. > > > > So "cat >> /etc/shadow" is audited? > > Of course. So we *are* auditing low level filesystem calls? So then what, other than security theater, does auditing execution of usermod gain us? > > > IOW, if we open the permissions, we need to make these become setuid root > > > so that we send audit events saying they failed. > > > > > > > I'm just curious what added security you really get. > > > > > > Its not so much a security thing as much as its a certification thing. An > > > ordinary user cannot possibly use these tools since they do not have the > > > requisite permissions. > > > > Yet "vi /etc/shadow" is okay? Is that audited? > > Yep. > > > Its sounding like the certification board's idea of "attempting to modify > > trusted databases" is far detached from reality. > > No its actually quite good. By the way, we also get yelled at for not having > Fedora locked down enough at install time. Its a constant tug-of-war between > loosen it up and tighten it down. If you consider "no internet" quite good. That may work for NSA spooks but I'm going to go out on a limb and say it has absolutely no value for the vast, vast majority of Fedora users. > > Unix security happens at the syscall layer and given the focus on the > > filesystem, at the filesystem layer. If you're not auditing *every* > > attempt to open() /etc/shadow at the syscall layer it sounds to me like > > you are doing it wrong. > > Nope. We are doing it right or we wouldn't have achieved LSPP. I would note that my "doing it wrong" is then ultimately directed at the LSPP. Rightly following a wrong authority doesn't make things right unless you're a suit with checkboxes to tick.
Attachment:
signature.asc
Description: This is a digitally signed message part
-- fedora-devel-list mailing list fedora-devel-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-devel-list
