-
May 29th, 2006, 12:21 AM
#1
*nix Software Restriction
I'm looking for equivalent technologies to this on *nix, BSD, whatever... for the sake of comparison.
http://www.microsoft.com/technet/sec.../xpsgch06.mspx
Software Restriction Policy for Windows XP Clients
Software restriction policy provides administrators with a way to identify software and control its ability to run on local computers. This tool can help protect computers that run Microsoft® Windows® XP Professional against known conflicts and safeguard them against malicious software such as viruses and Trojan horse programs. Software restriction policy integrates fully with the Active Directory® directory service and Group Policy. You can also use it on stand-alone computers.
Anyone know of examples that compare to this on other OS's?
-
May 29th, 2006, 12:26 AM
#2
I really don't know anything much about it, but doesn't SELinux give you the ability to control what programs are allowed to do?
AppArmor on SUSE might be something else to look at.
For the wages of sin is death, but the free gift of God is eternal life in Christ Jesus our Lord.
(Romans 6:23, WEB)
-
May 30th, 2006, 07:25 PM
#3
Junior Member
Re: *nix Software Restriction
Originally posted here by Soda_Popinsky
I'm looking for equivalent technologies to this on *nix, BSD, whatever... for the sake of comparison.
http://www.microsoft.com/technet/sec.../xpsgch06.mspx
Software Restriction Policy for Windows XP Clients
Anyone know of examples that compare to this on other OS's?
There is no 'frontend' that I have heard of, per se, but you can always modify permissions/ACLs on the filesystem. One thing that you may want to look at is the KDE kiosk mode:
http://www.kde.org/areas/sysadmin/
and
http://extragear.kde.org/apps/kiosktool/
-
May 30th, 2006, 10:54 PM
#4
This depends on exactly what you mean by "software restriction". Basically you can enforce a security policy and restrict software two different ways on a *nix system. Of course the methods you choose to implement are going to depend on your individual circumstances. The simplest is just securing your file permissions correctly. Users are always given only the necessary privileges to do their jobs, and no more. Generally speaking, something like this is used to enforce a policy over a group of users...
And the second method, which is what I feel you're asking about anyways, is to filter kernel calls. This allows a system administrator to have a great deal of control over what a particular piece of software is allowed to do on the system. You see, the software (should be) running in userland; this type of policy enforcement prevents communication with the kernel unless allowed by policy. Just like the first type, this can be used to restrict access, but is also a very good method to run untrusted code on (what should be) a trusted box. Most *nix's have a program called SYSTRACE that does just this...
We are a generation without a middle. We have no great war or depression. Our war is a spiritual one, our depression is our lives. We were all raised to believe that we'll all be millionaires and rockstars - But we won't.
And we are slowly learning this fact...And we are VERY pissed off about it!
-
June 4th, 2006, 01:06 PM
#5
The simplest way to achieve this is to mount the users' home directories, plus anything else writeable, with the noexec option, and only allow trusted software on the machine.
Of course the users can still run scripts, but what can you do against that? (I suspect that win32 software policies don't apply to scripts either)
Mark
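A check for the noexec approach described in post #5, as an added example that is not part of the original thread: it lists mounts that are read-write but lack noexec, so an administrator can review which of them users can write to. It assumes a Linux host with a /proc/mounts-format table; the function name and the sample mount lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: find mounts that are writable but not mounted noexec.
# Input format is that of /proc/mounts on Linux (an assumption):
#   device mountpoint fstype options dump pass

# Constructed sample data, not taken from a real host.
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw,relatime 0 0
/dev/sda2 /usr ext3 ro,nodev 0 0
/dev/sda3 /home ext3 rw,nosuid,nodev,noexec 0 0
/dev/sda4 /var/tmp ext3 rw,nosuid,nodev 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0
proc /proc proc rw,nosuid,nodev,noexec 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0'

# writable_exec_mounts (hypothetical helper): reads mounts-format lines on
# stdin and prints "mountpoint fstype" for every mount whose option list
# contains rw and does not contain noexec. Kernel pseudo-filesystems are
# skipped because they do not hold user-supplied binaries.
writable_exec_mounts() {
    awk '
    $3 ~ /^(proc|sysfs|devpts|cgroup|cgroup2|securityfs|debugfs)$/ { next }
    {
        n = split($4, opt, ",")
        rw = 0; noexec = 0
        for (i = 1; i <= n; i++) {
            if (opt[i] == "rw")     rw = 1
            if (opt[i] == "noexec") noexec = 1
        }
        if (rw && !noexec) print $2, $3
    }'
}

# Audit the constructed sample. On a live Linux host, run instead:
#   writable_exec_mounts < /proc/mounts
# Each reported mount is a candidate to review: it only matters for this
# policy if unprivileged users can actually write files somewhere under it.
printf '%s\n' "$SAMPLE_MOUNTS" | writable_exec_mounts
```

In the sample, /home and /tmp pass because they carry noexec, while /var/tmp and /dev/shm are reported: both are typically world-writable and are easy to overlook when only home directories are remounted.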