On Monday 29 November 2010 03:37:29 Les Mikesell wrote:
> On 11/28/10 5:29 PM, Marko Vojinovic wrote:
> > I wouldn't know the typical ratio itself as a number, but I can tell you
> > it is surely less than one. I had three identical systems compromised at
> > the same time (one of the users had a weak password, and he used the
> > same password on all three machines... you wouldn't believe...). Two
> > systems had SELinux disabled, the third one had it enabled. For the
> > first two, the intruder managed to escalate to root and I had a busy weekend
> > reinstalling those machines from scratch afterwards. For the third one,
> > the intruder never managed to escalate to root, and this was clearly
> > visible in SELinux and other system logs. I simply purged that user
> > account and had everything working in no time.
>
> But that means you were running software with vulnerabilities or a user
> would not be able to become root anyway. Is that due to not being up to
> date (i.e. would normal, non-SELinux measures have been enough), or was
> this before a fix was available?

Well, the kernel I used at the time had a known exploit (exploitable by some services I was running), and the intruder took advantage of that. Of course, it was partly my fault, because I didn't restart those machines for a long time, so the updated kernel wasn't running on them.

True, if I had kept the kernel up to date, he wouldn't have been able to gain root on any of the machines. But given that I am administering these machines remotely (from a different country, several thousand km away), I don't quite enjoy rebooting them just to activate the latest kernel. If something goes wrong and the machine fails to boot, I need someone local to help me out, have a lot of downtime, etc.

So yes, I agree, if I had taken good care of the rest of the system nothing serious would have happened.

But in this particular case SELinux saved my skin, since the third machine could take the load from the first two while these were kickstarted by a friend of mine... :-)

Best, :-)
Marko
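The failure mode described in this thread, an updated kernel installed but never booted, is easy to check for automatically. The following is an added example, not code from the thread or from any of the projects mentioned: it compares the running kernel (`uname -r`) against the installed kernel packages using a simplified rpm-style version comparison (numeric segments beat alphabetic ones, so `194.26.1.el5` correctly ranks above `194.el5`, which plain `sort -V` gets wrong). The sample version strings and the set of architecture suffixes are constructed assumptions.

```python
import re
import platform
import subprocess

# Constructed sample values (not from the thread): what `uname -r` and
# `rpm -q kernel --qf '%{VERSION}-%{RELEASE}.%{ARCH}\n'` might report.
RUNNING_SAMPLE = "2.6.18-194.el5"
INSTALLED_SAMPLE = ["2.6.18-194.el5.x86_64", "2.6.18-194.26.1.el5.x86_64"]

# Assumed set of arch suffixes to strip so rpm output and uname -r line up.
ARCHES = {"x86_64", "i686", "i386", "noarch", "ppc64"}
SEG = re.compile(r"[0-9]+|[a-zA-Z]+")  # rpmvercmp ignores separators

def strip_arch(kver):
    head, _, tail = kver.rpartition(".")
    return head if tail in ARCHES else kver

def vercmp(a, b):
    """Simplified rpmvercmp: segment-wise compare; digits beat letters."""
    sa, sb = SEG.findall(a), SEG.findall(b)
    for x, y in zip(sa, sb):
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            if int(x) != int(y):
                return (int(x) > int(y)) - (int(x) < int(y))
        elif xd != yd:
            return 1 if xd else -1      # numeric segment is newer
        elif x != y:
            return (x > y) - (x < y)
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # leftover segments win

def evr_cmp(a, b):
    """Compare VERSION-RELEASE strings: version first, then release."""
    va, _, ra = a.partition("-")
    vb, _, rb = b.partition("-")
    return vercmp(va, vb) or vercmp(ra, rb)

def newest_kernel(installed):
    vers = [strip_arch(k) for k in installed]
    return max(vers[1:], key=lambda v: (evr_cmp(v, vers[0]) > 0, v) , default=vers[0]) if False else \
        __import__("functools").reduce(lambda best, v: v if evr_cmp(v, best) > 0 else best, vers)

def reboot_needed(running, installed):
    """True when a newer kernel is installed than the one currently running."""
    return evr_cmp(newest_kernel(installed), strip_arch(running)) > 0

if __name__ == "__main__":  # live check on an RPM-based host, if rpm is present
    out = subprocess.run(["rpm", "-q", "kernel", "--qf", "%{VERSION}-%{RELEASE}.%{ARCH}\n"],
                         capture_output=True, text=True)
    installed = out.stdout.split() if out.returncode == 0 else INSTALLED_SAMPLE
    print("reboot needed" if reboot_needed(platform.release(), installed) else "running newest kernel")
```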