
Thread: What is Linux security?

#1 catch (Banned, joined May 2003, 1,004 posts)

What is Linux security?

    I see many threads on here discussing Linux security, (heck, I've been involved in a few) and one thing is very clear... no one seems to know exactly what Linux security is.

    Yeah, MAC ACLs have been added... but no major commercial distributions utilize them... should they be considered?
    What about security levels? Removing the root account? Sticky bits? A trusted facilities manual? More finely grained DAC?

Some say anything Linux can do is to be considered part of its security model.
Some say everything specifically included in the kernel.org source is to be considered part of Linux.
And still some say only things included with commercial distros should really be considered.

    The problem is, all of these arguments have merit, but make a productive discussion about Linux security very difficult.

    My personal beliefs are a combination of the above. It must be included in kernel.org and (this is important, because kernel.org is getting more and more comprehensive all the time) must at least be documented in a major commercial distro. Otherwise the assurances and consequently all potential security advantages are lost. (at least in a corporate setting)

    Anyhow, curious about your thoughts.

    cheers,

    catch

#2 IKnowNot (Senior Member, joined Jan 2003, 792 posts)

I think I will start the ball rolling here by saying,
catch, I couldn't agree with you more.

Although I haven't played with some of the "secure OSs" you have mentioned, I have played with Linux for several years.

The problem I have found is that each commercial distro handles things differently, and each new major revision also handles things differently, but some aspects which were problems get corrected in the newer releases (just as M$).

I found this by trying to set up boxes and secure them as best I could with the knowledge I have.
Most of my time has been spent with RedHat, and only "custom" installs to choose what packages are installed. I don't think I have ever done a "stock" install of any Linux distro.

What was needed to secure (and set up) a relatively secure RH5.x box was extensive to say the least. Back then, custom kernels built from kernel.org were a must! Even through the 7.x series (I skipped the 8.x series; they didn't provide any useful security updates, IMHO.) Even with RH 9.0, I still build custom kernels from kernel.org, and for firewalls, install from source at netfilter.org before building the kernel.

I am not sure yet how much benefit I will get from building a custom kernel for Fedora (I am still learning, still playing, still building kernels ... maybe I will eventually just use a custom kernel from Fedora source, but the jury is still out so to speak.)

But what I learned was that with each new release many of the modifications I did by hand were now done with the install (file permissions, services running, etc., even though I chose what services to run during the install, some were still running which needed to be shut down!) But also, with each new revision came problems in that the distros attempt to make installs easier by providing "generic" versions of both the kernel and the installed programs to accommodate the vast possible number of architectures they can be installed on, thus the necessity of custom kernels, recompiling programs, etc.

I've also played with free versions of UNIX. My impression: not enough people working on them to keep the necessary programs current for something like workstations, and they suffer the same security problems as Linux distros. (I think I am in love with "pf", but it won't replace my wife.)

Now specifically to your post:
Originally posted by catch:
Yeah, MAC ACLs have been added... but no major commercial distributions utilize them... should they be considered?
Linux is a general term, much as Unix. I don't know about SUSE, or Debian; both reportedly have enabled SELinux, but to what extent I do not know. (SUSE 9.2, as I have said, has no ISO other than DVD ... none of the boxes I would download it on, never mind install it on, have DVD.) But because of Fedora Core 3 (FC3) RedHat has released a beta of RedHat Enterprise 4. As I understand it (I may be wrong) it is to be based on FC3, which includes SELinux.

Originally posted by catch:
... Sticky bits?
This confuses me. I was under the impression that Linux did not handle these the same way as Unix does. And I believe the impression of most is that it does. Am I wrong?
"And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes
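As an added example, not part of IKnowNot's post or of any distro's tooling: a small POSIX shell audit for two of the by-hand checks mentioned above, world-writable directories that lack the sticky bit, and setuid/setgid files. On Linux, as on the other Unixes, the sticky bit on a directory such as /tmp means that only a file's owner, the directory's owner or root may delete or rename entries in it, so a world-writable directory without it lets any local user remove or replace other users' files. The script builds a constructed sample tree under mktemp so it runs offline; the directory names and the file suid_prog are assumptions for the demo, not paths taken from the thread.

```shell
#!/bin/sh
# Added example: audit a tree for (a) world-writable directories missing the
# sticky bit and (b) setuid/setgid files. Point the two find_* functions at /
# for a real audit; the sample tree below is constructed for the demo only.
set -eu

# Build a constructed sample tree (assumed names, not from the original post).
setup_sample_tree() {
  root="$1"
  chmod 0755 "$root"
  mkdir -p "$root/tmp_ok" "$root/tmp_bad" "$root/bin"
  chmod 0755 "$root/bin"
  chmod 1777 "$root/tmp_ok"    # world-writable WITH sticky bit: shared dir done right
  chmod 0777 "$root/tmp_bad"   # world-writable WITHOUT sticky bit: anyone can delete others' files
  : > "$root/bin/suid_prog"
  chmod 4755 "$root/bin/suid_prog"   # setuid root-style binary (hypothetical name)
  : > "$root/bin/plain"
  chmod 0755 "$root/bin/plain"       # ordinary executable, should not be reported
}

# Directories writable by "other" (o+w, octal 0002) that do not carry the
# sticky bit (octal 1000).
find_ww_nosticky() {
  find "$1" -type d -perm -0002 ! -perm -1000 2>/dev/null
}

# Regular files with setuid (4000) or setgid (2000) set.
find_setid() {
  find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# Demo run on the constructed tree.
demo_dir=$(mktemp -d)
setup_sample_tree "$demo_dir"
echo "world-writable directories without sticky bit:"
find_ww_nosticky "$demo_dir"
echo "setuid/setgid files:"
find_setid "$demo_dir"
rm -rf "$demo_dir"
```

Run against a real root (`find_ww_nosticky /` and `find_setid /` as root) the second list is the one worth diffing across releases: it is exactly the set of programs whose bugs become local privilege escalation, and it is what the "stock versus custom install" difference in the post changes most.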

#3 catch (Banned, joined May 2003, 1,004 posts)

Originally posted by IKnowNot:
I don't know about SUSE, or Debian; both reportedly have enabled SELinux, but to what extent I do not know.
I worded that badly... by "utilize them" I mean included in their ISO 15408 evaluations.

    This raises other questions...
    - Is SELinux a trusted system? Clearly it fails to meet many of the requirements and is merely a research project, but it does make deep architectural changes in line with trusted systems philosophy.
    - Is a trusted version of a system, the same system? Clearly Trusted Solaris is not Solaris and HP's Virtual Vault is not HP-UX, is SELinux Linux?

    Clearly these questions are interdependent, and many more questions can spring from their answers.

Linux, being an OS jam-packed with maintenance hooks, breaks traditional rules about what an OS is. Unfortunately I think most people find this appealing, and consequently I don't see clarity on the horizon. I am just really curious what security functionality most people consider Linux to have.

    cheers,

    catch

#4 (Senior Member, joined Dec 2004, 137 posts)

    Originally posted here by catch
    I am just really curious what security functionality most people consider Linux to have.
Easy. Linux & *nix on the network periphery because of stability & security. Windows on the internal clients because of popularity & familiarity. We are entertaining the idea of ISA on the periphery - but it's a little daunting.

btw - I prefer to use FreeBSD (OpenBSD for added security!). I hate Linux distros because there is always a search-and-find game to figure out where what has been moved from distro to distro. With FreeBSD, it's all in the same bloody place!

btw2 - what's all this Linux vs Windows security stuff I am seeing in the geek media lately? Is there a new FUD campaign?

#5 catch (Banned, joined May 2003, 1,004 posts)

Interesting... though you didn't really address the thread.

All the Win v Linux stuff is a response to SUSE's EAL4 ISO 15408 evaluation.

    cheers,

    catch
