Re: Securing Postgres

From Welty, Richard
Subject Re: Securing Postgres
Date
Msg-id A209FE4DA934614CAF3F5BD8E5E14290B0DE28@ex2k.bankofamerica.com
In response to Securing Postgres  (L van der Walt <mailing@lani.co.za>)
List pgsql-general
Richard_D_Levine@raytheon.com wrote:
>You could look at what SELinux extensions now available in at least the Red
>Hat (and Fedora) distro offer.  I have never done anything with SELinux,
>and a quick review of the archives indicates it is not a slam dunk to use.
>It is designed to create the kind of restrictive environment you describe.

i'm not sure it's the answer. SELinux is focused on suppressing privilege
escalation problems. root is still root, it has to be. you can constrain
root, but in order to be able to administer the system, root still needs to
be able to modify security policy, otherwise it'd be trivially easy for
a less-than-skilled sysadmin to render his machines unmanageable. even
skilled sysadmins from time to time commit the good old fashioned oops,
after all.

the general problem of an environment where you do not choose to trust
your sysadmins is a very hard one. i've spent some time thinking about
how to handle it, and there are no easy solutions. building a secure,
reliable audit trail system struck me as the way to go, but you literally
need to get the audit logs off site into another facility with
completely independent administration.

richard
