RE: What server hardening are you doing these days?

On Thu, 2005-11-10 at 14:28 -0800, Kurt Dillard wrote:
> If you're looking for mandatory access control, no general purpose
> commercial software supports that out of the box. MACs is, in my
> opinion, not viable for the vast majority of users and businesses. As
> for localsystem having full access to the file system, your comment
> suggests that you don't realize localsystem has full access to virtually
> everything. Its analogous to root on *nix. If you have data you want to
> protect from even localsystem you'll have to encrypt it and store the
> key separate from the computer. 

Out of interest (and don't get me wrong, it is out of friendly interest,
I don't want to start a fight!), is your "no general purpose" statement
solely directed towards windows as a platform and software which adds
functionality to it, or towards operating systems for midrange systems
in general?

If the latter (ie. if you're referring to Operating Systems in general),
how would apply that statement to the (several) distributions of linux
(redhat being a prime example - for instance
https://www.redhat.com/en_us/USA/rhel/details/features/, about half-way
down) which include Mandatory Access Control as part of their default
kernel and enable/bundle support for it? 

Although redhat swings towards 'targeted' MAC by default, it will
support 'full' MAC, and the 'targeted' access control which wraps system
services is fairly powerful.

 - James.




---------------------------------------------------------------------------
---------------------------------------------------------------------------