Ubuntu Desktop Security Defaults
Null Ack
nullack at gmail.com
Wed Mar 18 04:46:16 UTC 2009
Gday John,
Good to see another Aussie on the list and contributing some top info :)
I've looked into Plash and I think your suggestion is excellent.
I was thinking of a two pronged approach:
1. AppArmor / SELInux or whatever static like central policy to
contain deamons, as these services typically have fixed functions and
can be locked down in a static way. I note here that Microsoft did
this locking down for Vista services, where they went through all the
services and implemented a least privileged model. We could exceed
Windows by doing least privileged but also protecting it through
mandatory access control policies as well.
2. A longer term secondary phase of securing X. Again we find
ourselves behind Windows where for Vista the security of their system
was made more resilient against shatter attacks with a number of
changes to make it far more difficult. Depending on the specifics of
how X is secured, sandboxes like Plash could be considered too.
I do disagree with you on enabling a firewall by default. What you say
is well informed - yes, you can use injection attacks to bypass
firewalls. A firewall is a basic level of protection that Windows and
OSX use by default. Attacks have to be more sophisticated to
circumvent a firewall using injection attacks for example.
Regards,
Nullack
More information about the Ubuntu-devel-discuss
mailing list