Re: Security Patches to the Linux Kernel

From: Serge Wroclawski (serge@tux.org)
Date: 09/02/01


Date: Sun, 2 Sep 2001 07:23:57 -0400 (EDT)
From: Serge Wroclawski <serge@tux.org>
To: Linux0wnz <admin@linux-lovers.net>
Subject: Re: Security Patches to the Linux Kernel
Message-ID: <Pine.LNX.4.30.0109020715380.17445-100000@gwyn.tux.org>

On Thu, 30 Aug 2001, Linux0wnz wrote:

> http://www.nsa.gov/selinux/

I've heard a talk and talked with the people who made this patch.

This is probably the most complex and most complete, but I'd say it's not
ready for prime time.

Furthermore, it's quite a complex piece of software and the way in which
the ruleset is built makes anything you've done with a packet filter seem
trivial in comparison.

The power of being able to control a process by role, by system call and
by call order is very nice, but the complexity which it takes to get that
level of security is IMHO beyond the means of the normal system group at
this time.

It's more probable that you can get that "almost sureness" now with far
less work than having to use such a system and tune it to such a fine
degree.

Packet filters, TCP wrappers, log collection, log analysis, file integrity
checks, process accounting, running your system from memory or CD (i.e. a
non-writable medium)... These and other things can be applied to your
system to provide a high degree of security and would not require heavy
patching or new fundamental frameworks or experimental code.

I would say that if your application is really in need of more than this,
then perhaps you need to rethink a lot more infrastructure.

- Serge Wroclawski


