Security Posture of ALP/LEAP?
Hi Folks, It may be too soon to ask about this, but I'll do it anyway. How will security posture enforcement and monitoring be done with ALP? Specifically, will Nessus-style security posture scanning be supported? How about SELinux? Also, what about end-point security systems, such as McAfee (now Trellix) Host Based Security System (HBSS) support. Trellix does not yet support Leap 14.4, which is actually a good thing, because HBSS is a horrible rootkit mess that introduces non-deterministic behavior and poor performance into a normal Linux environment. Regards, Lew
On 2/6/23 10:01, Lew Wolfgang wrote:
Hi Folks,
It may be too soon to ask about this, but I'll do it anyway.
How will security posture enforcement and monitoring be done with ALP?
Specifically, will Nessus-style security posture scanning be supported?
How about SELinux?
SUSE has been pretty clear that ALP will support SELinux. When I worked on my prototypes last week I swapped back from enforcing to permissive mode because I'm not 100% sure we have that for all of Tumbleweed, and I didn't want to fight that in the week I had.
Also, what about end-point security systems, such as McAfee (now Trellix) Host Based Security System (HBSS) support. Trellix does not yet support Leap 14.4, which is actually a good thing, because HBSS is a horrible rootkit mess that introduces non-deterministic behavior and poor performance into a normal Linux environment.
Not sure about the rest though. -- Simon Lees (Simotek) http://simotek.net Emergency Update Team keybase.io/simotek SUSE Linux Adelaide Australia, UTC+10:30 GPG Fingerprint: 5B87 DB9D 88DC F606 E489 CEC5 0922 C246 02F0 014B
Hello, On Monday, 6 February 2023, 00:31:34 CET, Lew Wolfgang wrote:
Also, what about end-point security systems, such as McAfee (now Trellix) Host Based Security System (HBSS) support. Trellix does not yet support Leap 14.4, which is actually a good thing, because HBSS is a horrible rootkit mess that introduces non-deterministic behavior and poor performance into a normal Linux environment.
Based on your description (and a few "interesting" stories I've read about such things), I'd recommend to call these things end-point _in_security systems. Please do this especially when talking to people who think they are a good idea ;-) If you really have to use them, I'd recommend to confine them as strict as possible - for example with an AppArmor profile ;-) Regards, Christian Boltz -- It's just that it isn't one single central filter file. The advantage is that users manage their own scripts (and can shoot themselves in the foot doing so). The disadvantage is exactly the same. (^-^) [Sandy Drobic on suse-linux about Sieve]
On 2/6/23 13:19, Christian Boltz wrote:
Hello,
On Monday, 6 February 2023, 00:31:34 CET, Lew Wolfgang wrote:
Also, what about end-point security systems, such as McAfee (now Trellix) Host Based Security System (HBSS) support. Trellix does not yet support Leap 14.4, which is actually a good thing, because HBSS is a horrible rootkit mess that introduces non-deterministic behavior and poor performance into a normal Linux environment. Based on your description (and a few "interesting" stories I've read about such things), I'd recommend to call these things end-point _in_security systems. Please do this especially when talking to people who think they are a good idea ;-)
If you really have to use them, I'd recommend to confine them as strict as possible - for example with an AppArmor profile ;-)
Some of these things may be required by management of large organizations. The Nessus scanner requires remote-root access and examines the system looking for security vulnerabilities. In particular it cross-references RPM package versions with threats listed in the CVE database. openSUSE is very good with keeping up-to-date with published vulns. Hopefully ALP will have some sort of a database like RPM to see what's installed that's compatible with the scanner. Otherwise, ALP may be forbidden to operate in those contexts.

The end-point security system (HBSS) is something else! It installs kernel modules and stuff that takes over the system. On-access virus scanning is an example. Visit a web site or transfer a file and the traffic is scanned, usually bringing the system to a crawl. Then it also runs virus scans on a scheduled basis on all the disk filesystems. This can be an annoyance when you have a petabyte of data lying about. Then, it may enforce executable white-listing, where only pre-approved programs are allowed to run, if their cryptographic hashes match. It also mucks around with the host-based firewall. It does most of its evil on Windows hosts, but it mucks around with Linux systems too. SLES and RHEL are supported, but openSUSE usually lags long enough so that the next version is available before support is announced. This is a "good thing"!

Regards, Lew
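Added example, not code from this thread, from SUSE/openSUSE or from Tenable: a small Python script doing the check Lew describes, cross-referencing an installed RPM list against an advisory table using the same version ordering rpm itself applies (rpmvercmp: alphanumeric segments, numeric segments beat alphabetic ones, `~` sorts before the empty string). Assumptions: the inventory is the output of an assumed `rpm -qa --qf '%{NAME} %{EPOCHNUM}:%{VERSION}-%{RELEASE}\n'` invocation, both the inventory and the advisory table are constructed for the example (the advisory ids are placeholders, not real CVE numbers), and rpm's `^` operator is not implemented.

```python
"""Nessus-style local posture check: compare installed RPM EVRs
(epoch:version-release) against an advisory table. Added example, not
code from the thread, from SUSE/openSUSE or from Tenable."""

from dataclasses import dataclass


def _take(s: str, digits: bool) -> tuple[str, str]:
    """Split off the leading run of digits (or of letters) from s."""
    i = 0
    while i < len(s) and (s[i].isdigit() if digits else s[i].isalpha()):
        i += 1
    return s[:i], s[i:]


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 like rpm's rpmvercmp(); ASCII input, no '^' support."""
    if a == b:
        return 0
    while a or b:
        # Separators (anything not alphanumeric or '~') are skipped.
        while a and not (a[0].isalnum() or a[0] == "~"):
            a = a[1:]
        while b and not (b[0].isalnum() or b[0] == "~"):
            b = b[1:]
        # A tilde sorts before everything, even end of string: "1.0~rc1" < "1.0".
        if a[:1] == "~" or b[:1] == "~":
            if a[:1] != "~":
                return 1
            if b[:1] != "~":
                return -1
            a, b = a[1:], b[1:]
            continue
        if not (a and b):
            break
        # One segment at a time: all digits if a starts with a digit, else letters.
        isnum = a[0].isdigit()
        seg_a, a = _take(a, isnum)
        seg_b, b = _take(b, isnum)
        if not seg_b:  # different kinds of segment: numeric is newer
            return 1 if isnum else -1
        if isnum:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):  # more digits means a larger number
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    if not a and not b:
        return 0
    return 1 if a else -1  # whichever side has characters left over wins


def parse_evr(evr: str) -> tuple[int, str, str]:
    """'0:1.2.9-5.1' -> (0, '1.2.9', '5.1'); epoch defaults to 0."""
    epoch, sep, rest = evr.partition(":")
    if not sep:
        epoch, rest = "0", evr
    version, _, release = rest.rpartition("-")
    if not version:  # no release part at all
        version, release = release, ""
    return int(epoch), version, release


def compare_evr(a: str, b: str) -> int:
    """Epoch first, then version, then release, as rpm does."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def parse_inventory(text: str) -> dict[str, str]:
    """Parse lines of 'NAME EPOCH:VERSION-RELEASE' into {name: evr}."""
    inv = {}
    for line in text.splitlines():
        if line.strip():
            name, evr = line.split()
            inv[name] = evr
    return inv


@dataclass(frozen=True)
class Finding:
    package: str
    installed: str
    fixed_in: str
    advisory: str


def find_vulnerable(installed: dict[str, str], advisories) -> list[Finding]:
    """Report every installed package whose EVR is older than the fixed EVR."""
    findings = []
    for name, fixed_evr, advisory in advisories:
        evr = installed.get(name)
        if evr is not None and compare_evr(evr, fixed_evr) < 0:
            findings.append(Finding(name, evr, fixed_evr, advisory))
    return findings


# Constructed sample of `rpm -qa --qf '%{NAME} %{EPOCHNUM}:%{VERSION}-%{RELEASE}\n'`
# output; package names and versions are made up for this example.
INSTALLED = """\
libfoo1 0:1.2.9-5.1
bar-server 0:2.4.1-1.1
baz-tools 0:4.1-2.1
qux 0:3.0~rc2-1.1
"""

# Constructed advisory table (package, first fixed EVR, placeholder id; these
# are not real CVE numbers). The fixed EVR is the distribution's own package
# EVR including the release, since fixes are often backported without a
# change to the upstream version number.
ADVISORIES = [
    ("libfoo1", "0:1.2.10-3.1", "EXAMPLE-0001"),  # 9 < 10 numerically
    ("bar-server", "1:2.0.0-1.1", "EXAMPLE-0002"),  # epoch bump outranks version
    ("baz-tools", "0:4.1-2.1", "EXAMPLE-0003"),  # exactly the fixed build
    ("qux", "0:3.0-1.1", "EXAMPLE-0004"),  # 3.0~rc2 is older than 3.0
    ("notinstalled", "0:9-1", "EXAMPLE-0005"),  # absent packages are skipped
]

if __name__ == "__main__":
    for f in find_vulnerable(parse_inventory(INSTALLED), ADVISORIES):
        print(f"{f.package}: installed {f.installed}, fixed in {f.fixed_in} ({f.advisory})")
```

The comparison is deliberately against the distribution's fixed EVR, release included: openSUSE and SLES backport fixes into the same upstream version, so a scanner that only matched the upstream version string from a CVE entry would flag patched packages as vulnerable. Real scanners take that data from the vendor's advisory feeds (SUSE publishes OVAL data for its products), which is why a distribution the scanner has no feed and no package-database access for fails this kind of check, the compatibility point raised above.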
participants (3)
- Christian Boltz
- Lew Wolfgang
- Simon Lees