[CentOS] SELinux - way of the future or good idea but !!!
vvmarko at gmail.com
Mon Nov 29 12:50:47 UTC 2010
On Monday 29 November 2010 03:37:29 Les Mikesell wrote:
> On 11/28/10 5:29 PM, Marko Vojinovic wrote:
> > I wouldn't know the typical ratio itself as a number, but I can tell you
> > it is surely less than one. I had three identical systems compromised at
> > the same time (one of the users had a weak password, and he used the
> > same password on all three machines... you wouldn't believe...). Two
> > systems had SELinux disabled, the third one had it enabled. For the
> > first two, intruder managed to escalate to root and I had a busy weekend
> > reinstalling those machines from scratch afterwards. For the third one,
> > the intruder never managed to escalate to root, and this was clearly
> > visible in SELinux and other system logs. I simply purged that user
> > account and had everything working in no time.
> But that means you were running software with vulnerabilities or a user
> would not be able to become root anyway. Is that due to not being up to
> date (i.e. would normal, non-SELinux measures have been enough), or was
> this before a fix was available?
Well, the kernel I used at the time had a known exploit (exploitable by some
services I was running), and the intruder got advantage of that. Of course, it
was partly my fault, because I didn't restart those machines for a long time,
so the updated kernel wasn't running on them.
True, if I kept the kernel up-to-date, he wouldn't be able to gain root on any
of the machines. But given that I am administrating these machines remotely
(from a different country, several thousand km away), I don't quite enjoy
rebooting them just to activate the latest kernel. If something goes wrong and
the machine fails to boot, I need someone local to help me out, have a lot of
So yes, I agree, if I took good care of the rest of the system nothing serious
would have happened. But in this particular case SELinux saved my skin, since
the third machine could take the load from the first two while these were
kickstarted by a friend of mine... :-)
More information about the CentOS