Slashdot Mirror


Just How Effective is System Hardening?

SkiifGeek, pointing to our recent coverage of what the NSA went through to create SELinux, wants to know just how effective system hardening is at preventing successful attack, and writes "When Jay Beale presented at DefCon 14, he quoted statistics (PDF link) that Bastille protected against every major threat targeting Red Hat 6, before the threats were known. With simple techniques available for the everyday user which can start them on the path towards system hardening, just how effective have you found system and network hardening to be? The NSA does have some excellent guides to help harden not only your OS but also your browser and network equipment."

13 of 154 comments

  1. Ahh yes, by abolitiontheory · · Score: 5, Funny

    /. is just the place to come for advice on "system hardening."

    1. Re:Ahh yes, by sm62704 · · Score: 5, Funny

      "Trinity" from The Matrix hardened my system!

      Oh, you're talking about computer security? Never mind, then.

      --
      mcgrew's razor: Never attribute to stupidity that which can be explained by greedy self-interest
  2. Defense in Depth by Hyppy · · Score: 5, Insightful

    System hardening is just another layer of a "defense in depth" security posture. The more layers, the better. So, if an adversary manages to get through your site firewall, access lists, IPS, vlan segregation, virus scanner, etc, they still have to contend with a hardened local system in order to compromise data.

    System hardening is also very helpful against inside jobs, or against other systems on the network compromised through brute force or social engineering.

    1. Re:Defense in Depth by Hyppy · · Score: 5, Insightful

      If you consider system hardening as more than just installing SELinux, you can see it helps secure more than just users with shell access.

      Many of the SNACs (or STIGs as I remember them being called) go into detail in such areas as setting the method for password hashing, setting policies for allowed authentication protocols, disabling authentication on time mismatches, and a plethora of other things.

      If nothing else, system hardening can be a "best practices" framework for your systems and/or network. I remember one of my systems administrators complaining to a security inspector that the system would not allow a log on if the security log was full instead of just overwriting old entries. He didn't realize that filling the security log with bogus crap could mask a real intrusion. Nobody knows absolutely everything, and not everyone has the time to sit down and understand every intricate detail. Using a system hardening approach, however, is a very good foundation to build your overall security posture.

      You say that you only allow http, but what happens when a vulnerability is found in code that you use for your http application? That's what defense in depth is all about. You may be able to knock down this wall, but there are 10 more behind it that are even bigger.

    2. Re:Defense in Depth by Jeruvy · · Score: 5, Insightful

      OS Hardening is exactly that, risk mitigation. If you know that you don't need to run certain processes or you can run them with reduced variables, not only will your systems run with less risk, they can also be more stable. Fewer updates and patches, less dealing with new variables (because someone enabled some feature that was disabled), adding new functions only after approval and ensuring they meet your requirements. So yes, I'd say OS hardening is an essential part of your good security practices.

      --
      Jeruvy
    3. Re:Defense in Depth by Hyppy · · Score: 5, Insightful

      Weigh it depending on your needs. Prioritize, without putting any two factors on equal footing. What is more important and least important out of these three: secure data, catching an intruder who may have accessed secure data, or having regular users log on during a DOS attack?

      That's one of the biggest hurdles today in security: striking a balance and prioritizing. Everyone can say "Usability and security are both important," but it takes time and thought to come up with a detailed analysis of the priorities during an actual attack.

    4. Re:Defense in Depth by Ryan+Amos · · Score: 5, Insightful

      SELinux is great for hardening a box. Unfortunately most sysadmins don't take the time to learn how it works and turn it off because they can't get something to work. Yes; it is a pain in the ass to deal with most of the time, but it's saved me from some big mistakes before as well.

      SELinux almost makes more sense in an appliance server; as the config is not likely to change much. Just assume the web interface is vulnerable (it probably is; if not through your code then some as-yet undiscovered vulnerability in the LAMP stack.) I'll admit, SELinux is a religion you've got to practice, but Unix filesystem permissions leave a lot to be desired (I don't like having to create a new group every time I want to set permissions on a subset of users, thanks.) There needs to be more in the 21st century, and while SELinux is not the best solution, it's a workable one.

      The goal of SELinux IMO is the realization that you will never get rid of all vulnerable code on your box. What you can do is limit the damage they can do when they get past the application layer security. Who cares if they can hack your sendmail server when it doesn't have access to read/write anything outside its config and spool directories?
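
      Hyppy's reply above mentions that STIG-style guides pin down details like the password hashing method and what happens when the security log fills up, and Ryan+Amos notes that the first thing many admins do is switch SELinux off. A baseline check that reads those settings back is the practical glue between the two. The following is an added example written for this page, not code from the thread, from Bastille, from SELinux or from any STIG: it parses a handful of Linux config files and reports each directive that misses the example's chosen baseline. The accepted values (SHA512/yescrypt hashing, no root or password SSH logins, SELinux enforcing, auditd halting when its disk is full) are this example's own reading of common hardening guidance, not a quotation of a specific guide, and the two sample hosts are constructed text, not captures from a real machine.

```python
"""Read back a few hardening settings and flag the ones that miss a baseline.

Added example for this thread; not Bastille, SELinux or STIG code.
The WEAK_HOST / HARDENED_HOST config texts below are constructed samples.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Finding:
    path: str
    key: str
    actual: Optional[str]   # None when the directive is absent, so the daemon default applies
    expected: str


# Rules chosen for this example: (file, directive, accepted-value predicate, expectation text).
RULES: List[Tuple[str, str, Callable[[Optional[str]], bool], str]] = [
    ("/etc/login.defs", "ENCRYPT_METHOD",
     lambda v: v is not None and v.upper() in {"SHA512", "YESCRYPT"},
     "SHA512 or YESCRYPT (no MD5/DES password hashes)"),
    ("/etc/ssh/sshd_config", "PermitRootLogin",
     lambda v: v is not None and v.lower() == "no", "no"),
    ("/etc/ssh/sshd_config", "PasswordAuthentication",
     lambda v: v is not None and v.lower() == "no", "no (key-based authentication only)"),
    ("/etc/selinux/config", "SELINUX",
     lambda v: v is not None and v.lower() == "enforcing", "enforcing"),
    ("/etc/audit/auditd.conf", "disk_full_action",
     lambda v: v is not None and v.lower() in {"halt", "single"},
     "halt or single (stop rather than lose audit records)"),
]

# Matches 'KEY value' (sshd_config, login.defs) and 'KEY = value' (auditd.conf, selinux/config).
_LINE = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*(?:=|\s)\s*(\S+)")


def parse_directives(text: str) -> Dict[str, str]:
    """Return directive -> value, skipping comments and blank lines.

    The first occurrence wins, which is how sshd_config resolves duplicates;
    the other files handled here are assumed to list each key once.
    Directive names are matched exactly as written in the sample files.
    """
    out: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _LINE.match(line)
        if m and m.group(1) not in out:
            out[m.group(1)] = m.group(2)
    return out


def check_baseline(files: Dict[str, str]) -> List[Finding]:
    """Evaluate every rule against the supplied file contents (path -> text)."""
    parsed = {path: parse_directives(text) for path, text in files.items()}
    findings = []
    for path, key, ok, expected in RULES:
        actual = parsed.get(path, {}).get(key)
        if not ok(actual):
            findings.append(Finding(path, key, actual, expected))
    return findings


# Constructed sample: a box left at installer defaults. Note PasswordAuthentication
# is absent, so sshd's default (yes) applies and the rule must still fire.
WEAK_HOST = {
    "/etc/login.defs": "ENCRYPT_METHOD MD5\nPASS_MAX_DAYS 99999\n",
    "/etc/ssh/sshd_config": "# sshd_config\nPermitRootLogin yes\n"
                            "# PasswordAuthentication is not set here\n",
    "/etc/selinux/config": "SELINUX=permissive\nSELINUXTYPE=targeted\n",
    "/etc/audit/auditd.conf": "disk_full_action = SUSPEND\n",
}

# Constructed sample: the same box after the baseline has been applied.
HARDENED_HOST = {
    "/etc/login.defs": "ENCRYPT_METHOD SHA512\nPASS_MAX_DAYS 60\n",
    "/etc/ssh/sshd_config": "PermitRootLogin no\nPasswordAuthentication no\n",
    "/etc/selinux/config": "SELINUX=enforcing\nSELINUXTYPE=targeted\n",
    "/etc/audit/auditd.conf": "disk_full_action = halt\n",
}

if __name__ == "__main__":
    for f in check_baseline(WEAK_HOST):
        print(f"{f.path}: {f.key}={f.actual!r}, expected {f.expected}")
    print("hardened host findings:", check_baseline(HARDENED_HOST))
```

      Running it against the weak sample lists five findings, including the one for the directive that is missing rather than wrong; the hardened sample produces none. On a real host you would feed `check_baseline` the contents of the actual files and keep the rule list under the same change control as the configs it checks, which is the "best practices framework" role Hyppy describes.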

  3. Concrete by Urger · · Score: 5, Funny

    I found encasing the system in steel reinforced concrete made the system much harder. Similar attempts to place end users in the same situation were not as successful.

    1. Re:Concrete by abolitiontheory · · Score: 5, Funny

      concrete does end users quite nicely though.

  4. Easy by J3M · · Score: 5, Funny

    I use Ubuntu 8.04. It's hardy out of the box.

    --
    Aych tea tea pea colon slash slash slash dot dot org slash
  5. Re:Everyone knows... by sm62704 · · Score: 5, Funny

    I use security through obsolescence. Nobody's going to crack my ENIAC clone!

    --
    mcgrew's razor: Never attribute to stupidity that which can be explained by greedy self-interest
  6. Re:How hard is it to get any real work done on loc by abolitiontheory · · Score: 5, Insightful

    A lot more work and a lot less dead time than waiting for IT to resurrect a completely fsck'd system, maybe?

  7. Re:Is it just me? by been42 · · Score: 5, Insightful

    Am I the only one that is a bit skeptical of downloading .msi packages from nsa.gov?

    I'm not wary at all. Any access they might want into your Windows system was probably built in. I imagine they already have that kind of access to every Windows computer. Anything they can give you to help keep your Windows machine from turning into part of a North Korean botnet can only benefit both you and the government.