[Security_sig] DCL protection assumptions

slav at vogon.net slav at vogon.net
Thu Oct 7 14:49:37 PDT 2004


>
> SeOS?  How are they privs parcelled out?  What are examples of the
> differing layers?  Agreed, least privileges is preferred method for
> containment.
>

SeOS is a commercial (by CA, I believe) security product that intercepts
syscalls and compares them to its policy.  Instead of taking away privs
from root, privs are added to user accounts instead.  SeOS is configured
to give an admin a "sandbox to play in", and it'll restrict access to
files and processes according to the policy.  SeOS is also available for
all major UNIX platforms including Linux, which is a plus in heterogeneous
environment.

We've also evaluated LIDS and SELinux.  LIDS was impressive but lacked
some important features.  We were less than impressed with SELinux due to
its instability and complexity.





More information about the security_sig mailing list