Re: [VULN-DEV] The NSA's Security-Enhanced Linux
On Fri, Dec 22, 2000 at 05:18:42AM -0700, Scott D. Yelich wrote:
On Fri, 22 Dec 2000, Ralf-Philipp Weinmann wrote:
citing http://www.nsa.gov/selinux/background.html: [...] The result is available for download at the above URL as well. Has anyone here toyed with it already? Cheers, -Ralf
Seems like this is a "demo" ... would anyone be able to compare this system to a system that is not attempting to be a demo -- such as Pitbull (solaris?)? It frightens me to think that anyone would trust linux :-> but, alas, who knows. Maybe if enough sugar is poured on top, it just won't continue to smell so bad.
Scott
These linux improvements and pitbull are two totally different things though. Pitbull aims to implement full B1 compatibility into Solaris, while the work the nsa has done just aims to implement a security policy (which you can read at their site) that improves overall security on linux.
It's interesting to see 3 major "secure linux" efforts, all with different goals we have
http://www.wirex.com/ ImmunixOS, linux+Stackguard/formatguard/subdomain/cryptomark/etc, reasonably mature (I have a beta, works quite well).
http://www.argussystems.com/ Pitbull, B1 shiz, I'm not too enamoured with this orange book stuff (buzzword compliance)
http://www.nsa.gov/selinux/ NSA, access controls, who did what when, ok, let's shoot 'em in the head.
Basically it's like comparing apples to oranges to kiwi fruit. Some people hate kiwi but love apples. OTOH if you want to make kiwi fruit pie.....
-miah -- less talk more clue.
-Kurt
On Fri, Dec 22, 2000 at 01:10:26PM -0700, Kurt Seifried wrote:
It's interesting to see 3 major "secure linux" efforts, all with different goals we have
Actually, from your list, we have 2. Argus does not offer pitbull for linux.
http://www.wirex.com/ ImmunixOS, linux+Stackguard/formatguard/subdomain/cryptomark/etc, reasonably mature (I have a beta, works quite well).
Sure, it works well if you only want to protect against BufferOverflows and even then it doesn't do it that well. Properly written exploits can bypass the canary and still work properly see: http://phrack.infonexus.com/search.phtml?view&article=p56-5
http://www.argussystems.com/ Pitbull, B1 shiz, I'm not too enamoured with this orange book stuff (buzzword compliance)
If you are running Solaris, and are properly trained by Argus, Pitbull will definitely keep the kiddies out. Pretty good for being buzzword compliant.
http://www.nsa.gov/selinux/ NSA, access controls, who did what when, ok, let's shoot 'em in the head.
I'm still looking at the software they're offering here. A decent ACL implementation is something I've been waiting for in linux for a while. Not to mention a good system accounting/auditing toolset. It's interesting to see how many "secure linux" projects have been started and how many are actually still around. Most of them have given up "due to lack of interest from the community".
Basically it's like comparing apples to oranges to kiwi fruit. Some people hate kiwi but love apples. OTOH if you want to make kiwi fruit pie..... -Kurt
Sorry for bringing this to suse-security. -miah
Actually, from your list, we have 2. Argus does not offer pitbull for linux.
They say they will (spoke to them at length about this).
http://www.wirex.com/ ImmunixOS, linux+Stackguard/formatguard/subdomain/cryptomark/etc, reasonably mature (I have a beta, works quite well).
Sure, it works well if you only want to protect against BufferOverflows and even then it doesn't do it that well. Properly written exploits can bypass the canary and still work properly see:
Bzzzzzt. Wrong answer =). You should learn what subdomain and cryptomark and the rest are =).
I'm still looking at the software they're offering here. A decent ACL implementation is something I've been waiting for in linux for a while. Not to mention a good system accounting/auditing toolset.
ACL under linux sucks ass right now. there are ways to audit syscalls at the kernel level, that's a lot of data though, of questionable use.
It's interesting to see how many "secure linux" projects have been started and how many are actually still around. Most of them have given up "due to lack of interest from the community".
Heh. You think that's bad try something simpler like writing documentation on it. I've gotten 0 community support, so I basically gave up.
Sorry for bringing this to suse-security.
Actually I thought it was quite valid.
-miah
-Kurt
On Fri, Dec 22, 2000 at 03:01:35PM -0700, Kurt Seifried wrote:
Actually, from your list, we have 2. Argus does not offer pitbull for linux.
They say they will (spoke to them at length about this).
I cannot wait to see this. More vendors really need to jump into this area and fund it because we can't have people start working on the projects and then just quit. I'd love to see all the work that went into those secure linux distros that all decided to call it quits. All of their changes if posted publicly could really help people lock down their boxes, or help people trying to do the same thing.
Bzzzzzt. Wrong answer =). You should learn what subdomain and cryptomark and the rest are =).
Hrm, Maybe I'll take time and look at it again. It's been a while. When last I looked the only thing they actually had stuff written for was Stackguard.
ACL under linux sucks ass right now. there are ways to audit syscalls at the kernel level, that's a lot of data though, of questionable use.
Its accounting and auditing is also crap. I don't think the BSD Accounting software is even being maintained.
Heh. You think that's bad try something simpler like writing documentation on it. I've gotten 0 community support, so I basically gave up.
I know the feeling trust me. I've been auditing so much software lately and having authors tell me "Oh, well if you supply me with a patch I might begin to care about the problem". -miah
I cannot wait to see this. More vendors really need to jump into this area and fund it because we can't have people start working on the projects and then just quit. I'd love to see all the work that went into those secure linux distros that all decided to call it quits. All of their changes if posted publicly could really help people lock down their boxes, or help people trying to do the same thing.
OpenBSD tried to send changes back to software maintainers/etc, but basically gave up after a while. A lot of bugs exist in linux utils/etc that were ironed out in OpenBSD ages ago.
Hrm, Maybe I'll take time and look at it again. It's been a while. When last I looked the only thing they actually had stuff written for was Stackguard.
They have a _lot_ more now. http://www.securityportal.com/closet/closet20000426.html
Its accounting and auditing is also crap. I don't think the BSD Accounting software is even being maintained.
Yup =(.
I know the feeling trust me. I've been auditing so much software lately and having authors tell me "Oh, well if you supply me with a patch I might begin to care about the problem".
And people ask me what I'll do when software is secure/etc. HAHAHAHAH.
-miah
-Kurt
At 01:45 PM 22/12/2000 -0800, you wrote:
Actually, from your list, we have 2. Argus does not offer pitbull for linux.
Actually, I think they may... http://www.argussystems.com/products/overview/compack/
PitBull .comPack Benefits
- Streamlines architectures, improves performance, and reduces costs and manpower requirements compared to common security practices.
- Allows users from the Internet to access back-end applications in a totally safe, secure environment.
- Provides secure, remote administration of PitBull-enabled servers.
- Modular approach allows software to be tailored to a specific customer's environment.
- Completely compatible with all applications supported by the standard base OS for quick configuration and integration.
- Installs as a simple upgrade to Sun Solaris, IBM AIX and Linux.
-- Microsoft is to operating systems & security .... .... what McDonalds is to gourmet cooking
participants (4): Jeremiah Johnson, Kurt Seifried, miah, Nix