Thread: SELinux and Trusted BSD

  1. #1
    Senior Member gore
    Join Date: Oct 2002

    SELinux and Trusted BSD

    So, I'm sitting here looking over some Docs I found talking about this stuff again, and though I do admit, I've not used much of this in some time now (Mostly because my little Network here at home is locked down by first having a Router stand in the way, then another Router and Hardware Firewall, then a Switch, and then a "Hardware Security Device" and on top of that, having my machines set where you have to comply with MY password policy... To make it short; I don't worry a whole lot as I don't think of myself as an easy target) and, anyway, I do remember wayyyyy back, I was trying out a new version of Fedora Core, and I noticed that a lot of SELinux stuff had been added to a base install.

    Being someone interested in Unix Security, I started looking at it. I was pretty much new to it, as I hadn't ever used it before, but the ease of which to set it up, and the incredibly easy to understand GUI tools... It made me wonder just how the heck anyone would not use it, and got me thinking about other "Trusted" **** I've come across before.

    I know SELinux isn't new or anything, I mean when I first saw it, it was years ago, and as far as I know, a lot of Linux distros like Fedora Core, still come with it pre-installed, and, now, I'm looking at the Trusted BSD stuff.

    It's almost embarrassing to say this, but, given that I've been a fairly Honest person, and I've admitted when I was in over my head on discussions (Which I think is quite a quality in this type of Industry, where people will lie and pretend they know exactly what they are talking about even when they don't) I don't mind saying that I haven't ever actually LOOKED into Trusted BSD anything.

    So, right now, I went on and started looking into it, and I'm finding quite a bit of info about it. I think it's cool really; I mean I know whenever you buy a book that talks about Linux VS BSD, they'll tell you, for the most part, that the differences are more Philosophical than technical.

    That's crap to be Honest; Linux is a great OS to run on any Computer; Be it Desktop, Server, Embedded, anything! BSD, same thing; You can run BSD on your desktop, your Laptop, your Server, your embedded stuff, just as Linux does, and when it comes down to it, you'd have to look pretty hard to find someone who'd actually have the balls AND ignorance to say that BSD, in general, is a lot more stable.

    I know I'm sticking my neck out here just a little, as Linux only people tend to be almost militant, but I don't care. BSD is more Stable when it comes to REAL Production environments. Period. And now that I'm looking into this whole Trusted BSD thing, I'm REALLY interested.

    I'm kind of wondering how many BSD users we have here. I know there's myself, and SirDice, who uses FreeBSD quite often, and, I admit, SirDice is WAY more experienced in BSD than I am, I'm wondering if anyone would be willing to chime in about what they're using:

    If you use Linux, and you don't mind taking part in what could very well become a nice interesting thread, please reply with the following information -

    How long have you been using Linux?

    Which Distros of Linux have you tried?

    Which Distros of Linux do you stick with the most? (Most of us who use Linux don't exactly use just one; I myself will give the info about me in a little bit here)

    If you DO only use one Distro of Linux, which one is it, and, why do you ONLY use that one?

    What makes you stick with it?

    Have you considered anything else?

    Have you yourself used SELinux?

    How did you set it up?

    What else have you done to lock the machine down?
    For the BSD users -

    How long have you been using BSD?

    Which BSD stuff have you tried?

    Which BSD do you use?

    If you use Multiple versions, what are they?

    What makes you REALLY stick with that particular one?

    How many have you tried out?

    If you use more than one BSD on a regular basis; Which BSD stuff do you have and use, and why do you prefer them?

    Have you ever used Trusted BSD stuff at all?

    What methods do you personally use for locking down your BSD OSs?

    For those of us using both Linux AND BSD -

    Which do you prefer?

    How do you use each one differently?

    If you don't use them differently, what do you do with them?


    More or less, I'd like to sort of get a roll call of sorts of our user base, and which OSs they use, and how they lock them down. I think it would be interesting if everyone who used Linux and BSD here chimed in, gave a little info about what makes them use one Distro / Version over another, and, of course, for the Security Aspects of this, what you all do to ensure that it's safe from intrusion, or, at the very least, what steps you take to make sure it's not some big cluster of holes that lets everyone in.


    Another thing I'd like to go into, is for Servers -

    What Servers do you use? How do you lock them down? Which works best for you?

    The Trusted BSD stuff I'm looking at right now looks really cool. And, again, I don't have much in the way of experience, as I haven't ever really looked into it. I knew Trusted BSD existed obviously, but I didn't really ever look into it. I mean I've got a lot of stuff in place to keep my machines at least somewhat safe, and I'll be chiming in as well, and, also, any extra info is welcome too! By that, I mean this:

    If you use ANY other version of Unix, what is it? How long have you been using it? Why do you use that VS something else? I mean, obviously, there are a LOT of OSs based on Unix, and I'm curious about who does what with it.

    And yes, I'm going to say Mac OS X is Unix as well. It's the easiest to use BSD on the Market really lol.

    Also, what about non PC or Consumer aimed stuff?

    Anyone using an SGI Workstation or Server?

    An Alpha?


    I personally use BOTH Linux and BSD. I've been using BSD on and off since 2000 / 2001. I don't really remember if it was 2000 or 2001, so I can't say for sure, and for Linux, it's about the same.

    I use FreeBSD and PC-BSD for my BSD based stuff. I LOVE FreeBSD, and PC-BSD is basically FreeBSD but with a lot of tools to make it easier to set up. It's also got a nice look to it. I currently use it on my Laptop.

    In Linux, I use Debian, SUSE (OpenSUSE, paid SUSE, and so on) Slackware, and, once in a while, I like to install Mandriva. The reason I don't use Mandriva all the time, is that even though it's VERY nice, and has impressed me on more than one occasion, I just can't stick with it. A lot of the time, the reason is in how they handle things. Sometimes I've seen stuff break that just shouldn't. So, I stick with the main distros I listed, and then once in a while, I'll check in on Mandriva. I still like it enough to try it out.

    I don't own any non-PC based stuff, though I'd LOVE to, so nothing to say there.

    Anyway, I'll stop here for now; I'll wait until we have some replies, and then we can get this thing rolling.

    If we can get some people to reply, and get a good discussion going, I think it may turn out well.

  2. #2
    Junior Member
    Join Date: May 2004
    I mostly multiboot at work, my desktop has Ubuntu, Slackware, Fedora, OpenBSD. The desktop at home does the same thing. Been doing this for the last 4 years, though the Ubuntu install is only 3 months old in both machines. Unfortunately I don't manage any servers. Yeah, I am an extremely ugly duckling in the Windows environment at work.

  3. #3
    Senior Member gore
    Join Date: Oct 2002
    OpenBSD huh? I haven't met many people who use OpenBSD, but we have a few members here who do use it. I myself haven't ever installed it, and don't intend on doing it any time soon, because it's not for me. But it's neat to find someone who does use it.

    Any particular reason OpenBSD grabbed your attention over the others you can get? What do you do once you've installed it? Anything you'd like to share about your experiences with it? Anything you do once the install has completed that you always do?

    I'd like to have at least one thread here that has details on everything, and being that I'm a moderator here, I can actually take all the good info we get, and compile it into a nice looking info center for any person on here.

    If this thread goes as I intended it to, AntiOnline will finally have a proper thread about Unix for all. I want to, eventually, have this turned into a complete "HOWTO / FAQ / Intro" that will work for anyone.

  4. #4
    Just Another Geek
    Join Date: Jul 2002
    Rotterdam, Netherlands
    >For the BSD users -
    >How long have you been using BSD?

    A little over 10 years

    >Which BSD stuff have you tried?

    Pretty much everything that comes with it.

    >Which BSD do you use?


    >If you use Multiple versions, what are they?

    >What makes you REALLY stick with that particular one?

    The ports tree and its overall structure. The API/ABI is very stable and thought out.

    >How many have you tried out?

    Every version between 3.0 and -CURRENT (which is now 9.0).

    >If you use more than one BSD on a regular basis; Which BSD stuff do you have and use, and why do you prefer them?

    As a firewall with PF, as a generic server with Apache, MySQL, NFS, Samba, etc. and as a workstation with XFCE.

    >Have you ever used Trusted BSD stuff at all?

    I looked at it but that's about it.

    >What methods do you personally use for locking down your BSD OSs?
    Common sense

    As for other OSs, at work we have Solaris 8, 9 and 10. We're currently working on migrating all our, in-house developed, software to Red Hat Enterprise Linux. I'm not too happy about that but there's nothing I can do about it.
    Last edited by SirDice; September 22nd, 2011 at 10:18 AM.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  5. #5
    Senior Member gore
    Join Date: Oct 2002
    I was wondering when you'd get in on this

    One thing I'd still love to see about BSD, and in particular; FreeBSD, would be a patch method similar to Debian; I know some people WANT to have Ports updated separate so they can get more performance and all that, but for Desktop, after the last few weeks of having PC-BSD on my Laptop, I've seen how they could probably VERY easily set up the same thing, or just use the one PC-BSD has, where you download patches not just for the base system, but Ports too.

    The PC-BSD method works really well, and it's a lot like Linux, where you can just check for updates, and grab them, and it doesn't seem to matter if it's base system or ports.

    That would make FreeBSD SO much easier on the Desktop end.

    Also, again, I feel for you having to put up with Red Hat. Can't even imagine having to go to that.

  6. #6
    Junior Member
    Join Date: May 2004
    Well like I said I multiboot, that means I have little hardware to play with. OpenBSD among the other BSDs install fast and well on my hardware (I can't say it's better, it just does). When I know my way well enough around it I intend to use it to wall off our office data team from the rest (the data we work with is very important to our projects), maybe later when we are authorised, put it after or in between the 2 office routers or toss the routers entirely.

  7. #7
    AO Antique pwaring
    Join Date: Aug 2001
    Originally posted by gore:
    How long have you been using Linux?
    10+ years.

    Which Distros of Linux have you tried?
    Most of the major ones - Debian, Mandrake, SUSE, RedHat (before it became RHEL/Fedora), Fedora, Ubuntu, Gentoo, Slackware and probably some others.

    Which Distros of Linux do you stick with the most? (Most of us who use Linux don't exactly use just one; I myself will give the info about me in a little bit here)
    Debian (servers), Ubuntu (desktop)

    If you DO only use one Distro of Linux, which one is it, and, why do you ONLY use that one?
    apt blasts all other package management systems out of the water, plus it's easier to find a solution when searching for '(debian|ubuntu) (some problem)' than with any other distro.

    What makes you stick with it?
    Ubuntu is updated enough to have the latest shiny desktop features, Debian changes infrequently enough to run on a server.

    Have you considered anything else?
    No, but I've considered learning RedHat for employability reasons (i.e. lots of companies use it).

    Have you yourself used SELinux?
    No, too much faff and it breaks too many things (or has the potential to).

    How did you set it up?

    What else have you done to lock the machine down?
    Depends on the machine. For desktops, I set up the firewall to block all incoming connections. For servers, I tend to move ssh to a different port (stops most scanners which assume port 22), disable root logins over ssh, block any login attempts outside a given IP list and insist on key-based authentication (combination of those, depending on the server).
    Paul Waring - Web site design and development.
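
An added example, not part of pwaring's post or anyone's real configuration: a small Python audit that checks an `sshd_config` for the four SSH measures he lists (non-default port, no root login, key-only authentication, source-address restriction). The function names and the sample config are constructed here, and mapping "a given IP list" to `AllowUsers user@host` patterns is an assumption, since the same restriction can be done in a firewall instead.

```python
"""Audit an sshd_config for the SSH lockdown measures listed in the post above."""

# Values OpenSSH applies when a keyword is absent (current releases).
DEFAULTS = {"permitrootlogin": "prohibit-password", "passwordauthentication": "yes"}
# Keywords that may repeat and accumulate; for all others sshd keeps the FIRST value.
MULTI = {"port", "allowusers"}

# Constructed sample, not a configuration from the thread.
SAMPLE_CONFIG = """\
# constructed example
Port 2222
PermitRootLogin no
PasswordAuthentication no
# A later duplicate is ignored by sshd: the first value obtained is used.
passwordauthentication yes
AllowUsers deploy@192.0.2.* admin@198.51.100.7

Match Address 203.0.113.0/24
    PasswordAuthentication yes
"""


def parse_sshd_config(text):
    """Return (global_settings, [(match_criteria, settings), ...])."""
    global_cfg, blocks = {}, []
    target = global_cfg
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        key, args = fields[0].lower(), fields[1:]   # keywords are case-insensitive
        if key == "match":
            # Everything after a Match line applies only to matching connections.
            target = {}
            blocks.append((" ".join(args), target))
        elif key in MULTI:
            target.setdefault(key, []).extend(args)
        elif key not in target:                     # first value wins
            target[key] = " ".join(args).lower()
    return global_cfg, blocks


def audit(text):
    """Return a list of finding codes; an empty list means all four measures hold."""
    cfg, blocks = parse_sshd_config(text)
    findings = []
    if "22" in cfg.get("port", ["22"]):
        findings.append("default-port")
    if cfg.get("permitrootlogin", DEFAULTS["permitrootlogin"]) != "no":
        findings.append("root-login")
    if cfg.get("passwordauthentication", DEFAULTS["passwordauthentication"]) != "no":
        findings.append("password-auth")
    users = cfg.get("allowusers", [])
    if not users or any("@" not in u for u in users):
        findings.append("no-source-restriction")
    # A Match block can quietly undo a global setting for some clients.
    for criteria, block in blocks:
        for key in ("permitrootlogin", "passwordauthentication"):
            if key in block and block[key] != "no":
                findings.append(f"match-weakens:{key}:{criteria}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

On a live host, `sshd -T` prints the effective settings after defaults are applied, which is a useful cross-check on a file-based audit like this one.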

  8. #8
    Senior Member gore
    Join Date: Oct 2002
    WOW! PWaring! Where the ... Where have you been man? I haven't seen you in a LONG time, and haven't seen you on AIM or anything either. I haven't been on AIM much either but still lol..

    Here is what I personally use:

    First off, Linux -

    I LOVE SUSE Linux, and it's probably the best Distro ever done. They have the best tools (Yast, and YAST2) and make it VERY easy to set up anything you'd like. OpenSUSE is good too, but I still like the real one best.

    I've used RedHat and Fedora Core, and I hate both.

    I've used Mandrake and Mandriva a bunch, and I do like that one. I don't know why, but the default look Emacs has on Mandrake Linux and Mandriva from a few years ago, looked nice lol. It's green and nice.

    I've used Ubuntu, and I didn't like it personally. It just seemed like a wimpy version of Debian to me.

    Debian I Love. I've used it as a Desktop, as a Server, and, as my main desktop, and liked it quite a bit. The ease of which APT makes things, is great. It's a lot like FreeBSD in that respect, and I like it.

    Gentoo... I hate.

    TurboLinux I've used a few times as well, and I still have my copy of Turbo Linux Workstation 4.0, but I never stuck with it.

    Open Linux - This was the first distro of Linux I ever had. I got it with a book called "Teach yourself Linux in 24 hours" back in I think 2000. I'd just gotten my first Computer, and after a few months, I learned about Linux, and so I bought a book with a CD to try it. I didn't install it for a while though, as I was too scared to screw up my Computer. So I waited for a while and installed it at school one day because the teacher and IT people were kinda... Well I'll be nice lol.

    I do think it was a nice distro, even if the bastards who made it are now trying to say Linux ripped off Unix. lol.

    PHLAK - I've got 0.2.1 onwards on CD, and I've used it before too. Just not that much.

    Pentoo - Again, used it, it's OK

    Backtrack - Started using version 2, liked it, but never installed it.

    Trustix - Found this one one day, read about it, liked what I saw, and grabbed it. I wrote an installation tutorial on here for it, and it seemed to get a decent response from the people who read it. A few members of AO who have me on their AIM buddy list were messaging me about it, and one of you installed it and didn't realize it didn't come with a GUI, not even as an option

    It's a great distro though; Or WAS anyway. It's no longer worked on at all from what I can tell. Or at least the last I looked it wasn't. Which sucks because it was really awesome for Servers. Basically Trustix was a made to be secure version of Linux that had no GUI, and X wasn't even on the installation media. You installed it, set it up, and it had some REALLY cool tools on it, but I think the whole "No GUI" thing kinda made it more for people who were looking for it specifically.

    I used it as a Server and CLI only desktop for a few months though, and didn't ever have a problem with it. It was VERY stable. You could chuck bricks at it and it wouldn't crack. I tried breaking into it a few times, but no luck. Well; No luck depending on how you look at it lol; I either did a REALLY good job locking it down, or I just suck at breaking it.

    Linux Mint - Used this a few times, liked it... I have 4.0 here on CD and it's still nice. It's a lot more popular now though.

    Libranet - I miss this one. It was based on Debian, and the guy who did it ended up dying, and his Son apparently tried to keep it going, but it's no longer active. And hasn't been in a VERY long time.

    I was sad to see that, because it was VERY nice. The Configuration tool it came with was.... It was one of the very best ever. You could configure the Kernel with a GUI! It was made so well, and made configuring the Kernel so easy that I even saw people writing about it saying they did it just because of how simple it was on this distro.

    I miss it, and it was awesome.

    Lunar Linux - Source based. Enough said lol.

    WHAX - Security based distro. It's actually pretty cool, but I don't think it's active anymore either. I have 3.0 on CD, and I liked it.

    Knoppix STD - The name seems like a term for Genital Warts, but actually, it's Knoppix made to be like PHLAK, and it's pretty good. I liked it, but I didn't ever install it, just used the Live CD.

    Open Mamba - Another Live CD, and though I usually don't like Live Distros, this one is actually pretty.

    MoonOS - I have MoonOS 3 - Makara Desktop here on CD, and to say pretty is an understatement.... It's got Enlightenment E-17 by Default, and they actually hired artists to make the default theme apparently. It looks great, and works really well.

    ZevenOS - Grabbed this because it looks a little like BeOS, which I also miss lol. (I have Zeta here too) and I like it.

    By the way; The main reason I'm doing such a small introduction on each of these, is that I have so many, that if I tried doing a write up of them all it would take a long time, and be almost unreadable by anyone planning on planting their "seed" lol.

    Bodhi Linux - Again, haven't installed it, but it does look really cool. Seems more general purpose to me.

    Slackware - I've been using Slackware on and off for a long time now. The first version I downloaded was 8.1 or 8.0, I'd have to check, since I still have all my discs for it, and I actually have 3.6 on CD that I traded with from a friend. I didn't have that version and I thought it was cool that it was an older one, so I traded him a Windows NT Workstation CD for it. (I got tired of using it as a Coffee Coaster, and my AOL discs were starting to pile up, and so I was gluing those and taping them to my wall, which was actually pretty cool, because I put some on the Ceiling on my room, and then I'd shoot a laser beam at the ones on the wall, and it would bounce to the ones on the ceiling and back and forth, it was awesome lol) so anyway, I've been using Slackware for a long time.

    I liked it but it took a little getting used to. When I first downloaded and installed it, I grabbed it, and then grabbed 9.0, and after the install was done, I was sitting there like "OK, now what?" I didn't read the installation guide, I just saw you used either Fdisk or CFDisk, and then typed Setup, and the rest I just figured out myself.

    I don't like that it doesn't do dependency checking, but other than that, I've used and liked it for a long time. I have used Slackware for everything from my Laptop, my Desktop, main desktop, and, my main FTP Server for quite some time now.

    My FTP Server is basically the very first PC I ever bought, with a dying video card, which makes using a GUI on it pretty much impossible, because it looks bad, but with text only it's not so bad. Though the last time I turned on the Monitor I think it died, so I just log in over SSH to install updates and do admin stuff. It's got two HDs, and has been up and running Slackware 12.0 for.... Well, ever since 12.0 came out.

    I don't plan on upgrading any time soon because I can't really get a video card for that machine.

    I generally have all my Linux distros set up in a manner to which they're used. If I'm using it for a Server, I'll set up a Firewall so that only IPs I allow can get in there, and since I have 3 Hardware based firewalls, and one "hardware security device" I don't worry much about it.

    Making sure /etc/securetty is set to only physical TTYs pretty much takes care of some issues, and some of the stuff Pwaring said as well.

    On my Server, I don't use X, and I don't have much installed except for the base packages, and a few other things, like the VSFTPd software, which minimizes the risk that I have a package with a flaw in it.

    My Passwords are all basically almost pronounceable line noise in form, so I don't worry about someone guessing it, and I run crackers on them from time to time, and so far none have been compromised.

    I'm also strict about what can actually be done on them; My FTP Server runs SSH, and VerySecureFTPd, and nothing else. You can't reach it from the outside unless I pop it in the DMZ, which, I only do under certain circumstances, like a friend wanting something from it, and then I'll in general ask them for their IP, poke a hole in the Firewalls, allow that IP, and then send them the log in info, and once they have what they want, I plug the hole, and take the machine away from the DMZ so it can't be touched from the outside anymore, and then delete the account.

    BSD -

    NetBSD - Don't use it, though I have two versions here. After the install, I didn't really care much for it.

    DesktopBSD - I like it, but I don't have it installed right now as I'm out of machines.

    OpenBSD - I hate Theo.

    PC-BSD - This is what I have on my Laptop right now, and I LOVE it. It's easy to set up, sees my Nvidia card out of the box, and works great. It's FreeBSD with a nice paint job and some custom stuff to make it better suited for the Desktop. It also has access to the Ports Collection, making it easy to install whatever you want.

    FreeBSD - I use it all the time. I first used FreeBSD when I was walking around Best Buy one day, and saw "BSD PowerPak" which had FreeBSD 4.0, the FreeBSD Toolkit on 6 CDs, and "The Complete FreeBSD" 3rd Edition. I grabbed it, and bought it.

    When I first opened the box, I was amazed at the Book. It was VERY well written, and actually easy to read.

    My first install, was a little rocky at first because at the time, I'd only really installed Linux once, and Windows maybe twice, and I was still learning about Computers in General. Mind you, this was in 2000, and I had gotten my first PC, in September of 1999. So it's not like I was into this for long at the time.

    I did see one thing though; The Power! I know every Linux user on Earth will say that Linux and FreeBSD can do the same basic stuff about the same basic way, but that's bullshit.

    I'm a Linux user too, and I don't have any issue saying that if my life depended on an OS, and I had to pick one (Like, for example, that time I called out a certain member who was going on and on about how Windows could be just as good as Unix, and I asked if a Computer had to run Kidney Dialysis on THEM, which OS would they pick) Well, if I was going to be hooked up to a Machine running something like that, I'd want that thing running FreeBSD.

    I've yet to actually see it crash. And Believe me, I've thrown some crap at it. I've crashed every OS I've ever used (sometimes it wasn't on purpose mind you) but, for some reason, I couldn't get this one to.

    I've crashed Windows 95 a million times...Who hasn't? Windows 98, yup... Windows 2000, XP, and so on... No big deal, make it do something important, and that usually does the trick. Specially if you have a couple TBs of traffic coming at it lol.

    Linux, crashed a bunch of those distros; Same basic ideal; Set up something that takes a bunch of resources, give it a huge load, and send over a few TBs of packets of all types and sizes, and it goes down like a cheap hooker who sees you have a 50 on you.

    It's harder to make Linux crash than it was Windows, but it still can happen if you try.

    But, BSD on the other hand, I've yet to make it go down.

    Using FreeBSD, is like being Married for about 30+ years; It's just NOT going to go down on you.

  9. #9
    Junior Member snowshell
    Join Date: Oct 2011


    How long have you been using Linux?

    10+ years.

    Which Distros of Linux have you tried?

    Most of the major ones - Slackware, Ubuntu, Debian, Fedora, Ubuntu and probably some others.

    Which Distros of Linux do you stick with the most?

    Debian (servers), Debian (desktop)

    If you DO only use one Distro of Linux, which one is it, and, why do you ONLY use that one?

    Have to side with pwaring
    apt blasts all other package management systems out of the water, plus it's easy to find a solution when searching for '(debian|ubuntu) (same problems)'

    What makes you stick with it?
    Debian changes infrequently enough to run on a server and as a desktop it supports Kernels that support SELinux and other Kernels like the Liquorix Kernel.

    Have you considered anything else?

    Yes, I've tried others... But this is the one!

    Have you yourself used SELinux?

    Yes, frequently, it just works out of the Box on Debian Squeeze 6.0.2

    How did you set it up?

    I opened the Manual and started reading from page one @

    What else have you done to lock the machine down?

    I ran Lynis and followed the sagely advice it gave me.

    Lynis is an auditing tool for specialists. It scans the system and available software, to detect security issues. Besides security related information it will also scan for general system information and configuration mistakes.

    Once finished with that I then disabled all running services and set up the IP Tables firewall and tweaked all the various bits and pieces and then set up my own PKI and preloaded LVM2 Full Disk Encryption and password protected GRUB.

  10. #10
    Junior Member
    Join Date: Apr 2004
    How long have you been using Linux?

    Since about 2004.

    Which Distros of Linux have you tried? / If you DO only use one Distro of Linux, which one is it, and, why do you ONLY use that one?

    I started off with Slackware and eventually started distro hopping. I tried everything I could. For a while, I would settle on something like Ubuntu, Arch or Debian. I did begin using RHEL/CentOS exclusively this year. I did it mainly because of SELinux.

    What makes you stick with it?

    The stability mainly. I also like how SELinux will prevent a program from doing something it shouldn't.

    Have you yourself used SELinux? / How did you set it up?

    I do use SELinux. For the most part, it just works. The policy is developed by the vendor and, if it limits something, it is usually as simple as changing a setting for a particular boolean. If the software is available in the repos, it is supposed to work with SELinux. If it doesn't, it is classified as a bug. SELinux comes with several tools for diagnosing issues and applying fixes.

    That being said, I recently spent a few hours banging my head against the wall while trying to set up an ssh tunnel as a systemd service. It was all SELinux related. That was the only time I have ever had to modify the default policy. Usually, it is just modifying file contexts or changing a boolean setting to get something to work with SELinux.

    What else have you done to lock the machine down?

    The nice thing about RHEL/CentOS is the ability to apply a security profile during the installation process. I prefer the security profiles because they are based on standards and can even be applied after the installation using openscap.
    Every man has his price. Mine is $3.95.
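
An added example, not part of the post above and not one of the SELinux tools it refers to: a Python triage of AVC denial records that groups them into the allow-rule shape and suggests which of the remedies named in the post (file context or boolean) to look at first. The log lines and the `example_*` type names are constructed placeholders, and the file-context-versus-boolean hint is a heuristic of this example only.

```python
"""Group SELinux AVC denials from audit.log text and summarise what was blocked."""
import re

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Object classes where a wrong label on the target is the usual first suspect.
FILE_CLASSES = {"file", "dir", "lnk_file", "sock_file", "fifo_file", "chr_file", "blk_file"}

# Constructed sample records; the example_* types are placeholders, not real policy types.
SAMPLE_LOG = """\
type=AVC msg=audit(1700000000.101:501): avc:  denied  { name_connect } for  pid=2101 comm="ssh" dest=8443 scontext=system_u:system_r:example_tunnel_t:s0 tcontext=system_u:object_r:example_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=42 success=no exit=-13 comm="ssh"
type=AVC msg=audit(1700000030.202:502): avc:  denied  { name_connect } for  pid=2144 comm="ssh" dest=8443 scontext=system_u:system_r:example_tunnel_t:s0 tcontext=system_u:object_r:example_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1700000031.303:503): avc:  denied  { read } for  pid=2144 comm="ssh" name="id_ed25519" scontext=system_u:system_r:example_tunnel_t:s0 tcontext=unconfined_u:object_r:example_home_t:s0:c0.c1023 tclass=file permissive=0
type=AVC msg=audit(1700000031.304:504): avc:  denied  { open } for  pid=2144 comm="ssh" name="id_ed25519" scontext=system_u:system_r:example_tunnel_t:s0 tcontext=unconfined_u:object_r:example_home_t:s0:c0.c1023 tclass=file permissive=0
"""


def selinux_type(context):
    """Extract the type from user:role:type:level (the level may itself contain ':')."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def triage(log_text):
    """Return one summary dict per (source type, target type, class), in first-seen order."""
    groups = {}
    for line in log_text.splitlines():
        match = AVC_RE.search(line)
        if not match:
            continue  # SYSCALL, PATH and other record types are skipped
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(match.group(2))}
        if not {"scontext", "tcontext", "tclass"} <= fields.keys():
            continue  # truncated record
        key = (selinux_type(fields["scontext"]),
               selinux_type(fields["tcontext"]),
               fields["tclass"])
        group = groups.setdefault(
            key, {"perms": set(), "comms": set(), "count": 0, "enforced": False})
        group["perms"].update(match.group(1).split())
        group["comms"].add(fields.get("comm", "?"))
        group["count"] += 1
        # permissive=0 means the access was actually blocked, not just logged.
        group["enforced"] |= fields.get("permissive", "0") == "0"

    report = []
    for (stype, ttype, tclass), group in groups.items():
        perms = " ".join(sorted(group["perms"]))
        report.append({
            # What the denial amounts to; a description, not a recommendation to allow it.
            "rule": f"allow {stype} {ttype}:{tclass} {{ {perms} }};",
            "commands": sorted(group["comms"]),
            "count": group["count"],
            "enforced": group["enforced"],
            "first_check": "file context" if tclass in FILE_CLASSES else "boolean",
        })
    return report


if __name__ == "__main__":
    for entry in triage(SAMPLE_LOG):
        print(entry["count"], entry["first_check"], entry["rule"])
```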
