Tom Rivers wrote:
Mike McCarty wrote:
After a machine has been compromised, IMO it must be restored
to a pre-compromise state. Trying to mitigate damage on a
compromised machine is wrong-headed.
Mike,
I agree that compromised systems should be "fixed" so they aren't
compromised anymore. However, I don't agree that it is "wrong-headed"
to attempt to mitigate the damage done to such a system. Things like
fire doors that close automatically when a fire is detected mitigate the
damage a fire can do to a building. Traction control and anti-lock
I don't see the analogy. With a building, it makes sense to try to
salvage a room and/or its content. In the case of a computer, it
doesn't make much sense to do that. IOW, the building must be completely
torn down and rebuilt. There is no point in trying to rescue
some rooms from smoke damage.[*]
brakes on vehicles attempt to keep the car from crashing once stability
is compromised. The firewall that contains a car's engine compartment
I believe that ABS attempts to prevent compromise of stability.
and the airbag that deploys if the vehicle crashes both attempt to
mitigate the damage done to the driver if something goes wrong. Even
Again, one hopes to salvage some or all of the human being. I don't
want to salvage a compromised system.
[snip]
None of the mechanisms I have just described work as expected 100% of
the time but that is hardly reason to do away with any of them
entirely. As I'm sure you're aware, any good security posture has
Of course not. The only truly secure machine is one which is physically
secure. Anything else leaves the realm of security, and enters the
realm of relative security, which is entirely different, and has
cost/benefit considerations.
"defense in depth" as part of its scheme because it is historically a
bad idea to rely on a single mechanism for overall security. SELinux
may not the best solution out there but it does serve a very important
purpose - it mitigates system damage in order to preserve as much of the
remaining system as possible. I don't think anyone would argue that it
makes sense to let someone who hacks a web server also get control of
the credit card numbers stored in a database on the same machine.
Again, inappropriate, for more than one reason.
(1) I don't run a web server.
(2) Anyone who saves credit card info onto a web server and then gets
compromised is at best negligent, and possibly criminally negligent.
(3) Anyone who lives in the relative security realm, as do most
of us at least some of the time (I do have absolutely secure machines),
must assess the cost/benefit of each security measure he implements.
I have decided that SELinux is clearly on the cost outweighs benefit
side of the ledger for me, and I don't want to install it on my
machines. If you chose to do so, then fine. I don't care what you
install and run on your machine. If you asked me for my advice,
you probably know what I would say.
I think it is unfortunate that RH has made a decision not to support
a version of their distro which does not incorporate SELinux into it.
I'm not trying to make anyone not use SELinux. I do wish RH would
be more responsive to those who don't want it. Since they are not,
I shall use other distros, I suppose. I'm not trying to convince
you not to use RH products or their derivatives.
Likewise, with all due respect, it doesn't make sense to assert that
trying to stop bad guys from doing all the damage they could is the
wrong philosophy. That would be like watching your entire home burn
down from a fire on the stove because you feel the fire extinguisher,
something that would minimize the fire damage, is somehow
philosophically wrong.
Wrong analogy, I think. You might feel differently if you installed
an enormous machine drawing electricity from your house wiring,
intended to operate a sprinkler system, and the additional load was
the cause of the fire. SELinux has its own exploits.
[*] I'd be willing to look into such things as stored mail
and other pure data files in the user areas, but even then, I keep
regular backups. A compromise may not be discovered for some
time. The system must be restored to a non-compromised state.
Then, and only then, may one try to reintroduce user's data
files and so on from the compromised backups. IMO, trying to
mitigate damage is not the proper response. The proper
response is to keep backups of important data. The system
itself must not be reintroduced.
Mike
--
p="p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}
Oppose globalization and One World Governments like the UN.
This message made from 100% recycled bits.
You have found the bank of Larn.
I can explain it for you, but I can't understand it for you.
I speak only for myself, and I am unanimous in that!