Boston Linux & UNIX was originally founded in 1994 as part of The Boston Computer Society. We meet on the third Wednesday of each month at the Massachusetts Institute of Technology, in Building E51.

BLU Discuss list archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Discuss] apache problem

On Wed, Jan 09, 2019 at 01:55:25PM -0600, Derek Martin wrote:
> On Wed, Jan 09, 2019 at 07:20:29PM +0000, Anderson, Charles R wrote:
> > It can harden a system against attack from without for example by
> > preventing sockets from being bound, similar to iptables.
> It can not do this on a system that is running public services--the
> sockets for such are necessarily bound.  If a machine is not running
> services, then, barring kernel bugs in the network stack itself, it
> will not have vectors of attack that are vulnerable to attack from
> without to begin with.

It can prevent specific applications (process security contexts) from
binding to specific sockets/ports, either for inbound or outbound
connections.  External firewalls cannot do that to my knowledge.

> In most cases, careful privilege separation and file permissions get
> you the bulk of what you need; staying patched gets you the rest.  If
> you can't manage that much, how will you ever figure out what SELinux
> policies you need?

Well, SELinux can be part of a privilege separation strategy.  If for
example, someone managed to break in through Apache and then get a
root shell somehow, their root shell won't have privileges to do
anything beyond what the Apache policy allows.  They won't be able to
add users, make SSH connections, start a new sshd on a different port,
modify binaries, install software packages, run the compiler, turn off
SELinux, erase logs, etc.

> I'm not saying SELinux has no value. I AM saying that I believe for
> the average home user trying to provide some basic services for their
> home network, or even to run a small Internet site, what it provides
> is much more trouble than it's actually worth, and the needed levels
> of security are more easily provided other ways, most of which you
> were probably already doing anyway.

Okay, I guess.  I just think people overstate the "SELinux trouble"
part, especially with the current distro SELinux configuration.  I
wasn't meaning to use "fear" or "FUD" as an argument tactic--I was
just trying to point out the parallels between newbies' or home users'
acceptance of DAC and past arguments that DAC is "too much trouble to
deal with" vs. current arguments that SELinux MAC is too much trouble.

BLU is a member of BostonUserGroups
BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.

Valid HTML 4.01! Valid CSS!

Boston Linux & Unix /