Slashdot Mirror

← Back to Stories (view on slashdot.org)

SELinux Panel at FOSE in Washington

Posted by timothy on from the battening-hatches dept.

Tony Stanco writes: "Newsforge has an article on what happened at the Security Enhanced Linux panel in Washington about certification under the Common Criteria for Information Technology Security Evaluation standard."

5 of 73 comments (clear)

  1. Good choice by Slash+Veteran · · Score: 3, Insightful

    I like the term "Security Enhanced" instead of "Secure." The former is attainable, the latter is quite laughable to anyone in the know.

  2. SELinux vs. LIDS by UnderAttack · · Score: 2, Insightful

    Now they just need to merge LIDS and SELinux!

    What is realy missing for both is a good documentation. E.g. an O'Reilly book ;-). The LIDS documentation are terribly out of date.
    Are there any distro plans for SELinux? It would be nice to combine its great features with the momentum if would get from packaging it in a nice distro.

    --
    ---- join dshield.org Distributed Intrusion Detec
  3. Re:Windows is secure??? by Anonymous Coward · · Score: 1, Insightful

    Actually, UNIX is not secure. It was designed
    before security was a huge issue, and therefore
    Linux/BSD and even OpenBSD will never reach some
    of the other more secure OS's out there. There
    design reasons for this like
    1. Most utilities written in C/C++. These
    languages are notorious for bugs (the infamous
    buffer overflow comes to mind). It would be fine
    to write the kernel in C, but anything in userland
    from the shell up would benefit in security by using
    a much more safe language. Of course, C and C++
    are speed daemons, and servers/number crunching
    benefit.
    2. The user heirarchy and its implementation. There
    is only one super user. This is a problem, for
    example, when stuff like X needs to be suid to run.
    (I heard the new XFree86 tries to fix this.
    I do not know if this is true.)
    3. All kinds of stuff, like ps -Al allowing view
    of everyone's procesees (spelling?). Lots of other
    stuff that takes a while to describe.

    Many of these problems can be traced to UNIX's roots
    , since in those days l337 hAx0rz weren't everywhere
    and neither were professional uber-crackers. I
    think there is a system called Plan 9 (also made
    in part by Ken, around late 80s/90s) that is
    significantly more secure.

  4. Certification and the GPL by ndogg · · Score: 2, Insightful
    Among the 30 audience members were several Microsoft booth workers. One asked a couple of questions about the SELinux project, including, ironically, whether changes made to ready it for the security certification would be released back to the community under the GNU General Public License. Panelists said that although the rules of security certification and the GPL sometimes conflict they were looking at ways to resolve the potential problems. Among those issues: A security certified operating system that's had outside changes made to it may lose its certification, and a distribution that's downloaded from a site that's not part of the official certification channels loses its certification, Westerman said.


    If an OS loses certification due to changes from the outside, then do what Debian does, have a stable, testing, and unstable distributions, and officially distribute only the stable distributions on CD. A long as you keep tight control over the changes made to the stable distribution, this shouldn't be a problem. This is how Debian does it, and also the reason why it's often accused of being out of date.

    Also, distribute the certification only with CDs if you can't certify downloaded OSes (and make CDs the official distribution), even if they are exactly the same. Make it clearly noted, obviously, that certification only comes on official distribution channels (i.e. the CDs.)
    --
    // file: mice.h
    #include "frickin_lasers.h"
  5. Re:Windows is secure??? by Anonymous Coward · · Score: 1, Insightful

    EAL or Common Criteria Security evaluations are all only valid for a VERY specific configuration of the operating system, server, hardware or software (or anything else) that is claiming to be certified. It is possible to install any operating systems in a "secure" manner, and hence comply with the appropriate EAL certification (assuming that the operating system has been evaluated), however keeping it compliant and in an acceptable state is difficult.

    As an example, the current EAL evaluated Cisco PIX firewall runs version 5.2(3) which has a number of known security issues. If a higher version (with the known security issues fixed) of the IOS is used, then the firewall is no longer configured as per the EAL evaluated configuration, and hence is no longer EAL compliant.

    Appologies in advance for the change from Operating Systems to Cisco PIX, but I know the version information for PIX.