On 11/28/10 5:29 PM, Marko Vojinovic wrote:
I wouldn't know the typical ratio itself as a number, but I can tell you it is surely less than one. I had three identical systems compromised at the same time (one of the users had a weak password, and he used the same password on all three machines... you wouldn't believe...). Two systems had SELinux disabled; the third one had it enabled. On the first two, the intruder managed to escalate to root, and I had a busy weekend reinstalling those machines from scratch afterwards. On the third one, the intruder never managed to escalate to root, and this was clearly visible in SELinux and other system logs. I simply purged that user account and had everything working in no time.
But that means you were running software with vulnerabilities or a user would not be able to become root anyway. Is that due to not being up to date (i.e. would normal, non-SELinux measures have been enough), or was this before a fix was available?