Project

General

Profile

Actions

User story #6248

open

Manage security attributes

Added by Florian Heigl almost 10 years ago. Updated almost 7 years ago.

Status:
Discussion
Priority:
N/A
Assignee:
-
Category:
Techniques
UX impact:
Suggestion strength:
User visibility:
Effort required:
Name check:
Fix check:
Regression:

Description

It would be nice[tm] to be able to also set other file permission details than the basic 1970's set.

This means:
  • SElinux Contexts
  • BSD-style security labels (sys immutable, user appendable) etc.
  • Unix extended filesystem ACLs (xfs, etc. I think by now even ext might have them)

Putting stuff like that in policy would allow people to considerably raise the security level of their systems without the major nightmares involved by manually maintaining this.

Personally I'd just use the SELinux one on folders, recursively and it might be crazy to do that from within cfengine. I.e. think a webserver with a few million files.

I have no idea how people maintain "trusted systems" from configuration management, but will try to get some extra input on that.
BSD labels are a different story and nicer to think about.

I.e. setting the right flags on the sshd binary so it's no longer possible for certain interested parties to embed a different ssh key for backdooring.
manually, upkeep of such a policy is extremely resource consuming.

Actions #1

Updated by François ARMAND almost 10 years ago

  • Category set to Techniques
  • Status changed from New to Discussion
  • Target version set to 3.1.0~beta1

This is an excellent idea and would go niccelly in a Technique repository labeled something alike "system hardening" (or well, we could also put big name in it with iso and soax and defense and the like ;).

It seems the exact case where having a clear use case for an user, implementing it in cooperation with him, and then iterating to other use cases is the most sure way to get somewhere.

Florian, perhaps we could try to work together in that direction (together here being you and NOT me, because well, you certainly want to have working techniques at the end)

Actions #2

Updated by Vincent MEMBRÉ over 9 years ago

  • Target version changed from 3.1.0~beta1 to 3.1.0~rc1
Actions #3

Updated by Vincent MEMBRÉ over 9 years ago

  • Target version changed from 3.1.0~rc1 to 3.1.0
Actions #4

Updated by Vincent MEMBRÉ over 9 years ago

  • Target version changed from 3.1.0 to 3.1.1
Actions #5

Updated by Vincent MEMBRÉ over 9 years ago

  • Target version changed from 3.1.1 to 3.1.2
Actions #6

Updated by Vincent MEMBRÉ about 9 years ago

  • Target version changed from 3.1.2 to 3.1.3
Actions #7

Updated by Vincent MEMBRÉ about 9 years ago

  • Target version changed from 3.1.3 to 3.1.4
Actions #8

Updated by Vincent MEMBRÉ about 9 years ago

  • Target version changed from 3.1.4 to 3.1.5
Actions #9

Updated by Vincent MEMBRÉ almost 9 years ago

  • Target version changed from 3.1.5 to 3.1.6
Actions #10

Updated by Vincent MEMBRÉ almost 9 years ago

  • Target version changed from 3.1.6 to 3.1.7
Actions #11

Updated by Vincent MEMBRÉ over 8 years ago

  • Target version changed from 3.1.7 to 3.1.8
Actions #12

Updated by Vincent MEMBRÉ over 8 years ago

  • Target version changed from 3.1.8 to 3.1.9
Actions #13

Updated by Vincent MEMBRÉ over 8 years ago

  • Target version changed from 3.1.9 to 3.1.10
Actions #14

Updated by Vincent MEMBRÉ over 8 years ago

  • Target version changed from 3.1.10 to 3.1.11
Actions #15

Updated by Vincent MEMBRÉ over 8 years ago

  • Target version changed from 3.1.11 to 3.1.12
Actions #16

Updated by Vincent MEMBRÉ over 8 years ago

  • Target version changed from 3.1.12 to 3.1.13
Actions #17

Updated by Vincent MEMBRÉ about 8 years ago

  • Target version changed from 3.1.13 to 3.1.14
Actions #18

Updated by Vincent MEMBRÉ about 8 years ago

  • Target version changed from 3.1.14 to 3.1.15
Actions #19

Updated by Vincent MEMBRÉ about 8 years ago

  • Target version changed from 3.1.15 to 3.1.16
Actions #20

Updated by Vincent MEMBRÉ about 8 years ago

  • Target version changed from 3.1.16 to 3.1.17
Actions #21

Updated by Vincent MEMBRÉ almost 8 years ago

  • Target version changed from 3.1.17 to 3.1.18
Actions #22

Updated by Vincent MEMBRÉ almost 8 years ago

  • Target version changed from 3.1.18 to 3.1.19
Actions #23

Updated by Vincent MEMBRÉ over 7 years ago

  • Target version changed from 3.1.19 to 3.1.20
Actions #24

Updated by Vincent MEMBRÉ over 7 years ago

  • Target version changed from 3.1.20 to 3.1.21
Actions #25

Updated by Vincent MEMBRÉ over 7 years ago

  • Target version changed from 3.1.21 to 3.1.22
Actions #26

Updated by Vincent MEMBRÉ over 7 years ago

  • Target version changed from 3.1.22 to 3.1.23
Actions #27

Updated by Vincent MEMBRÉ about 7 years ago

  • Target version changed from 3.1.23 to 3.1.24
Actions #28

Updated by Vincent MEMBRÉ about 7 years ago

  • Target version changed from 3.1.24 to 3.1.25
Actions #29

Updated by Benoît PECCATTE about 7 years ago

  • Target version changed from 3.1.25 to 4.1.9
Actions #30

Updated by Vincent MEMBRÉ almost 7 years ago

  • Target version changed from 4.1.9 to 4.1.10
Actions #31

Updated by Benoît PECCATTE almost 7 years ago

  • Target version changed from 4.1.10 to Ideas (not version specific)
Actions

Also available in: Atom PDF