From: Bill Laut <wlsel@verizon.net>
To: SELinux@tycho.nsa.gov
Subject: SELinux, KDE, and honeypots
Date: Tue, 8 Jul 2003 23:03:22 -0400
Message-ID: <200307082303.22083.wlsel@verizon.net>
(1) Once I finish cleaning up my gateway/router's policy, I would like to
migrate my workstation to SELinux so that I can allow Mozilla to run
Javascripting and/or plugins without the fear of my workstation being
compromised. In reading through the archive, it seems the only thing that
needs to be modified is kdm. Is this a correct assumption, or should I
expect it to be more involved than that?
(2) My earlier encounter with the avc network messages inspired an idea for a
possible Intrusion Detection System. For example, consider a typical server
running Apache, Sendmail, and Qpopper, whose sysadmin wants to know if
the server is ever compromised, and if so, how it was accomplished.
The idea I had was to create a pseudo-device driver that leverages NetFilter
to output all traffic from all TCP streams to a user-mode daemon that writes
the packets for each stream into their own separate disk files (and governing
the throughput if need be so that the transcribing daemon can keep up with
the traffic). If no security violations are reported during the lifetime of
the TCP stream, then when it is closed the transcript is moved to a directory
where it remains for some period of time (perhaps for auditing purposes)
before being routinely deleted.
If, however, any security violations are reported they are recorded into the
transcript file in sequence with the TCP packets, and then when the stream is
closed the completed file is moved into a permanent directory for later
analysis.
The general idea is that if some hitherto unknown weakness in a daemon is
exploited, the transcript file would allow an analyst to speedily
determine the exploit vector and thereby facilitate patching the exploit.
Does this idea sound reasonable? Has someone already done it using SELinux?
If not, how would you improve it?
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
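A small model of the transcript-and-quarantine scheme proposed in the message above, added here as an example and not code from the post or the selinux list: packets are appended to a per-stream transcript, any AVC denial seen while the stream is open is recorded in sequence, and at close the transcript is filed as short-lived audit data or kept permanently for analysis. The stream keys, payloads and the AVC log line are constructed.

```python
import re

# Matches SELinux AVC denial messages as they appear in the kernel log.
AVC_RE = re.compile(r"avc:\s+denied\s+\{[^}]*\}")


class TranscriptRecorder:
    """Per-TCP-stream transcripts with AVC denials interleaved, filed at close
    into a short-retention 'audit' bucket (clean) or a 'permanent' one (flagged)."""

    def __init__(self):
        self.streams = {}     # open stream key -> transcript lines so far
        self.flagged = set()  # open streams that saw a denial
        self.audit = {}       # closed clean transcripts (routinely expired)
        self.permanent = {}   # closed flagged transcripts (kept for analysis)

    def packet(self, key, payload):
        self.streams.setdefault(key, []).append(f"PKT {payload}")

    def log_line(self, line):
        # A denial is recorded into every stream open at that instant: the
        # design in the post has no finer packet-to-denial correlation.
        if AVC_RE.search(line):
            for key in self.streams:
                self.streams[key].append(f"AVC {line.strip()}")
                self.flagged.add(key)

    def close(self, key):
        lines = self.streams.pop(key)
        if key in self.flagged:
            self.flagged.discard(key)
            self.permanent[key] = lines
            return "permanent"
        self.audit[key] = lines
        return "audit"


def demo():
    """Replay a constructed event sequence; returns each stream's disposition."""
    rec = TranscriptRecorder()
    http = "10.0.0.5:40001->80"      # constructed stream keys and payloads
    pop3 = "10.0.0.9:40002->110"
    rec.packet(http, "GET /cgi-bin/test.cgi HTTP/1.0")
    rec.log_line('kernel: avc:  denied  { execute } for  pid=1234 comm="httpd" '
                 'scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:bin_t')
    result = {http: rec.close(http)}     # flagged: denial arrived mid-stream
    rec.packet(pop3, "USER alice")
    rec.packet(pop3, "PASS secret")
    result[pop3] = rec.close(pop3)       # clean: no denial while open
    return result, len(rec.permanent[http]), len(rec.audit[pop3])
```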