Results 1 to 5 of 5

Thread: *nix Software Restriction

  1. #1

    *nix Software Restriction

    I'm looking for equivalent technologies to this on *nix, BSD, whatever... for the sake of comparison.

    http://www.microsoft.com/technet/sec.../xpsgch06.mspx

    Software Restriction Policy for Windows XP Clients
    Software restriction policy provides administrators with a way to identify software and control its ability to run on local computers. This tool can help protect computers that run Microsoft� Windows� XP Professional against known conflicts and safeguard them against malicious software such as viruses and Trojan horse programs. Software restriction policy integrates fully with the Active Directory� directory service and Group Policy. You can also use it on stand-alone computers.
    Anyone know of examples that compares to this on other OS's?

  2. #2
    Senior Member
    Join Date
    Feb 2002
    Posts
    855
    I really don't know anything much about it, but doesn't SELinux give you the ability to control what programs are allowed to do?

    AppArmor on SUSE might be something else to look at.
    For the wages of sin is death, but the free gift of God is eternal life in Christ Jesus our Lord.
    (Romans 6:23, WEB)

  3. #3
    Junior Member
    Join Date
    May 2006
    Posts
    3

    Re: *nix Software Restriction

    Originally posted here by Soda_Popinsky
    I'm looking for equivalent technologies to this on *nix, BSD, whatever... for the sake of comparison.

    http://www.microsoft.com/technet/sec.../xpsgch06.mspx

    Software Restriction Policy for Windows XP Clients


    Anyone know of examples that compares to this on other OS's?
    There is no 'frontend' that I have heard of, per se, but you can always modify permissions/ACLs on the filesystem. One thing that you may want to look at is the KDE kiosk mode:

    http://www.kde.org/areas/sysadmin/

    and

    http://extragear.kde.org/apps/kiosktool/

  4. #4
    This depends on exactly what you mean by "software restriction". Basically you can enforce a security policy and restrict software two different ways on a *nix system. Of course the methods you choose to implement are going to depend on your individual circumstances. The simplest is just securing your file permissions correctly. Users are always given only the necassary priviliges to do their jobs, and no more. Generally speaking, something like this is used to enforce a policy over a group of users...

    And the second method; which is what i feel your asking about anyways, is to filter kernel calls. This allows a system administrator to have a great deal of control over what a particular peice of software is allowed to do on the system. You see; the software (Should be) running in userland, this type of policy enforcement prevents communication with the kernel unless allowed by policy. Just like the first type, this can be used to restrict access, but is also a very a good method to run untrusted code on (what should be) a trusted box. Most *nix's have a program called SYSTRACE that does just this...
    We are a generation without a middle. We have no great war or depression. Our war is a spiritual one, our depression is our lives. We were all raised to believe that we\'ll all be millionaires and rockstars - But we won\'t.
    And we are slowly learning this fact...And we are VERY pissed off about it!

  5. #5
    Senior Member
    Join Date
    Jan 2002
    Posts
    1,207
    The simplest way to achieve this is to mount the users' home directories, plus anything else writeable with noexec option, and only allow trusted software on the machine.

    Of course the users can still run scripts, but what can you do against that? (I suspect that win32 software policies don't apply to scripts either)

    Mark

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •