On 6/18/07, Stephen Harris <lists@xxxxxxxxxx> wrote:
On Mon, Jun 18, 2007 at 12:18:40PM -0600, Stephen John Smoogen wrote:
> On 6/18/07, Stephen Harris <lists@xxxxxxxxxx> wrote:
> >I've never said there are _no_ cases for SELinux. I was questioning it
> >as a general rule for all machines.

> Several of the problems were machines that were not connected to the
> internet or were deep behind firewalls. The problems were that all it
> takes is one user who doesn't think well to make all those
> firewalls/issues useless. E.G the person who coming in from work finds
> a nice shiny USB fob and plugs it into a work computer to see who it
> belonged to so they could return it. The guy who downloads an

[ etc ]

This is why I mentioned "risk profile" in another message. You evaluate
the perceived risk, the likelihood of the event happening, the cost of
the event, the "cost" of a potential solution and perform an analysis.

So one might rank the items like this:

  external facing servers: high risk! Automated attacks possible
  Desktop work stations: moderate. User stupidity highest attack vector
  General compute server: low risk. Only "trained" staff have access.

I was really grumpy yesterday.. so I just wanted to say that I believe
that in most cases where you are in a low risk.. you might be better
off with selinux in permissive mode versus off. Permissive at least
will give you a fingerprint of what might have gone wrong when the PFY
plugged in that nice shiny USB fob he found next to his car at lunch.

--
Stephen J Smoogen. -- CSIRT/Linux System Administrator
How far that little candle throws his beams! So shines a good deed
in a naughty world. = Shakespeare. "The Merchant of Venice"

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
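
The "fingerprint" that permissive mode leaves is the set of AVC denial records written to the audit log while the action is still allowed. The following is an added example, not part of the thread: it summarizes such records by process, source type, target type, object class and permission. The log lines are constructed for illustration, and the domain and type names in them are assumptions, not taken from any real policy or incident.

```python
import re
from collections import Counter

# Constructed sample in audit.log format (not real data). In permissive mode
# the access succeeds, but the "avc: denied" record is still logged.
SAMPLE_LOG = """\
type=AVC msg=audit(1182190000.101:41): avc:  denied  { read execute } for  pid=2301 comm="setup.sh" name="setup.sh" dev=sdb1 ino=12 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:removable_t:s0 tclass=file
type=SYSCALL msg=audit(1182190000.101:41): arch=40000003 syscall=11 success=yes exit=0 comm="setup.sh"
type=AVC msg=audit(1182190004.530:42): avc:  denied  { write } for  pid=2301 comm="setup.sh" name="passwd" dev=dm-0 ino=3301 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1182190009.877:43): avc:  denied  { write } for  pid=2301 comm="setup.sh" name="passwd" dev=dm-0 ino=3301 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the key=value fields of one AVC denial, or None for other records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    rec['perms'] = m.group('perms').split()
    return rec

def type_of(context):
    """Extract the type from a user:role:type[:level] security context."""
    parts = context.split(':')
    return parts[2] if len(parts) >= 3 else context

def fingerprint(log_text):
    """Count denials per (comm, source type, target type, class, permission)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        # Skip non-AVC records and truncated AVC lines missing a context.
        if rec is None or not {'scontext', 'tcontext', 'tclass'} <= rec.keys():
            continue
        for perm in rec['perms']:
            counts[(rec.get('comm', '?'), type_of(rec['scontext']),
                    type_of(rec['tcontext']), rec['tclass'], perm)] += 1
    return counts

if __name__ == '__main__':
    for key, n in fingerprint(SAMPLE_LOG).most_common():
        print(n, *key)
```
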