[redhat-lspp] Re: Separation between secadm and sysadm problem????

Klaus Weidner klaus at atsec.com
Tue Mar 14 22:35:16 UTC 2006


On Tue, Mar 14, 2006 at 04:49:07PM -0500, Daniel J Walsh wrote:
> Is it ok for sysadm_t to be able to run an RPM that will update the policy?
> I think this will need to be documented?

It's ok, LSPP and RBAC still assume trustworthy admins. There should be
some reasonable audit records about these actions though, and as you say
the documentation should point out the enforcement limitations.

RPMs can also replace the kernel, the newrole program, /etc/profile,
glibc, and all kinds of software that could indirectly affect audit and
policy and that could be leveraged by an untrustworthy sysadm, so I doubt
you'd get waterproof separation on anything resembling a standard Linux
system.

The best bet would be realtime audit log forwarding to a separate loghost
(which the sysadm doesn't have access rights for), that way you'd get a
robust audit trail about the sysadm actions.

-Klaus
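
Added example, not part of the original post: one way a separate loghost could scan forwarded audit records for RPM runs and SELinux policy loads performed under the sysadm_r role. The sample records are constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample records in Linux audit log format (not from the original post).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1142375716.101:451): arch=c000003e syscall=59 success=yes exit=0 auid=500 uid=0 comm="rpm" exe="/bin/rpm" subj=staff_u:sysadm_r:rpm_t:s0 key=(null)
type=SYSCALL msg=audit(1142375719.220:460): arch=c000003e syscall=1 success=yes exit=3412 auid=500 uid=0 comm="load_policy" exe="/usr/sbin/load_policy" subj=staff_u:sysadm_r:load_policy_t:s0 key=(null)
type=MAC_POLICY_LOAD msg=audit(1142375719.220:460): policy loaded auid=500 ses=3
type=SYSCALL msg=audit(1142375800.004:470): arch=c000003e syscall=59 success=yes exit=0 auid=501 uid=501 comm="ls" exe="/bin/ls" subj=user_u:user_r:user_t:s0 key=(null)
"""

EVENT_ID = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(text):
    """Group records by event serial; all records of one event share it."""
    events = defaultdict(lambda: {"types": set(), "fields": {}})
    for line in text.splitlines():
        m = EVENT_ID.search(line)
        if not m:
            continue  # not an audit record
        ev = events[int(m.group(2))]
        for key, value in FIELD.findall(line):
            if key == "type":
                ev["types"].add(value)
            elif key != "msg":
                ev["fields"].setdefault(key, value.strip('"'))
    return events

def flag_admin_changes(text, role="sysadm_r"):
    """Return (serial, auid, action) for rpm runs and policy loads under `role`."""
    findings = []
    for serial, ev in sorted(parse_events(text).items()):
        f = ev["fields"]
        subj = f.get("subj", "").split(":")  # user:role:type:level
        if len(subj) < 2 or subj[1] != role:
            continue
        if "MAC_POLICY_LOAD" in ev["types"]:
            findings.append((serial, f.get("auid"), "policy load"))
        elif f.get("exe", "").endswith("/rpm"):
            findings.append((serial, f.get("auid"), "rpm run"))
    return findings

if __name__ == "__main__":
    for finding in flag_admin_changes(SAMPLE_LOG):
        print(finding)
```

The auid field carries the login UID, so each finding stays attributable to the account that originally logged in, even after a switch to root.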



