Re: Security Patches to the Linux Kernel

From: Serge Wroclawski (serge@tux.org)
Date: 09/02/01


Date: Sun, 2 Sep 2001 07:23:57 -0400 (EDT)
From: Serge Wroclawski <serge@tux.org>
To: Linux0wnz <admin@linux-lovers.net>
Subject: Re: Security Patches to the Linux Kernel
Message-ID: <Pine.LNX.4.30.0109020715380.17445-100000@gwyn.tux.org>

On Thu, 30 Aug 2001, Linux0wnz wrote:

> http://www.nsa.gov/selinux/

I've heard a talk and talked with the people who made this patch.

This is probably the most complex and most complete, but I'd say it's not
ready for prime time.

Furthermore, it's quite a complex piece of software and the way in which
the ruleset is built makes anything you've done with a packet filter seem
trivial in comparison.

The power of being able to control a process by role, by system call and
by call order is very nice, but the complexity which it takes to get that
level of security is IMHO beyond the means of the normal system group at
this time.

It's more probable that you can get that "almost sureness" now with far
less work than having to use such a system and tune it to such a fine
degree.

Packet filters, TCP wrappers, log collection, log analysis, file integrity
checks, process accounting, running your system from memory or CD (i.e. a
non-writable medium)... These and other things can be applied to your
system to provide a high degree of security and would not require heavy
patching or new fundamental frameworks or experimental code.

I would say that if your application is really in need of more than this,
then perhaps you need to rethink a lot more infrastructure.

- Serge Wroclawski