Ridding myself of root passwords?

S. Dale Morrey sdalemorrey at gmail.com
Thu Feb 6 14:22:32 MST 2014


Ok I understand what you are saying.
My point is that SELinux gets in the way of what I would consider good
security practices.

Think about it this way.
If you configure SELinux to be permissive, then there is effectively no
difference between that and not having it run at all.

If someone breaks into ring 0 (uid 0 or whatever), then your system is
hosed and it doesn't matter if SELinux is in place or not.  Yes SELinux
makes it harder to crack, but come on, we all know it doesn't make it
impossible.  In my mind it's like that little chain people put on their
doors.  Most of the time it's a pain and doesn't really serve the purpose
it's touted to serve.

In todays instance, no real damage occured (other than an IP black list for
spamming), because there was true security in place.
That is to say, nothing of value was stored on a box which had connections
to the wider world.

The valuable information is locked up behind physical hardware firewalls
and the servers holding this information require VPN tunneling with
certificate based authentication to get at.  Furthermore, they are
seperated by function and there is no direct link between them, except as
nessecary to allow them facilitate their individual bits of business logic.

Similar to Water Tight Doors in the Navy.
Thus if any single box is compromised or even a handful of them, even a
physical compromise where someone goes down to the noc and boots into
runlevel 1, the wider purpose remains secure.

I believe that true security comes from a certain sense of paranoia.  i.e.
"What happens when this box falls into the hands of an attacker?"  Not just
"How do I secure this against attacks?".  Note the difference in mindset.
I go forward with assuredity in my mind that the box will eventually fall
into someone elses hands.  I never even question it.  And while I would
like to configure central auth because certificate managment is getting
unwieldy, the fact is I don't because I assume at some point the auth
server will get compromised.

I guess the difference in mindset is summed up by the two narratives told
by Levi and myself.  He believes that a lock is there to secure valuables.
I believe it's there to deter wouldbe attackers.  That's a HUGE difference
in thinking!

I was raised with an old saying, "Locks are there to keep honest folks
honest".  Thus I don't even bother to lock my front door when I'm away.
For exactly the reason he states, it's a pain to come in with a load of
groceries and fumble for a key.  Instead I secure anything of reasonable
value in a safe that's bolted to the floor and stashed in the basement.
Can they come in and steal my TV?  Sure!  But that's why I buy insurance
and choose to live in a low crime neighborhood.  Could the possibly break
the concrete floor up with a jack hammer and dolly the safe out?  Yes, but
that's what I have insurance for.  At some point you have to say enough is
enough, I need usability.  The best security I can offer for my valuables
is a bank vault, but then again a court order (or even someone flashing a
badge legitimate or not) can cause the bank to cough that up, so is it
really any more secure?

I do lock my door at night.  That's because anyone trying to come in while
I'm home will likely make enough noise that I can come down and confront
them.  But while I'm away?  Sure come on in!  Just realize I have a camera
on the front and back doors to record who's coming and going.  :)


On Thu, Feb 6, 2014 at 1:30 PM, Joshua Marsh <joshua at themarshians.com>wrote:

> On Thu, Feb 6, 2014 at 1:08 PM, Levi Pearson <levipearson at gmail.com>
> wrote:
>
> > I know security is not easy, but if you're going to have a
> > public-facing server, you really ought to take the time to figure it
> > out.  You'll spend less time doing that than you will cleaning up
> > after you get hacked.  And, as you just experienced, you *will* get
> > hacked if you continue to rely on the Unix security model.
> >
> >
> It's too bad that most people don't think about becoming security conscious
> themselves. The business models I've seen in the past are: who cares,
> contract it out, or rely on a 3rd party systems (e.g. App Engine). None of
> these help engineers and architects become more security conscious. It's
> pushing the accountability somewhere else (in the first case, on the
> floor).
>
> I agree that learning about it is important. We've had PLUG meetings about
> SELinux and there are a bunch of introductions/tutorials on youtube. I'm
> personally not a fan of SELinux, but knowing about any LSM will at least
> give you a leg up on the average engineer. Putting that on a resume will
> look good. I can only imagine it will become more important in the future.
>
> /*
> PLUG: http://plug.org, #utah on irc.freenode.net
> Unsubscribe: http://plug.org/mailman/options/plug
> Don't fear the penguin.
> */
>


More information about the PLUG mailing list