More PATH fallout. Who decided this was a good idea?
Steve Grubb
sgrubb at redhat.com
Sun Dec 7 17:14:24 UTC 2008
On Sunday 07 December 2008 11:51:33 Jesse Keating wrote:
> I have yet to see anything in your definition of CAPP that adds real
> security to our system.
I didn't attempt to explain CAPP; that would be a book or at least a big
chapter in a book. What I attempted to explain is the parts of it that apply
to user account management.
> What I get out of it so far is "If all the admins play nice, we can track
> what they're doing". But if admins stop playing nice, all bets are off.
True. To track a hostile admin requires meeting yet another Security Target.
You need
1) Remote audit logging - we have that
2) Separation of roles such that a security officer and an admin role exist - we
have that.
3) Keystroke logging - we have that
These are called for in higher security standards. The higher standards
typically extend the lower standards.
> What value does that add to Fedora systems?
CAPP basically says you have a normal Unix system. As the threat increases,
you have to take different steps to counter it. We have a layered security
approach that lets you tailor the counter-measures to the perceived threat.
-Steve