Re: OpenBSD Gets Harder to Crack

[InfoSec News <isn () c4i org>]

Forwarded from: Russell Coker <russell () coker com au>
Cc: timothy_dyck () ziffdavis com

Timothy Dyck wrote in a review of OpenBSD:
> However, while mandatory access controls do make systems harder to
> administer, we've found the approach a very powerful defense in
> tests and would welcome the option to use these techniques with
> OpenBSD.

One point you may use to strengthen your arguements for MAC in
discussions with BSD people is their use in testing software.

When you write MAC policy for an application using a system such as SE
Linux that has fine grained controls you get a good knowledge of the
details of it's operation.  I have discovered many bugs in Linux
programs through writing SE Linux policy and observing which programs
try to violate the policy.

One of the most common bugs I find is applications and libraries which
fail to close file handles before executing other programs.  I have
found this in LDAP library code, the PCMCIA cardmgr process, many
other programs, and even in the kernel itself!  Some of these bugs
have been fixed because of my work alone, and might otherwise still be
present and unknown in Linux systems.

My work on SE Linux is providing benefits for people who will never
use it though getting some of these bugs fixed.

Another thing to note is that although administering a system with MAC
involves more work (and more skill) than a regular Unix system, you
are not compelled to use it.  Having a MAC system as an option for
those who want it does not seem to offer any cost.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.