I am trying to provide a security solution for FC4 in an office desktop environment. Here are the issues.

1) I need to provide access to certain directories and their contents only from selected processes running on the machine. Other than these selected processes, no other processes should be allowed access. For example, my secured directory is /home/user/documents. I want all OO processes to have read-write access, while protecting it from gaim, which has no business in there. I want to be able to give read access to evolution but no write access. No other process without explicit permissions should be doing anything in there.

The DAC security model is not good enough, because the user should be able to run trusted processes (OO) and lowly trusted processes (gaim/yahoomessenger, or a downloaded executable) at the same time. No offense to gaim developers, I use it all the time.

The reason behind this is to protect users from Linux malware. A simple example of malware is a script that does "rm -rf ~". Hypothetically, a user gets an email with attached malware and instructions on how to see a compromising picture of an attractive tennis star. Some users could be dumb enough to do it. Does anyone know of a framework/solution that can prevent a user from doing such a thing? I am advocating Linux as a business desktop and need some sort of safeguard from situations like this.

2) I have a cron job that periodically checks the binaries in a system. It calculates a hash and matches it against a previously stored value. If the values have changed, I get a page that a file has changed. This is for verification of the integrity of binaries. There is a window of opportunity where a hacked binary can go unnoticed. Is there a way to verify the hash of a file before it is executed, every time?

Please point me to any solutions out there.

Thank you in advance,
Arun
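The periodic check described in point 2, written out as an added example that is not part of the original post. The function names, the manifest format and the use of SHA-256 are assumptions of this example; the post does not say which hash or tool the cron job uses.

```shell
#!/bin/sh
# Added example (not from the original post): hash manifest check for binaries.
# SHA-256 via coreutils sha256sum is this example's choice; the post names no algorithm.

# record_baseline DIR MANIFEST: store "hash  path" for every regular file in DIR.
# Keep MANIFEST outside DIR and writable only by root.
record_baseline() {
    find "$1" -type f -exec sha256sum {} + > "$2"
}

# check_baseline DIR MANIFEST: print CHANGED/NEW/MISSING lines; return 1 on any.
check_baseline() {
    current=$(mktemp) || return 2
    find "$1" -type f -exec sha256sum {} + > "$current"
    report=$(awk '
        # 64 hex digits plus a 2-character separator: the path starts at column 67.
        { hash = $1; path = substr($0, 67) }
        FILENAME == ARGV[1] { base[path] = hash; next }
        {
            seen[path] = 1
            if (!(path in base)) print "NEW " path
            else if (base[path] != hash) print "CHANGED " path
        }
        END { for (p in base) if (!(p in seen)) print "MISSING " p }
    ' "$2" "$current")
    rm -f "$current"
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Usage: script record DIR MANIFEST   (once, on a known-good system)
#        script check  DIR MANIFEST   (from cron; non-zero exit means page the admin)
case "${1:-}" in
    record) record_baseline "$2" "$3" ;;
    check)  check_baseline "$2" "$3" ;;
esac
```

A check like this reports a change only at the next cron run, so a binary replaced between runs still executes in the meantime, which is the window the post asks about.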