[CentOS] [OT][Practices] The Case for RBAC/MAC

Sat Nov 19 03:48:08 UTC 2005
Lamar Owen <lowen at pari.edu>

On Friday 18 November 2005 21:54, Les Mikesell wrote:
> The black hat activities can only
> exploit existing bugs and adding new code that no one understands may
> not be the way to reduce bugs.

No, it may not be a reduction in the net number of bugs.  I'll not argue that 
point.  I will say that I do think the base premise of one superuser is a 
Wrong Thing, and I think properly implemented roles and mandatory access 
controls are the right direction for adding yet another layer.

If I have a flat tire, and have five patches to fix the tire, but each patch 
has a hole in it, the likelihood is that if I apply all five patches the 
holes won't line up and I can make it home on the tire.  Yes, it is possible 
that all five holes will line up; but it is less likely than with one patch 
on the tire.  And all the patches have holes; there is always one more bug in 
every program, regardless of age and experience.

> If you are starting from scratch building a new service you can do
> that.  If you've inherited 30 years worth of existing stuff that
> relies on permissions being what the filesystem says they are, then
> you are going to be spending an enormous amount of time trying to
> fix something that wasn't broken.

And this is the sort of thing the Fedora and Red Hat developers are doing now.  
This is why RHEL has a targeted and not a blanket enforcing policy.  No, it 
is not perfect.  Neither are the other security features in recent Red Hat 
releases, some of which interacted badly with some programs I use daily 
(CrossOver Office, for one, didn't like execshield, but it was Wine that was 
broken, not execshield).

> It's no fun arguing with someone who is being reasonable...

Judging from some others' replies, not all share your opinion; that's ok.  I 
try to be reasonable, but I also tend to expect others to be reasonable, and 
tend to get nervy with those who are unreasonable.  And I am not always 
successful at being reasonable (just ask my kids). :-)

> But compare 
> this to a few years back when distributions added ssh because of its
> security advantages over telnet - and in doing so introduced the means
> that many systems, including some of mine, were exploited using bugs
> in the new code.  Following someone else's advice about best practices
> doesn't always make your system more secure, even when the theory
> sounds right.

In theory, there is no difference between theory and practice.  In practice, 
there is.

I wasn't impacted by the ssh holes, since I had two more layers above that 
preventing any ssh sessions from untrusted IPs.  Of course, I patched when 
the patches came out, because I know that no firewall is perfect.  But the 
holes don't usually line up.

Layers, layers, layers.  Winter is coming upon us, and the advice is always to 
dress in layers.  Sound advice, both for clothing and for security.  The 
Internet Blizzard of malware is upon us; weather the storm with layers.  
Yeah, that woolen union suit might itch, but it sure is warm.
-- 
Lamar Owen
Director of Information Technology
Pisgah Astronomical Research Institute
1 PARI Drive
Rosman, NC  28772
(828)862-5554
www.pari.edu