On 4 July 2013 07:47, Douglas Brown <d46.brown(a)student.qut.edu.au> wrote:
The only use case I can think of to justify the vast additional complexity
of MLS is when you need to confine access to resources based on a very
specific organisational information flow policy. The MLS policy isn't
necessarily more 'secure' than MCS; it just enforces a different
information flow policy (domain separation rather than Bell-LaPadula).
If you'd like to harden the machine and restrict access to splunk
resources, I would:
- Write policy for Splunk, then remove all unconfined domains (see
section in:
http://danwalsh.livejournal.com/42394.html)
- Run splunk in its own category
- Change default user/login clearances as appropriate to restrict
access to splunk
- Depending on whether or not your network is labelled, you
might consider using SECMARK or netlabel to restrict network access to
splunk
Hypothetically, you could run multiple instances of splunk in different
categories on the same machine for each index if required.
Thank you, this is great advice, appreciate it.
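As an added illustration of the category arithmetic behind the advice above (this is not code from the thread, from Splunk, or from the SELinux userspace; it does not talk to the kernel), the script below parses MCS levels and ranges such as s0:c100 or s0-s0:c0.c1023, applies the dominance rule the MCS constraints use (the subject's high, or clearance, level must dominate the object's low level), and works out which logins could still read data labelled with a given category. The login names, the category numbers and the per-index categories are constructed assumptions chosen to mirror the suggestions above: Splunk in its own category, trimmed user clearances, and, hypothetically, one instance per index in its own category.

```python
"""Offline MCS dominance check for planning SELinux category isolation.

Added example: reproduces the category-set arithmetic of MCS so a layout
can be sanity-checked before any semanage/chcon work. It does not query
or modify the running policy.
"""
import re

_CAT_RE = re.compile(r"^c(\d+)(?:\.c(\d+))?$")


def parse_categories(spec):
    """Turn a category spec like "c0.c99,c200" into the set {0..99, 200}.

    An empty spec (a level such as plain "s0") yields the empty set.
    """
    cats = set()
    if not spec:
        return cats
    for part in spec.split(","):
        m = _CAT_RE.match(part.strip())
        if not m:
            raise ValueError("bad category spec: %r" % part)
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if hi < lo:
            raise ValueError("descending category range: %r" % part)
        cats.update(range(lo, hi + 1))
    return cats


def parse_level(level):
    """Split "s0:c100" into (sensitivity_number, category_set)."""
    sens, _, cats = level.partition(":")
    if not re.fullmatch(r"s\d+", sens):
        raise ValueError("bad sensitivity: %r" % sens)
    return int(sens[1:]), parse_categories(cats)


def parse_range(mls_range):
    """Split "s0-s0:c0.c99" into (low_level, high_level).

    A bare level is its own low and high, e.g. a file labelled "s0:c100".
    """
    low, _, high = mls_range.partition("-")
    return parse_level(low), parse_level(high or low)


def dominates(subject_level, object_level):
    """Level A dominates B when A's sensitivity is >= B's and A's
    categories are a superset of B's categories."""
    (s_sens, s_cats), (o_sens, o_cats) = subject_level, object_level
    return s_sens >= o_sens and s_cats >= o_cats


def can_access(subject_range, object_range):
    """MCS-style check: the subject's high (clearance) level must dominate
    the object's low level. With MCS the sensitivity is always s0, so in
    practice this reduces to category-set inclusion."""
    _, subj_high = parse_range(subject_range)
    obj_low, _ = parse_range(object_range)
    return dominates(subj_high, obj_low)


def readable_indexes(index_levels, clearances):
    """Given index -> MCS level of its Splunk data and login -> clearance,
    return login -> sorted list of indexes that clearance could read.
    A login mapped to an empty list is fully cut off from Splunk data."""
    return {
        login: sorted(idx for idx, lvl in index_levels.items() if can_access(clr, lvl))
        for login, clr in clearances.items()
    }


if __name__ == "__main__":
    # Constructed data (hypothetical logins and categories, not from the thread).
    index_levels = {"main": "s0:c100", "security": "s0:c101"}
    clearances = {
        "root": "s0-s0:c0.c1023",          # stock clearance: every category
        "splunk_main": "s0-s0:c100",       # one instance per index, each in its own category
        "splunk_security": "s0-s0:c101",
        "dbrown": "s0-s0:c0.c99",          # trimmed login clearance: c100/c101 excluded
        "auditor": "s0-s0:c0.c99,c101",    # may read only the "security" index
    }
    for login, idxs in sorted(readable_indexes(index_levels, clearances).items()):
        print("%-16s %s" % (login, idxs))
```

The point the output makes is that a login clearance such as s0-s0:c0.c99 is denied by the MCS constraint alone, before any type enforcement rule is consulted, while the stock s0-s0:c0.c1023 clearance dominates every category and must therefore be trimmed (semanage login) for the isolation to mean anything.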