User story #6248
open
Manage security attributes
Added by Florian Heigl almost 10 years ago.
Updated almost 7 years ago.
Description
It would be nice[tm] to be able to also set other file permission details than the basic 1970's set.
This means:
- SElinux Contexts
- BSD-style security labels (sys immutable, user appendable) etc.
- Unix extended filesystem ACLs (xfs, etc. I think by now even ext might have them)
Putting stuff like that in policy would allow people to considerably raise the security level of their systems without the major nightmares involved by manually maintaining this.
Personally I'd just use the SELinux one on folders, recursively and it might be crazy to do that from within cfengine. I.e. think a webserver with a few million files.
I have no idea how people maintain "trusted systems" from configuration management, but will try to get some extra input on that.
BSD labels are a different story and nicer to think about.
I.e. setting the right flags on the sshd binary so it's no longer possible for certain interested parties to embed a different ssh key for backdooring.
Manually, upkeep of such a policy is extremely resource consuming.
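As an added illustration, not part of this ticket or of Rudder's own code, of what a compliance check for such a technique would compare: the desired-state tables, the `lsattr -d` output and the `ls -Zd` output below are all constructed sample data, and Linux `lsattr` flags (`i` immutable, `a` append-only) stand in for the BSD-style labels mentioned above.

```python
"""Drift check for file security attributes: lsattr flags (Linux counterpart
of the BSD immutable/append-only flags) and SELinux types versus a policy."""
import re

# Desired state (constructed policy): path -> required lsattr flag letters.
WANT_FLAGS = {"/usr/sbin/sshd": {"i"}, "/var/log/auth.log": {"a"}}
# Desired SELinux type per path (constructed policy).
WANT_TYPE = {"/var/www/html": "httpd_sys_content_t",
             "/etc/ssh/sshd_config": "etc_t"}

# `lsattr -d` prints an attribute string such as ----i---------e----- then the path.
LSATTR_RE = re.compile(r"^([-a-zA-Z]+)\s+(\S.*)$")

def parse_lsattr(output):
    """Map path -> set of flag letters present in `lsattr -d` output."""
    result = {}
    for line in output.splitlines():
        m = LSATTR_RE.match(line.strip())
        if m:
            flags, path = m.groups()
            result[path] = {c for c in flags if c != "-"}
    return result

def parse_selinux_types(output):
    """Map path -> SELinux type from `ls -Zd` output (user:role:type:level path)."""
    result = {}
    for line in output.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0].count(":") >= 3:
            result[" ".join(parts[1:])] = parts[0].split(":")[2]
    return result

def find_drift(lsattr_out, ls_z_out):
    """Return sorted (path, problem) pairs for every attribute not as desired."""
    have_flags, have_types = parse_lsattr(lsattr_out), parse_selinux_types(ls_z_out)
    drift = []
    for path, wanted in WANT_FLAGS.items():
        missing = wanted - have_flags.get(path, set())
        if missing:
            drift.append((path, "missing flags " + "".join(sorted(missing))))
    for path, wanted in WANT_TYPE.items():
        actual = have_types.get(path)
        if actual != wanted:
            drift.append((path, f"selinux type {actual} != {wanted}"))
    return sorted(drift)

# Constructed sample output: sshd is immutable as wanted, the log lacks the
# append-only flag, and sshd_config carries a wrong (home-directory) type.
SAMPLE_LSATTR = "----i---------e----- /usr/sbin/sshd\n--------------e----- /var/log/auth.log\n"
SAMPLE_LS_Z = ("system_u:object_r:httpd_sys_content_t:s0 /var/www/html\n"
               "unconfined_u:object_r:user_home_t:s0 /etc/ssh/sshd_config\n")

if __name__ == "__main__":
    for path, problem in find_drift(SAMPLE_LSATTR, SAMPLE_LS_Z):
        print(f"DRIFT {path}: {problem}")
```

A real technique would run the two commands on the agent and then remediate the reported paths (`chattr`, `chcon`/`restorecon`) rather than only report them.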
- Category set to Techniques
- Status changed from New to Discussion
- Target version set to 3.1.0~beta1
This is an excellent idea and would go nicely in a Technique repository labeled something like "system hardening" (or well, we could also put big names in it with ISO and SOX and defense and the like ;).
It seems the exact case where having a clear use case for a user, implementing it in cooperation with him, and then iterating to other use cases is the surest way to get somewhere.
Florian, perhaps we could try to work together in that direction (together here being you and NOT me, because well, you certainly want to have working techniques at the end)
- Target version changed from 3.1.0~beta1 to 3.1.0~rc1
- Target version changed from 3.1.0~rc1 to 3.1.0
- Target version changed from 3.1.0 to 3.1.1
- Target version changed from 3.1.1 to 3.1.2
- Target version changed from 3.1.2 to 3.1.3
- Target version changed from 3.1.3 to 3.1.4
- Target version changed from 3.1.4 to 3.1.5
- Target version changed from 3.1.5 to 3.1.6
- Target version changed from 3.1.6 to 3.1.7
- Target version changed from 3.1.7 to 3.1.8
- Target version changed from 3.1.8 to 3.1.9
- Target version changed from 3.1.9 to 3.1.10
- Target version changed from 3.1.10 to 3.1.11
- Target version changed from 3.1.11 to 3.1.12
- Target version changed from 3.1.12 to 3.1.13
- Target version changed from 3.1.13 to 3.1.14
- Target version changed from 3.1.14 to 3.1.15
- Target version changed from 3.1.15 to 3.1.16
- Target version changed from 3.1.16 to 3.1.17
- Target version changed from 3.1.17 to 3.1.18
- Target version changed from 3.1.18 to 3.1.19
- Target version changed from 3.1.19 to 3.1.20
- Target version changed from 3.1.20 to 3.1.21
- Target version changed from 3.1.21 to 3.1.22
- Target version changed from 3.1.22 to 3.1.23
- Target version changed from 3.1.23 to 3.1.24
- Target version changed from 3.1.24 to 3.1.25
- Target version changed from 3.1.25 to 4.1.9
- Target version changed from 4.1.9 to 4.1.10
- Target version changed from 4.1.10 to Ideas (not version specific)