Mark Armstrong wrote:
I recently discovered that there are security hardened versions of SUSE that are certified/accredited to EAL 3 and even EAL 4.
Does anyone have any experienced feedback on how restrictive these setups are?
We are looking to implement a data retrieval system that accesses disks over NFS and tape drives over SCSI, but does little else. Would like to know if I could still do these simple things.

What is it you are trying to achieve? Security, or compliance?
The SLES9 EAL3 and EAL4+ configurations are exceedingly strict; to be in compliance, you have to have the exact software and hardware configuration specified. However, it is not a particularly secure configuration. Because it specifies an exact configuration, and it is now quite old (early 2004), many advances are technically not permitted in a compliant configuration.

To achieve a high level of server security, you should, first of all, keep it up to date by running the update tools frequently.

The second thing to do is to close all unnecessary network ports. There are several tools for that, including netstat (which lists the open ports) and Nessus (which does a detailed vulnerability assessment of the applications you are hosting).

You should also use the AppArmor tools to secure your applications. AppArmor also has a tool to scan your server for open network ports called aa-unconfined. This program lists open network ports, the programs listening to those ports, and the AppArmor profiles wrapped around those programs, if any. Your goal here is to use AppArmor to confine all of the programs with open network ports. If you do that, then all network attackers are forced to go through your AppArmor policies. This does not perfectly prevent all intrusions (no policy mechanism can) but it does strictly bound what damage the attacker can do.

All of these steps (updates, netstat, Nessus, and AppArmor) will do lots to help your security, but nothing to help your compliance with regulations. The EAL certified configurations are rather the converse; they do little to help your security, other than by providing a lower bound that your security isn't absolutely horrid, but do a lot to provide CYA (Cover Your Assets :-) by being compliant.

Crispin

--
Crispin Cowan, Ph.D.               http://crispincowan.com/~crispin/
Director of Software Engineering   http://novell.com
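
The check described in the reply above (list the open ports, the programs behind them, and the AppArmor profile around each) sketched in Python as an added example; it is not part of the original thread and is not how aa-unconfined itself is implemented. It assumes the `netstat -tulnp` column layout and the `/proc/<pid>/attr/current` label format; the sample output, PIDs and labels are constructed.

```python
import re
from pathlib import Path

# Constructed `netstat -tulnp` output (not from a real host). The last TCP row
# has no owning PID, as netstat shows for kernel sockets or when run without root.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address    Foreign Address  State    PID/Program name
tcp        0      0 0.0.0.0:22       0.0.0.0:*        LISTEN   812/sshd
tcp        0      0 127.0.0.1:631    0.0.0.0:*        LISTEN   1044/cupsd
tcp6       0      0 :::2049          :::*             LISTEN   -
udp        0      0 0.0.0.0:123      0.0.0.0:*                 977/ntpd
"""
# Constructed labels, in the format exposed in /proc/<pid>/attr/current.
SAMPLE_LABELS = {812: "unconfined", 1044: "/usr/sbin/cupsd (enforce)",
                 977: "/usr/sbin/ntpd (complain)"}

ROW = re.compile(r"^(tcp6?|udp6?)\s+\d+\s+\d+\s+(\S+)\s+\S+\s+(?:LISTEN\s+)?(.+?)\s*$")
LABEL = re.compile(r"^.+ \((enforce|complain)\)$")

def read_label(pid):
    """Read a live process's AppArmor label; None if it cannot be read."""
    try:
        return Path(f"/proc/{pid}/attr/current").read_text().strip()
    except OSError:
        return None

def audit(netstat_text, label_of=read_label):
    """Return (proto, local_addr, program, status) for every listening socket."""
    report = []
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header or unrelated line
        proto, local, owner = m.groups()
        pid, _, prog = owner.partition("/")
        if not pid.isdigit():
            status, prog = "no-process", None  # nothing for a profile to wrap
        else:
            label = label_of(int(pid)) or ""
            mode = LABEL.match(label)
            status = mode.group(1) if mode else ("unconfined" if label == "unconfined" else "unknown")
        report.append((proto, local, prog, status))
    return report

def needs_attention(report):
    """Listeners not under an enforcing profile (complain mode only logs)."""
    return [row for row in report if row[3] != "enforce"]

if __name__ == "__main__":
    for row in needs_attention(audit(SAMPLE_NETSTAT, SAMPLE_LABELS.get)):
        print(*row)
```

On a live host, pass the real `netstat -tulnp` output (run as root) to `audit()` and leave `label_of` at its default so labels are read from `/proc`.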