On Tuesday 24 May 2005 04:04, Peter Farrow wrote:
> Maybe so... and if it works for you then use it, but sometimes when
> people say "but we needed this or we needed that", they haven't
> always sat down and thought "why do we need it" or "do we really 'need'
> this ?"

When all the buffer overflows and other exploits all go away, then we won't need SELinux and its ilk. SELinux, on a workstation or on a server, is great because it helps thwart the malware that will be written and will become more common as Linux becomes more common. SELinux, properly implemented, can stop a virus, worm, even a trojan that the user accidentally or ignorantly clicked on (or the MUA's authors allowed through due to their bug in their code).

Anyone in security knows that layered security is best; from firewalling on inward, multiple layers make machines more secure and less likely to be turned into spamming zombies like so many Windoze machines.

Is it complex? Sure it is, but necessarily so, not arbitrarily. Malware is a complex threat, and requires a complex solution. KISS applies; but the adage 'Make it as simple as possible; but no simpler' is more appropriate.

> Even having worked on government classified networks I have *never* seen
> an instance where the standard access controls offered by Linux/Unix
> didn't do what was required.

Harumph. Systems without MAC don't get anywhere near a SCIF, and you know it, if you have ever worked in a real SCIF environment. I personally have never worked inside an operating SCIF (thankfully), but I have read a defense contractor's Unclassified procedures manual on dealing with SCI inside the SCIF. And I am thankful that national security is taken that seriously. With HIPAA implemented, the SCIF concept is going commercial, with one group in particular claiming the only fully operational SCIF outside the government. And if you need SCIF spelled out I know you never worked in one. :-)

> Often DAC/MAC setups leads to inferior security because they can get
> very complex to setup, and the term "can't see the wood for the trees"
> springs to mind.

Simple is not always better. This is why a properly set up policy should be the default; most users will simply not know how to make it work; in testing it must be made to work like the typical user would like.

> As is most often the case the best security is the simplest, and DAC/MAC
> bloat doesn't help in any way.

Best is a matter of opinion; MAC provides guaranteed compartmentalization in those situations where compartmentalization is critical. Like HIPAA. In a HIPAA environment, to fully comply, there can be no root user. That is, even the sysadmin must be restricted; there must be multiple admins and none have or can have unrestricted access.

SELinux finally brings Linux up to the level of mid-80's VAX/VMS security. VMS (OpenVMS, that is) is still more secure than any Unix. But SELinux is a step in the right direction. That's why many SCIF sites specified VAXstations and Macintosh systems (again, I've seen unclassified documents showing equipment lists for a former SCIF site (there were multiple SCIFs on the site); VAXstations and old DEC's dominated, with only unclassified material being stored on AT&T 3B15's and 3B2's.).

But even the common user can reap the benefits of MAC in that it doesn't matter whether the intruder gains root or not; what the intruder can do through its exploited conduit is limited by the MAC system and cannot be overridden. If it's a BIND exploit, for example, the SELinux MAC limits what BIND's named can do regardless of whether it gets root or not.

> If some document or requirement or spec says you need it, I would often
> question the theory behind the spec, and only if a demonstrable need
> arises (have yet to see that in 20+ years of consulting) then I would do
> it...

If the current rash of exploits and malware isn't a demonstrable need, I have never seen a demonstrable need. Linux is not immune; there are just not that many 'pathogens' out there yet. When the number of exploits goes up (and it will) SELinux is going to save many people's hides.

> Of course I've also been in this game too long as well to "never say
> never" and there is always a first time.... :-)

Have you done HIPAA yet?

Regardless, SELinux helps or can help users protect their systems from malicious intruders; for this alone it is worthwhile to at least learn it. And it's not going to be learned by a busy admin unless it's forced. An admin who is incapable of learning it shouldn't be an admin; it's not that hard of material.

And any workstation connected to the internet will be scanned within half an hour and owned in an hour if protection is not there; firewalls are good outer layers, but host security should never be ignored; SELinux is a great addition to the stable of security tools; but like all other layers in the security toolbox there are annoyances; things like firewalls have their issues too, you know.
-- 
Lamar Owen
Director of Information Technology
Pisgah Astronomical Research Institute
1 PARI Drive
Rosman, NC 28772
(828)862-5554
www.pari.edu