[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Raw sockets (Re: Security Concern)

>>>>> "Matt" == Matt Zimmerman <mdz@debian.org> writes:

    Matt> Restriction of raw sockets to processes with root privileges
    Matt> is the only meaningful security measure that can be applied,
    Matt> short of running the OS out of ROM.

This is not strictly true.  Mandentory access controls could provide
reasonable added security to reduce the chances that a security policy
preventing raw sockets could be violated.  A paper was presented at
last week's Usenix conference on Lomac, a open-source module from NAI
Labs that actually seemed reasonable for moderately paranoid
installations.  Unlike previous MAC proposals I had seen, I could
believe that I could get real work done with the module installed
while still seeing a security improvement.

Unfortunately, I couldn't find a website for the module.  Google
indicated several potential candidates but the ftp site on tislabs.com
and the home page on opensourcedirectory were both down at the time.  

Reply to: