Security by default in Linux?!

Gullible Jones · 2005-08-25 15:29:43

Now I know a lot of people disagree with what Theo de Raadt said of Linux; I'm one of those people. Sure, Linux isn't as secure as OpenBSD (is anything?), but de Raadt did have a point. Linux is not as good an operating system as it could be.

Yes, I'm talking about security, and kernel patchsets in particular. Why is it that grSecurity and SELinux kernels are used by default by so few distributions? If you want security, then the first thing you want to do is defend yourself from common attacks, and those patches are designed for that purpose. Why is their use so damned uncommon? Do they compromise system functionality in ways I haven't heard of?

cactus · 2005-08-25 15:45:58

SELinux is more than a kernel hardener. It is a mandatory access control implementation that sets system policy via the kernel LSM (linux Security Module). There are other mandatory access control implementations that can be used, but I can only think of LIDS, and I have no idea how much work is being done on it.

The hard thing about SELinux, is setting policy. Installation of the required utilities is no longer terribly difficult (it once was a huge pain in the ass). Setting a good policy for a system *is* rather difficult. Add to this the fact that MACs (mandatory access controls) are very usage specific and not generally geared towards portability, you have a real problem coming up with reasonable defaults.
Just look at Fedora. Even after several version that include selinux support, still they are having apes trying to come up with a default policy that people can use in a more "general setup".

Selinux works very well. The policy definitions are hard to write, and the syntax is a a pain. But it works, and works very well. It is just that it is such a 'system personalized' thing, that it is hard to come up with an 'across the board' policy set.

It is akin to trying to get everyone to wear the same clothes. Some people are fat, some are skinny, some short, etc, etc. It is easier if you just try covering everyone with a white sheet, so they look like ghosts (discretionary policy is a blanket white sheet), than it is putting everyone in a size 34:32 pair of custom tailored trousers (MAC being custom trousers).

Gullible Jones · 2005-08-25 19:27:36

And grSecurity...? I see what you mean about access controls, but I think that most distros could, at least, use the PaX patchset for their default kernels, and perhaps ProPolice as well.

cactus · 2005-08-25 21:24:24

No idea about GR. I dont know anything about it, other than it is supposed to be some type of security patch..

Gullible Jones · 2005-08-26 12:05:32

http://www.grsecurity.net/

Appears to have MAC, though with some sort of autoconfig mechanism (might not be so great, not sure). It also includes PaX.

Arch Linux

#1 2005-08-25 15:29:43

Security by default in Linux?!

#2 2005-08-25 15:45:58

Re: Security by default in Linux?!

#3 2005-08-25 19:27:36

Re: Security by default in Linux?!

#4 2005-08-25 21:24:24

Re: Security by default in Linux?!

#5 2005-08-26 12:05:32

Re: Security by default in Linux?!

Board footer