[Discuss] apache problem
Derek Martin
invalid at pizzashack.org
Wed Jan 9 14:55:25 EST 2019
On Wed, Jan 09, 2019 at 07:20:29PM +0000, Anderson, Charles R wrote:
> It can harden a system against attack from without for example by
> preventing sockets from being bound, similar to iptables.
It can not do this on a system that is running public services--the
sockets for such are necessarily bound. If a machine is not running
services, then, barring kernel bugs in the network stack itself, it
will not have vectors of attack that are vulnerable to attack from
without to begin with.
> But most of what it does is limit the scope or capabilities of an
> attack once outer defenses are penetrated, and also can provide
> alerting to an attack. Defense-in-depth.
> There is already a rich set of access controls defined for the SELinux
> targeted policy that most people use, and is the default
> out-of-the-box config on Fedora and Red Hat. So you get to benefit
> from all that work with very little effort.
One aspect of defense in depth is to avoid running services using
default configurations at well known ports (if possible for your
application) and with data at well-established locations. SANS, for
one, preached this in their GSEC program. If you do this, your
default SELinux policies become useless, and you will have to
re-craft them (at least partly) by hand. Due to the complexity of it,
if you do not have considerable experience, and rigorous testing of
your policies, I expect you will most probably fail to do this
correctly. It took the major distros YEARS to get theirs right, and
they have a lot more resources to spend on it than the average home
user.
In most cases, careful privilege separation and file permissions get
you the bulk of what you need; staying patched gets you the rest. If
you can't manage that much, how will you ever figure out what SELinux
policies you need?
I'm not saying SELinux has no value. I AM saying that I believe for
the average home user trying to provide some basic services for their
home network, or even to run a small Internet site, what it provides
is much more trouble than it's actually worth, and the needed levels
of security are more easily provided other ways, most of which you
were probably already doing anyway.
--
Derek D. Martin http://www.pizzashack.org/ GPG Key ID: 0xDFBEAD02
-=-=-=-=-
This message is posted from an invalid address. Replying to it will result in
undeliverable mail due to spam prevention. Sorry for the inconvenience.
More information about the Discuss
mailing list