SE Linux systems not vulnerable
Posted Nov 9, 2005 12:45 UTC (Wed) by copsewood (subscriber, #199)
In reply to: SE Linux systems not vulnerable by treed
Parent article: A Linux worm on the loose?
>SE Linux is the most important security technology for Linux
>these days. It is important that more people learn to use it.
Maybe and maybe not. In my view this one is too early to call. The complexity of setting up a security system can either prevent the average administrator from understanding and carrying out the task fully and correctly, or prevent an overworked administrator (who isn't?) being willing to consider the learning curve behind a security technology in the first place until the technology is more mature and therefore easier to implement. The more complex the configuration demand, the greater the chance of mistakes amongst those who do attempt to get it right. This problem is likely to change with SE Linux if and only if the packages that people want to run on it (e.g. Apache, Sendmail etc.) are adequately packaged for it so that these install and run correctly on it "out of the box" and are supported at least as well as packages intended for simpler versions of Linux. My take on the chicken and egg nature of the problem in achieving critical mass to make a technology with network effects take off is that you have to have a specialist interest in security tech for it to be worth your while working on SE Linux right now.
It currently seems more probable from my perspective that an easier and no-less effective solution to the requirement SE Linux addresses might arise from use of virtualisation technology e.g. User-Mode Linux or Xen, combined with chips which support virtualisation (e.g. Pacifica) to run all of the separate applications needed in their own virtual-machine sandboxes. I think critical mass could be achieved sooner in this area due to the other very significant benefits of being able to partition a host system into multiple VMs which are secure against each other.
Posted Nov 10, 2005 15:40 UTC (Thu)
by drag (guest, #31333)
How is that so much better than running a dedicated box for webhosting?
Xen and such is nice because you can achieve the same effect as hosting in a dedicated box on a box that can do lots of different things.
You see Xen and virtualization doesn't really improve security, it just makes it easier to reduce the effect of having your security compromised. And still with a machine rooted in your network, even if it's running in a virtual box, it's going to make it just that much easier for the attacker to take over any other boxes on that network.
Now on the other hand if you were running SELinux it would have just stopped it from doing anything, including taking over your Xen host.
Now of course the smartest thing would have been just to stay the hell away from PHP. This isn't the first worm out there in the wild exploiting vulnerabilities in PHP, and it won't be the last. If you're going to use it then at least keep it up to date religiously.
In fact it's kinda irritating. Linux had its only viruses and only worm problems previously back when we had Redhat doing insane stuff like enabling all services in Redhat 6-7.x by default. Since then there haven't been any problems like this even with vastly increased popularity in Linux/Redhat stuff.
Hell even Microsoft figured this crap out!
So if they, and most everybody else, have learned their lessons.. then why are people still running around with unpatched web-facing servers? Anybody running a webserver in an unpatched state really really needs to be hit by a big-ol' clue stick.
The term 'Complete Morons' comes to mind as well as numerous other phrases best left unsaid. It's just making life harder for everybody else.
Oh, and if your server has been rooted. Format and reinstall. That's the only solution. Otherwise you're going to be running a compromised server and there isn't anything you can do about it.
If you were running your server in a Xen domain it still would have been taken over. It just would have only taken over that particular host.