Re: Raw sockets (Re: Security Concern)
>>>>> "Matt" == Matt Zimmerman <firstname.lastname@example.org> writes:
Matt> Restriction of raw sockets to processes with root privileges
Matt> is the only meaningful security measure that can be applied,
Matt> short of running the OS out of ROM.
This is not strictly true. Mandentory access controls could provide
reasonable added security to reduce the chances that a security policy
preventing raw sockets could be violated. A paper was presented at
last week's Usenix conference on Lomac, a open-source module from NAI
Labs that actually seemed reasonable for moderately paranoid
installations. Unlike previous MAC proposals I had seen, I could
believe that I could get real work done with the module installed
while still seeing a security improvement.
Unfortunately, I couldn't find a website for the module. Google
indicated several potential candidates but the ftp site on tislabs.com
and the home page on opensourcedirectory were both down at the time.