I am very very new to Linux security, so new that I am really pretty
stupid.  Would someone explain the SELinux thing to me, because I don't
get how to configure it etc...

Re: SELinux

JesusFreak wrote:

Have you tried the documentation at NSA?

I'm also new to it, so I just started reading and haven't much to say :o

By default, in grub's "menu.lst" there should be a parameter that reads
"selinux=0", set that to "1" first if you want to have it start at boot
time. It then starts in a mode that just monitors but doesn't prevent
anything from happening.

Have you read the manpage? It's short but has some hints where to look

Another thing I want to take a closer look at is:

Hope I didn't bore you with things you already were looking at..

kind regards,
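
Added example, not part of the original post: a small shell function that reads a kernel command line, such as the one set in grub's menu.lst, and reports what the `selinux=` and `enforcing=` boot parameters request. The sample command lines are constructed, and the function assumes a kernel built with SELinux enabled by default.

```shell
#!/bin/sh
# Added example (not from the thread): classify SELinux boot state from a
# kernel command line. selinux= and enforcing= are kernel boot parameters.
# Assumption: the kernel was built with SELinux support enabled by default.

selinux_boot_state() (
    # $1: kernel command line, e.g. the contents of /proc/cmdline
    set -f                      # no glob expansion while word-splitting
    sel="" enf=""
    for arg in $1; do
        case "$arg" in
            selinux=*)   sel=${arg#selinux=} ;;    # a later value overrides
            enforcing=*) enf=${arg#enforcing=} ;;
        esac
    done
    if [ "$sel" = "0" ]; then
        echo "disabled"         # enforcing= is irrelevant when SELinux is off
    elif [ "$enf" = "1" ]; then
        echo "enforcing"        # denials are blocked and logged
    elif [ "$enf" = "0" ]; then
        echo "permissive"       # denials are logged only
    else
        echo "unset-at-boot"    # mode left to userspace, typically /etc/selinux/config
    fi
)

# Constructed sample command lines, as they might appear in menu.lst.
for sample in \
    "ro root=/dev/hda1 selinux=0" \
    "ro root=/dev/hda1 selinux=1" \
    "ro root=/dev/hda1 selinux=1 enforcing=0" \
    "ro root=/dev/hda1 selinux=1 enforcing=1"
do
    printf '%-45s -> %s\n' "$sample" "$(selinux_boot_state "$sample")"
done

# The running system, where /proc/cmdline is readable.
if [ -r /proc/cmdline ]; then
    printf 'this boot: %s\n' "$(selinux_boot_state "$(cat /proc/cmdline)")"
fi
```

The boot parameters only show what was requested at startup; the mode can still be changed afterwards by the SELinux configuration the system loads.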

Re: SELinux

On Tue, 18 Oct 2005 17:04:17 -0700, JesusFreak wrote:

I hate SELinux. I disable it.


Re: SELinux

On Thu, 2005-10-20 at 23:12 +0000, Mike wrote:

then what would you suggest to do to harden a linux
system from kernel side?

Re: SELinux

:On Thu, 2005-10-20 at 23:12 +0000, Mike wrote:
:> I hate SELinux. I disable it.
:then what would you suggest to do to harden a linux
:system from kernel side?

If you want SELinux badly enough to invest the time needed to learn how
it works and administer a complex system that tends to have some minor
breakage every time a new update is released, then SELinux would be a
good layer of protection.  Personally, I'm with Mike on this.  For an
average home system that provides no externally accessible services,
SELinux is _way_ more trouble than it's worth.

Bob Nichols         AT I am "RNichols42"

Re: SELinux

Robert Nichols wrote:

I'm also with you. I am having some interest in it for learning purposes.
I'd consider it for a server system that seldom changes (but as for our
customers, I'd strongly favor regular updates because we *do* changes

I do not use it at home yet and don't yet plan to.

Re: SELinux

Luca Pasquali wrote:

Run something like Bastille.

Various Honeypot projects have tested various systems
to see how they get broken into. Linux systems do pretty well.
The biggest problems are simple dictionary attacks on passwords.
Use good passwords.  Or something like a thumbprint biometric.
The second biggest type of break in was exploits.
Solution, keep your system patched rigorously and in
a timely manner.

That should do 99% of what you really need to do.

Don't run services you don't need.  Make sure
you don't have ports open to services you are not using.
Make sure your firewall is set up.

If you are going to be away from a system for some time
and don't need to ssh into it or some such, ifup and ifdown to
take it offline if you have broadband always on.

Back up your system to CD or DVD in case you want to be ready
for possible compromised systems.
Have Knoppix disc on hand.

Easy to break passwords seem to be the bête noire
of Linux systems if the honeypot project people
got it right.

The official spokesman of the Foxes said
today that investigation into what happened
to the henhouse may be needed.

Cheerful Charlie

Re: SELinux

Luca Pasquali wrote:
GRSecurity has worked well for me.

At its most basic level, it can provide overflow protection (PAX) for
your whole box, and significant jail hardening - both automatically and
transparently. You can also effect role-based controls and other
things, which would require separate management.

If you then put your externally-connected processes (e.g. browser,
snort, privoxy, TOR, etc.) in individual, hardened jails, you're
probably a lot better protected against some of those wonderful new
0-day exploits that affect browsers, plugins/extensions, etc.

Here's a link that describes why some "hardened" kernel users do not
use SELinux:

LIDS and RSBAC are also well-regarded by their users.
