Just How Effective is System Hardening?
SkiifGeek, pointing to our recent coverage of what the NSA went through to create SELINUX, wants to know just how effective system hardening is at preventing successful attack, and writes "When Jay Beale presented at DefCon 14, he quoted statistics (PDF link) that Bastille protected against every major threat targeting Red Hat 6, before the threats were known. With simple techniques available for the everyday user which can start them on the path towards system hardening, just how effective have you found system and network hardening to be? The NSA does have some excellent guides to help harden not only your OS but also your browser and network equipment."
Ahh yes, (Score:5, Funny)
Re:Ahh yes, (Score:5, Funny)
Oh, you're talking about computer security? Never mind, then.
Re:Ahh yes, (Score:4, Funny)
"The system is down."
Am I gay?
Re:Lunix bailout by big daddy gubment (Score:5, Informative)
As for backdoors, I don't know that they've created any code to secure the system, just produced a set of rules and guidelines that help people know what to secure and how.
Re: (Score:2)
Re:Lunix bailout by big daddy gubment (Score:5, Informative)
The rest of your post is probably trolling; but what the hell, I'll answer it anyway: SELinux added Mandatory Access Control abilities to Linux. These are very useful, and very powerful, security features and it is definitely good that Linux now has them; but it is hardly the case that any OS without them is necessarily insecure.
As for the "handout" angle, SElinux was certainly a handout for Linux; but it was also the cheapest and most effective way for the NSA to make MAC widely available in a short period of time. The objective of the program was a handout of security from the NSA to other entities. The handout to Linux was just the easiest path to that objective.
Re: (Score:2)
Re: (Score:2)
There is no such thing as a secure OS. Security is relative. People have been saying that Linux has fewer known security holes than Windows. Thus it is more secure. Does this have something to do with Linux not being the top OS? Of course, but that does not change the numbers. Linux is harder to hack.
This was basically work on the internal govt systems, you know the ones that hold all your p
Re: (Score:2)
Re: (Score:3, Informative)
SELinux
RSBAC
PaX
Grsecurity
Bastille
apparmor
are not new; it's just that they are finally getting into the mainstream distros. If you wanted a secure Linux system you could have had one 5/10 years ago; it's just that you had to actually do it yourself.
Re: (Score:2)
Isn't that the way Linux should be? Having a guideline is exactly what you want when you're starting out to do just that.
As far as how effective it is, I'd have to say it is good stuff; too bad few people are ready for it. It would be great if everyone was to the point where hardening the system is their weak spot, but it isn't. IMHO most Linux machines don't get owned because they are administrate
Defense in Depth (Score:5, Insightful)
System hardening is also very helpful against inside jobs, or against other systems on the network compromised through brute force or social engineering.
Re:Defense in Depth (Score:5, Interesting)
If you have to allow actual users to use a shell on that box, however, I would agree that a SELinux approach is critical because you cannot really determine where you will get attacked from...
Re:Defense in Depth (Score:5, Insightful)
Many of the SNACs (or STIGs as I remember them being called) go into detail in such areas as setting the method for password hashing, setting policies for allowed authentication protocols, disabling authentication on time mismatches, and a plethora of other things.
If nothing else, system hardening can be a "best practices" framework for your systems and/or network. I remember one of my systems administrators complaining to a security inspector that the system would not allow a log on if the security log was full instead of just overwriting old entries. He didn't realize that filling the security log with bogus crap could mask a real intrusion. Nobody knows absolutely everything, and not everyone has the time to sit down and understand every intricate detail. Using a system hardening approach, however, is a very good foundation to build your overall security posture.
You say that you only allow http, but what happens when a vulnerability is found in code that you use for your http application? That's what defense in depth is all about. You may be able to knock down this wall, but there are 10 more behind it that are even bigger.
Re:Defense in Depth (Score:5, Insightful)
Re:Defense in Depth (Score:5, Insightful)
That's one of the biggest hurdles today in security: striking a balance and prioritizing. Everyone can say "Usability and security are both important," but it takes time and thought to come up with a detailed analysis of the priorities during an actual attack.
Re: (Score:2)
By far the majority of attacks are implemented using guesswork credentials.
It's not much of a problem anymore, because storage space is so cheap. I set mine to log everything for a few months, just out of curiosity at the crap going around my ISP and even at the highest levels the logs were only taking up about 15% of my drive space; mostly automated brute force attacks.
Once I restricted the
Re: (Score:2)
As far as logs, we traditionally have a series of items, such as hd data, temp data, etc that we automate with an srsync snapshot nightly. From there, we use a custom app we wrote to parse out key word data or repeatable trends we find interesting, such as error, failed login attempts, etc... Meaning, we also erase nothing, but let software processes smooth over the sheer volume of data for us...
Also, as far as additional security ite
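An added example, not the poster's own tool: a Python detector run over constructed sshd auth-log lines (documentation IP ranges) that counts failed logins per source within a sliding window and flags a successful login that arrives right after a burst of failures. The threshold, window and log year are assumed values.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth.log lines; addresses are from documentation ranges, not real hosts.
SAMPLE_AUTH_LOG = """\
Jan  1 00:00:01 mx1 sshd[1001]: Failed password for invalid user admin from 203.0.113.7 port 4022 ssh2
Jan  1 00:00:03 mx1 sshd[1002]: Failed password for invalid user oracle from 203.0.113.7 port 4023 ssh2
Jan  1 00:00:04 mx1 sshd[1003]: Failed password for root from 203.0.113.7 port 4024 ssh2
Jan  1 00:00:06 mx1 sshd[1004]: Failed password for root from 203.0.113.7 port 4025 ssh2
Jan  1 00:00:07 mx1 sshd[1005]: Failed password for root from 203.0.113.7 port 4026 ssh2
Jan  1 00:00:09 mx1 sshd[1006]: Accepted password for root from 203.0.113.7 port 4027 ssh2
Jan  1 00:01:30 mx1 sshd[1007]: Failed password for alice from 198.51.100.2 port 5000 ssh2
Jan  1 00:01:40 mx1 sshd[1008]: Accepted publickey for alice from 198.51.100.2 port 5001 ssh2
Jan  1 00:10:00 mx1 sshd[1009]: Failed password for root from 203.0.113.7 port 4099 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)

def parse_line(line, year=2008):
    """Return (timestamp, result, user, ip) for an auth line, or None if it is not a login record."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    # syslog timestamps carry no year, so the caller supplies one (assumed value here)
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]

def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Flag sources that reach `threshold` failures inside the window, and any success right after one."""
    failures = defaultdict(list)   # ip -> [(timestamp, user), ...] within the current window
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, result, user, ip = rec
        # drop failures that have aged out of the window for this source
        recent = [(t, u) for t, u in failures[ip] if (ts - t).total_seconds() <= window_seconds]
        if result == "Failed":
            recent.append((ts, user))
            if len(recent) == threshold:   # alert once per burst, with the usernames tried
                alerts.append(("burst", ip, sorted({u for _, u in recent})))
        elif len(recent) >= 3:             # a success on the heels of guessing: the signal worth paging on
            alerts.append(("success_after_failures", ip, user))
        failures[ip] = recent
    return alerts
```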
Re:Defense in Depth (Score:5, Insightful)
SELinux almost makes more sense in an appliance server; as the config is not likely to change much. Just assume the web interface is vulnerable (it probably is; if not through your code then some as-yet undiscovered vulnerability in the LAMP stack.) I'll admit, SELinux is a religion you've got to practice, but Unix filesystem permissions leave a lot to be desired (I don't like having to create a new group every time I want to set permissions on a subset of users, thanks.) There needs to be more in the 21st century, and while SELinux is not the best solution, it's a workable one.
The goal of SELinux IMO is the realization that you will never get rid of all vulnerable code on your box. What you can do is limit the damage they can do when they get past the application layer security. Who cares if they can hack your sendmail server when it doesn't have access to read/write anything outside its config and spool directories?
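As an added illustration of that point (not code from the thread or from the SELinux project): a Python script that reads audit.log AVC records and summarizes which confined domain was denied what, so an administrator can watch the confinement contain a misbehaving sendmail and spot denials that were only logged in permissive mode. The log lines are constructed; the type names are standard SELinux types.

```python
import re
from collections import Counter

# Constructed sample audit.log records (not from any real host): a process confined
# to sendmail_t trying to reach outside its own domain. permissive=1 on the last
# record means the access was logged but not actually blocked.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1199145600.101:201): avc:  denied  { read } for  pid=2311 comm="sendmail" name="shadow" dev="dm-0" ino=918 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
type=AVC msg=audit(1199145600.102:202): avc:  denied  { read } for  pid=2311 comm="sendmail" name="shadow" dev="dm-0" ino=918 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
type=AVC msg=audit(1199145601.455:203): avc:  denied  { write } for  pid=2311 comm="sendmail" name="authorized_keys" dev="dm-0" ino=4421 scontext=system_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:ssh_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1199145602.010:204): avc:  denied  { execute } for  pid=2311 comm="sendmail" name="sh" dev="dm-0" ino=77 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1199145602.010:204): arch=40000003 syscall=11 success=no exit=-13 comm="sendmail"
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for\s+.*?comm="(?P<comm>[^"]+)"'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
    r'(?:\s+permissive=(?P<permissive>[01]))?'
)

def parse_avc(line):
    """Return the fields of one AVC denial record, or None for any other record type."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    d = m.groupdict()
    return {
        "perms": d["perms"].split(),
        "comm": d["comm"],
        "source_type": d["scontext"].split(":")[2],   # e.g. sendmail_t
        "target_type": d["tcontext"].split(":")[2],   # e.g. shadow_t
        "tclass": d["tclass"],
        # older kernels omit permissive=; assume the denial was enforced in that case
        "enforced": d["permissive"] != "1",
    }

def summarize_denials(log_text):
    """Count denials by (source domain, target type, object class, permission, enforced)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        for perm in rec["perms"]:
            counts[(rec["source_type"], rec["target_type"], rec["tclass"], perm, rec["enforced"])] += 1
    return counts

def unenforced_denials(counts):
    """Denials that were only logged: the gaps to close before trusting the confinement."""
    return sorted(key for key in counts if not key[4])

if __name__ == "__main__":
    for (src, tgt, cls, perm, enforced), n in summarize_denials(SAMPLE_AUDIT_LOG).most_common():
        print(f"{n:3d}  {src} -> {tgt} ({cls}:{perm})  {'BLOCKED' if enforced else 'PERMISSIVE ONLY'}")
```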
Re: (Score:2)
Re: (Score:3, Interesting)
Re: (Score:2)
I'm not discouraging use of SELinux, but you can use Posix ACLs without SELinux. If flexible file permissions are the driving factor, SELinux is overkill.
Re: (Score:2)
Re:Defense in Depth (Score:5, Insightful)
Re: (Score:2)
Re: (Score:3, Insightful)
There is no one-stop panacea for security. Anyone who says otherwise is either a snake-oil salesman, or a massive liability to any company that hires them.
Re: (Score:2)
Re: (Score:2)
Would be really handy (Score:1)
Re:Would be really handy (Score:4, Insightful)
Re:Would be really handy (Score:5, Interesting)
Re: (Score:2)
Re: (Score:2)
Re: (Score:3, Informative)
Re: (Score:2, Insightful)
Re: (Score:1)
Re: (Score:2)
Re: (Score:2)
Concrete (Score:5, Funny)
Re:Concrete (Score:4, Insightful)
Re:Concrete (Score:5, Funny)
Re: (Score:3, Insightful)
Easy (Score:5, Funny)
Re: (Score:2)
Is it just me? (Score:4, Insightful)
Re: (Score:1, Funny)
Re: (Score:2)
"We're here to protect you from the terrible secret of space?"
Re: (Score:2)
There's a strong correlation between the libertarian/independent/freethinker community and the advocacy of Linux and other [F]OSS solutions.
And yet, doesn't every Linux kernel (2.6 or better) use SELinux [nsa.gov] [1] [wikipedia.org] ?
short answer, NO (Score:2)
SELinux: sure, it could have an NSA back-door, but it probably doesn't, and a lot of distros don't use SELinux; instead they opt for AppArmor, or nothing at all, or other security measures (PaX, etc.)
Re: (Score:2)
Rest assured that although a good 1/2 to 2/3 of the work came from NSA staff, the people involved were competent, and understood the importance of peer review in security design. So the NSA guys didn't get any code or policy in there that didn't get reviewed by a good number of non-NSA people who had reason to expect and look
Re:Is it just me? (Score:5, Insightful)
I'm not wary at all. Any access they might want into your Windows system was probably built in. I imagine they already have that kind of access to every Windows computer. Anything they can give you to help keep your Windows machine from turning into part of a North Korean botnet can only benefit both you and the government.
Yes, it's just you (Score:3, Insightful)
Probably. What risk does it introduce, which you didn't already have?
Very effective (Score:5, Informative)
That is just a start. Now you also have to monitor the activity on the host or network to detect any changes or indicators of malicious behavior.
Hardening is easier to do with servers because servers tend to have more stable configuration requirements and less user touch. Workstations and desktops are more difficult. You can lock down a windows host very tightly using the GPO and other OS tools. You can also buy other applications to fill gaps. Financial institutions, for example, often have very tight workstations. In most other organizations however, users are used to having more control and the pain of locking down a workstation compared to the outcry IT will receive normally leads to looser standards.
Everyone knows... (Score:5, Funny)
Re:Everyone knows... (Score:4, Interesting)
Re:Everyone knows... (Score:5, Funny)
Re: (Score:2)
Re: (Score:2)
And Windows? If I was running Windows, even my ENIAC clone wouldn't be secure!
And als*7)87&*&(*&(*&)(*[no carrier]4$%^&^%[connect]ave to change a vacuum tube once in a while.
Re: (Score:2)
Judging by how well the NSA.gov website is (not) handling being Slashdotted, I'm guessing that's exactly what they did.
Re: (Score:2)
Re: (Score:2)
The Network guides are nice (Score:5, Interesting)
I can't speak to how well they withstand attacks after that, but if you follow their instructions an nmap scan basically reveals no open services (SSH ports have their own access lists).
I prefer the guides to tools like RAT because auditors get so out of date that you end up chasing down their rules to find out they don't even know about the last few years of security enhancements. Cisco's Output Interpreter is also good for advice on hardening your devices.
Re:The Network guides are nice (Score:4, Interesting)
Re: (Score:2)
Re:The Network guides are nice (Score:5, Informative)
Cisco Routers [nsa.gov]
Cisco Switches [nsa.gov]
Everyday user? (Score:2, Interesting)
So in summary the only everyday users who could do this are those using Vista.... an
Re: (Score:2)
Re: (Score:3, Informative)
Re: (Score:3, Informative)
What happened to (Score:1)
There's no perfect safety ... (Score:5, Insightful)
Two guys are out on a hike in the forest. They go around the corner of a rock outcropping, and are confronted with a grizzly bear, not far away, who immediately springs toward them. The first guy starts running away. The second yells after him, "You damned fool, you can't outrun a grizzly bear!" The first says, over his shoulder, "I know -- but I can outrun you."
Your house doesn't have to be impossible to break into; it helps quite a bit if it's just harder than your neighbor's.
Re: (Score:3, Funny)
Re: (Score:3, Insightful)
Re: (Score:3, Funny)
Re: (Score:2)
To shift metaphors, I've heard that the way to handle canine attack is to get down on the ground and bare your neck. It's a submission symbol, and they generally respect it. Plus they can outrun and outbite you. Of course I've never tested this personally, and I've usually been able to intimidate dogs just by acting intimidating. (I once intimidated a pair of nasty looking German shepherds, until their ow
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Two guys are walking around, one has hurt his leg. They run into a zombie. The one without injuries runs, leaving his friend behind.
He now needs to outrun two zombies.
For targeted attacks, yes, having better security means attackers will likely pick easier targets. Since botnets carry out a fair portion of attacks though, the average computer user having better security means everyone has better security.
Re: (Score:2)
How hard is it to get any real work done on locked (Score:2)
Re:How hard is it to get any real work done on loc (Score:5, Insightful)
Re: (Score:3, Interesting)
You could always bring in a lappy and do like this guy [shandyking.com] did ...
Just because you're inept at systems management (Score:3, Insightful)
How hard is it to get any real work done on super locked done system with out a lot of dead time waiting for IT to unlock what you need to get your job done?
So kindly go fuck yourself with your condescending attitude.
Re:How hard is it to get any real work done on loc (Score:2)
Security hardening is all about removing unnecessary facilities. So obviously whatever is left is necessary for you to do your job, if not then the security guys/procedures didn't do their analysis well enough.
Of course, what they think is necessary and what you think is "necessary" may not be quite the same thing....
Re:How hard is it to get any real work done on loc (Score:3, Informative)
Responsible IT departments can configure your systems while still allowing you to work. mike
allow execution of only known good binaries (Score:1, Interesting)
One good tool out there is from Solidcore. It is being used in point-of-sale devices, ATMs and production servers in some big enterprises.
Works on Windows* and Unices.
-Yv
Re:allow execution of only known good binaries (Score:4, Interesting)
Re: (Score:3, Insightful)
Re: (Score:2)
holy crap (Score:2)
works ok for me (Score:4, Interesting)
It's not perfect by a long shot, but it's good enough that we've not had a sniff of a virus or malware outbreak in getting on for three years now. Hell, we don't even consider it necessary to install most MS updates straight away. We let other people do the testing, and roll them out via WSUS 3-6 months later.
Re: (Score:3, Insightful)
How many cases have you had of users not being able to do work, or being greatly inconvenienced and slowed thanks to those security measures?
How about incidents where users bypassed security? Like, how have you disabled the CD? Went into the BIOS setup and simply disabled the IDE interface it's connected to? And why are you even using IE?
You're a good way down the path of just not allowing the use of computers at all.
Re: (Score:2)
CD-ROM drives are disabled by disabling the Windows device driver. Users don't have admin rights so they can't re-enable them. They used to be locked in the BIOS, with BIOS passwords.
Re: (Score:2)
But yes, we are looking at thin clients. Costs have finally come down to a point where they are competitive with PCs; we're just waiting for the right SAN / NAS technology. We'll probably be rolling them out to most people in 12 months. Unfortunately the CAD workstations won't work as thin clients yet.
define "effective" (Score:4, Insightful)
1) improperly designed trusts between systems (e.g. the Internet can't talk to my database server, but my webserver has full access; when my webserver is compromised, the contents of my database are toast as well). Networks designed to fail safely and gracefully, with liberal application of the principle of least privilege, help mitigate this kind of risk.
2) stupid user tricks (I place social engineering in this category, along with phishing and the majority of email viruses). There is no technical solution for this essentially social problem - education helps, sane and safe defaults help tremendously (every unnecessary feature is an additional security risk, and the risk compounds as features are added), software policy approaches like ACL/MAC/UAC/RBAC help
Re: (Score:2)
I don't like the way security has been trumpeted and politicized since 9/11. Security is so all encompassing that anything can be characterized as a security issue. Security enhancement is the ultimate hammer for every problem. We have wasted a lot of time on a patchwork fix-as-we-go stance. In the other extreme, we've spent a lot of effort going for too much in OSes. SELinux is a case in point. Yeah, sure it can really lock down and separate things, but the overhead paid in administering the box, man
Re: (Score:2)
This is exactly the approach that e.g. the OpenBSD dev team takes: all bugs are squashed with equanimity. They don't consider bugs to be "less critical" because they don't represent an apparent security threat or come with an obvious exploit. This kind of consistent code-review housecleaning has the nice side effect of avoiding many security holes before they are even discovered. (See http://www.openbsd.org/security.htm [openbsd.org])
Marcus Ranum's got them beat... (Score:2)
Some people can build secure servers, not desktops (Score:2)
Actual system hardening works nice... (Score:2)
A bit before that, Crispin Cowen of Im