SELinux last straw
Les Mikesell
lesmikesell at gmail.com
Thu Oct 18 13:48:22 UTC 2007
Jacques B. wrote:
> I had a look at rsync and it is a very handy tool no doubt. I had some
> idea what it was about but had never played with it.
>
> Further to my previous posting on md5deep, I had a momentary brain
> hiccup. You don't need a full backup to compare with. Rather you
> generate a file containing all the hashes of your trusted system.
Yes, that can be a quicker check, but I start with the premise that you
need the backup anyway, since other things can go wrong. I happen to
like backuppc for this when another system is available to run it
because it is completely automatic and has an efficient storage format
that can keep a long history on line in less space than you would
expect. It also has a history view where you can see what files changed
and when over the interval that you keep backups.
> You
> could later on run md5deep in check mode using the hash file you
> generated and md5deep would report back which files do not match
> anymore. Of course you'd have to restore that file from a backup or
> re-install from a trusted online repository. The advantage of this
> for a home user is that it doesn't require a full backup of your
> system (hence doesn't require all that disk space). md5deep much like
> md5sum simply generates a checksum file. So that is the extent of
> your additional footprint on your system for using such a system.
> It's actually pretty much how Tripwire and such tools work.
A rootkit will typically replace your md5sum, ps, ls, netstat and
similar programs with ones that lie about the programs that were
replaced, so you need to be running from a bootable CD to trust the
results. It might be possible to make rsync do the same, but I doubt if
it has been done since it has to match block-checksums through the file
with a real copy - and I'd start by restoring an old copy of rsync anyway.
> Having said all that when you get right down to it all a home user
> needs to do to be safe is keep the system updated, exercise good
> judgement (vis-a-vis email attachments, downloading from untrusted
> sources, phishing attacks), use very good passwords, and put in a
> cheap home router/gateway (of course dial-up not applicable for home
> router). With that and the fact that they are running Linux does an
> excellent job of keeping them safe in their single user environment.
> Even a home user that runs a web server with a static site, or has ssh
> enabled but not for root will be pretty safe if they follow the above.
The updates are the real key here. There have been a huge number of
exploitable vulnerabilities fixed over the last several years and
keeping up with those should be your first line of defense. This is a
particular problem for distributions like fedora that have a fast life
cycle and don't ensure an easy upgrade path from one version to the
next. If it is difficult to stay up to date, some number of people will
keep running old versions.
> SELinux is an additional layer of security that certainly can't hurt.
The place it can hurt is if it causes enough problems that some number
of users don't don't upgrade to the versions that use it or don't do
timely updates because they have a history of introducing new problems.
This drops your first and best line of defense.
> In a corporate environment it's obviously very different. Using
> different means of access control, using other layers of security such
> as SELinux, implementing physical security measures, are all things
> that need to be done, and properly.
If you are introducing Linux as something new you can do that.
Otherwise you have to be very careful not to break existing programs and
infrastructure with changes and updates.
> I read somewhere online a while back where they hooked up various
> unpatched Windows systems (different generations of it) and unpatched
> Linux systems (don't remember the distros) to the web totally
> unprotected. The various Windows versions were all compromised within
> minutes to hours. None of the Linux ones were. However when all the
> updates were applied to these boxes none of them were compromised (no
> Windows boxes and no Linux boxes).
Exactly, but the thing they should have compared is the life-span over
which you can do this without a re-install from scratch or the user time
involved over the life of a computer. If you had installed windows 2000
or XP around their SP2 time (or whenever MS introduced on-line updates)
and a RH9 or fedora box, how much user time/effort would it have taken
to keep those boxes within a few days of available updates. With
windows there would have been a lot of reboots, but nothing with more
effort than clicking the update link. With fedora, you'd have gone
though perhaps 7 re-installs and in my case at least 5 or 6 updates that
required selecting an older kernel to even reboot.
If you want a distribution to be more secure in actual use, you have to
make it painless to update and never break anything that previously
worked - otherwise some number of people just won't do it.
--
Les Mikesell
lesmikesell at gmail.com
More information about the users
mailing list