Tech Off Thread

5 posts

Linux Policy Enforcement Mechanisms... (OS Design)

  • DoomBringer

    In my OS Design class, we discussed some of the security and protection mechanisms used in OSes (In general and in particular).  In Windows, policies are created with Access Control Lists, and enforced by the OS.  (ACLs)  [Capability lists were discussed, and dismissed for a variety of reasons].  Windows offers a relatively strong logging feature for what I know.  I've seen all the options, and I like it.
    Linux inherited Unix style security and privilege policy behaviors.  Individual processes (programs on disk) are given things like SetUID bit (run the process in the context of the owner or not), and other things like the access modifiers (owner, global, etc...).

    I'm left wondering... is there any Linux distro out there that has a full-fledged ACL system?  I rather like the ACL methodology, it seems more full featured (but maybe harder to fully implement all the policies one could want, seeing how many there could be from an IT POV).  Also, is there a Linux distro with logging?  I haven't had time to mess around with any distros for a while, and I've never heard talk of ACLs with Linux.  Logging is useful for many reasons, especially finding out who broke what.
    Do you agree with me, that ACLs are more powerful?  Am I wrong in thinking no Linux distro has these two things?

  • defstream

    This might be able to get you a better understanding..

    http://www.securityfocus.com/infocus/1400

  • DoomBringer

    Thanks.  I guess ACLs are still at a primitive implementation in Linux, and aren't included by default.  That is too bad, because ACLs seemed like the best way to manage policy.

  • agoossens

    You might want to check SELinux, a project handled by (of all people) the NSA (http://www.nsa.gov/selinux). I think (and I'm no expert) that SELinux adds ACL support (along with a host of other improvements).

  • DoomBringer

    agoossens wrote:
     You might want to check SELinux, a project handled by (of all people) the NSA (http://www.nsa.gov/selinux). I think (and I'm no expert) that SELinux adds ACL support (along with a host of other improvements).

    Score!
    Is there any Linux with uber-logging in it?  Windows can log just about everything if you config it.
