Re: Linux Distribution Recommendation

From: Peter Busser (peter_at_devbox.adamantix.org)
Date: 03/04/04

    Date: Thu, 4 Mar 2004 10:44:05 +0100
    To: security-basics@securityfocus.com
    
    

    Hi!

    > 4.) By Sacrifice security for functionality I mean you can run something
    > like SElinux, Gentoo hardened or Adamantix which is harder to crack than
    > just about anything but you will pay a price, things like PaX stack
    > protection will give you a significant performance hit and break many
    > applications. It should be noted that the 2.6 kernel will have SElinux
    > built in,

    I wonder how much of a performance hit you would call significant. Personally,
    I do not notice a performance difference between a PaX kernel and a non-PaX
    kernel. With the segmentation based protection, the performance impact is
    estimated at 2%.

    And then, even if you are right, and the performance impact is indeed
    significant (let's say 20%), then you just wait 6 months: for the same price
    you will get a 20% faster CPU that will compensate for the impact. If you
    cannot wait 6 months, you simply pay a hundred bucks more now. A small
    investment that really pays off, once you realise how much a successful
    break-in and the resulting downtime cost.

    It should be noted that systems like RSBAC (which is used in Adamantix) and
    SELinux are as secure as the kernel is. The recent list of Linux kernel exploits
    shows that this security is not exactly perfect. So don't expect miracles from
    systems like that, even though some people would like to make you believe
    otherwise.

    Groetjes,
    Peter Busser
