[Wolves] Nsa using linux

Andy Smith andy at lug.org.uk
Sun Aug 27 03:55:16 BST 2006


On Sat, Aug 26, 2006 at 10:59:05AM +0100, Peter Cannon wrote:
> On Friday 25 August 2006 15:34, David Goodwin wrote:
> 
> > I think you'd change your tune if, for example, someone managed to
> > hack into your Linux box but because of SELinux couldn't read
> > $important_data - even though they had a root shell.
> 
> I did, I was, my boxes both at home and at work are locked down via the 
> firewall. It's simple enough, just deny everything except from specific IPs; 
> however I accept that there is a possibility of a script opening something up, 
> that's where monitoring the logs comes in.

You are completely missing the point.  In traditional Unix, when
something runs as root there is no barrier to what it can do. A
script or program running as root and being forced to do something
it should not is not going to log that it is doing something it
should not do.

If you want to say "well I'll lock it down" or "I'll only run
software that's well-coded" that's great, but it relies on human
beings (you, the authors) not making any errors and predicting in
advance every possible avenue of attack.  Once an unguarded avenue
of attack is found and exploited then the process running as root
can do ANYTHING.

SELinux and similar technologies are about breaking down the
capabilities of root such that specific programs can be given just
enough rights to do what they need to do, and this is enforced
externally so there is no way that the program can break out of it
even if it is exploited.

If you can't get your head around this then think about it this way:

If you run a web site with apache then you have apache as root
listening on port 80.  Now sure apache forks and drops privilege.
Sure every other port is firewalled.  Sure you've made sure that
every web script and application you are running is patched and
upgraded.  But you can't firewall port 80, and someday maybe there
is found an exploit in apache or in one of the web applications you
are running and no amount of logging is going to help you if some
script kiddie runs an exploit on your server and gets to execute
whatever he likes as the apache user or even worse as root.  Maybe if
you are lucky then the next morning when you are mailed the
anomalies out of your logs (you do that, right?  Or do you make sure
to read every log file manually every day on every server you have?)
then you get to see some string of hundreds of garbage characters or
most likely you see nothing out of the ordinary.  Is that a big
comfort to you after the event?

Or would you rather that your apache had been prevented from doing
anything it normally does in the course of serving web content from
specific places and thus did not enable the attacker to do whatever
they wanted to do?

And that is the point of technologies like SELinux.  No amount of
"I'll firewall this and tighten down that and read logs for the
other" will make up for the fact that without it, root can do
anything.

Unfortunately in my opinion what makes SELinux currently unusable is
the complexity of the rules and keeping them up to date.  But that
does not mean there is not a real need, and hopefully it will
become a lot easier to manage in the near future.

> However I bow to general opinion maybe SELinux has a place just not for me. :)

I guarantee that one day, maybe not for a few years (and maybe not
called SELinux or bearing any resemblance to SELinux today), but
soon, fine grained access control will be normal on Linux and almost
everyone will be using it -- even you!

Cheers,
Andy
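The complaint above about "keeping the rules up to date" is usually met in practice by reading the AVC denials that SELinux writes to the audit log and deciding, per denial, whether the policy is wrong or the program is. The following is an added example, not code from the post or from any SELinux project: a small audit2allow-style summariser that parses constructed `type=AVC` lines (the pids, inode numbers and timestamps are made up), aggregates denied permissions per (source domain, target type, object class), and then refuses to suggest an allow rule for a target such as `shadow_t`, since a web server reading the shadow file is the attack the post describes, not a policy gap. The `NEVER_ALLOW` set and the relabel heuristic are this example's own assumptions, not part of any shipped policy.

```python
"""Summarise SELinux AVC denials and suggest, or refuse, allow rules.

Added example in the spirit of audit2allow; not part of the original post.
The sample log lines below are constructed, not captured from a real host.
"""
import re
from collections import defaultdict

# Constructed audit.log excerpt. Field layout follows the kernel's AVC audit
# format; pid/comm/name/dev/ino/timestamps are invented for the example.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1156649716.101:4501): avc:  denied  { read } for  pid=2211 comm="httpd" name="index.html" dev=sda1 ino=98765 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1156649716.102:4502): avc:  denied  { getattr } for  pid=2211 comm="httpd" name="index.html" dev=sda1 ino=98765 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1156649720.550:4503): avc:  denied  { read open } for  pid=2211 comm="httpd" name="shadow" dev=sda1 ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1156649721.003:4504): avc:  denied  { name_connect } for  pid=2211 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1156649721.003:4504): arch=c000003e syscall=42 success=no exit=-13 comm="httpd"
"""

# Matches only AVC denial records; SYSCALL, PATH and other record types are skipped.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+(?P<fields>.*)$'
)
# key=value pairs, where the value is either a quoted string or a bare token.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Target types for which a denial from a service domain should be treated as
# evidence of compromise rather than as a policy gap. Assumption of this
# example; extend for your own environment.
NEVER_ALLOW = {'shadow_t', 'etc_t', 'ssh_home_t'}


def parse_avc(line):
    """Return a dict describing one AVC denial, or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    # A security context is user:role:type[:level]; the type is index 2.
    return {
        'perms': set(m.group('perms').split()),
        'comm': fields.get('comm', '?'),
        'sdomain': fields['scontext'].split(':')[2],
        'ttype': fields['tcontext'].split(':')[2],
        'tclass': fields['tclass'],
    }


def summarise(log_text):
    """Aggregate denied permissions per (source domain, target type, class)."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is not None:
            denials[(rec['sdomain'], rec['ttype'], rec['tclass'])] |= rec['perms']
    return dict(denials)


def suggest(denials):
    """Turn the summary into policy-language lines or explicit refusals."""
    lines = []
    for (src, tgt, cls), perms in sorted(denials.items()):
        perm_str = ' '.join(sorted(perms))
        if tgt in NEVER_ALLOW:
            lines.append(f'# REFUSE: {src} tried {{ {perm_str} }} on {tgt}:{cls}; '
                         f'investigate the process, do not widen the policy')
        elif tgt == 'user_home_t' and cls == 'file':
            # Heuristic: web content living under a home directory is a
            # labelling problem; relabel the files, do not grant the domain
            # read access to every home directory.
            lines.append(f'# RELABEL: {src} denied {{ {perm_str} }} on {tgt}; '
                         f'give the content the correct type instead of allowing')
        else:
            # A raw allow rule is shown; where the distribution policy offers a
            # boolean for this access (e.g. a network-connect boolean), prefer it.
            lines.append(f'allow {src} {tgt}:{cls} {{ {perm_str} }};')
    return lines


if __name__ == '__main__':
    for out in suggest(summarise(SAMPLE_AUDIT_LOG)):
        print(out)
```

Run it as-is to see the three classes of outcome on the constructed log: a relabel note for the home-directory content, a refusal for the shadow file, and a candidate allow rule for the database port. The point the post makes is visible in the second case: the denial exists only because the policy, enforced outside the web server, stopped the access; the usual log-and-firewall setup would have recorded nothing.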