More PATH fallout. Who decided this was a good idea?

Steve Grubb sgrubb at redhat.com
Sat Dec 6 18:16:23 UTC 2008


On Saturday 06 December 2008 13:02:39 Callum Lerwick wrote:
> > No, it has more to do with the fact that we have to audit all attempts to
> > modify trusted databases - in this case, shadow. No one can use these
> > tools since they do not have the permissions required to be successful.
> > So, we remove the ability to use these tools so that we don't have to
> > audit it.
>
> So "cat >> /etc/shadow" is audited?

Of course.


> > IOW, if we open the permissions, we need to make these become setuid root
> > so that we send audit events saying they failed.
> >
> > > I'm just curious what added security you really get.
> >
> > It's not so much a security thing as much as it's a certification thing. An
> > ordinary user cannot possibly use these tools since they do not have the
> > requisite permissions.
>
> Yet "vi /etc/shadow" is okay? Is that audited?

Yep.

> It's sounding like the certification board's idea of "attempting to modify
> trusted databases" is far detached from reality.

No, it's actually quite good. By the way, we also get yelled at for not having
Fedora locked down enough at install time. It's a constant tug-of-war between
loosen it up and tighten it down.


> Unix security happens at the syscall layer and given the focus on the
> filesystem, at the filesystem layer. If you're not auditing *every*
> attempt to open() /etc/shadow at the syscall layer it sounds to me like
> you are doing it wrong.

Nope. We are doing it right or we wouldn't have achieved LSPP.

-Steve
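The point of the exchange above is that the audit trail has to record every attempt to open the trusted database, including the ones the kernel refuses, regardless of which tool made the attempt (`cat >>`, `vi`, or `passwd`). The following is an added illustration, not code from this thread or from Fedora: it groups raw auditd SYSCALL/PATH records by event serial and reports each open() of `/etc/shadow` with the caller, whether write access was requested, and whether the kernel allowed it. The log lines are constructed samples in auditd's raw record layout; the rule that would produce them on a real system is a standard file watch such as `-w /etc/shadow -p wa -k shadow-write`, and the `shadow-write`/`etc-read` key names are assumptions.

```python
import re
from collections import Counter

# Constructed sample records (not taken from the thread or any real host).
# Event 101: an unprivileged shell tries "cat >> /etc/shadow" and is denied (EACCES).
# Event 102: a setuid passwd process opens /etc/shadow for writing and succeeds.
# Event 103: a read of /etc/passwd, which the shadow-specific report must ignore.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1228587000.123:101): arch=c000003e syscall=2 success=no exit=-13 a0=7ffd1234 a1=441 a2=1b6 a3=0 items=1 ppid=3001 pid=3002 auid=1000 uid=1000 gid=1000 euid=1000 comm="bash" exe="/bin/bash" key="shadow-write"
type=PATH msg=audit(1228587000.123:101): item=0 name="/etc/shadow" inode=1234 dev=08:01 mode=0100000 ouid=0 ogid=0
type=SYSCALL msg=audit(1228587010.456:102): arch=c000003e syscall=2 success=yes exit=3 a0=7ffd5678 a1=441 a2=1b6 a3=0 items=1 ppid=1 pid=4000 auid=1000 uid=0 gid=0 euid=0 comm="passwd" exe="/usr/bin/passwd" key="shadow-write"
type=PATH msg=audit(1228587010.456:102): item=0 name="/etc/shadow" inode=1234 dev=08:01 mode=0100000 ouid=0 ogid=0
type=SYSCALL msg=audit(1228587020.789:103): arch=c000003e syscall=2 success=yes exit=3 a0=7ffd9abc a1=0 a2=0 a3=0 items=1 ppid=3001 pid=3003 auid=1000 uid=1000 gid=1000 euid=1000 comm="cat" exe="/bin/cat" key="etc-read"
type=PATH msg=audit(1228587020.789:103): item=0 name="/etc/passwd" inode=1235 dev=08:01 mode=0100644 ouid=0 ogid=0
"""

# key=value pairs; values may be double-quoted (comm, exe, name) or bare.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# msg=audit(<epoch seconds>.<ms>:<serial>) ties the SYSCALL and PATH records of one event together.
SERIAL_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')

O_WRONLY, O_RDWR = 0x1, 0x2          # open(2) access-mode bits on Linux
SYS_OPEN, SYS_OPENAT = "2", "257"    # x86_64 syscall numbers


def parse_records(text):
    """Group raw audit records by event serial, keeping the SYSCALL fields and every PATH name."""
    events = {}
    for line in text.splitlines():
        m = SERIAL_RE.search(line)
        if not m:
            continue
        serial = int(m.group(2))
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        ev = events.setdefault(serial, {"time": float(m.group(1)), "paths": []})
        if fields.get("type") == "SYSCALL":
            ev["syscall"] = fields
        elif fields.get("type") == "PATH":
            ev["paths"].append(fields.get("name", ""))
    return events


def shadow_access_attempts(text, protected="/etc/shadow"):
    """Return every open()/openat() event that named `protected`, whether it
    asked for write access, and whether the kernel allowed it."""
    out = []
    for serial, ev in sorted(parse_records(text).items()):
        sc = ev.get("syscall")
        if sc is None or protected not in ev["paths"]:
            continue
        # For open(2) the flags are the second argument (a1); for openat(2) the third (a2).
        flags_field = "a2" if sc.get("syscall") == SYS_OPENAT else "a1"
        flags = int(sc.get(flags_field, "0"), 16)   # audit logs arguments in hex
        out.append({
            "serial": serial,
            "auid": int(sc["auid"]),          # login uid: who is really behind the action
            "uid": int(sc["uid"]),            # effective credentials at the time of the call
            "comm": sc["comm"],
            "write_intent": bool(flags & (O_WRONLY | O_RDWR)),
            "allowed": sc["success"] == "yes",
        })
    return out


def summarize(attempts):
    """Count allowed versus denied attempts, the figure a reviewer asks for first."""
    counts = Counter("allowed" if a["allowed"] else "denied" for a in attempts)
    return dict(counts)


if __name__ == "__main__":
    attempts = shadow_access_attempts(SAMPLE_AUDIT_LOG)
    for a in attempts:
        verdict = "ALLOWED" if a["allowed"] else "DENIED"
        mode = "write" if a["write_intent"] else "read"
        print(f"event {a['serial']}: auid={a['auid']} uid={a['uid']} {a['comm']} {mode} {verdict}")
    print(summarize(attempts))
```

Both the denied shell append and the successful `passwd` write show up as separate events with the same login uid, which is what a syscall-level watch buys you: the report does not depend on which program was used, only on the path the kernel resolved.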
