> > I'm not sure I follow what you're saying, so let me try a different way of
> > asking my question. Suppose I'm an admin and I want to lock down the
> > system such that it send or receive DHCP, period. Now suppose something
> > on the system (e.g., NWAM) decides to start up DHCP, and I'm unaware of
> > this. Will my wishes be honored or not?
>
> You might as well ask if a system administered by two people who never
> talk to each other will be secure. (It won't be). We cannot produce
> psychic software which reads the mind of a system administrator.
>
> Software which runs as a privileged user must be properly configured.
> Positing that an administrator would intend to use DHCP to configure an
> interface *and* intend to block all DHCP traffic is nonsensical.

But that's just it -- the admin isn't explicitly misconfiguring the system, he's just not familiar with the internal policy decisions that NWAM will make -- and I think it's unrealistic to expect that he can be. Further, of course, DHCP is just an example of this class of problem. I agree that the problem is inherent to some degree, but minimally the admin should have a way to observe overrides to their security policy, lest they think the system is more locked down than it really is.

-- meem