On 04/30/2012 09:45 AM, no-re...@cfengine.com wrote:
> No, not at all, because no matter what you do, the local cf-agent
> has to decrypt the policy, and that means it's vulnerable to a
> person with root access. Even if cf-agent only gets the policy,
> decrypts it, applies it, and deletes it 30 milliseconds later,
> the hacker with root privileges can capture that data from memory.
>
> If the client can know it at all, then someone with root access
> on the client can know it. The *only* way to prevent someone on
> a client who has the ability to modify the system itself from
> knowing something is to never send it to the client.

Well, I think if we approach this with the expectation that we will stop someone with root access from doing anything, then we are just performing an exercise in futility. You could argue that security is only the inverse of convenience. We take steps to make accessing something we don't want someone to access less and less convenient. A determined person will take whatever measures necessary to reach their goal if it's that important to them. If you don't want something to be accessed, it's best to ensure it never exists.

Practically speaking, not every person that has root access has the skills to decipher the policy language itself, let alone circumvent even rudimentary obfuscation. Perhaps a better way to approach this discussion is about preventing a person from "easily" deciphering the policy. Arguably that's the real desire. I see value in the option to have an extra roadblock for peering into policy that sits on the host.

--
Nick Anderson <n...@cmdln.org>
_______________________________________________
Help-cfengine mailing list
Help-cfengine@cfengine.org
https://cfengine.org/mailman/listinfo/help-cfengine