[CentOS] [OT][Practices] The Case for RBAC/MAC
lowen at pari.edu
Sat Nov 19 03:48:08 UTC 2005
On Friday 18 November 2005 21:54, Les Mikesell wrote:
> The black hat activities can only
> exploit existing bugs and adding new code that no one understands may
> not be the way to reduce bugs.
No, it may not be a reduction in the net number of bugs. I'll not argue that
point. I will say that I do think the base premise of one superuser is a
Wrong Thing, and I think properly implemented roles and mandatory access
controls are the right direction for adding yet another layer.
If I have a flat tire, and have five patches to fix the tire, but each patch
has a hole in it, the likelihood is that if I apply all five patches the
holes won't line up and I can make it home on the tire. Yes, it is possible
that all five holes will line up; but it is less likely than with one patch
on the tire. And all the patches have holes; there is always one more bug in
every program, regardless of age and experience.
> If you are starting from scratch building a new service you can do
> that. If you've inherited 30 years worth of existing stuff that
> relies on permissions being what the filesystem says they are, then
> you are going to be spending an enormous amount of time trying to
> fix something that wasn't broken.
And this is the sort of thing the Fedora and Red Hat developers are doing now.
This is why RHEL has a targeted and not a blanket enforcing policy. No, it
is not perfect. Neither are the other security features in recent Red Hat
releases, some of which interacted badly with some programs I use daily
(CrossOver Office, for one, didn't like execshield, but it was Wine that was
broken, not execshield).
> It's no fun arguing with someone who is being reasonable...
Judging from some others' replies, not all share your opinion; that's ok. I
try to be reasonable, but I also tend to expect others to be reasonable, and
tend to get nervy with those who are unreasonable. And I am not always
successful at being reasonable (just ask my kids). :-)
> But compare
> this to a few years back when distributions added ssh because of its
> security advantages over telnet - and in doing so introduced the means
> that many systems, including some of mine, were exploited using bugs
> in the new code. Following someone else's advice about best practices
> doesn't always make your system more secure, even when the theory
> sounds right.
In theory, there is no difference between theory and practice. In practice,
I wasn't impacted by the ssh holes, since I had two more layers above that
preventing any ssh sessions from untrusted IP's. Of course, I patched when
the patches came out, because I know that no firewall is perfect. But the
holes don't usually line up.
Layers, layers, layers. Winter is coming upon us, and the advice is always to
dress in layers. Sound advice, both for clothing and for security. The
Internet Blizzard of malware is upon us; weather the storm with layers.
Yeah, that woolen union suit might itch, but it sure is warm.
Director of Information Technology
Pisgah Astronomical Research Institute
1 PARI Drive
Rosman, NC 28772
More information about the CentOS