[CentOS] SELinux - way of the future or good idea but !!!

Mon Nov 29 12:50:47 UTC 2010
Marko Vojinovic <vvmarko at gmail.com>

On Monday 29 November 2010 03:37:29 Les Mikesell wrote:
> On 11/28/10 5:29 PM, Marko Vojinovic wrote:
> > I wouldn't know the typical ratio itself as a number, but I can tell you
> > it is surely less than one. I had three identical systems compromised at
> > the same time (one of the users had a weak password, and he used the
> > same password on all three machines... you wouldn't believe...). Two
> > systems had SELinux disabled, the third one had it enabled. For the
> > first two, the intruder managed to escalate to root and I had a busy weekend
> > reinstalling those machines from scratch afterwards. For the third one,
> > the intruder never managed to escalate to root, and this was clearly
> > visible in SELinux and other system logs. I simply purged that user
> > account and had everything working in no time.
> 
> But that means you were running software with vulnerabilities or a user
> would not be able to become root anyway.  Is that due to not being up to
> date (i.e. would normal, non-SELinux measures have been enough), or was
> this before a fix was available?

Well, the kernel I used at the time had a known exploit (exploitable by some
services I was running), and the intruder took advantage of that. Of course, it
was partly my fault, because I hadn't restarted those machines for a long time,
so the updated kernel wasn't running on them.

True, if I had kept the kernel up to date, he wouldn't have been able to gain root on
any of the machines. But given that I administer these machines remotely
(from a different country, several thousand km away), I don't quite enjoy
rebooting them just to activate the latest kernel. If something goes wrong and
the machine fails to boot, I need someone local to help me out, have a lot of
downtime, etc.

So yes, I agree, if I took good care of the rest of the system nothing serious 
would have happened. But in this particular case SELinux saved my skin, since 
the third machine could take the load from the first two while these were 
kickstarted by a friend of mine... :-)

Best, :-)
Marko
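The failure mode Marko describes above, a patched kernel sitting on disk while the old, vulnerable one keeps running, is easy to detect from a remote shell without rebooting anything. The script below is an added example and not code from the thread or from CentOS; it compares the running kernel release (what `uname -r` prints) against the newest `kernel` package installed (what `rpm -q kernel` lists) using a field-by-field version comparison, so that 194.26.1 correctly ranks above 194.8.1. The sample values are constructed to look like a CentOS 5 box that was updated but never rebooted; the function and variable names are this example's own.

```shell
#!/bin/sh
# Constructed sample input (not taken from the thread): what `uname -r` and
# `rpm -q kernel` might print on a CentOS 5 host that was updated but not rebooted.
RUNNING_KERNEL="2.6.18-194.11.1.el5"
INSTALLED_KERNELS="kernel-2.6.18-194.11.1.el5
kernel-2.6.18-194.26.1.el5
kernel-2.6.18-194.8.1.el5"

# Compare two kernel release strings field by field, splitting on '.' and '-'.
# Prints -1, 0 or 1 for a<b, a=b, a>b. Fields that are both numeric compare as
# numbers, everything else lexically, so "26" beats "8" and "el5" beats "".
vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, A, /[.-]/); nb = split(b, B, /[.-]/)
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? A[i] : ""; y = (i <= nb) ? B[i] : ""
            if (x ~ /^[0-9]+$/ && y ~ /^[0-9]+$/) { x += 0; y += 0 }
            if (x < y) { print "-1"; exit }
            if (x > y) { print "1"; exit }
        }
        print "0"
    }'
}

# Walk a whitespace/newline separated list of "kernel-<release>" package names
# (the shape of `rpm -q kernel` output) and return the highest release.
newest_installed() {
    best=""
    for pkg in $1; do
        rel=${pkg#kernel-}
        if [ -z "$best" ] || [ "$(vercmp "$rel" "$best")" -eq 1 ]; then
            best=$rel
        fi
    done
    printf '%s\n' "$best"
}

# True (exit 0) when a newer kernel than the running one is installed, i.e. the
# fix is on disk but will not protect the host until the next reboot.
reboot_pending() {
    running=$1
    newest=$(newest_installed "$2")
    [ "$(vercmp "$newest" "$running")" -eq 1 ]
}

if reboot_pending "$RUNNING_KERNEL" "$INSTALLED_KERNELS"; then
    echo "reboot pending: running $RUNNING_KERNEL, newest installed $(newest_installed "$INSTALLED_KERNELS")"
else
    echo "running kernel $RUNNING_KERNEL is the newest installed"
fi
```

On a real host the same check is `reboot_pending "$(uname -r)" "$(rpm -q kernel)"`; it only looks at the base `kernel` package, so a machine booting `kernel-PAE` or `kernel-xen` would need that package name substituted. Run from cron and mailed out, it turns "I forgot to reboot after the update" into a daily reminder rather than a post-incident discovery.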