Posted on 01/16/2009 6:42:44 AM PST by ShadowAce
Russell Coker is not a man who sleeps with his computers. But he does come pretty close - two servers are positioned in a little cabinet in his bedroom, one being his server and the other his Security Enhanced Linux "play machine."
The play machine is open to anyone who wants to log in and try to break its security: the root password is public. This is one of the many ways in which he engages with the wider FOSS community, and a way of improving what has become the project to which he devotes a considerable amount of time.
Security Enhanced Linux is a project begun by America's National Security Agency. It comprises kernel code that adds mandatory access control (originally a patch, merged into the mainline kernel in the 2.6 series) and patches to applications so that they can choose the security domain in which to run processes.
To use Russell's own words, "For example, /bin/login selects the domain for user processes according to configuration files and the security policy database."
His interest in SE Linux was piqued after he attended the 2001 Linux symposium in Ottawa and listened to a talk by the NSA's Peter Loscocco. As a Debian developer, he felt it should be part of the distribution and thought it would take him a few months to do the integration.
It took much longer and it has certainly kept him interested. He has ended up making a sterling contribution to the SE Linux project - on the upstream front he has expanded and improved the example policy configuration, enhanced the run_init and spasswd utilities, developed a devfsd module for managing devfs file contexts, implemented improvements to the setfiles program, and extended strace to trace SELinux system calls. (Due to the evolution of SE Linux and Linux in general some parts of his work - such as the devfsd module and spasswd - are now obsolete.)
Offering up a play machine online helps to improve SE Linux: many policy configuration errors were found in the early days, because the policy of that time had not been designed for a machine whose root password is public.
"Also some issues were discovered with general Unix code - for example, if UID==0 the 'locate' program didn't check permissions, and the pam_unix.so library did not launch the unix_chkpwd program if it couldn't open /etc/shadow. While these are unusual corner cases they could affect systems that didn't use SE Linux," says Russell. "The locate issue was discovered by a user on my play machine."
Russell's use of a play machine has helped develop a stronger security policy: an attacker who gains unauthorised root access on an SE Linux machine running that policy is confined by the policy rather than trusted because of UID 0, so the dangerous operations are denied. Additionally, their attempts to damage the machine are logged clearly.
"It also helped start the SE Linux community. The #selinux IRC channel originally started as a support channel for my play machine," he says.
At next week's Australian national Linux conference, Russell will give a talk on the state of play of SE Linux in the forthcoming Debian release, Lenny, summarising how development has progressed.
SE Linux will not be part of the default or standard install in Lenny but it will be better integrated and have more features, Russell says. "Discussion is starting on what level of support will be in the Debian installer for future versions of Debian."
Those who do decide to use it will be able to apply the settings with scripts rather than editing configuration by hand. The scripts are simple enough that Russell has no fear of anyone being left stranded in the unlikely event that one fails partway through.
Russell says SE Linux works well on Fedora, Red Hat's community Linux distribution, and on Debian with either GNOME or the older KDE. With KDE 4, there are some issues still to be sorted out.
Apart from this talk, he has also had to take on two others on similar topics, both of which were to be delivered by a friend, the Japanese developer KaiGai Kohei, who is certified as a "genius programmer" by Japan's IT Promotion Agency. Kohei has had to drop out at the last minute.
One of the talks will cover security-enhanced PostgreSQL, which brings the controls present in SE Linux to the PostgreSQL database. The result is a unified access control model for the system, extending the kind of security SE Linux offers to a web service stack.
Russell has also stepped into the breach to pick up KaiGai's second talk, which was to be on LAPP/SELinux. LAPP is an acronym for Linux, Apache, Perl/Python and PostgreSQL, a small deviation away from the better-known LAMP (Linux, Apache, Perl/Python and MySQL) stack which is used to run millions of websites.
LAPP/SE Linux focuses on applying the same mandatory access controls as SE Linux across the entire stack: the kernel controls file access, Apache runs its request handling under contexts that match the users it serves, and PostgreSQL uses its SE Linux support to grant or deny access based on the security context of the Apache thread handling the request.
Russell is a familiar face at LCA, having been to every conference apart from the one held in Perth in 2003. He says he learns a lot from some of the talks, gets to exchange ideas and also provide information to the community through his own talks.
He plans to launch a Xen server for SE Linux training in the near future. "I may get it going in time for LCA," he said.
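The clear logging the article credits to the play machine is the SELinux AVC record in the audit log. As an added example (not code from the article, from Russell's tools or from the SE Linux project), the following Python script parses constructed AVC and SYSCALL records, groups the denials by source domain, target type and object class, and pairs each denial with its SYSCALL record by serial number to show that a process running with uid=0 in the confined user_t domain is still denied. The log lines, PIDs, domain names and file names are constructed for illustration; only the record layout is real.

```python
"""Summarise SELinux AVC denials from audit-log text.

Added example for this page; the records below are constructed, not real
play-machine output. Field layout follows the kernel's AVC record:
  type=AVC msg=audit(<secs>.<ms>:<serial>): avc:  denied  { perms } for  pid=... scontext=... tcontext=... tclass=...
The SYSCALL record with the same serial carries the numeric uid.
"""
import re

# Constructed sample records (serial 201 is a root shell, auid 1000, trying
# to read /etc/shadow; 202 an ordinary user; 203 a module load; 204 an
# auditallow 'granted' record that the denial summary must skip).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1232000000.101:201): avc:  denied  { read } for  pid=2345 comm="cat" name="shadow" dev="sda1" ino=12345 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=SYSCALL msg=audit(1232000000.101:201): arch=c000003e syscall=2 success=no exit=-13 uid=0 auid=1000 comm="cat" exe="/bin/cat" subj=user_u:user_r:user_t:s0
type=AVC msg=audit(1232000000.102:202): avc:  denied  { write } for  pid=2346 comm="vi" name="passwd" dev="sda1" ino=12346 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1232000000.102:202): arch=c000003e syscall=2 success=no exit=-13 uid=1000 auid=1000 comm="vi" exe="/usr/bin/vi" subj=user_u:user_r:user_t:s0
type=AVC msg=audit(1232000000.103:203): avc:  denied  { module_request } for  pid=2347 comm="insmod" kmod="rootkit" scontext=user_u:user_r:user_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system
type=AVC msg=audit(1232000000.104:204): avc:  granted  { setenforce } for  pid=2348 comm="setenforce" scontext=root:sysadm_r:sysadm_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
"""

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<verdict>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)')
SYSCALL_RE = re.compile(
    r'type=SYSCALL msg=audit\(\d+\.\d+:(?P<serial>\d+)\): (?P<rest>.*)')
# key=value pairs; values are either "quoted" or a run of non-space characters
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC record into a dict, or return None for any other line."""
    m = AVC_RE.match(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    return {
        'serial': int(m.group('serial')),
        'verdict': m.group('verdict'),
        'perms': m.group('perms').split(),
        'pid': int(fields.get('pid', 0)),
        'comm': fields.get('comm'),
        'scontext': fields['scontext'],
        'tcontext': fields['tcontext'],
        'tclass': fields['tclass'],
        # whichever of the object identifiers the kernel included
        'target': fields.get('name') or fields.get('kmod') or fields.get('path'),
    }


def summarize_denials(log_text):
    """Group denied records by (source type, target type, class).

    Returns ({(src_t, tgt_t, tclass): set(perms)}, [denied records]).
    A context string is user:role:type[:range]; the type is element 2."""
    summary, records = {}, []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec['verdict'] != 'denied':
            continue
        records.append(rec)
        key = (rec['scontext'].split(':')[2],
               rec['tcontext'].split(':')[2],
               rec['tclass'])
        summary.setdefault(key, set()).update(rec['perms'])
    return summary, records


def uid_by_serial(log_text):
    """Map audit serial -> numeric uid from the SYSCALL records."""
    uids = {}
    for line in log_text.splitlines():
        m = SYSCALL_RE.match(line)
        if m:
            fields = dict(KV_RE.findall(m.group('rest')))
            if 'uid' in fields:
                uids[int(m.group('serial'))] = int(fields['uid'])
    return uids


def denials_as_root(log_text):
    """Denied records whose SYSCALL record shows uid=0: being root did not
    help, because the decision was made on the domain, not the UID."""
    uids = uid_by_serial(log_text)
    _, records = summarize_denials(log_text)
    return [r for r in records if uids.get(r['serial']) == 0]


if __name__ == '__main__':
    summary, _ = summarize_denials(SAMPLE_AUDIT_LOG)
    for (src, tgt, cls), perms in sorted(summary.items()):
        print(f'{src} -> {tgt} ({cls}): {" ".join(sorted(perms))}')
    for rec in denials_as_root(SAMPLE_AUDIT_LOG):
        print(f'uid 0 in {rec["scontext"]} denied {rec["perms"]} on {rec["target"]}')
```

On a real machine these records come from /var/log/audit/audit.log (or from the kernel log when auditd is not running), and the same grouping by source type, target type and class is what audit2allow performs before proposing policy additions; the point of the play machine is that such denials for a UID 0 process are the expected outcome, not a bug to be allowed away.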
This was posted as an attempt to explain that Windows and Linux/Unix security models are very different. The lack of viruses for Linux/Unix is not due merely to differences in the popularity of the OS.
Can I be added to the ping list? :)
You’ve been added. Welcome Aboard!
A good hacker never leaves a trace behind.
A good root kit will take care of that....
Thanks! I’ve been meaning to ask for some time, since I’m sick of always finding linux posts a month too late to make comments on...lol
A good hacker has his own private root kits and never lets anyone know that he owns a machine until he wants them to.
Why would he want to at all?
This stuff is over my head. I run a couple of Linux computers at home, but as an average user, how would I even know if I've been attacked? I rarely look at any system logs. I like linux because it's free, easy to install and maintain, and I like the (perceived) security it offers.
Guys who write their own rootkits, root machines and keep quiet are usually interested in being there for a particular reason. Your average cracker looking to make a zombie bot out of your PC is probably going for a windows machine and would also do something dumb to make their presence known when they did.
Steps you can take to make sure you’re okay:
Make sure your kernel is the latest version, which I know many of us, myself included, put off with our home computers, since it's a PITA to do some of the necessary reconfiguring (graphics card, etc) after a kernel upgrade.
Make sure any publicly available services, such as an Apache server, are up to date and properly secured.
Stay on top of any security issues with your web browser.
Make sure the md5sums are correct on your installed packages. You can do this with Rootkit Hunter (http://rootkit.nl).
chkrootkit is also useful.
I really don’t think there’s much to worry about as a home Linux user, but it never hurts to stay on top of things.
Exactly my point...
At this point, I'm pretty much dependent on the Ubuntu guys feeding me the correct/most current security updates. Except for browser security, and I depend on the Firefox developers for that!
Sure would like to get on the ping list also!
You’ve been added as well. Welcome Aboard!
Have room for another?
There’s always room for one more. Welcome Aboard!
me too! love to get the tech pings! thanks!
You have also been added. Welcome!
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.