Just How Effective is System Hardening?
SkiifGeek, pointing to our recent coverage of what the NSA went through to create SELinux, wants to know just how effective system hardening is at preventing successful attack, and writes "When Jay Beale presented at DefCon 14, he quoted statistics (PDF link) that Bastille protected against every major threat targeting Red Hat 6, before the threats were known. With simple techniques available for the everyday user which can start them on the path towards system hardening, just how effective have you found system and network hardening to be? The NSA does have some excellent guides to help harden not only your OS but also your browser and network equipment."
Re:Defense in Depth (Score:5, Interesting)
If you have to allow actual users to use a shell on that box, however, I would agree that a SELinux approach is critical because you cannot really determine where you will get attacked from...
The Network guides are nice (Score:5, Interesting)
I can't speak to how well they withstand attacks after that, but if you follow their instructions, an nmap scan basically reveals no open services (ssh ports have their own access lists).
I prefer the guides to tools like RAT because auditors get so out of date that you end up chasing down their rules to find out they don't even know about the last few years of security enhancements. Cisco's Output Interpreter is also good for advice on hardening your devices.
Everyday user? (Score:2, Interesting)
So in summary the only everyday users who could do this are those using Vista.... an unusual plug for Redmond from Slashdot.
allow execution of only known good binaries (Score:1, Interesting)
One good tool out there is from Solidcore. It is being used in point-of-sale devices, ATMs and production servers in some big enterprises.
Works on Windows* and Unices.
-Yv
Re:How hard is it to get any real work done on loc (Score:3, Interesting)
You could always bring in a lappy and do like this guy [shandyking.com] did ...
works ok for me (Score:4, Interesting)
It's not perfect by a long shot, but it's good enough that we've not had a sniff of a virus or malware outbreak in getting on for three years now. Hell, we don't even consider it necessary to install most MS updates straight away. We let other people do the testing, and roll them out via WSUS 3-6 months later.
Re:Defense in Depth (Score:3, Interesting)
Add the amount of general awe the people hold toward the NSA and SELinux, and there is a tendency for it to be not just A silver bullet, but THE silver bullet.
That's not even to say anything necessarily bad about SELinux or the job it does, but there can be difficult circumstances created around it.