SELinux last straw

Jacques B. jjrboucher at gmail.com
Thu Oct 18 12:20:15 UTC 2007


On 10/17/07, Les Mikesell <lesmikesell at gmail.com> wrote:
> Jacques B. wrote:
> >
> > You can't honestly suggest that there should be a tool that can check
> > your entire system for any evidence of intrusion and fix it?
>
> Well yes... Since there isn't a handier one, I usually do it by
> restoring a backup from a time when I trusted the machine into a
> subdirectory of some other machine, then running rsync -avn against the
> live one to see what has changed.
>
> --
>    Les Mikesell
>     lesmikesell at gmail.com
>
I had a look at rsync and it is a very handy tool no doubt. I had some
idea what it was about but had never played with it.

Further to my previous posting on md5deep, I had a momentary brain
hiccup.  You don't need a full backup to compare with.  Rather you
generate a file containing all the hashes of your trusted system. You
could later on run md5deep in check mode using the hash file you
generated and md5deep would report back which files do not match
anymore.  Of course you'd have to restore that file from a backup or
re-install from a trusted online repository.  The advantage of this
for a home user is that it doesn't require a full backup of your
system (hence doesn't require all that disk space).  md5deep much like
md5sum simply generates a checksum file.  So that is the extent of
your additional footprint on your system for using such a system.
It's actually pretty much how Tripwire and such tools work.

Having said all that when you get right down to it all a home user
needs to do to be safe is keep the system updated, exercise good
judgement (vis-a-vis email attachments, downloading from untrusted
sources, phishing attacks), use very good passwords, and put in a
cheap home router/gateway (of course dial-up not applicable for home
router).  With that and the fact that they are running Linux does an
excellent job of keeping them safe in their single user environment.
Even a home user that runs a web server with a static site, or has ssh
enabled but not for root will be pretty safe if they follow the above.
SELinux is an additional layer of security that certainly can't hurt.
But it's not necessary.  And if implemented without the necessary
skills to do it properly then it can provide a false sense of
security, perhaps even introduce a vulnerability into the system (at
minimum it can cause headaches as we've seen).

In a corporate environment it's obviously very different.  Using
different means of access control, using other layers of security such
as SELinux, implementing physical security measures, are all things
that need to be done, and properly.

My advice to home users...if you want to put the time in to learn
SELinux and properly troubleshoot issues arising from it then kudos to
you.  If you're the type who just wants things to work and doesn't want
to be bothered with becoming a security guru then stay away from such
additional layers that require an above average level of technical and
security aptitudes.  If you are doing the simple things I mentioned
previously then you are ahead of the curve and are pretty safe.

I read somewhere online a while back where they hooked up various
unpatched Windows systems (different generations of it) and unpatched
Linux systems (don't remember the distros) to the web totally
unprotected.  The various Windows versions were all compromised within
minutes to hours.  None of the Linux ones were.  However when all the
updates were applied to these boxes none of them were compromised (no
Windows boxes and no Linux boxes).  Now throw in an end user into the
mix (I am not suggesting anybody here, I am using this in a very
generic way), especially one that does not exercise basic security and
whose common sense is not quite up to par and that changes things.
The moral of the story supports my suggestion earlier - very basic
security and common sense will properly protect the average user.

Jacques B.
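The md5deep baseline-and-check workflow described in the post above, as an added example that is not part of the original thread and not md5deep's own code: a small Python script that records a SHA-256 manifest of a trusted tree (kept off that tree, as a trusted backup of the hash file would be) and later reports which files changed, vanished or appeared. All paths and file contents in `demo()` are constructed for the run.

```python
import hashlib
import tempfile
from pathlib import Path

def hash_file(path):
    # SHA-256 of one file, read in 64 KiB chunks so large files are not loaded whole
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(65536), b""):
            h.update(block)
    return h.hexdigest()

def build_baseline(root):
    # map each regular file's path (relative to root) to its digest; symlinks are skipped
    root = Path(root)
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file() and not p.is_symlink()}

def write_baseline(baseline, manifest):
    # store as "digest  path" lines, the layout md5sum and md5deep also use
    with open(manifest, "w") as f:
        for rel, digest in sorted(baseline.items()):
            f.write(f"{digest}  {rel}\n")

def read_baseline(manifest):
    # inverse of write_baseline
    with open(manifest) as f:
        pairs = (line.rstrip("\n").split("  ", 1) for line in f if line.strip())
        return {rel: digest for digest, rel in pairs}

def check_against_baseline(root, baseline):
    # files whose hash differs, files that vanished, and files the baseline never saw
    current = build_baseline(root)
    return {"changed": sorted(r for r in baseline if r in current and current[r] != baseline[r]),
            "missing": sorted(r for r in baseline if r not in current),
            "added": sorted(r for r in current if r not in baseline)}

def demo():
    # constructed run: baseline a tiny tree in a temp dir, alter it, then check it
    with tempfile.TemporaryDirectory() as tree, tempfile.TemporaryDirectory() as store:
        root, manifest = Path(tree), Path(store) / "baseline.txt"  # keep manifest off the tree
        for d in ("etc", "bin"):
            (root / d).mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (root / "bin" / "ls").write_bytes(b"\x7fELF original binary\n")
        write_baseline(build_baseline(root), manifest)
        # later: one binary replaced, one file removed, one unexpected file appeared
        (root / "bin" / "ls").write_bytes(b"\x7fELF replaced binary\n")
        (root / "etc" / "passwd").unlink()
        (root / "etc" / "unknown.conf").write_text("x=1\n")
        return check_against_baseline(root, read_baseline(manifest))
```

The check is only as trustworthy as the manifest, so as the post says, the hash file itself needs to live somewhere the system under test cannot alter it.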

More information about the fedora-list mailing list