Ok I understand what you are saying. My point is that SELinux gets in the way of what I would consider good security practices.
Think about it this way. If you configure SELinux to be permissive, then there is effectively no difference between that and not having it run at all. If someone breaks into ring 0 (uid 0 or whatever), then your system is hosed and it doesn't matter if SELinux is in place or not. Yes, SELinux makes it harder to crack, but come on, we all know it doesn't make it impossible. In my mind it's like that little chain people put on their doors. Most of the time it's a pain and doesn't really serve the purpose it's touted to serve.

In today's instance, no real damage occurred (other than an IP blacklist for spamming), because there was true security in place. That is to say, nothing of value was stored on a box which had connections to the wider world. The valuable information is locked up behind physical hardware firewalls, and the servers holding this information require VPN tunneling with certificate-based authentication to get at. Furthermore, they are separated by function and there is no direct link between them, except as necessary to allow them to facilitate their individual bits of business logic. Similar to watertight doors in the Navy. Thus if any single box is compromised, or even a handful of them, even a physical compromise where someone goes down to the NOC and boots into runlevel 1, the wider purpose remains secure.

I believe that true security comes from a certain sense of paranoia, i.e. "What happens when this box falls into the hands of an attacker?" Not just "How do I secure this against attacks?" Note the difference in mindset. I go forward with assuredness in my mind that the box will eventually fall into someone else's hands. I never even question it. And while I would like to configure central auth because certificate management is getting unwieldy, the fact is I don't, because I assume at some point the auth server will get compromised.

I guess the difference in mindset is summed up by the two narratives told by Levi and myself. He believes that a lock is there to secure valuables. I believe it's there to deter would-be attackers. That's a HUGE difference in thinking! I was raised with an old saying, "Locks are there to keep honest folks honest". Thus I don't even bother to lock my front door when I'm away. For exactly the reason he states, it's a pain to come in with a load of groceries and fumble for a key. Instead I secure anything of reasonable value in a safe that's bolted to the floor and stashed in the basement. Can they come in and steal my TV? Sure! But that's why I buy insurance and choose to live in a low-crime neighborhood. Could they possibly break the concrete floor up with a jackhammer and dolly the safe out? Yes, but that's what I have insurance for. At some point you have to say enough is enough, I need usability. The best security I can offer for my valuables is a bank vault, but then again a court order (or even someone flashing a badge, legitimate or not) can cause the bank to cough that up, so is it really any more secure?

I do lock my door at night. That's because anyone trying to come in while I'm home will likely make enough noise that I can come down and confront them. But while I'm away? Sure, come on in! Just realize I have a camera on the front and back doors to record who's coming and going. :)

On Thu, Feb 6, 2014 at 1:30 PM, Joshua Marsh <jos...@themarshians.com> wrote:

> On Thu, Feb 6, 2014 at 1:08 PM, Levi Pearson <levipear...@gmail.com>
> wrote:
>
> > I know security is not easy, but if you're going to have a
> > public-facing server, you really ought to take the time to figure it
> > out. You'll spend less time doing that than you will cleaning up
> > after you get hacked. And, as you just experienced, you *will* get
> > hacked if you continue to rely on the Unix security model.
> >
>
> It's too bad that most people don't think about becoming security conscious
> themselves. The business models I've seen in the past are: who cares,
> contract it out, or rely on 3rd party systems (e.g. App Engine). None of
> these help engineers and architects become more security conscious. It's
> pushing the accountability somewhere else (in the first case, on the
> floor).
>
> I agree that learning about it is important. We've had PLUG meetings about
> SELinux and there are a bunch of introductions/tutorials on YouTube. I'm
> personally not a fan of SELinux, but knowing about any LSM will at least
> give you a leg up on the average engineer. Putting that on a resume will
> look good. I can only imagine it will become more important in the future.
>
> /*
> PLUG: http://plug.org, #utah on irc.freenode.net
> Unsubscribe: http://plug.org/mailman/options/plug
> Don't fear the penguin.
> */