BLU Discuss list archive
[Discuss] apache problem
- Subject: [Discuss] apache problem
- From: richard.pieri at gmail.com (Rich Pieri)
- Date: Wed, 9 Jan 2019 16:43:04 -0500
- In-reply-to: <20190109205836.l3zbdwj674r26l77@angus.ind.wpi.edu>
- References: <20190108230616.GA17844@aldeberon-localdomain> <1546991099.782616.1629322016.75BE6566@webmail.messagingengine.com> <20190109164950.GD9285@bladeshadow.org> <20190109174553.h3d5b4aop2odflvf@angus.ind.wpi.edu> <5c364081.1c69fb81.1dbd8.4c68@mx.google.com> <20190109192026.nk4avvppxfnrdqxr@angus.ind.wpi.edu> <20190109195525.GF9285@bladeshadow.org> <20190109205836.l3zbdwj674r26l77@angus.ind.wpi.edu>
On Wed, 9 Jan 2019 20:58:38 +0000
"Anderson, Charles R" <cra at wpi.edu> wrote:

> It can prevent specific applications (process security contexts) from
> binding to specific sockets/ports, either for inbound or outbound
> connections. External firewalls cannot do that to my knowledge.

Not as such, but it's not needed with secure infrastructure:

My web server machine is in a DMZ. The web server machine runs only the web server. This DMZ permits connections to the web server machine on port 443 from the public network and on port 22 from the secure management network. This DMZ permits outgoing connections to the application server DMZ on a designated port. Everything else is implicitly denied.

Whatever sockets an attacker binds, whatever daemons he starts, whatever connections he tries to make, they are all implicitly isolated by the box he is in, a box that is outside of his ability to control from the compromised machine. Any attempts to make network connections will be detected by my IDS (unusual behavior). It will log the attempts and notify me of a problem. The IDS can activate countermeasures such as continuous snapshotting of the machine to track the intruder and redirecting the app server connection to a honeypot, or simply cutting the power to prevent further activity.

It makes no sense to have SELinux running on my web server machine. It accomplishes nothing not already accomplished innately by the infrastructure. It increases complexity, which means more opportunity for mistakes or bugs to cause other problems.

SELinux makes sense in a mainframe environment where many different services and users need access to many different resources. But then, that's the environment SELinux was made for.

-- 
Rich Pieri
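The DMZ policy described in the message above, written out as an nftables ruleset for the separate firewall host that sits between the networks (the "box" the attacker cannot reconfigure from the compromised web server). This is an added illustration, not Rich's configuration or anything from the list: the interface names (wan0, mgmt0, dmz0, app0), the addresses 192.0.2.10 (web server), 10.0.10.0/24 (management network) and 10.0.20.5 (application server), and the designated application port 8443 are all assumptions chosen for the example. Only the flows the message names are allowed; the chain policies make everything else an implicit deny, and the trailing log rule is what a log collector or IDS would alert on.

```nft
# Added example: DMZ firewall ruleset modelling the policy in the message above.
# Assumed interfaces: wan0 = public network, mgmt0 = secure management network,
# dmz0 = web server DMZ, app0 = application server DMZ.
# Assumed addresses: web server 192.0.2.10, mgmt net 10.0.10.0/24,
# app server 10.0.20.5, designated app port 8443.
flush ruleset

table inet dmz {
    chain forward {
        # policy drop = "everything else is implicitly denied"
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # public network -> web server: HTTPS only
        iif "wan0" oif "dmz0" ip daddr 192.0.2.10 tcp dport 443 ct state new accept

        # management network -> web server: SSH only
        iif "mgmt0" oif "dmz0" ip saddr 10.0.10.0/24 ip daddr 192.0.2.10 tcp dport 22 ct state new accept

        # web server -> application server DMZ: designated port only
        iif "dmz0" oif "app0" ip saddr 192.0.2.10 ip daddr 10.0.20.5 tcp dport 8443 ct state new accept

        # Anything else the web server tries (reverse shell, C2 beacon, outbound DNS,
        # a new listener on an extra port) never matches an accept rule. Log a sample
        # so the IDS / log collector sees the attempt, then fall through to the drop policy.
        limit rate 10/minute log prefix "dmz forward drop: " counter
    }

    chain input {
        # the firewall's own management plane: same default-deny stance
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # administer the firewall only from the management network
        iif "mgmt0" ip saddr 10.0.10.0/24 tcp dport 22 ct state new accept

        limit rate 10/minute log prefix "dmz input drop: " counter
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Load it with `nft -f <file>` on the firewall host. Note what the ruleset does and does not cover: a listener the attacker starts on the web server is unreachable from outside because no forward rule admits it, and an outbound connection from the web server to anywhere but 10.0.20.5:8443 is logged and dropped, which is the detection point the message describes. Traffic that stays inside the allowed flows (for example, abuse of the existing 443 or 8443 connections) is not constrained by this layer; that is the gap the IDS, honeypot redirect and snapshotting in the message are meant to cover, and none of those are shown here.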