[CentOS] duqu

Wed Dec 7 20:52:12 UTC 2011
Lamar Owen <lowen at pari.edu>

On Wednesday, December 07, 2011 10:44:10 AM Michael Simpson wrote:
> SELinux is great but didn't save Russell Coker from having his play
> machine owned with the vmsplice exploit.

> http://etbe.coker.com.au/2008/04/03/trust-and-play-machine/
> http://www.coker.com.au/selinux/play.html

In this particular instance, the 2.6.23 kernel introduced a setting that is a workaround for the general NULL dereference to page zero case, and it requires SELinux to be in enforcing mode to work.  Whether upstream backported that to 2.6.18 (in EL5) or not, I don't know.  That fix is assuredly in the EL6 2.6.32+patches kernel.  April 2008 is a long time ago in terms of SELinux.  Russell is quite the brave soul for doing this sort of thing.

Nothing is 100%, of course.  That is a given.

> RSA also showed that social engineering is still an excellent vector.

Social engineering is the biggest problem, bar none.

> Rigorous patching, non-default ports, key based authentication,
> fail2ban/denyhosts, port knocking, SELinux &c are useful in increasing
> the cost of breaking into boxen above the (drive-by/skiddie)
> breakpoint of almost free but from that point onwards you need to
> balance potential cost of break-in against cost of prevention.

You cannot prevent an intrusion; you can only slow it down.  If you make it too slow to be useful, then you can have a chance at being relatively secure.  Make it cost the attacker, too, as they are also looking at a cost/benefit balance sheet.
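As an added example that is not part of this thread, a small defender's check for the two conditions the message above describes: a non-zero low-memory mapping floor and SELinux in enforcing mode. It assumes the floor is the Linux vm.mmap_min_addr sysctl (not named in the post) and that SELinux mode is available from getenforce; the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the mailing-list post. Assumes a Linux host
# where the page-zero mapping floor is the vm.mmap_min_addr sysctl
# (/proc/sys/vm/mmap_min_addr) and SELinux mode is reported by getenforce.

# Evaluate the two conditions on supplied values, so the logic can be
# exercised without a live kernel. Arguments:
#   $1 = mmap_min_addr in decimal bytes
#   $2 = SELinux mode: Enforcing, Permissive or Disabled
# Prints one line per condition; returns 0 only when both hold.
check_null_deref_guard() {
    min_addr="$1"
    se_mode="$2"
    ok=0
    if [ "$min_addr" -gt 0 ] 2>/dev/null; then
        echo "mmap_min_addr=$min_addr: low memory mapping blocked"
    else
        echo "mmap_min_addr=$min_addr: page zero mappable by unprivileged code"
        ok=1
    fi
    case "$se_mode" in
        Enforcing) echo "SELinux: enforcing" ;;
        *) echo "SELinux: $se_mode (guard not enforced)"; ok=1 ;;
    esac
    return $ok
}

# Read the live values from this host; the fallbacks (0 / Disabled) are
# constructed defaults that make an unreadable value fail the check.
live_check() {
    addr=$(cat /proc/sys/vm/mmap_min_addr 2>/dev/null || echo 0)
    mode=$(getenforce 2>/dev/null || echo Disabled)
    check_null_deref_guard "$addr" "$mode"
}
```

Run `live_check` on an EL host to get the verdict for that machine; the exit status is usable from a config-audit job.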