Posted Apr 20, 2006 12:15 UTC (Thu) by nix (subscriber, #2304)
Sorry, but a security system which is too complex for anyone except distributors with dedicated security hackers to configure (and probably too complex for anyone to configure *safely*; how many bugs are there in that policy again?) is from any practical point of view nearly useless.
Quotes of the week
Posted Apr 20, 2006 18:34 UTC (Thu) by smoogen (subscriber, #97)
Wow... I remember that exact argument about Unix chown/chmod/chgrp and stuff from a bunch of Windows guys. DOS doesn't have them, why do we need them?
I remember having to go through a LOT of systems in the mid/late 1990's where almost everything had been chmod'd 666 or 777 because something hadn't worked and that was the fix to get whatever was broken working.
Not saying that selinux isn't too complicated.. but my feeling of deja-vu is strong.
Posted Apr 22, 2006 22:00 UTC (Sat) by nix (subscriber, #2304)
Indeed this is many people's argument against ACLs.
Complexity is the enemy of security, and having used it for a while I'm fairly sure that SELinux is way over there on the `too complex' axis.
Posted Apr 20, 2006 20:58 UTC (Thu) by jeskritt (guest, #4092)
I just put my boxes in permissive mode. Run them for a couple weeks like that, then dump the /var/log/audit/audit.log through the audit2allow program. This gives you the rules you need for your box to run. Then:
1) Add them to your /etc/selinux/targeted/src/policy/domains/misc/local.te
2) Then "make load" in the /etc/selinux/targeted/src/policy dir to load your new policy
3) File a bugzilla report with the new rules and why.
You'll need the policy sources installed.
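As an added illustration (not code from the thread or from the audit2allow tool itself) of what the audit2allow step above does: parse the AVC "denied" records out of audit.log, aggregate them by source type, target type and object class, and render allow rules. The log lines are constructed samples in the kernel's AVC record layout, loosely modelled on the OpenVPN/munin case discussed later in this thread.

```python
import re
from collections import defaultdict

# Constructed sample of /var/log/audit/audit.log lines (not taken from the
# thread); the AVC record layout matches what the kernel's SELinux code emits.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1145529600.101:12): avc:  denied  { write } for  pid=2311 comm="openvpn" name="openvpn-status.log" dev=hda3 ino=40211 scontext=root:system_r:openvpn_t tcontext=root:object_r:var_log_t tclass=file
type=SYSCALL msg=audit(1145529600.101:12): arch=40000003 syscall=5 success=yes exit=4
type=AVC msg=audit(1145529660.204:13): avc:  denied  { read } for  pid=2420 comm="munin-node" name="openvpn-status.log" dev=hda3 ino=40211 scontext=root:system_r:munin_t tcontext=root:object_r:var_log_t tclass=file
type=AVC msg=audit(1145529661.001:14): avc:  denied  { getattr } for  pid=2420 comm="munin-node" path="/var/log/openvpn-status.log" dev=hda3 ino=40211 scontext=root:system_r:munin_t tcontext=root:object_r:var_log_t tclass=file
type=AVC msg=audit(1145529720.330:15): avc:  denied  { name_bind } for  pid=2311 comm="openvpn" src=53 scontext=root:system_r:openvpn_t tcontext=system_u:object_r:dns_port_t tclass=udp_socket
"""

# One AVC denial: the permission set, then the security contexts and object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\w+)"
)


def parse_avc_denials(log_text):
    """Return {(source_type, target_type, tclass): set(permissions)} aggregated
    over every AVC 'denied' record; other audit record types are skipped."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        # A context is user:role:type[:level]; the type is the third field.
        stype = m.group("scontext").split(":")[2]
        ttype = m.group("tcontext").split(":")[2]
        for perm in m.group("perms").split():
            denials[(stype, ttype, m.group("tclass"))].add(perm)
    return denials


def to_allow_rules(denials):
    """Render aggregated denials as SELinux allow rules, sorted for stable output.
    These rules only reflect what the box was observed doing in permissive mode,
    so each one should be read and justified before it goes into local.te."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(denials.items()):
        rules.append("allow %s %s:%s { %s };" % (stype, ttype, tclass, " ".join(sorted(perms))))
    return rules


if __name__ == "__main__":
    for rule in to_allow_rules(parse_avc_denials(SAMPLE_AUDIT_LOG)):
        print(rule)
```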
Posted Apr 21, 2006 9:37 UTC (Fri) by rwmj (subscriber, #5474)
When I need to configure my firewall, I first run my box in "permissive" mode for a few weeks, connected to the internet without a firewall. Then I look at /var/log/messages to see who's been attacking me. Then I simply add those attackers to my firewall and go. It's so easy.
Rich.
Posted Apr 22, 2006 0:48 UTC (Sat) by erich (subscriber, #7127)
You're getting it wrong.
He's monitoring the *correct* behaviour of his system to obtain a whitelist, not monitoring *attackers* to filter them via a firewall-like *blacklist*.
When you're talking iptables this would be using the LOG target with a rate limit, then adding appropriate iptables rules for the good traffic - then setting OUTPUT to DROP by default...
Any whitelist based (read: reject by default, the only reliable approach to system security) system will need to learn what acceptable behaviour is.
AppArmor needs this kind of "training", too. Except that AFAIK they have a tool do that mostly automatically, whereas the SELinux reference policy is hand-written to make sure that only needed permissions are granted.
SELinux policy files are already very complete, they contain information for hundreds (literally, I just counted 197 policy modules) of different services. And no, "ls" is not a service, it doesn't have a policy of its own... we're talking large, mostly networking applications here.
However, not all features in all services have already been whitelisted. I guess you might not even want to whitelist all of them (that's why there are tuneables/booleans in SELinux). And every now and then you'll be using a local extension.
For example, my OpenVPN server does update the DNS server and it has a status file, which is then read by munin for statistics.
For obvious reasons, OpenVPN *by default* was not allowed to update my DNS or even write its state file. Nor was munin allowed to read the status file (which has no common location, this is all my own scriptwork).
Posted May 14, 2006 5:50 UTC (Sun) by pimlott (guest, #1535)
You missed the joke. (Nicely done, rwmj.) He's not monitoring the *correct* behavior, he's monitoring whatever behavior his system happens to exhibit during the training period. While running in "permissive mode". So for all he knows, he's hacked six ways from Tuesday. And then he makes that behavior law. Brilliant.
He should at least put a notice on his web page: "Please don't attack me for a couple weeks. Thanks."