BLU Discuss list archive
[Discuss] apache problem
- Subject: [Discuss] apache problem
- From: invalid at pizzashack.org (Derek Martin)
- Date: Wed, 9 Jan 2019 13:55:25 -0600
- In-reply-to: <20190109192026.nk4avvppxfnrdqxr@angus.ind.wpi.edu>
- References: <20190108230616.GA17844@aldeberon-localdomain> <1546991099.782616.1629322016.75BE6566@webmail.messagingengine.com> <20190109164950.GD9285@bladeshadow.org> <20190109174553.h3d5b4aop2odflvf@angus.ind.wpi.edu> <5c364081.1c69fb81.1dbd8.4c68@mx.google.com> <20190109192026.nk4avvppxfnrdqxr@angus.ind.wpi.edu>
On Wed, Jan 09, 2019 at 07:20:29PM +0000, Anderson, Charles R wrote:
> It can harden a system against attack from without for example by
> preventing sockets from being bound, similar to iptables.

It can not do this on a system that is running public services--the sockets for such are necessarily bound. If a machine is not running services, then, barring kernel bugs in the network stack itself, it will not have vectors of attack that are vulnerable to attack from without to begin with.

> But most of what it does is limit the scope or capabilities of an
> attack once outer defenses are penetrated, and also can provide
> alerting to an attack. Defense-in-depth.
>
> There is already a rich set of access controls defined for the SELinux
> targeted policy that most people use, and is the default
> out-of-the-box config on Fedora and Red Hat. So you get to benefit
> from all that work with very little effort.

One aspect of defense in depth is to avoid running services using default configurations at well known ports (if possible for your application) and with data at well-established locations. SANS, for one, preached this in their GSEC program. If you do this, your default SELinux policies become useless, and you will have to re-craft them (at least partly) by hand. Due to the complexity of it, if you do not have considerable experience, and rigorous testing of your policies, I expect you will most probably fail to do this correctly. It took the major distros YEARS to get theirs right, and they have a lot more resources to spend on it than the average home user.

In most cases, careful privilege separation and file permissions get you the bulk of what you need; staying patched gets you the rest. If you can't manage that much, how will you ever figure out what SELinux policies you need?

I'm not saying SELinux has no value. I AM saying that I believe for the average home user trying to provide some basic services for their home network, or even to run a small Internet site, what it provides is much more trouble than it's actually worth, and the needed levels of security are more easily provided other ways, most of which you were probably already doing anyway.

--
Derek D. Martin    http://www.pizzashack.org/    GPG Key ID: 0xDFBEAD02
-=-=-=-=-
This message is posted from an invalid address. Replying to it will result in undeliverable mail due to spam prevention. Sorry for the inconvenience.
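The message above argues that careful file permissions and privilege separation cover most of what a small web host needs. As an added illustration (this is editorial example code, not something posted to the list or shipped by any project), the POSIX shell function below audits a document root for the two mistakes that approach is meant to rule out: world-writable entries and files not owned by the account that should own them. The directory path, the owner name and the sample tree built in the usage section are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example: a minimal permission audit for a web document root.
# It is not code from the list thread; paths and owner names are assumed.

# audit_docroot DIR OWNER
# Lists world-writable entries and entries not owned by OWNER under DIR.
# Returns 0 when nothing is flagged, 1 otherwise, so it can gate a deploy.
audit_docroot() {
    dir="$1"
    owner="$2"

    # Any world-writable file or directory lets every local account change
    # served content or drop files the web server will read.
    ww=$(find "$dir" -perm -0002 -print | wc -l | tr -d ' ')
    # Files owned by someone other than the expected account usually mean
    # content was copied in as root or as a personal login by mistake.
    fo=$(find "$dir" ! -user "$owner" -print | wc -l | tr -d ' ')

    if [ "$ww" -gt 0 ]; then
        find "$dir" -perm -0002 -print | sed 's/^/world-writable: /'
    fi
    if [ "$fo" -gt 0 ]; then
        find "$dir" ! -user "$owner" -print | sed 's/^/unexpected owner: /'
    fi

    [ "$ww" -eq 0 ] && [ "$fo" -eq 0 ]
}

# Stand-alone usage: audit_docroot.sh /path/to/htdocs www-data
# (the default owner "www-data" is an assumption; use your server's account).
if [ -n "${1:-}" ]; then
    audit_docroot "$1" "${2:-www-data}"
fi
```

Run it against the real document root as the last step of a deploy and treat a non-zero exit as a reason to stop; the same two `find` predicates work as a nightly cron check that mails its output only when something is flagged.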
- Follow-Ups:
- [Discuss] apache problem
- From: cra at wpi.edu (Anderson, Charles R)
- [Discuss] apache problem
- From: blu at cyberpear.com (James Cassell)
- [Discuss] apache problem
- References:
- [Discuss] apache problem
- From: jdm at moylan.us (dan moylan)
- [Discuss] apache problem
- From: blu at cyberpear.com (James Cassell)
- [Discuss] apache problem
- From: invalid at pizzashack.org (Derek Martin)
- [Discuss] apache problem
- From: cra at wpi.edu (Anderson, Charles R)
- [Discuss] apache problem
- From: richard.pieri at gmail.com (Rich Pieri)
- [Discuss] apache problem
- From: cra at wpi.edu (Anderson, Charles R)
- [Discuss] apache problem