similar to: Trusted Path Execution

Hello, I've been looking at the different MAC modules available and how they cold help to implement a less insecure than usual shared hosting web server. I've not been able to come up with a suitable configuration, looking at mac_bsdextended, mac_biba and mac_mls, but I think that a MAC module with the following policies could be very useful for such an environment. Have I

Hey everyone, I'm hoping someone can point me in the right direction. I'm running a 6.1 box with mac_bsdextended compiled. I've created my ugidfw rules, and all seems well in the universe. I've got rules set up so the web process uid 80 and gid 80 can only read uid 1010 and gid 1010 owned files. When the web server tries to do something else, it throws an error such as:

Hi, is there any chance (if yes, how to do this?) to use the xf86 driver which "provides access to the memory and I/O ports of a VGA board and to the PCI configuration registers for use by the X servers when running with a kernel security level greater than 0" in FreeBSD*? Then it will be possible to start X environment with a kernel secure level > 0, right? Normally it is impossible

Hello, Are there many people actually using the MAC subsystem in the real world? I have been working to set up a shared hosting webserver and I've stumbled against some limitations with the BIBA policy. In short, it's an excellent model, and can be used succesfully if applications are aware of its existance, but I find it incompatible with the real-world needs in Unix, and,

Can someone clear something up for me? [[[ # For apache to read user files, the ruleadd must give # it permissions by default. #### ${CMD} add subject uid 80 object not uid 80 mode rxws; ${CMD} add subject gid 80 object not gid 80 mode rxws; ]]] Doesn't the above mean that an apache user (eg, user-supplied CGI process, PHP script, etc) has the ability to read (and write!) anything in the

FYI for those attending BSDCan and interested in some of the security feature development going on for FreeBSD right now... Robert N M Watson ---------- Forwarded message ---------- Date: Thu, 28 Apr 2005 21:39:31 +0100 (BST) From: Robert Watson <rwatson@FreeBSD.org> To: trustedbsd-discuss@TrustedBSD.org Subject: FYI: TrustedBSD at BSDCan Mentioned in an earlier e-mail, but here it is

On Wed, 2 Jan 2002, John Hay wrote: > Well I can accept your argument for -stable, although bigger changes has > gone in -stable in the past, but what about -current? My -current boxes > also still claim: "sshd version OpenSSH_2.9 FreeBSD localisations > 20011202" And this is the problem, if we don't have -current upgraded > we have little chance in getting wrinkles

I am attempting to fit a full zero-inflated Poisson model then use backward elimination to arrive at the best-fitting model. When I try to fit the model with zeroinfl() I get this error: Error in while (abs((ll_old - ll_new)/ll_old) > control$reltol) { : missing value where TRUE/FALSE needed Any suggestions? Thanks for your help! Paige Barlow MS Student Virginia Tech Dept Fish

FreeBSD version: 5.1-RELEASE Hi, I'm quite new to FreeBSD. I've check list archives and read a handbook, but I didn't find solution to my problem and I hope this is not off-topic. I've installed 5.1-RELEASE, enabled ACLs on the filesystems and I wanted to test MAC features. I'm also new to MAC, so perhaps this is some my mistake. When I enable mac_biba or mac_lomac (in

Hello, What do you recommend for keeping track of user activities? For preserving bash histories I followed these recommendations: http://www.defcon1.org/secure-command.html They include using 'chflags sappnd .bash_history', enabling process accounting, and the like. My goal is to "watch the watchers," i.e. watch for abuse of power by SOC people with the ability to view

FYI for those working with audit and intrusion detection on FreeBSD. Robert N M Watson ---------- Forwarded message ---------- Date: Mon, 5 Jun 2006 17:01:04 +0100 (BST) From: Robert Watson <rwatson@FreeBSD.org> To: current@FreeBSD.org Cc: trustedbsd-audit@TrustedBSD.org Subject: Heads up: OpenBSM 1.0a6, per-auditpipe preselection imported to CVS This is a heads up to current@ users

Dear 6-STABLE users, In the next 2-3 weeks, I plan to MFC support for CAPP security eventing auditing from 7-CURRENT to 6-STABLE. The implementation has been running quite nicely in -CURRENT for several months. Right now, I'm just waiting on a confirmation from Sun regarding formal allocation of a BSM header version number so as to avoid accidental version number conflicts in the

Dear 6-STABLE users, In the next 2-3 weeks, I plan to MFC support for CAPP security eventing auditing from 7-CURRENT to 6-STABLE. The implementation has been running quite nicely in -CURRENT for several months. Right now, I'm just waiting on a confirmation from Sun regarding formal allocation of a BSM header version number so as to avoid accidental version number conflicts in the

FYI, since this is probably of interest to subscribers of this mailing list also. Robert N M Watson ---------- Forwarded message ---------- Date: Wed, 1 Feb 2006 22:55:40 +0000 (GMT) From: Robert Watson <rwatson@FreeBSD.org> To: Julian Elischer <julian@elischer.org> Cc: trustedbsd-audit@TrustedBSD.org, K?vesd?n G?bor <gabor.kovesdan@t-hosting.hu>, current@freebsd.org

Just a quick question, My system is quite heavily customised with regard to permissions and MAC labels on system binaries. Is there any way to stop make installworld resetting all my customisation? At the moment I have a set of scripts to set permissions on everything but that's not exactly ideal. Mark -- PGP: http://www.darklogik.org/pub/pgp/pgp.txt B776 43DC 8A5D EAF9 2126 9A67 A7DA 390F

----- Mensagem encaminhada ---- De: Ricardo A. Reis <ricardo_bsd@yahoo.com.br> Para: security@freebsd.org Enviadas: Sexta-feira, 3 de Novembro de 2006 10:54:14 Assunto: FreeBSD and the new virtual machine-based rootkits Hi All, Recently i participated in Brazil on October 2006 The FIRST/TRANSITS and II Latin American Incident Response Conference (COLARIS). In the II COLARIS - Joanna

Okay folks, I give up and - frankly - I'm fed up! I thought I'd sorted all this last week, but clearly not. I've tried using mirrors from here in the UK, Ireland, France and the USA and whichever mirror I use, all I get is this: clive at climate ~ $ sudo apt-get update Hit:1 http://ubuntu.mirrors.uk2.net/ubuntu xenial InRelease Ign:2 http://dl.google.com/linux/chrome/deb stable

Hi all, I am looking at securing a web server using the FreeBSD MAC Framework. To make things clear I will call the hosted users "web users". Those are the issues I am dealing with: ** Network Security ** - Web users shouldn't be able to connect to reserved local ports apart from 25(smtp); 80(http); 443(https) and 3306(MySQL) Solution: run the web server and web users shell in

Hello I have some issues with OpenBSM which i cannot resolve, so i decided to ask there. 1) I found some bugs in the auditreduce utility and created patch for it - http://www.freebsd.org/cgi/query-pr.cgi?pr=114534. Please, someone from freebsd team - take it, i think its better to fix this before next release. 2) I found that when i`m using XDM as login manager with OpenBSM, all my audit

Hi. This is mostly hypothetical, just because I want to see how knowledgeable people would go about achieving it: I want to sandbox Mozilla Firefox. For the sake of example, I'm running it under my own user account. The idea is that it should be allowed to connect to the X server, it should be allowed to write to ~/.mozilla and /tmp. I expect some configurations would want access to audio