Re: Correct xen domains path

On Mon, Jun 18, 2007 at 12:18:40PM -0600, Stephen John Smoogen wrote:
> On 6/18/07, Stephen Harris <lists@xxxxxxxxxx> wrote:
> >I've never said there are _no_ cases for SELinux.  I was questioning it
> >as a general rule for all machines.

> Several of the problems were machines that were not connected to the
> internet or were deep behind firewalls. The problems were that all it
> takes is one user who doesn't think well to make all those
> firewalls/issues useless. E.g. the person who, coming in from work, finds
> a nice shiny USB fob and plugs it into a work computer to see who it
> belonged to so they could return it.  The guy who downloads an

[ etc ]

This is why I mentioned "risk profile" in another message.  You evaluate
the perceived risk, the likelihood of the event happening, the cost of
the event, the "cost" of a potential solution and perform an analysis.

So one might rank the items like this:
  External facing servers: high risk!  Automated attacks possible.
  Desktop workstations: moderate.  User stupidity is the highest attack vector.
  General compute server: low risk.  Only "trained" staff have access.

Each of those profiles has different uses and requires different solutions.

On a DMZ machine you probably wouldn't use unauthenticated naming services
(e.g. LDAP with SSL certs is OK, NIS is bad!).  SELinux or SEOS is a very
good idea.  chroot'd daemons, maybe read-only filesystems, disable
unnecessary setuid programs, minimal install.  Disable hotplug ports.

On a desktop you need GUIs.  Centralised naming services.  Roaming
profiles.  Maybe a netboot'd image (no local storage).  Disable hotplug
ports, or at least minimise their scope so that only authorised devices
(Blackberrys, whatever) can sync.  In particular, mass storage isn't
allowed.  End users don't have root access.

General compute server... well, now we have further ranking; prod/dev/uat
boxes have different risk profiles.  SOX-scoped boxes even more so.

And so on.

(Umm, sorry for going on... I work in an area where these things are
everyday considerations so...)

> up to you as the site administrator to determine what is safe enough

Actually, in large companies you have a whole risk organisational
structure whose job it is to evaluate these things and determine policy.
They straddle the line between technology (my side) and business (my
customer) needs and try to balance the two.

> for Your Site using appropriate risk management. If you believe your
> site has enough methods of protection, or that the cost of extra
> security (selinux) is not appropriate for your risk model... you can
> turn it off.

I'd argue the opposite; if you feel the risk exposure is such that
you need the protection then enable it.  I've listed cases where this
is the case.

That cases exist for SELinux does not mean it should be on by default,
and is definitely not deserving of a sheeplike response whenever anyone
proposes otherwise.

-- 

rgds
Stephen
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
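Added example, not part of the original post or of any CentOS tooling: a small POSIX shell audit for the DMZ-profile items Stephen lists (SELinux state, unnecessary setuid programs, read-only filesystems). It generalises the filesystem check to any mount option, so the same function reports mounts missing `ro` or `nosuid`. The function names are my own, and the fstab it is run against at the bottom is a constructed sample, not taken from a real host.

```shell
#!/bin/sh
# Added example (not from the original mailing-list post): audit a host
# against the DMZ checklist -- SELinux mode, setuid programs, mount options.
# Function names are my own; the fstab used in the demo below is constructed.

# Report SELinux mode: "enforcing", "permissive", or "disabled-or-absent".
selinux_mode() {
    if command -v getenforce >/dev/null 2>&1; then
        getenforce | tr '[:upper:]' '[:lower:]'
    elif [ -r /sys/fs/selinux/enforce ]; then
        case "$(cat /sys/fs/selinux/enforce 2>/dev/null)" in
            1) echo enforcing ;;
            0) echo permissive ;;
            *) echo unknown ;;
        esac
    else
        echo disabled-or-absent
    fi
}

# List setuid/setgid regular files under a directory tree, sorted, one per
# line.  -xdev keeps the walk on one filesystem so /proc and network mounts
# are not traversed.  This list is what you review when deciding which
# setuid programs a minimal install actually needs.
find_setuid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Number of setuid/setgid files under a tree.
count_setuid() {
    find_setuid "$1" | wc -l | tr -d ' '
}

# Print the mount points in an fstab-style file that lack a given option
# (e.g. "ro" or "nosuid").  Comment lines, short lines and swap are skipped.
mounts_missing_opt() {
    awk -v opt="$2" '
        $1 ~ /^#/ || NF < 4 || $3 == "swap" { next }
        {
            n = split($4, o, ",")
            found = 0
            for (i = 1; i <= n; i++) if (o[i] == opt) found = 1
            if (!found) print $2
        }' "$1"
}

# --- demo on constructed input (not a real host's fstab) ---
demo_dir=$(mktemp -d)
cat > "$demo_dir/fstab" <<'EOF'
# constructed sample fstab, not taken from any real host
/dev/sda1  /      ext4   defaults               1 1
/dev/sda2  /var   ext4   defaults,nosuid,nodev  1 2
/dev/sda3  /home  ext4   defaults,nodev         1 2
/dev/sda4  /usr   ext4   defaults,ro            1 2
/dev/sda5  swap   swap   defaults               0 0
tmpfs      /tmp   tmpfs  nosuid,nodev,noexec    0 0
EOF
echo "SELinux mode:           $(selinux_mode)"
echo "mounts without nosuid:  $(mounts_missing_opt "$demo_dir/fstab" nosuid | tr '\n' ' ')"
echo "mounts without ro:      $(mounts_missing_opt "$demo_dir/fstab" ro | tr '\n' ' ')"
echo "setuid/setgid programs under /usr/bin: $(count_setuid /usr/bin)"
rm -rf "$demo_dir"
```

Run it as-is to see the demo; on a real box point `mounts_missing_opt` at `/etc/fstab` and `find_setuid` at `/` (it needs read access to the tree, so run it as root for a complete list). Which of the reported setuid programs and writable mounts are acceptable is exactly the per-profile judgement the message describes, so the script only reports; it changes nothing.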
