SELinux last straw

Les Mikesell lesmikesell at gmail.com
Thu Oct 18 13:48:22 UTC 2007


Jacques B. wrote:

> I had a look at rsync and it is a very handy tool no doubt. I had some
> idea what it was about but had never played with it.
> 
> Further to my previous posting on md5deep, I had a momentary brain
> hiccup.  You don't need a full backup to compare with.  Rather you
> generate a file containing all the hashes of your trusted system.

Yes, that can be a quicker check, but I start with the premise that you 
need the backup anyway, since other things can go wrong.  I happen to 
like backuppc for this when another system is available to run it 
because it is completely automatic and has an efficient storage format 
that can keep a long history on line in less space than you would 
expect.  It also has a history view where you can see what files changed 
and when over the interval that you keep backups.

> You
> could later on run md5deep in check mode using the hash file you
> generated and md5deep would report back which files do not match
> anymore.  Of course you'd have to restore that file from a backup or
> re-install from a trusted online repository.  The advantage of this
> for a home user is that it doesn't require a full backup of your
> system (hence doesn't require all that disk space).  md5deep much like
> md5sum simply generates a checksum file.  So that is the extent of
> your additional footprint on your system for using such a system.
> It's actually pretty much how Tripwire and such tools work.

A rootkit will typically replace your md5sum, ps, ls, netstat and 
similar programs with ones that lie about the programs that were 
replaced, so you need to be running from a bootable CD to trust the 
results.  It might be possible to make rsync do the same, but I doubt if 
it has been done since it has to match block-checksums through the file 
with a real copy - and I'd start by restoring an old copy of rsync anyway.

> Having said all that when you get right down to it all a home user
> needs to do to be safe is keep the system updated, exercise good
> judgement (vis-a-vis email attachments, downloading from untrusted
> sources, phishing attacks), use very good passwords, and put in a
> cheap home router/gateway (of course dial-up not applicable for home
> router).  That, plus the fact that they are running Linux, does an
> excellent job of keeping them safe in their single user environment.
> Even a home user that runs a web server with a static site, or has ssh
> enabled but not for root will be pretty safe if they follow the above.

The updates are the real key here.  There have been a huge number of 
exploitable vulnerabilities fixed over the last several years and 
keeping up with those should be your first line of defense. This is a 
particular problem for distributions like fedora that have a fast life 
cycle and don't ensure an easy upgrade path from one version to the 
next.  If it is difficult to stay up to date, some number of people will 
keep running old versions.

>  SELinux is an additional layer of security that certainly can't hurt.

The place it can hurt is if it causes enough problems that some number 
of users don't upgrade to the versions that use it or don't do 
timely updates because they have a history of introducing new problems. 
This drops your first and best line of defense.

> In a corporate environment it's obviously very different.  Using
> different means of access control, using other layers of security such
> as SELinux, implementing physical security measures, are all things
> that need to be done, and properly.

If you are introducing Linux as something new you can do that. 
Otherwise you have to be very careful not to break existing programs and 
infrastructure with changes and updates.

> I read somewhere online a while back where they hooked up various
> unpatched Windows systems (different generations of it) and unpatched
> Linux systems (don't remember the distros) to the web totally
> unprotected.  The various Windows versions were all compromised within
> minutes to hours.  None of the Linux ones were.  However when all the
> updates were applied to these boxes none of them were compromised (no
> Windows boxes and no Linux boxes).

Exactly, but the thing they should have compared is the life-span over 
which you can do this without a re-install from scratch or the user time 
involved over the life of a computer.  If you had installed windows 2000 
or XP around their SP2 time (or whenever MS introduced on-line updates) 
and a RH9 or fedora box, how much user time/effort would it have taken 
to keep those boxes within a few days of available updates?  With 
windows there would have been a lot of reboots, but nothing with more 
effort than clicking the update link.  With fedora, you'd have gone 
through perhaps 7 re-installs and in my case at least 5 or 6 updates that 
required selecting an older kernel to even reboot.

If you want a distribution to be more secure in actual use, you have to 
make it painless to update and never break anything that previously 
worked - otherwise some number of people just won't do it.

-- 
    Les Mikesell
     lesmikesell at gmail.com
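An added example of the md5deep/Tripwire-style workflow the thread describes (example code, not md5deep itself and not from either poster): build a SHA-256 manifest of a trusted tree, store it off the box in md5sum-style lines, and later report which files changed, vanished or appeared. The sample tree is constructed in a temp directory; its paths and contents are made up.

```python
import hashlib
import tempfile
from pathlib import Path

# Caveat from the thread: the interpreter and hashlib doing this check must
# themselves be trusted (boot from known-good media), or a rootkit can lie.

def hash_file(path: Path) -> str:
    """Stream the file through SHA-256 so large files need no RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def generate_manifest(root: Path) -> dict[str, str]:
    """Relative path -> digest for every regular file under root (symlinks skipped)."""
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file() and not p.is_symlink()}

def save_manifest(manifest: dict[str, str], out: Path) -> None:
    """md5sum-style lines '<digest>  <path>': the scheme's whole on-disk footprint."""
    out.write_text("".join(f"{d}  {p}\n" for p, d in manifest.items()))

def load_manifest(path: Path) -> dict[str, str]:
    """Parse the file written by save_manifest back into a dict."""
    pairs = (line.partition("  ") for line in path.read_text().splitlines())
    return {rel: digest for digest, _, rel in pairs}

def verify_manifest(root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Like md5deep's check mode: report changed, missing and unexpected files."""
    current = generate_manifest(root)
    return {
        "changed": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "new": sorted(p for p in current if p not in manifest),
    }

def build_sample_tree() -> Path:
    """Constructed stand-in for a trusted install: a temp dir with two fake files."""
    root = Path(tempfile.mkdtemp())
    (root / "bin").mkdir()
    (root / "etc").mkdir()
    (root / "bin" / "ls").write_bytes(b"#!/bin/sh\necho trusted ls\n")
    (root / "etc" / "hosts").write_bytes(b"127.0.0.1 localhost\n")
    return root
```

Generate the manifest once from a known-good state, keep the file somewhere the checked system cannot write, and run verify_manifest against load_manifest of that copy on later checks.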
