I was wondering if anyone runs this here, and what your thoughts are on it.
I also am curious if NSA really uses this on their systems...
withdraw
Feb 3 2005, 09:20 PM
Here's a post that has a little info on nsa and selinux. BlackNet offered ssh root on a demo box, but that was back in March and it was the only post he made on this forum.
hyndla root # uname -a
Linux freyja 2.6.10-hardened-r3 #2 Wed Feb 2 15:01:51 GMT 2005 i686 Pentium III (Coppermine) GenuineIntel GNU/Linux
h1356 root # uname -a
Linux h1456 2.6.10-hardened-r3 #3 Thu Feb 3 20:03:27 CET 2005 i686 Intel® Celeron® CPU 2.40GHz GenuineIntel GNU/Linux
freyja root # uname -a
Linux freyja 2.6.7-hardened-r17 #1 Sat Dec 25 21:08:10 GMT 2004 i686
hardened kernel on all my servers... just a small example
+SELinux confs for apache2, mysqld, openssh etc etc...
+Chroot user shell on my systems where I run public software like shoutcast, teamspeak, psybnc etc
nuorder
Feb 5 2005, 03:18 AM
Fedora Core 3 has it built in. Seems to integrate a fair bit into the OS, can't remember how secure it actually is though, because FC3 wouldn't be my distro of choice anyway.
tibbar
Feb 9 2005, 07:22 PM
interesting stuff, i wonder just how secure it is compared to vanilla linux.
i'll give it a try on a spare pc.
i suppose if you find a hole in SELinux you could potentially hack into some serious systems...
dAggressor
Feb 15 2005, 09:45 PM
QUOTE(tibbar @ Feb 9 2005, 11:22 AM)
i suppose if you find a hole in SELinux you could potentially hack into some serious systems...
I wouldn't bet the farm that NSA is using it on their systems. As a matter of fact, I'd feel pretty confident in saying I'm sure they don't use it. Might there be some Linux weenie (yes I am one too) sitting at his desk with it running? Sure. But I wouldn't suspect anything of much import to have it loaded.
The first page reads:
QUOTE
This work is not intended as a complete security solution for Linux. Security-enhanced Linux is not an attempt to correct any flaws that may currently exist in Linux. Instead, it is simply an example of how mandatory access controls that can confine the actions of any process, including a superuser process, can be added into Linux.
That's not to say it won't be used sometime down the road, but I highly doubt it's being used in production on important systems now.
Just my 2 cents.
dAggressor
Spookie
Feb 16 2005, 08:19 PM
I would say that it would all depend on what side of the network they're running it at.
With something as large, and as techy as No Such Agency
You can be pretty sure they have a test room with multiple OS's and Distros running
Like Chinese 2000, Turbo Linux, etc etc
And if you recall the Microsoft issue with the Dual Keys that caused an uproar in Germany, which I believe was one of the factors causing Germany to switch to SuSE in the big brother side of the house, how much of the SELinux distro would you really trust?
JMO
myth
Feb 17 2005, 01:33 AM
It isn't the distro I would question trusting,
it's my own skill in hardening it. IMHO there's too much for me to learn about how to harden a kernel, at least SELinux gets me halfway there...
TrustedBSD is developing a variety of trusted operating system features for FreeBSD, including mandatory access controls, while SELinux has specifically focused on developing flexible mandatory access controls for Linux. The TrustedBSD mandatory access controls are currently limited to hardcoded policies such as multi-level security and Biba integrity, but they plan on migrating to a more flexible MAC architecture in the future. The TrustedBSD project has the ability to directly commit their features (as they mature) into the FreeBSD kernel, since their lead developer is also a FreeBSD core team member, whereas we lack such a direct path into the Linux kernel.
-- Stephen D. Smalley, NAI Labs ssmalley@nai.com
cduke250
Jun 19 2005, 08:52 PM
Wow great discussion!
Could someone post a little about the most secure (production ready) distros out there?
I just assumed openbsd was secure enough, but I am curious about the different linux hardened distros.
KuerbY
Jun 19 2005, 09:33 PM
there are many linux distros out there that are hardened from the beginning (depends on installation)
gentoo/fedora(=>3)/debian/hlfs
hell, I lost view over all the different distros... I use only one distro, it's perfect for me. find yours and be happy
Salvia
Jun 29 2005, 09:18 AM
QUOTE(cduke250 @ Jun 19 2005, 08:52 PM)
Wow great discussion!
Could someone post a little about the most secure (production ready) distros out there?
I just assumed openbsd was secure enough, but I am curious about the different linux hardened distros.
It is said that OpenBSD lost their government funding, so I don't know how quickly their technology will be advancing compared to say FreeBSD or Linux.
.ZEr0
Jul 4 2005, 08:47 PM
.great
[edit] tibbar - what a GREAT first post. Read the rules. + 1 warning + 15 day holiday.
TheSmokingMan
Jul 4 2005, 10:59 PM
openbsd's progress is actually quite good. it's not intended to be bleeding edge but its default install security model is most effective. I find it makes an excellent shellbox or network fileserver. I don't really recall openbsd being government funded though
cduke250
Jul 5 2005, 05:04 AM
I love FreeBSD, but my opinion is that it is not in the same category security-wise as OpenBSD.
I think everyone needs a secure OS like openBSD to manage gpg, encryption, etc..
I love linux also, but it is my opinion that the kernel is far from being as secure as the BSDs... So a secure linux distro better have a major overhauled kernel.
Check out the distro IpCop www.ipcop.org -- it uses a heavily modified openBSD kernel.
cyberdog
Jul 5 2005, 04:55 PM
QUOTE(cduke250 @ Jun 19 2005, 08:52 PM)
Wow great discussion!
Could someone post a little about the most secure (production ready) distros out there?
I just assumed openbsd was secure enough, but I am curious about the different linux hardened distros.
I haven't yet tried it myself but a friend of mine swears by adamantix
Salvia
Jul 5 2005, 10:58 PM
QUOTE(TheSmokingMan @ Jul 4 2005, 10:59 PM)
openbsd's progress is actually quite good. it's not intended to be bleeding edge but its default install security model is most effective. I find it makes an excellent shellbox or network fileserver. I don't really recall openbsd being government funded though
Yes it was government funded via grants just like most of the others
but the man in charge of receiving the grants mouthed off about the same people he was getting the grants from... (don't bite the hand that feeds you).
TheSmokingMan
Jul 6 2005, 09:02 PM
QUOTE(cduke250 @ Jul 5 2005, 01:04 AM)
Check out the distro IpCop www.ipcop.org -- it uses a heavily modified openBSD kernel.
ipcop is great (longtime user) but it's not openbsd, it's linux
I should lose points for nitpicking but since it's a product I use and love I couldn't help myself
as for the grants, I can see how that seems like government funding in a way ... I guess.