[tibbar]

Here's a link to it:

http://www.nsa.gov/selinux/

I was wondering if anyone runs this here, and what your thoughts are on it.

I also am curious if NSA really use this on their systems...

[withdraw]

Heres a post that has a little info on nsa and selinux. BlackNet offered ssh root on a demo box, but that was back in March and it was the only post he made on this forum.

http://www.governmen...?showtopic=5196

[KuerbY]

hyndla root # uname -a
Linux freyja 2.6.10-hardened-r3 #2 Wed Feb 2 15:01:51 GMT 2005 i686 Pentium III (Coppermine) GenuineIntel GNU/Linux

h1356 root # uname -a
Linux h1456 2.6.10-hardened-r3 #3 Thu Feb 3 20:03:27 CET 2005 i686 Intel® Celeron® CPU 2.40GHz GenuineIntel GNU/Linux

freyja root # uname -a
Linux freyja 2.6.7-hardened-r17 #1 Sat Dec 25 21:08:10 GMT 2004 i686

hardened kernel on all my servers... just a small example ;)

+SELinux confs for apache2,mysqld,openssh etc etc...

+Chroot User shell on my systems where i run public software like shoutcast,teamspeak ,psybnc etc

[nuorder]

Fedora Core 3 has it build in. Seems to integrate a fair bit into the OS, can't remember how secure it actually though because FC3 wouldnt be my distro of choice anyway.

[tibbar]

interesting stuff, i wonder just how secure it is compared to vanilla linux.

i'll give it a try on a spare pc.

i suppose if you find a hole in SELinux you could potentially hack into some serious systems...

[dAggressor]

tibbar, on Feb 9 2005, 11:22 AM, said:

i suppose if you find a hole in SELinux you could potentially hack into some serious systems...

<{POST_SNAPBACK}>

I wouldn't bet the farm that NSA is using it on their systems. As a matter of fact, I'd feel pretty confident in saying I'm sure they don't use it. Might there be some Linux weenie (yes I am one too) sitting at his desk with it running? Sure. But I wouldn't suspect anything of much import to have it loaded.

The first page reads:

Quote

This work is not intended as a complete security solution for Linux. Security-enhanced Linux is not an attempt to correct any flaws that may currently exist in Linux. Instead, it is simply an example of how mandatory access controls that can confine the actions of any process, including a superuser process, can be added into Linux.

That's not to say it won't be used sometime down the road, but I highly doubt it's being used in production on important systems now.

Just my 2 cents.

dAggressor

[Spookie]

I would say that it would all depend on what side of the network there runing it at.

With something as large, and as techy as No Such Agency

You can be pretty sure they have a test room with multiple OS's and Distros running

Like Chinese 2000, Turbo Linux, etc etc

And if you recall the Microsoft issue with the Duel Keys that caused an uproar in Germany which I belive was one of the factors causing Germany to switch to SuSE in the big brother side of the house, how much of the SELinux distro would you really trust?

JMO

[myth]

It isnt the distro i would question trusting

its my own skill in hardening it. IMHO theres too much for me to learn about how to harden a kernel, atleast SELinux gets me halfway there...

Oh, and duel keyes with M$ and Germany ????

[Spookie]

Quote

Oh, and duel keyes with M$ and Germany ????

Microsoft 'Windows' Security Under Heavy Fire

[Stephen]

Quote

TrustedBSD is developing a variety of trusted operating system features for FreeBSD, including mandatory access controls, while SELinux has specifically focused on developing flexible mandatory access controls for Linux. The TrustedBSD mandatory access controls are currently limited to hardcoded policies such as multi-level security and Biba integrity, but they plan on migrating to a more flexible MAC architecture in the future. The TrustedBSD project has the ability to directly commit their features (as they mature) into the FreeBSD kernel, since their lead developer is also a FreeBSD core team member, whereas we lack such a direct path into the Linux kernel.

--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com

[cduke250]

Wow great discussion!

Could someone post a little about the most secure (production ready) distros out there?

I just assumed openbsd was secure enough, but I am curious about the different linux hardened distros.

[KuerbY]

there are many linux distros out there and hardened from beginning (depends from installation)

gentoo/fedora(=>3)/debian/hlfs

hell i lost view over all the different distros...
i use only one distro its perfect for me
find yours and be happy

[Stephen]

cduke250, on Jun 19 2005, 08:52 PM, said:

Wow great discussion!

Could someone post a little about the most secure (production ready) distros out there? 

I just assumed openbsd was secure enough, but I am curious about the different linux hardened distros.

<{POST_SNAPBACK}>

It is said that OpenBSD lost their government funding so I dont know how quickly their technology will be advancing compared to say FreeBSD or Linux

[.ZEr0]

.great

[edit] tibbar - what a GREAT first post. Read the rules. + 1 warning + 15 day holiday.

[TheSmokingMan]

openbsd's progress is actually quite good. its not intended to be bleeding edge but its default install security model is most effective. I find it makes an excellent shellbox or network fileserver. I don't really recall openbsd being government funded though