[lug] securing files

Hugh Brown hugh at vecna.com
Mon Apr 22 21:16:02 MDT 2002


I was wondering what kind of solutions might be out there.  If it turned
out that there was a quick and easy tool that I was ignorant of, it made
it worth asking the question.  In any event, I have been educated about
some half solutions and can poke around at NSA Linux/SELinux.

Hugh


On Mon, 2002-04-22 at 22:28, Bear Giles wrote:
> > Right now they are on an NFS share.  I'd like to make it so that the
> > files can't be copied anywhere but can still be read by the appropriate
> > people.
> 
> This sounds like "mandatory access control (MAC)."  NSA Linux may have
> it now, but probably doesn't.  The way it works is the file system
> maintains some extra bits (e.g., do-not-copy, do-not-print,
> print-only-with-security-banner, etc.) and all applications honor these
> bits.
> 
> But I don't think any COTS OS supports MAC.  The problem is the standard
> access control (including ACLs) and discretionary access control (DAC)
> can be implemented in the OS, while MAC requires that every application
> also be well behaved.  That's possible in a tightly constrained environment,
> but not COTS software.
> 
> This level of paranoia is appropriate if the data getting out could
> reasonably result in a few hundred million deaths.  Somehow I doubt
> you're dealing with equally sensitive material.
> 
> So what's the real story here?  Why are you looking for a technical
> solution to the "no copy" policy, instead of relying on standard
> management tools like NDAs, bad performance reviews and possibly even
> termination of people who don't follow policy?
> 
> Bear

Mainly privacy concerns, federal requirements, and agreements that we
have signed.
