Slashdot Mirror

← Back to Stories (view on slashdot.org)

Red Hat to Release Enhanced-Security Linux

Posted by timothy on from the compound-modifier dept.

Klatoo55 writes "According to an article by Techweb, Red Hat will release Red Hat Enterprise Linux 4.0, which includes support for Security-Enhanced Linux, in 2005. Red Hat has been running this system with a published IP address asking for hackers to try to break the security. The last version was defeated within 45 seconds, but this new version (apparently to be the policy for the next Fedora) has yet to be cracked."

9 of 326 comments (clear)

  1. Security Enhanced Sure! But... by Anonymous Coward · · Score: 5, Funny

    I think we can bring that baby down without a hack.

    What say you slashdot?

  2. I wonder how the last system was defeated? by Snake_Plisken · · Score: 5, Funny

    45 seconds? Sounds liek someone yanked the power cord out of the boxen to do it that fast...

    --

    Eat recycled food - it's good for the environment, and OK for you.
  3. Invulnerable to MyDoom type virii? by Raster+Burn · · Score: 5, Interesting

    The article implies that SE Linux would be more secure that Windows, especially in light of the MyDoom virus. But doesn't the MyDoom virus depend on a dope sysadmin clicking on a binary attachment to spread?

    So how does SE Linux protect systems against trojans?

    1. Re:Invulnerable to MyDoom type virii? by pavera · · Score: 5, Insightful

      Wrong,
      By simply clicking on an attachment in any mail client in linux it will not execute... The user would have to save the attachment to disk, chmod it +x, and then execute it, and then, if the trojan wanted to write anything to disk outside of the users home directory, it would have to ask for the root password, and then if the user was that stupid, ok they really deserve to be infected with a virus. However, in a decently admined system the users don't know the root password, they don't need it ever, and they should never be installing programs. The amount of work it would take to install the trojan on linux would be a deterrent, it is also the deterrent to wide scale adoption by home users of linux.. because installing programs is just as difficult as installing trojans.

  4. Windows Beats Linux! by Anonymous Coward · · Score: 5, Funny
    The last version was defeated within 45 seconds
    That's nothing. I put a stock Windows box on the internet, didn't even bother publishing the IP, and it was cracked within 10 seconds! Take that, open-source advocates, Windows has finally beat you at something!
    1. Re:Windows Beats Linux! by hendridm · · Score: 5, Interesting

      Not sure if you're joking or serious, but during the Code Red fiasco I put a Windows machine with IIS online on my cable modem. Thanks to port 80 being forwarded to that machine on my firewall, my computer was infected after I installed Windows in the time it took me to find and install the service pack! From then on, I made sure to remove port forwards before installing updates on newly installed machines :)

      I guess it's no surprise, given the amount of Code Red traffic there was at the time, but I just didn't think of it at the time since I had planned on installing all the updates after reloading.

  5. Re:Security? by Sexy+Bern · · Score: 5, Funny

    ifconfig eth0 down

  6. 45 Seconds? by Eberlin · · Score: 5, Insightful

    What happened? Someone ran a brute force root login with the pwlib dictionary or something? Maybe a quick ride with Nessus? Or was it a social engineer who managed to call someone and get the root password?

    As has been echoed before time and again -- security is a process, not a product. Of course you'll have more secure products, but it's still up to a competent admin to make sure things are kept secure. Even then, you better have good backups because that one disgruntled guy who works in the mailroom on a machine already inside the firewall just might have an extra ace up his sleeve.

  7. Other ways to improve Linux security? by Debian+Troll's+Best · · Score: 5, Insightful
    RedHat's 'trial by fire' approach for their new security policy is a good one, and is something all distro makers should try. Nothing beats having your default security config probed and tested by the world's best crackers in a real life environment. But network security is only one piece of the puzzle. As the Windows community has demonstrated time and time again, trojans and spyware can be just as dangerous from a security point of view as network exploits. And while the problem may not be as severe on Linux due to the separation of the root user from the average day-to-day account, havoc may still be wreaked by a regular user downloading a package and installing it, and thus inadvertently installing a trojan.

    It seems to me that our package managers (used by the majority of Linux users...not everyone compiles from source) are vulnerable to some type of subversion. They are not controlled or vetted by a central authority. There is no 'certificate' which can be attached to them to guarantee their purity. What the Linux community needs, I feel, is a type of central signing authority or cryptographically sealed DRM-compatible package management system. This could eliminate potential threats associated with trojaned Linux packages. Imagine a secure apt-get. Packages would be enveloped in a tough layer of crypt() security. They would be digitally signed by the Debian project manager, or even Ian Murdock for highly critical packages like the kernel. And it would be impossible to accidently load and install a trojan. Apt-get could even be modified to 'phone home' and let the Debian administrators know which packages where the most popular (and make security updating easier!) packages were being installed and to automatically e-mail users with news of package updates and 'special offers' from co-sponsors. I look forward to the community's response!