Red Hat Seeks to Deliver Most Secure Linux
Jack writes "ITO is running a story on Red Hat's plan to become the most secure Linux platform. From the article: "Red Hat officially joined The National Information Assurance Partnership to bring an improved level of security and assurance to Linux. This means that the next version of Red Hat Enterprise Linux will contain kernel and Security Enhanced Linux policy enhancements, developed by IBM, Red Hat, TCS, NSA and the community.""
The article left out a hyperlink, corrected here :
Trolling is a art,
Why don't the security conscious just use OpenBSD?
When you're afraid to download music illegally in your own home, then the terrorists have won!
"Nothing for you to see here. Please move along."
Hulk SMASH Celiac Disease
So does announcing to the world that you want to be the most secure platform place a giant target on Redhat? It almost seems like an invitation for everyone to come try and get a piece.
Granted, I think Red Hat has a much better head start on MS, but that may partly be due to the amount of market share they command. If they can pull it off, more power to Red Hat!
This sig has been removed pending an investigation.
I didn't realize that ANYTHING they did was "open".
Here's to the IT Observer staff! They successfully copied and pasted a press release verbatim and now are going to get the page views from Slashdot!
As sections of the Linux community, such as RedHat, start merging with big businesses, such as IBM, we have to wonder how long it will be before the Red Hat team starts walking on 2 legs...RedHat could be well on its way to becoming the next Microsoft.
ITO is running a story...
...and probably running it as root, too, the stupid bastards.
Major corporations (such as oracle) target Linux; specifically RedHat. With RedHat, you gain all of the applications that already work with Linux plus security enhancements. With OpenBSD, even though they have a decent amount of applications, they have nowhere near the variety that Linux has, so that gives Redhat an edge.
Oh wait, nevermind . . .
Yes they do http://www.nsa.gov/selinux/info/faq.cfm#I2, the mentioned security enhancements are more like ACL's and policies.
Redhat is the target OS of most corporations (as I pointed out), this is the advantage that Redhat has over OpenBSD. Any worthwhile features that this develops will eventually trickle down to the niche distros such as slackware and gentoo; so this initiative is a Good Thing.
As far as stealing users from windows; So Freaking What? The important thing is that people discover there are alternatives to using Windows and hopefully also discover the advantages of Free Software along the way.
Or does this sound just like m$, and their constant rant about security, increasing security, and more security.... When all the while security is just non-existent (at least with m$)
FragHARD or don't frag at all
MS-Windows is NOT in this exclusive group.
I'm both shocked, and amazed since most "exclusive groups" answer to the almighty dollar and not the true nature of their goals. Which, in this case, is "security."
I still see the rumors fly about Redhat being a sieve with regards to security. I've always used both Redhat and Slackware, and frankly haven't seen it. Is this the end of the accusations? Will this stop the inflammatory remarks in the my Penix is better than your Penix flame-wars? I say no! A Zealot is a Zealot.
San Dimas High School Football Rules!
My ZooLoo
Microsoft says it plans to create and ship the most secure version of Windows.
No folly is more costly than the folly of intolerant idealism. - Winston Churchill
First off, I should let it be known that I am a BSD fan, and not a Linux one. However, despite my many issues with Red Hat and Fedora Core, they have been integrating some really cool stuff of late, things I had wanted to have easy access to in an open source operating system for some time, such as the SELinux functionality.
It's absolutely fantastic work they are doing; making SELinux a default in their systems in meaningful ways, while at the same time, doing their damnedest to make it as transparent as possible to the everyday user. No one else is doing that. OpenBSD are the kings of UNIX quality control, but they offer nothing in the way of mandatory access controls. FreeBSD has comparable technology in the form of the TrustedBSD MAC Framework (which is excellent), but they are not yet offering security policies that are transparent to ordinary users of the system, and like SELinux in most distributions that support it, it's a pain to set up correctly.
Now if only they (Fedora especially) would ship a basic "desktop install" on *one* CD image instead of requiring 2-4 CDs, my major gripes with their software would go away completely. This kind of hardcore but transparent security is most definitely needed by everybody today, and right now, only Red Hat and the Fedora Project are providing it. As much as I prefer the saner development methodologies and more well thought out kernel architectures provided by the various BSDs, in an online world as inherently dangerous as our own, employing an operating system that supports these security technologies is the only real way to go.
Come on FreeBSD! What are you waiting for? Keep up the (mostly) good work Fedora people!
Trustix Secure Linux has been one of the most secure distributions since its inception. No services are on by default and only a minimal install is needed most of the time. Updates come out seemingly hourly (more like daily) and it's one of the smoothest and securest server operating systems out there. If you're looking for desktop, you're not going to find it with Trustix. I've been using it as my main server distribution for ~3 years without a single problem.
Colin Dean Go a year without DRM
Even though you're trying to be funny, it does show a misunderstanding of what a "trusted" operating system provides. The biggest benefit is the ability to store information at various levels of classification, such as secret and top secret, on the same system and having access controls that are fine grained enough to make this secure. It's not just about keeping people who don't have access out, it's also enforcing need to know through the same system.
My Windows box has more security. It doesn't have internet. And it doesn't have an Enter key. Matter of fact, as long as I don't use it, don't let anyone else use it, and don't even turn it on, it's secure as Fort Knox.
We need to act before that happens!
Let's get together and make sure that all new versions of software that RedHat sells are covered by some kind of license that prevents them from locking the software up! Hell...we could even include some kind of restriction that forces them to release any changes they make. That'll stop them!
Suggest that Linux not be the best solution, -1 Flamebait. Make inaccurate and unfounded statements about OpenBSD, +3 Funny.
Titanic... couldn't be sunk
Windows 2000... unhackable
RedHat Server 2007... uncrackable
Don't think so...
That is all.
-"...bad old ideas look confusingly fresh when they are packaged as technology" - Jaron Lanier (Digital Maoism on Edge.o
I think this is a bad idea. There are always tradeoffs between security and functionality, so a most secure linux will always be niche. There's a place for such distros, and the great thing about linux is that different distros can be made to suit anyone, but a distro trying to be mainstream like red hat should not aim to be the best at any one thing, because that means neglecting other important things.
I am trolling
They think they are so smart, encasing the distro CD in carbonite and placing 3 green pigfaced guards to keep it safe. But all it takes is ONE Organian rebel princess in a star trek Breen mask with a raspy voice to defeat it.
I use windows xp how does this effect me?
There are already a number of quality server distributions out there with security tools like SELinux, GRSecurity and PaX, but it will be interesting to see Redhat contribute to the mix. Personally, I use a number of modified Redhat patches while building HLFS-based systems.
While this is undoubtedly off-topic, what I really want to see (and continually try to create) is a desktop system with some of these advanced security concepts enabled. The problem seems to be finding the right balance between security and ease-of-use, it's a lot easier to create a server with non-standard access control than an xorg/KDE desktop.
Contributing to this problem (at least in my experience) are the documentation problems. These can occur in many opensource projects but seem to be magnified in security projects. Even with a fair working knowledge of relevant areas, incomplete and esoteric documentation provides a stumbling block for a lot of us.
Furthermore, keep in mind that most of the code behind linux is under either GPL or LGPL, which means that others can take redhat's source code and build their parallel distribution of Linux (there are already parallel distributions of RHEL, btw, I don't see how that is going to change in the future). Sure, Redhat could start replacing software with proprietary versions, but the cost of doing that is very high, and simply against their current direction
The Raven
To me, the whole idea of one distro magically becoming more secure than another is slightly strange - it's not really so much the kernel itself - it's what's on top of the kernel, the default install, uh, defaults, and the entire chain-of-trust on top of that. Any production server *should* be competently administered - and locked down fairly tight (e.g. NOT running an nwn dæmon, as a certain webserver I've come across did due to the sysadmin thinking he could get away with it....), and then the only security troubles you'll come up against are those that are totally PEBKAC. (Yes, I know most security problems lie BKAC, but this really does seem to me nothing other than a /. sponsored PR-stunt...)
The flipside of this is linux on the desktop - which is where redhat could earn this title. However, all that really means is making sure wine is b0rken enough with windows viruses, not allowing samba or ssh access from outside the local subnet, and removing all instances of "rm -rf /" from the man pages....
My UID is prime. Is yours?
Adopting stuff like SELinux will make Red Hat Linux closer to Windows in security model. Red Hat moved to good default policies faster than Microsoft did, but they both seem to be pretty good in that respect now. In terms of implementation quality, it is much harder to say. I suspect that Linux and Windows are on similar ground now, but that Microsoft is improving implementation quality faster.
One problem for Linux in that regard is that a single vendor can't make a decree that all existing and new code will be checked and reviewed more carefully, because no single vendor controls all of the code. But the future is not yet written, and we have to wait to see which of them will improve the implementation.
Whoever corrects a mocker invites insult;
whoever rebukes a wicked man incurs abuse.
--Proverbs 9:7
a very viable way for Microsoft to keep Linux as weaker competitor.
1. In the corporate world where support is more valuable than the software in some cases, there is *not* a long list of viable Linux-based companies. I don't think Novell's going to dismantle Red Hat either.
2. The approach MS will likely take is to capture as many of the Linux dollars as they can. They know support is Linux's weakness and they can provide that. So, Microsoft bundles OSS application support to its richest customers. Microsoft wins and OSS competitors are none the richer.
3. Microsoft chooses Red Hat, supports Red Hat, but that's all. It's the Devil they know and they make a new hybrid of vendor lock-in.
YMMV
http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
Here's a simple task that you CAN'T do with SELinux: set up Apache and Samba so that Apache's html directory is shared using samba. Should be simple, right? Bzzt. Wrong answer. You will have to either turn off SELinux for Samba or for Apache, you can't protect both because they need to access the same files. From what I've seen, most people just turn SELinux off.
Now, from theoretical security standpoint this totally makes sense - you can't guarantee complete isolation between two apps if both access the same set of files and one of them can write. However, in the real world this is a nightmare. SELinux folks rightfully refuse to fix this - they've created SELinux for an entirely different purpose - to build verifiably secure systems, even if they can't run Apache on them.
What Linux needs is a proper ACL implementation a-la Windows (don't laugh - they have a really good one) or Mac OS X.
What everyone seems to be missing here is that unlike BSD or the other so called secure Linux distros out there, when you install RedHat you actually have a usable platform from the get go. What is the point of having this ultra secure Linux server which has all services turned off by default. Not a very useful server if you ask me. And while I like BSD, it does not have the software base available for it that RedHat does. Perhaps for the random home user none of this matters, but to anyone going to deploy hundreds of Linux systems, this all makes a huge difference.
Summary: RedHat delivers both a secure and a usable Linux distro which is easily supportable and reproducible.
Looks like it's time to trot out this link again:
Jonathan S. Shapiro, Ph.D: Understanding the Windows (and Red Hat) EAL4 Evaluation.
"In the case of CAPP, an EAL4 evaluation tells you everything you need to know. It tells you that Microsoft (Red Hat) spent millions of dollars producing documentation that shows that Windows 2000 (RHEL 5) meets an inadequate set of requirements, and that you can have reasonably strong confidence that this is the case."
Granted, RHEL is being evaluated for LSPP as well, but EAL4 is still weak.
All the comments about OpenBSD are missing the point: Common Criteria isn't about actual security; it's about security documentation. It's also about certain government purchasing requirements. Nothing to see here.
I'm not worried until they try Stallman for being a counter revolutionary and take to eating penguin eggs.
So do these folks ;P
One that hath name thou can not otter
Where I work, it's a Windows/Novell shop. The director doesn't care about security nearly as much as usability. Is that wrong? Hell yes, but that's how it is. Security is our responsibility (not his), and when he's choosing products, he goes for usability. He only recently allowed us to test some SuSE boxes because a) they were endorsed by Novell, and b) he liked YaST. He wanted to understand what we are doing to the boxes. Command line is evil to him, as is anything "open source" or free as in beer (free as in speech means nothing to him). If it doesn't cost a lot of money and doesn't have an "easy" interface, it's inferior.
I spent a great deal of time trying to get SELinux in FC working, it turns out like most things, the devil is in the details. Here's why:
1. Enabling it during install doesn't magically make every application SELinux aware. It turns out that packages need to have SELinux features. Here's a link to the good fellow doing SELinux packages for Debian. http://www.coker.com.au/selinux/ Now, I don't know if the Fedora package volunteers have done the same kind of work or not, but I'd be interested to hear either way. It reminds me of LDAP, where LDAP is good, but applications need to support it to make it great.
2. My experience turning on SELinux in FC was not good. I attempted to build a firewall with IDS and the IDS just didn't work. I'm not a coder, nor am I a really strong Linux Admin, so bye-bye SELinux and the firewall/IDS worked like it should.
3. Generally speaking, American PHB's (at least) are finally getting the message that IT security is far more important than in the past and I think this is a well-timed Marketing message with the actual SELinux implementation throughout FC being very far from their glossy claims.
...TCPA type security as well? There probably are some useful aspects to Trusted Computing. I'd imagine it would make it much harder for people to cheat in online video games, or to spoof identities.
Microsoft seeks to deliver most secure Windows
I'm not a troll, but I play one on Slashdot.
Again, it's not secure no matter what you do. If you can scan memory at anytime, you can find keys and such and get what you want. Running at PL0 and PL3 and leaving out the other 2 PLs can allow any code to run in-between PL0 and PL3 and then where will you be. A 4-layer OS is the answer.
Fortunately, my company is going to announce soon with an OS that truly is secure.
Flame away (again).
SELinux is a great idea but really complex to the point of obscurity. I couldn't come up with my own policy rules for SELinux to make Samba run in a more secure manner. I am the first to agree OpenBSD is the king of secure policy but really bites at allowing an administrator to manipulate them. This is where RH comes in and does very well with their push into SELinux. It is sufficiently complex but in most cases the way RH uses SELinux the user never notices.
Ever since they've introduced SELinux in the default install they've claimed it is incomplete but are adding rules every chance they get. And even better, it is nearly transparent to the "uninterested user". There is a separate SELinux package that merges in every time they update it so my interaction (and the chance for me to break it) is minimized. And I'm constantly surprised by the settings they do work out as well (for instance some of their Samba settings are really good security policy anyway).
Red Hat's support for things like SELinux is stellar but it needs to be better and they are the first to admit it needs more work. Isn't this what Open Source is all about?
Those are my top three. OpenBSD is slick, and I love using it for applications where 99% of the functionality I need can be provided by the base system. For services that change rapidly, though, it's more of a hassle than I'm willing to put up with.
Secure Linux on the desktop? Sure (although I'd hate to give up my FreeBSD desktop system). OpenBSD on the desktop? Shoot me now.
Dewey, what part of this looks like authorities should be involved?
I think a lot of people are really missing the point, but saying "use openbsd" or use "xzy". use can have a secure data server in gov or mil orgs and have secret or top secret data on it without "trusted" computer and defined and verus security qualifications. SELinux provides ROLE based access control. This is a good thing, as RH will add a lot of documentation to selinux and maybe even some tools as well.
-Nex6
-Nex6.blogspot.com
It was a basically flawed design from the start, and failed to withstand an obvious hazard that would not have sunk one of Brunel's much earlier iron ships. So it's quite different from Windows 2000 which is not a basically flawed design...er, what am I saying?
Panurge has posted for the last time. Thanks for the positive moderations.
You mean someone with a clue modded them down for very good reason. I can remember in 1999 when the BSD folks were crowing about how "secure" they were, making a big deal about it. Hackers simply ported all of those Linux hacks to BSD and BSD was very *insecure* for years to come. Shall we do another round? I have a feeling it is coming since you guys are saying it is so much more secure again.
SELinux *IS* very secure. In spite of what others say, it is easy to define policies. When I ask people saying it is tough to do, how would they do it, they come up with very similar ideas (but more broken). It is a lot like adding more locks to the rooms in a building. Wanna do a updatedb in demand as root? Denied! You have to change your context first (and have the ability to do that)! Things like that. Becoming root would mean nothing if it is set up right, in fact I could give you the password to root and dare you to do something bad - good luck, you would need it. This level of security simply isn't available in BSD, nor will it be for the foreseeable future. Indeed it seems that you are the one with no clue what SE Linux is all about, what went into it and how secure it can be.
Please mod parent up, if only for point 6 alone.
Security is not a product. It is a process. You cannot talk about the "most secure OS." You can only talk about two tangential issues:
1) The most securable OS and
2) The most secure OS in the default install.
There will always be some MS Windows boxes that are more secure than some OpenBSD boxes if only because someone thought that "Cool OpenBSD is really secure, man. So I just installed Sendmail on it.... I don't have to worry about security, do I?" while there are a few Windows admins who take security really really seriously.
In reality, I think that Linux is probably more securable than OpenBSD but most Linux distros are not as secure in the default install.
LedgerSMB: Open source Accounting/ERP
OpenBSD has systrace, which is easier to understand than SELinux.
http://www.openbsd.org/cgi-bin/man.cgi?query=systrace&apropos=0&sektion=0&manpath=OpenBSD+Current&arch=i386&format=html
Here is a tutorial:
http://www.onlamp.com/pub/a/bsd/2003/01/30/Big_Scary_Daemons.html
"EAL4 permits a developer to gain maximum assurance from positive security engineering based on good commercial development practices which, though rigorous, do not require substantial specialist knowledge, skills, and other resources. EAL4 is the highest level at which it is likely to be economically feasible to retrofit an existing product line."
"EAL4 is applicable to those circumstances where developers or users require a moderate to high level of independently assured security in conventional commodity (OSs) and are prepared to incur additional security-specific engineering costs."
Compare that with EAL5's description.
"EAL5 permits a developer to gain maximum assurance from security engineering based on rigorous commercial development practices supported by moderate application of specialist security engineering techniques. Such a (OS) will likely be designed and developed with the intent of achieving EAL5 assurance."
"EAL5 is ... applicable in those circumstances where developers or users require a high level of independently assured security in a planned development and require a rigorous development".
EAL 5 (and 6 and 7) provide more assurance but achieving those levels is only done at significant cost both in the design requirements they impose on the OS, as well as the cost in $ and time to develop the additional documentation necessary to achieve these levels.
EAL5 requires "semiformal design descriptions, the entire implementation, a more structured (and hence analyzable) architecture, covert channel analysis, and improved mechanisms that provide confidence that the (OS) will not be tampered with during development."
EAL5 begins the series of levels which require the OS developer to design for security first. They also require tests and documentation to be written to exacting standards.
Quotes are from CC documents themselves.
Considering the discussion that was generated about Windows Rootkits, does anyone see a direct application for this Red Hat Secure Linux? Heck, it would work well for their business model.
That's not a failing of SELinux, nor of OpenBSD, or even of Samba itself. Samba's a tool for communicating with systems through an insecure protocol.
Re: I don't know how to do it and therefore it can't be done and therefore it sucks.
It can be done. Here's how:
First some good documentation.
Run:
# up2date --install (or yum install) selinux-policy-targeted-sources
# cd /etc/selinux/targeted/src/policy
# make enableaudit
Run whatever service that is currently broken because of SELinux. Then:
# audit2allow -i /var/log/messages -l
allow httpd_t cifs_t:dir search;
allow httpd_t unlabeled_t:dir { getattr search };
...which will tell you where SELinux blocked the service. (Just some sample output here.)
Then add your own rules like this:
# cat >domains/misc/local.te <<EOF
allow httpd_t unlabeled_t:dir { getattr search read };
allow httpd_t unlabeled_t:file { getattr read };
allow httpd_t unlabeled_t:lnk_file { read getattr };
allow httpd_t cifs_t:dir { getattr search read };
allow httpd_t cifs_t:file { getattr read };
allow httpd_t cifs_t:lnk_file { read getattr };
allow httpd_t default_t:lnk_file { getattr read };
EOF
# make reload
The above is again just an example.
Try again. If it doesn't work you need to allow some more stuff, which audit2allow will tell you.
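A way to review what audit2allow proposes before it goes into local.te, as an added example that is not part of the original comment: the Python below re-derives allow rules from constructed AVC denial lines and flags those whose target is a catch-all type such as unlabeled_t or default_t, where a rule covers every file that lacks a proper label. The log lines, the function names and the BROAD_TARGETS list are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample: syslog-style AVC records of the kind audit2allow reads.
# Hostname, PIDs, inode numbers and timestamps are made up for this example.
SAMPLE_LOG = """\
Oct 20 10:01:02 web kernel: audit(1129802462.101:0): avc:  denied  { search } for  pid=2211 comm="httpd" name="html" dev=cifs ino=4711 scontext=root:system_r:httpd_t tcontext=system_u:object_r:cifs_t tclass=dir
Oct 20 10:01:02 web kernel: audit(1129802462.105:0): avc:  denied  { search } for  pid=2211 comm="httpd" name="html" dev=cifs ino=4711 scontext=root:system_r:httpd_t tcontext=system_u:object_r:cifs_t tclass=dir
Oct 20 10:01:03 web kernel: audit(1129802463.220:0): avc:  denied  { getattr } for  pid=2211 comm="httpd" name="docs" dev=hda2 ino=9001 scontext=root:system_r:httpd_t tcontext=system_u:object_r:unlabeled_t tclass=dir
Oct 20 10:01:03 web kernel: audit(1129802463.224:0): avc:  denied  { search } for  pid=2211 comm="httpd" name="docs" dev=hda2 ino=9001 scontext=root:system_r:httpd_t tcontext=system_u:object_r:unlabeled_t tclass=dir
Oct 20 10:01:04 web kernel: audit(1129802464.310:0): avc:  denied  { read } for  pid=2211 comm="httpd" name="index.html" dev=hda2 ino=9002 scontext=root:system_r:httpd_t tcontext=system_u:object_r:unlabeled_t tclass=file
Oct 20 10:01:05 web kernel: audit(1129802465.001:0): avc:  granted  { setenforce } for  pid=3001 comm="setenforce" scontext=root:system_r:unconfined_t tcontext=system_u:object_r:security_t tclass=security
Oct 20 10:01:06 web sshd[3120]: Accepted publickey for admin from 192.0.2.10 port 50022 ssh2
"""

# Target types that stand for "whatever has no proper label". An allow rule
# against one of these opens far more than the one directory being debugged.
BROAD_TARGETS = {
    "unlabeled_t": "objects with no valid label",
    "default_t": "files that match no file-context rule",
    "file_t": "files with no label on disk (older policies)",
}

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]


def parse_denials(log_text):
    """Collect denied permissions per (source type, target type, class)."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        match = AVC_RE.search(line)
        if match is None:
            continue  # not an AVC denial (granted records, sshd lines, ...)
        key = (
            context_type(match.group("scon")),
            context_type(match.group("tcon")),
            match.group("tclass"),
        )
        denials[key].update(match.group("perms").split())
    return dict(denials)


def render_rule(key, perms):
    """Format one rule in the policy syntax used in the comment above."""
    source, target, tclass = key
    names = sorted(perms)
    body = names[0] if len(names) == 1 else "{ " + " ".join(names) + " }"
    return f"allow {source} {target}:{tclass} {body};"


def render_rules(denials):
    """All candidate rules, in a stable order."""
    return [render_rule(key, denials[key]) for key in sorted(denials)]


def flag_broad(denials):
    """Rules whose target type is a catch-all and deserves a second look."""
    return [
        render_rule(key, denials[key])
        for key in sorted(denials)
        if key[1] in BROAD_TARGETS
    ]


if __name__ == "__main__":
    found = parse_denials(SAMPLE_LOG)
    print("Candidate rules:")
    for rule in render_rules(found):
        print("  " + rule)
    print("Review before loading (catch-all target types):")
    for key in sorted(found):
        if key[1] in BROAD_TARGETS:
            print(f"  {render_rule(key, found[key])}  # {BROAD_TARGETS[key[1]]}")
```

For a flagged rule, giving the files a specific label with chcon or restorecon and re-running the service usually removes the denial without widening what httpd_t may read.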
You flamed the other guy for being "not particularly informed" and then you post "I don't want to be hold hostage to some binary-only shoddy RAID managment software running on Linux"?
I've been running completely open-source soft RAID for years on Red Hat linux. My backup server, which uses the same basic idea as dirvish, uses a couple of terabytes of RAID10. There are even multiple RAID implementations freely available, although you are typically restricted by your choice of kernels.
You zealots never seem to realize your conception of the system you disdain is necessarily going to be incorrect, because you aren't going to spend the time required to really understand it. Concentrate on cheerleading your chosen religion's good points and stop trying to point out the other guy's bad points, that way you can show some real insight.
Who's got a serious comparative analysis of a secure Linux distro vs "Trusted Solaris"?
--
make install -not war
It definitely will not make an insecure application or insecure installation more secure, but it will provide additional protection against those insecure situations.
And the post is modded appropriately as funny since it is a humorous jab at linux security. Besides, I could be off base on this but I suspect that simply installing BSD as your OS will not resolve security issues in the applications you install on top of it, i.e. SQL inject exploits in applications such as PHPBB.
From what I have observed in the #fedora channel on freenode.net most people are oblivious to the existence and operation of selinux and they do not turn it off. However, I have observed people having problems related to selinux when they start utilizing advanced services on their fedora boxes, i.e. apache, named, etc. And in many cases I've seen people offer up the solution of just disabling selinux. This is unfortunate, however, it is not surprising considering the current lack of selinux experience. When possible I've provided some assistance and prevented the disabling of selinux as a solution, but it's just a drop in the bucket.
I suspect that in the future there will be some good selinux frontends to assist the masses with configuration. I would not write it off just yet.
burnin
All nine of my LAN nodes, all four of my laptops (one for each family member), and all the white boxes I used to build the late unlamented big-slow-beowulf cost me nothing but some of my time. And perhaps a little extra laundry detergent. As long as you are willing to settle for Windows-level performance while running linux, you can get all the hardware you need dumpster-diving. At least here on the suburban east coast of the USA, anyway; or maybe the previous poster received the computer as a gift, or stole it, or something.
Used 1GB hard drives are cheaper than CD-Rs. At one point I had a cardboard box with 50 of them in it, but I managed to give them all away eventually.
When the Beowulf stack fell over and nearly killed me (the ceiling wedges held, but one of the casters broke off the plywood sheet on the bottom) I realized there is such a thing as being too cheap. I had a bruise shaped like the mounting flange of a 3com 100bt hub on my back for weeks!
Their packages are ancient. I don't want to install KDE 3.3.2 (came out November 2004) on an OS release that came out in May 2005. I don't expect to get packages that came out yesterday from a release that came out 5 months ago (even if {Free,Net}BSD and most Linuxes manage it), but I'd like to at least have the versions that were current when that release was made.
not a flame. Just some honest questions:
1. why are you running KDE on a server?
2. if you're not running it, then what specific application has been updated that is not included in OpenBSD? When I think of a server, I think of (for example) something like Apache or Bind. OK sure, if there is a newer version of Apache then I'd expect that to be in OpenBSD - and it probably is. I don't really care that OpenBSD doesn't include the newest version of some mouse driver.
3. Even on a desktop system, I can't imagine that I'd want something that just came out yesterday.
That said, I'm not an OpenBSD evangelist. I just didn't think that you made a very good point there.
Then mod the grandparent "clueless!"
Linux Sorta Secure Standard
Linux Mostly Secure Professional
Linux Super Secure Gold
Linux Really Really Secure Platinum
Linux "Dude, Where's My Security" Ultimate
And call it MSLinux, for Most Secure Linux.
In fact, as The Spectator said at the time "Most people have learned with astonishment that it is possible for a ship like the Titanic to pass the Board of Trade tests with an insufficient number of boats. They had supposed hitherto that the invariable rule was "boat-room for every passenger". They went on to point out that the Titanic was nearly five times larger than the largest ship envisaged when the Regulations were drawn up.
However, the Titanic sank and the passengers died in large numbers because it was built down to a price. The builders did not do due diligence in considering whether the Regulations were appropriate, and the owners did not consider the hazards of operating so far north at the time of year. The failure of the Titanic was due to a failure of imagination as much as anything.
An Enterprise FOSS operating system is supposed to be accessible to review in a way which a closed source solution isn't. However, as the superstructure built around Linux is more corporatised, this review and exposure gets harder and, because of the constraint of commercial issues, the amount of review and testing is likely to be limited. So, FWIW, I do feel there is a risk of the fate of the Titanic overtaking supposedly secure Linuxes.
So taken.
1. why are you running KDE on a server?
I never mentioned anything about servers. The poster favored using OpenBSD instead of RedHat, and since RedHat is a popular desktop distro, I was using KDE to highlight the main reason why I thought OpenBSD is unsuitable in that role.
what specific application has been updated that is not included in OpenBSD?
Its server applications seem somewhat more up-to-date. That's probably due to the way it's used most often, as well as the fact that point releases of server software don't tend to be dramatically different than previous versions. That is, Apache 1.3.28 isn't radically different from 1.3.29, and staying current isn't quite as big a deal. On the other hand, do you really want to be using Firefox 1.0.1 (the version available in 3.7) these days?
Even on a desktop system, I can't imagine that I'd want something that just came out yesterday.
I understand about yesterday, but shipping with a version of KDE that was old two months before release seems a little behind the times.
I hope I don't sound like I'm chanting KDE! KDE! KDE!. That just happened to be the biggest thing I installed when I was experimenting with OpenBSD as a desktop, and the first package to make me start noticing how old a lot of the 3rd-party software really was when the release came out.
That said, I'm not an OpenBSD evangelist. I just didn't think that you made a very good point there.
Fair enough. By the same token, I'm not an OpenBSD hater at all. However, people who advocate replacing RedHat with OpenBSD really need to be aware of what they're asking for. Swapping out a DNS, Postfix, or Apache server would probably be an upgrade. Switching it in for a desktop probably would not be.
Dewey, what part of this looks like authorities should be involved?
Putting the core and necessary aspects of Fedora on only 1-2 CDs is one big goal for the Core 5 release (tentatively scheduled for February of next year). Check the FC5Future wiki page for more information: http://www.fedoraproject.org/wiki/FC5Future
Well, I agree that OpenBSD probably sucks as a desktop OS. I couldn't even get X running on FreeBSD and it's supposed to be easier to configure.
Continuing the discussion of older packages, you should know that I'm a debian guy so I'm used to being 10 years behind everybody else - but on the other hand, I always know that what I install is going to work.
I've read through the article, and I've read through the discussions here. The article really doesn't say that much.
Red Hat is talking about working with NIAP. This means they are going for a Common Criteria rating, which simply means it will be easier for the government to purchase the product for DoD acquisitions.
Does it mean the product is more secure? Only in press releases.
Security consists of two aspects: the functions provided to address threats in the environment (functional), and the confidence that those functions are correctly implemented (assurance). For a given product, the functional and assurance requirements are defined in the Security Target. As the article never mentioned the target, we have no idea what functions are claimed (although we can presume it is likely the set of C2 functions from TCSEC days, but that's unclear). This is important: I've seen products with really useless functions get evaluated, and I've seen ones with a reasonable function set.
Next, is the assurance question. EAL4 was mentioned, which is simply the highest level that can get mutual recognition. It is only moderate security... and again, only provides assurance relative to the functions that are claimed. Assurance is also related to the environment. If this product is for a "benign" environment, then it won't be subjected to strong testing.
This all comes together in the testing, which is relative to the functions and assurance. If there isn't strong vulnerability testing, then you only have relatively simple functional testing. If there is vulnerability testing, this is more in relation to the claimed functions. For example, if the product doesn't claim that it protects against denial of service attacks, then the vulnerability testers don't have the obligation to see if they can create a denial of service condition.
In short, this is a long way of saying: this is a press release, and needs the usual grain of salt. Get the Security Target. Read it. Understand the claimed security. This is true for ANY evaluated product.
I actually like FreeBSD as a desktop machine (it's what I'm posting from right now). The mailing lists are very newbie-friendly and helpful if you're into such things.
Continuing the discussion of older packages, you should know that I'm a debian guy so I'm used to being 10 years behind everybody else - but on the other hand, I always know that what I install is going to work.
In the interest of full disclosure, I was a Debian guy until I got tired of waiting for X.org, new KDE releases, and other such things. I used Gentoo for a while until Reiser ate my /usr partition, so I recently switched (back) to FreeBSD.
Dewey, what part of this looks like authorities should be involved?
You zealots never seem to realize your conception of the system you disdain is necessarily going to be incorrect, because you aren't going to spend the time required to really understand it. Concentrate on cheerleading your chosen religion's good points and stop trying to point out the other guy's bad points, that way you can show some real insight.
Dude, cool down, and read my post again. I was not talking about software RAID, but software to manage RAID cards. RAID card manufacturers, with LSI as an exception, do not give documentation unless it's under NDA or similar. If they have some application to control the RAID card it's typically a Windows and/or Linux binary.
Read the commentary to the OpenBSD 3.8 song.
Plus, if you wanted to run ancient packages you'd just run Debian stable. ;-)
do you really want to be using Firefox 1.0.1 (the version available in 3.7) these days?
You do realize that most distributions are just applying all patches for the latest stable release and patching to keep the name down[1]. I know that Debian and Ubuntu do this, and wouldn't be surprised if OpenBSD did also.
FC4 just takes the latest release without any version patching at all.
1. This is because when they tried only taking the security patches, they found how all of the patches are interdependent and just kept the version number to keep from having to rebuild any extensions they may have packaged.
There: Something at a specific location.
Their: Owned by someone.
Please make sure your english compiles.
This will be good for Red Hat, I applaud them for the hard work.
However, a certificate does not guarantee a secure system, just one that, properly managed, is capable of being secure ... or (strictly) pass certain security tests.
This will be good for other distributions, since they will be perceived to be secure since they are related to Red Hat; however to get the certification they will need to jump through the hoops to be tested ... that is a lot of work. Closely related distributions such as CentOS may be able to short circuit some of that work, but not all of it -- this is not a free lunch.
This will give Red Hat a marketing advantage (into some customer types) that will not be cheap/easy for others to follow. Good luck on them for their initiative ... let it raise the competitive bar and raise linux standards in general.
SELinux is turned on by default in RHEL. AFAIK, OpenBSD has no Discretionary Access Control method to speak of, much less turned on by default.
Do you think more people will learn a new OS (OpenBSD) or learn that files have a property called contexts, and that they need to have the right context for apps to serve them?
It's pretty simple once you read good documentation. And yeah, there isn't a lot of good documentation. Russell Coker is a great coder, but has no communications skills to speak of. I work with him, so I know. M4 for writing policies? In 2005? WTF? 'setsebool' - what? Why not 'setpoloptions'? Who cares if it's a boolean or not?
Luckily, the average joe doesn't need to write their own policies. And there's simpler tools, like system-config-securitylevel, to enable/disable policy options.
Nobody says Red Hat Enterprise Linux 5 (presumably that's what you mean by RedHat Server 2007) is uncrackable. They just say it's more secure.
Asslobster.
With the right (meaningless) security target, XP could get an EAL 7.
With a tough security target or conformance claim to a tough protection profile, a very good (read secure) OS could fail.
The question to ask is what protection profile or security target and who was the group that did the testing. I can tell you of an OS that underwent 6 months of 4 machines at a time penetration and code analysis testing against a rigorous security target. I'm not allowed to say who did the testing but you can guess since it was done in the US and resulted in an EAL 5 Augmented (and the Augmented only means elements above 5 were considered). And that OS had to be fixed with over 40 patches half way through the testing.
The lower EAL levels are easy, but just try to get a complicated product through at 5 or higher. Takes millions of $ and years of effort.
The parent poster is right. Red Hat is turning into the next Microsoft! Not the current Microsoft, but an even worse 'next' Microsoft that makes secure Operating Systems with decent default firewalling, MAC, no execute on new files, etc. And gives away all its source code to get you hooked! And even allows people to watch the revision control system to continue your OSS dependency habit! With a public bug database to get people sucked in! And buys other companies that make directory servers and clustered filesystems, but then uploads the source code for these once-proprietary things onto the intarweb!
REDHAT IS CLEARLY TEH MOST PROPIETERY COMPANY IN TEH UNIVORSE
So essentially the answer to the complexity of SELinux is to simply add rules to ignore whatever it complains about? Great :). FWIW, I think for 99% of users standard Unix DAC is just about right on the security/convenience tradeoff curve, and there is /far/ more to be gained from programmatic defenses against errors in code (as OpenBSD, Fedora, RHEL have done) without a loss in convenience.
BTW, the unlabeled cases - you really want to go label the files concerned instead. The cifs_t case is simply a fundamental weakness of SELinux (AIUI), to solve that you'd have to go add a cifs_and_http_t type (which seems about the same security as Unix groups, for a /whole/ lot more complexity).
--paulj
I use Friend/Foe + mod-point modifiers as a karma/reputation system.
I didn't put both on the same machine. (I left out a few details.)
I couldn't get the SELinux firewall to communicate with the Snort. Turned off SELinux and it worked. Again, I'm not that good a sysadmin and ran out of time allocated to the issue to work the problem out. The intention is to use SELinux firewall should our commercial firewall that protects our LAN die unexpectedly.
I'm using Base as a snort GUI. It's much better than the nothing they had before.
http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
I'm not using any binary-only software on any of my boxes. I have raid card management that works just fine (granted, I do have an LSI chipset); so your initial post still makes no sense to me.
;)
I just used google for a couple of seconds and found that Adaptec and 3ware both are freely providing management software for their RAID cards under linux. So perhaps the BSD website is not the best place to find information about what linux does or doesn't do?
OpenBSD is great, because it has incredibly strong code auditing. Not because something else sucks.
OpenBSD sucks, because it conforms to traditional (some would say obsolete) unix paradigms. Not because something else is great.
OpenSSH doesn't even suck
It's for good reason that OpenBSD (the FAQ says) decided to disable Adaptec RAID support in the GENERIC kernel, i.e. what's considered reliable. The OpenBSD developers have mellowed somewhat later on, since the FAQ entry about the removal of the Adaptec aac RAID driver from GENERIC has changed; to paraphrase the original: "The aac driver is removed due to unreliability. What part of _unreliable_ is unclear to you?". Now it's just a "non-starter" in the FAQ .-)
Hehe, of course you should be careful. For example, if you need to have web content outside /var/www/html, the solution is not to relax the SELinux protection around httpd, but rather to relabel the web content:
# up2date --install selinux-policy-targeted-sources
# cd /etc/selinux/targeted/src/policy
# cat >file_contexts/misc/local.fc <<END
/my/web/content(/.*)? system_u:object_r:httpd_sys_content_t
END
# make relabel
Possibly, yeah. In my case they're files in AFS. There should really be an afs_t though. But see below. Yeah. Maybe in the network filesystem case we should just trust the existing layer.
Hehe, of course you should be careful. For example, if you need to have web content outside /var/www/html, the solution is not to relax the SELinux protection around httpd, but rather to relabel the web content:
Yep. And I don't think this scales very far (different files that you want /multiple/ people to access).
Yeah. Maybe in the network filesystem case we should just trust the existing layer.
POSIX ACLs would work too, so you'd allow both httpd and AFS daemon users to access it. Far more standard, simple and portable too.
Anyway..
I use Friend/Foe + mod-point modifiers as a karma/reputation system.
> POSIX ACLs would work too
No, they don't. A SEL component is forced to declare *exactly* which *resources* of the system it needs and what it provides to others.
One cannot do this with ACLs or jails for example.
Of course you can use ACLs, but if you want to lock a socket resource for example, you can use SEL as an additional protection.
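What the local.fc entry in the relabel steps discussed above changes, as an added example that is not part of the thread or of SELinux's own code: a simplified Python model of file_contexts lookup, assuming anchored regexes with the last matching entry winning (the reordering of exact-match entries done by the real tools is ignored). Every entry except the /my/web/content line is constructed sample data.

```python
import re

# Constructed sample in file_contexts syntax: <path regex> [<file type>] <context>.
SAMPLE_FC = """\
# generic fallback first, more specific entries later
/.*                     system_u:object_r:default_t
/var/www(/.*)?          system_u:object_r:httpd_sys_content_t
/var/www/cgi-bin(/.*)?  system_u:object_r:httpd_sys_script_exec_t
"""
# The local.fc entry quoted in the post.
LOCAL_FC = "/my/web/content(/.*)? system_u:object_r:httpd_sys_content_t\n"


def parse_file_contexts(text):
    """Parse entries into (compiled regex, file type or None, context) tuples."""
    specs = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 2:
            pattern, ftype, context = fields[0], None, fields[1]
        elif len(fields) == 3:
            pattern, ftype, context = fields
        else:
            raise ValueError(f"line {lineno}: expected 2 or 3 fields: {raw!r}")
        specs.append((re.compile(pattern), ftype, context))
    return specs


def lookup(specs, path, ftype=None):
    """Return the context of the last entry whose regex matches the whole path."""
    for regex, spec_type, context in reversed(specs):
        if spec_type is not None and spec_type != ftype:
            continue  # entry restricted to another file type (e.g. -d, --)
        if regex.fullmatch(path):  # entries are anchored at both ends
            return None if context == "<<none>>" else context
    return None


def type_of(context):
    """Extract the type field (third component) of user:role:type."""
    return context.split(":")[2] if context else None


if __name__ == "__main__":
    before = parse_file_contexts(SAMPLE_FC)
    after = parse_file_contexts(SAMPLE_FC + LOCAL_FC)
    for p in ("/my/web/content/index.html", "/my/web/contents.bak"):
        print(p, type_of(lookup(before, p)), "->", type_of(lookup(after, p)))
```

The `(/.*)?` suffix covers the directory itself and everything beneath it, while a sibling path such as /my/web/contents.bak keeps the fallback type.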
I found this little php script called "cp.php" which I renamed pcp and use for mundane cp whenever I'm in a tty and hafta do lotsa copying. It gives lotsa info about progress of copying and such, which I really like compared to the rather spartan cp function. It may be somewhat superfluous, but it's nice eye candy in a bash, and nice for moving lotsa big files.
Someone with more Google skills than I might be able to find it online. I got it from sourceforge originally, but it doesn't seem to show up in their search any more (not that anything usually does =/ )
When you're afraid to download music illegally in your own home, then the terrorists have won!
Some packages are ancient, but much of the ports tree is not. If you want to run the most updated packages, then you have to use -current. Note that not all updates make it before code freeze, like the case with KDE for 3.7. KDE released 3.4 after code freeze for upcoming OpenBSD 3.7
I use OpenBSD for desktop, and for my needs it's very nice.