[Info-vax] VMS Privileges Versus Linux Capabilities

Stephen Hoffman seaohveh at hoffmanlabs.invalid
Wed Jun 22 09:38:32 EDT 2016


On 2016-06-22 05:57:24 +0000, lawrencedo99 at gmail.com said:

> On Wednesday, June 22, 2016 at 3:20:09 AM UTC+12, Stephen Hoffman wrote:
> 
>> As implemented, nobody in their right mind would want to use SEVMS, or 
>> any other traditional mandatory access control system for that matter. 
>> Some folks — certainly of their right mind — do have to use mandatory 
>> access controls, because of their environment and the sorts of data 
>> they have stored on their servers.  Mandatory access control security 
>> is not easy to manage, nor to use.
> 
> The Linux ones have a logging mode, I understand, where they just 
> generate reports about what would have been blocked, instead of 
> actually blocking it. That may be of some help in figuring it out.

And if not, it's a simple matter of writing a few shell scripts and a 
trip or two through awk, I'm sure.

On OpenVMS:
$ HELP SHOW AUDIT /ENABLE
Been around for decades.

But the reason for the denial is only a small part of why folks would 
prefer to avoid using mandatory access controls, unnecessarily.  The 
difficulty involved in managing and using these systems goes far past 
the auditing and figuring out what failed, and right to operations that 
users of non-mandatory access control systems have become accustomed 
to.  Like sending around mail.  On SEVMS and some other systems, mail 
and other forms of information transfer only work in the same or 
higher direction.  Toward more and higher security users, or among 
users of equal security.  Using mandatory access control only gets more 
interesting from there.  You're managing information flows, which is 
something that just isn't considered on discretionary access control 
systems.

Sandboxing / jails avoids the information levels and information labels 
and information sensitivity settings and information flow 
considerations that arise with SEVMS and similar, and uses mechanisms 
very much akin to mandatory access controls to block everything — file 
access and transfers, various system calls, networking, etc — not 
expressly authorized for the application.   In OpenVMS, this'd have to 
block system-wide logical names — or give each app its own 
copy-on-write local copy of the system tables? — and would have to 
figure out how to deal with WSAu: workstation devices, and a whole host 
of other gnarly details.   This is how you keep apps — innocent, 
buggy/compromised or simply malicious — from getting tangled, when you 
go to implement app stacking.

Almost nobody that has used and has managed mandatory access controls 
is going to want to use them again, unnecessarily.  Not without a very 
good reason.  Sandboxes and entitlements and app stacking are also a 
pain in the arse, but more isolated and aren't trying to manage the 
flow of sensitive information within the system.  Sandboxing in a 
mandatory access controls environment would be a whole new realm of 
hurt, but at least that'd include the system developers and the local 
system administrator and not (just) the sandbox app developers.


-- 
Pure Personal Opinion | HoffmanLabs LLC 
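
The flow rule described in the message above (mail moves only to equal or higher security users) and the report-only logging mode mentioned in the quoted reply, as an added example that is not part of the original post and is not SEVMS or Linux code. The level names, the compartment categories, the users and the audit line format are all constructed assumptions.

```python
from dataclasses import dataclass

# Constructed sensitivity levels, lowest to highest (hypothetical names).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}

@dataclass(frozen=True)
class Label:
    level: str
    categories: frozenset = frozenset()  # compartments: an assumption

    def dominates(self, other):
        """True if self is at the same or higher level and holds every category of other."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)

def deliver(sender, recipient, users, enforcing=True, audit=None):
    """Return True if mail from sender reaches recipient."""
    # Information may only move to a label that dominates the source.
    # In audit-only mode the violation is recorded but the mail still flows.
    src, dst = users[sender], users[recipient]
    allowed = dst.dominates(src)
    if not allowed and audit is not None:
        verdict = "DENIED" if enforcing else "WOULD_DENY"
        audit.append(f"{verdict} mail {sender}({src.level}) -> {recipient}({dst.level})")
    return allowed or not enforcing

# Constructed users and labels.
USERS = {
    "clerk":   Label("UNCLASSIFIED"),
    "analyst": Label("SECRET", frozenset({"CRYPTO"})),
    "officer": Label("SECRET", frozenset({"CRYPTO", "NUCLEAR"})),
    "auditor": Label("TOP_SECRET"),
}

def run(enforcing):
    """Try every sender/recipient pair; return (delivered pairs, audit log)."""
    audit, delivered = [], []
    for s in USERS:
        for r in USERS:
            if s != r and deliver(s, r, USERS, enforcing, audit):
                delivered.append((s, r))
    return delivered, audit

if __name__ == "__main__":
    for mode in (False, True):
        ok, log = run(mode)
        print("enforcing" if mode else "audit-only", len(ok), "delivered")
        print("\n".join(log))
```

With these labels, only 4 of the 12 sender/recipient pairs are legal flows; the analyst cannot even mail the higher-level auditor, because the auditor lacks the analyst's compartment.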