On Mon, Jun 18, 2001 at 03:03:06AM +0200, Christian Jaeger wrote:
> Hello
>
> Do you know about LIDS (www.lids.org)? It also gives the ability to
> play with CAP's, but seems much more sophisticated.
>
> I've just subscribed to this list. Has LIDS been discussed here before?

a bit. lids makes system administration utterly impossible. unless you leave enough holes open which an attacker can use to bypass it all.

> correct), rather than effectively inhibiting a breakin. But even for
> this purpose it seems you have to secure almost every file in your
> system with ACL's (which is not very comfortable). Maybe this idea
> from mine is working well: install some special binaries to which you
> grant many permissions. One is an 'apt-get update/upgrade' wrapper
> (so automatic security updates work), another one might be a shell
> wrapper allowing system administrators to work on /etc, and so on. I
> think I'll ask this on the lids list later if that's the better place
> for such discussions.

the thing is once you make exceptions for the system administrator to use to maintain the system, you open the holes the attacker needs to trojan your system and to remove the additional obstacles you installed.

system administrator == root
cracker == root

you can't trust one without trusting the other.

--
Ethan Benson
http://www.alaska.net/~erbenson/