On 04/30/2012 09:45 AM, no-re...@cfengine.com wrote:
> No, not at all, because no matter what you do, the local cf-agent
> has to decrypt the policy, and that means it's vulnerable to a
> person with root access.  Even if cf-agent only gets the policy,
> decrypts it, applies it, and deletes it 30 milliseconds later,
> the hacker with root privileges can capture that data from memory.
> 
> If the client can know it at all, then someone with root access
> on the client can know it. The *only* way to prevent someone on
> a client who has the ability to modify the system itself from
> knowing something is to never send it to the client.

Well, I think if we approach this with the expectation that we will stop
someone with root access from doing anything, then we are just performing an
exercise in futility.

You could argue that security is only the inverse of convenience. We
take steps to make accessing something we don't want someone to access
less and less convenient. A determined person will take whatever
measures necessary to reach their goal if it's that important to them. If
you don't want something to be accessed, it's best to ensure it never exists.

Practically speaking not every person that has root access has the
skills to decipher the policy language itself, let alone circumvent even
rudimentary obfuscation.

Perhaps a better way to approach this discussion is about preventing a
person from "easily" deciphering the policy. Arguably that's the real
desire. I see value in the option to have an extra roadblock for peering
into policy that sits on the host.

-- 
Nick Anderson <n...@cmdln.org>
_______________________________________________
Help-cfengine mailing list
Help-cfengine@cfengine.org
https://cfengine.org/mailman/listinfo/help-cfengine
