[clug] My windows box got rooted last week... how at risk is Linux?

Paul Wayper paulway at mabula.net
Thu Jun 12 07:19:07 GMT 2008


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Daniel Pittman wrote:
|> While linux in general is less insecure than windows, I believe it is
|> entirely possible to configure a linux box so it is secure, really
|> really secure, using SELinux or AppArmor etc.  Mind you, I've never
|> known anyone who actually did it successfully though ;-)
|
| What, Mandatory Access Control systems being hard?  Say it ain't so. ;)
|
| Seriously, those MAC modules don't actually add /that/ much security in
| many cases; the issues they protect against are bypassed by the
| exploits.

Well, that's certainly not my experience of SELinux, for example.  I've seen a
number of attempts to subvert my web server when I was at ANU, and each time
they would have fallen afoul of the system's SELinux Apache policy of not
allowing execution of a binary from the /tmp directory.  And there were no
intersections of the set of places that Apache could write to and the set of
places that got the httpd_sys_script_exec_t type automatically.  Even then,
they would have hit the rule not allowing outgoing network connections.  Of
course, inbound connections were handled by my iptables policy.  So short of
me doing something stupid with my access policies or someone finding a flaw in
SELinux, it was secure.

Which does mean that you have to understand SELinux policies in order to get
that security.  But then the same goes for any security system.

Chris, do you think I should give a talk on a beginner's guide to working with
SELinux?

|> Unless you have a really good reason, put a firewall between the
|> machine and the internet.  That goes quadruple for windows boxes.
|
| This makes very little security difference if your exposure is due to a
| kernel IP level bug, or to a service that you expose to the Internet.
|
| It also leads to a much more significant risk that your "crunchy on the
| outside, soft in the middle" infrastructure will be compromised the
| moment someone walks an infected laptop into the building.

Well, I'd agree with that.  Some people look at me funny when I say that I
still have SELinux enabled on all my home machines, including my MythTV
machine.  But then I have MythWeb installed and occasionally allow friends
onto my WiFi network, so it makes good sense to me.  And why disable something
that's going to protect you if it's not getting in your way - or if you can
make what you want to do fit within its protection?

However, I'd point out that the risk of a "kernel IP level bug" or similar
Linux system-wide vulnerability is vanishingly small, both in terms of the
numbers of physical attacks seen on the Internet and in terms of the scrutiny
of the code.  The last kernel exploit required the attacker to take advantage
of a very specific set of circumstances that was vanishingly hard to reproduce
without physical access to the machine.  In these terms you are more likely to
have your machine hacked by someone physically being on it and doing something
stupid than you are to get a remote attack that succeeds.  So while it's good
to be honest - that no security system is foolproof or totally secure - it's
also important to not engage in "Security Theatre" and blow the risks out of
proportion.

Overall, there's a lot of evidence that, while not totally secure, Linux in
the hands of an average person is much more secure than a Windows machine in
the same user's hands.  In the hands of someone who knows what they're doing,
both OSes are pretty resilient, but that's hardly the most common scenario.

Have fun,

Paul
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFIUM3ru7W0U8VsXYIRAsSWAJ47e9okistfLmnZFbfHsWhBPuChsgCggh5w
yMMPkREze7kUYkF2r+GuF68=
=cR66
-----END PGP SIGNATURE-----
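As an added example, not Paul's script and not anything posted in this thread: a POSIX shell audit for the two SELinux conditions the reply above leans on, namely that httpd cannot open outgoing connections (the `httpd_can_network_connect` boolean) and that no file of type `httpd_sys_script_exec_t` sits in a directory httpd is allowed to write to. The boolean names and the "writable" type list are assumptions about the Fedora/RHEL targeted policy of the era (check them with `getsebool -a` and `sesearch` on your own host); the two sample inputs are constructed here so the script runs offline, and mimic `getsebool -a` output and a `find DIR -printf '%y %p %Z\n'` listing.

```shell
#!/bin/sh
# Added example, not part of the original mailing-list post.
# Audits an SELinux-confined Apache host for two properties:
#   1. booleans that would let httpd make outgoing connections or
#      execute from /tmp are off;
#   2. no file typed httpd_sys_script_exec_t lives in a directory whose
#      own type httpd may write to (the "intersection" the post describes).

# Assumption: these booleans exist in the targeted policy you run.
MUST_BE_OFF="httpd_can_network_connect httpd_tmp_exec"
# Assumption: types httpd_t may write to; extend after checking with sesearch.
WRITABLE_TYPES="httpd_sys_rw_content_t httpd_tmp_t"
EXEC_TYPE="httpd_sys_script_exec_t"

# Constructed sample in `getsebool -a` format (one boolean is wrongly on).
SAMPLE_BOOLEANS='httpd_can_network_connect --> on
httpd_enable_cgi --> on
httpd_tmp_exec --> off'

# Constructed sample listing: "type path context" per entry, as produced by
# GNU find's -printf '%y %p %Z\n'. The last entry is a mislabelled upload.
SAMPLE_LISTING='d /var/www/cgi-bin system_u:object_r:httpd_sys_script_exec_t:s0
f /var/www/cgi-bin/index.cgi system_u:object_r:httpd_sys_script_exec_t:s0
d /var/www/html system_u:object_r:httpd_sys_content_t:s0
f /var/www/html/index.html system_u:object_r:httpd_sys_content_t:s0
d /var/www/html/uploads system_u:object_r:httpd_sys_rw_content_t:s0
f /var/www/html/uploads/avatar.png system_u:object_r:httpd_sys_rw_content_t:s0
f /var/www/html/uploads/shell.cgi unconfined_u:object_r:httpd_sys_script_exec_t:s0'

# Reads `getsebool -a` lines on stdin; prints each MUST_BE_OFF boolean that
# is on and returns 1 if any was found, 0 otherwise.
check_booleans() {
    bad=0
    while read -r name arrow value; do
        for want in $MUST_BE_OFF; do
            if [ "$name" = "$want" ] && [ "$value" = "on" ]; then
                echo "boolean $name is on (expected off)"
                bad=1
            fi
        done
    done
    return $bad
}

# Reads "type path context" lines on stdin; prints, sorted, every regular
# file of EXEC_TYPE whose parent directory carries a WRITABLE_TYPES type.
find_exec_in_writable() {
    awk -v writable="$WRITABLE_TYPES" -v exec_t="$EXEC_TYPE" '
    function type_of(ctx,   parts) { split(ctx, parts, ":"); return parts[3] }
    function dirname_of(p) { sub(/\/[^\/]*$/, "", p); return p }
    BEGIN { n = split(writable, w, " "); for (i = 1; i <= n; i++) wr[w[i]] = 1 }
    $1 == "d" && (type_of($3) in wr) { wdir[$2] = 1 }
    $1 == "f" && type_of($3) == exec_t { execfile[$2] = 1 }
    END { for (f in execfile) if (dirname_of(f) in wdir) print f }
    ' | sort
}

# Runs both checks on the two inputs given as arguments; returns 1 on findings.
audit_all() {
    status=0
    printf '%s\n' "$1" | check_booleans || status=1
    found=$(printf '%s\n' "$2" | find_exec_in_writable)
    for f in $found; do
        echo "script-exec type inside httpd-writable directory: $f"
        status=1
    done
    return $status
}

if audit_all "$SAMPLE_BOOLEANS" "$SAMPLE_LISTING"; then
    echo "audit: clean"
else
    echo "audit: findings above break the assumptions of the SELinux setup"
fi
```

On a live host replace the two samples with `getsebool -a` and `find /var/www /srv -printf '%y %p %Z\n'`; paths containing whitespace would need the `for f in $found` loop replaced with a `while read -r` loop. Note the script only compares file labels, so a writable directory that gets an executable label through a type transition or a `chcon` at runtime is caught only when the listing is taken after the fact, which is why Paul's point about having no such intersection in the policy itself matters.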