-
March 4th, 2008, 05:29 AM
#1
Junior Member
Noob questions about selinux
First a short introduction, then for the questions:
Hi, I am fairly new to linux. I started with slackware 12 just after it came out. I have an understanding of basic bash commands. I just successfully compiled and installed the 2.6.24 kernel for the first time.
Why I am here: I like playing with computers. I've always had windows until this last year. I thought I would try linux and started with knoppix. I found irongeek and he got me interested in security. I later set up a dual boot xp/slackware. Prior to that, I knew nothing about security. I had windows firewall and av. I thought that was all I needed. Well, I downloaded and tried ettercap. One day I left ettercap running and walked away for some time. Hours later I discovered two other people's names and passwords. Two other people had been on my home network. I had no idea for how long or what they saw. I had file sharing on with sensitive info I had backed up on my wife's computer through our network. I was quite alarmed and immediately turned off the wireless part of the router. It was through that experience I decided I had better learn more about security. I started with installing shorewall firewall with all ingress turned off. I have done numerous tests to see what ports are open and how to close them.
Now that I have introduced myself, now for my questions.
I was considering recompiling my kernel with selinux. I thought that would be easier since I don't know how to patch my kernel with selinux. I wanted a little feedback from people who use selinux and whether it is right for me. I started reading the papers on selinux from nsa and Red Hat, and it seems quite exhaustive and a lot to learn, including lots of acronyms and new terms.
OK, OK, enough rambling, now for the questions:
1. I have a family network of three computers, should I be using selinux? Or is it more geared towards the corporate structure?
2. I was a little fearful that if I recompile my kernel with selinux it will mess up my system. There does not seem to be much support for installing it on slackware.
3. Is it very intrusive and inhibiting? Will I have to change selinux every time I install from source?
4. What is PAM? I read two forums where they want selinux but without PAM.
5. Since selinux looks at every object (file), will I need to spend quite a bit of time setting it up to enable everything I am currently using as a user? In other words, will I run into lots of problems with lots of objects disabled?
The reason I am a little unsure about it and maybe my fears are for nothing, is because I don't want to mess up my system. I don't want to have to spend time reinstalling everything again.
Thanks
C
-
March 4th, 2008, 01:22 PM
#2
Hi, and welcome to AO,
I have moved your thread into the Linux/Unix forum as I think you might get a better response there.
-
March 4th, 2008, 02:18 PM
#3
Hi
Well written post - it's a pleasure to try to answer your questions.
In short:
1) You don't need selinux. It's geared towards environments with
the need for mandatory access controls[1].
2) If you really want to play with selinux, there is excellent support
with Fedora Core (and others, I guess).
3) I don't know, but probably.
4) PAM can be run with selinux, but needs a specific module (pam_selinux.so).
PAM and selinux are orthogonal (see below)!
5) Yes.
More lengthy answer:
Selinux provides mandatory access control to an operating system.
Windows and *nix usually come with discretionary access control[2],
which perfectly suits the requirements of most installations.
Supporting MAC in your environment is like breaking a butterfly on a wheel.
I did set up selinux on a bastion host[3] - compartmentalization of applications
makes perfect sense, but really is work. Here, however, I recommend the
usual linux-hardening steps ("How to secure harden Slackware filetype:pdf").
I want to mention that the selinux-kernel extension does not provide a
reference monitor[4] to the operating system (I read that one somewhere).
selinux-enforcement can be disabled (setenforce 0) and thus
does not fulfill the definition of a reference monitor.
PAM[5] is a mechanism to integrate multiple authentication schemes
into some public interface that can be used by developers in order to
simplify the implementation of their authentication functionality.
In order to run PAM with selinux, you need a specific module (pam_selinux.so),
which comes with Fedora Core out-of-the-box. Actually, this is a good
opportunity to refer to triple-A[6].
I just found this tutorial[7]. Skimming through it, it makes a good
impression.
/edit:
Just a recommendation: If you like to play around with computers,
consider installing VMWare Server (works perfectly with Windows XP).
It's free and allows running virtual computers.
Cheers
[1] http://en.wikipedia.org/wiki/Mandatory_access_control
[2] http://en.wikipedia.org/wiki/Discret...access_control
[3] http://antionline.com/showthread.php?t=270999
[4] http://en.wikipedia.org/wiki/Reference_monitor
[5] http://en.wikipedia.org/wiki/Pluggab...cation_Modules
[6] http://en.wikipedia.org/wiki/AAA_protocol
[7] http://linux.0ms.eu/?p=13237
Last edited by sec_ware; March 4th, 2008 at 02:29 PM.
If the only tool you have is a hammer, you tend to see every problem as a nail.
(Abraham Maslow, Psychologist, 1908-70)
-
March 4th, 2008, 04:19 PM
#4
In response to your fears about what was found by ettercap, I would say you really just need to adjust your router settings. I assume you have wireless turned on with no encryption or key set. As you have discovered this is a mistake. I assume someone was just using your free wifi and it is probably unlikely that anyone actually got on your Slack system. I would check the services you have turned on to make sure nothing is on that shouldn't be. If it is, turn it off. Check the accounts have secure passwords.
On Pam, I would point out that Slack does not use it and Patrick Volkerding is not likely to add it until some security concerns are corrected. There are some tutorials on adding it, actually if you add dropline gnome, it will install pam (or it used to, I have not used it in a few years.)
Only trust Pipe-smoking Penguins.
-
March 5th, 2008, 06:22 AM
#5
Junior Member
sec_ware,
Thanks for the info. I bet you spent alot of time putting this together.
According to your last link [7] it seems that under selinux you have to set up a policy for every program. The example was the Asterisk daemon in the blog. That would take an extensive amount of time.
Here, however, I recommend the
usual linux-hardening steps ("How to secure harden Slackware filetype")
Where can I download the pdf doc?
I googled "How to secure harden Slackware", but I don't think I found what you were specifically referring to. Could you link to it?
I assume you have wireless turned on with no encryption or key set. As you have discovered this is a mistake.
I turned off the wireless settings on my router. And yes, I had no encryption. That was before I knew better.
Thanks guys.
-
March 5th, 2008, 09:50 AM
#6
Hi
I bet you spent alot of time putting this together.
That's the way I write posts usually. There should be
some content, even if I do not exactly target the request
of the thread starter. I better spend 15 min on something
than 5 times 2 min on nothing...
Where can I download the pdf doc?
I was specifically referring to a document here[1], however
it does not seem to be available anymore. I am sure there
is someone here who can provide you with a good reference.
Check also the security tutorial here on this site.
You may start a new thread if your question about how to
harden a linux system has not been answered yet.
isildur mentioned a couple of good points. In order to
see what "the guys outside" see, you may scan your PC
from outside[2], and close open ports by stopping unnecessary
services[3] (netstat, ...).
Cheers
[1] http://www.infoanarchy.org/en/Slackware
[2] http://security.symantec.com, http://www.grc.com/intro.htm (shieldsup), http://nmap-online.com/
[3] http://www.slackware.com/config/
Last edited by sec_ware; March 5th, 2008 at 09:57 AM.
If the only tool you have is a hammer, you tend to see every problem as a nail.
(Abraham Maslow, Psychologist, 1908-70)
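As an added example (not code from any poster in this thread), here is a small POSIX shell helper that turns sec_ware's advice into a check: feed it `netstat -tlnp` output and it lists only the listening TCP services bound to every interface, i.e. the ones an outside scan like ShieldsUP or nmap-online could actually reach. The netstat sample below is constructed for the demo, and the column layout assumed is that of Linux net-tools netstat; on a real box the program-name column is only filled in when run as root.

```shell
# Constructed sample of `netstat -tlnp` output (not captured from a real host).
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1201/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1340/sendmail
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      1502/smbd
tcp6       0      0 :::111                  :::*                    LISTEN      980/rpc.portmap'

# exposed_listeners NETSTAT_TEXT
# Prints "port program" for each TCP socket in LISTEN state that is bound to
# all interfaces (0.0.0.0 or ::), i.e. reachable from the LAN or Internet.
# Sockets bound only to loopback (127.0.0.1, ::1) are skipped: an outside
# scan cannot see them, so they are not candidates for shutting down on
# that basis alone.
exposed_listeners() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            addr = $4; sub(/:[0-9]+$/, "", addr)   # strip ":port" -> address
            port = $4; sub(/.*:/, "", port)        # keep only the port
            prog = $7; sub(/^[0-9]+\//, "", prog)  # "1201/sshd" -> "sshd"
            if (addr == "0.0.0.0" || addr == "::")
                print port, prog
        }'
}

# Number of network-reachable listeners, useful as a before/after figure
# once unneeded rc scripts have been disabled.
exposed_count() {
    exposed_listeners "$1" | wc -l | tr -d ' '
}

# Demo on the constructed sample; on a live Slackware box run as root:
#   exposed_listeners "$(netstat -tlnp)"
exposed_listeners "$SAMPLE_NETSTAT"
```

Each remaining line is a service to either justify (sshd, with a strong password or keys) or stop via its rc script, as the Slackware config page in [3] describes.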
-
March 5th, 2008, 09:22 PM
#7
Here is another Slack specific site that has a section on security in addition to a lot of other good information.
http://www.slackbook.org/
Only trust Pipe-smoking Penguins.
-
March 6th, 2008, 02:56 AM
#8
Junior Member
I appreciate the help.
I will chew on this for a while and let you know what Ive done.
I started with [1] http://www.infoanarchy.org/en/Slackware
There are some links there on hardening slack
Thanks again
-
March 6th, 2008, 08:22 AM
#9
Junior Member
I found what seems to be a great link on hardening slackware 10.
Perhaps this is the link sec_ware was referring to:
http://transamrit.net/docs/sysHarden...ening-10.2.txt
-
March 7th, 2008, 04:47 AM
#10
Originally Posted by crusader100
Although SELinux does not provide a true reference monitor, it does give some advantages when used to compartmentalize the system. In some cases, it can remove the path to root without removing root privileges. Unfortunately, as was mentioned, it is a module on a monolithic kernel, which certainly does not give the security of a reference monitor on a microkernel.
Real security doesn't come with an installer.