Session recording
Ben Scott
dragonhawk at gmail.com
Mon Mar 31 14:43:47 EDT 2008
On Mon, Mar 31, 2008 at 1:16 PM, Tom Buskey <tom at buskey.name> wrote:
> I concluded it was lots of work to provide security that was not auditable.
Trying to achive a secure audit trail using the usual Unix shells is
(IMO) not a good idea. The shell isn't designed for it, and there's
too many ways around it. Implement security in the kernel, or in
processes outside user control. Again, process accounting, SELinux,
etc.
> I think some kind of chroot jail would be more secure.
"Security is a process, not a product." It sounds like the primary
goal in this discussion is not access control (although that always
plays a part), but audit/accounting. They don't want to keep people
from doing stuff, just have a record of what they did. A chroot
wouldn't provide a record of what was done in the jail, and the users
likely need access to the sensitive stuff anyway (otherwise they
wouldn't care so much about the audit trail).
-- Ben
More information about the gnhlug-discuss
mailing list