Secure-SLinux is a secure, stable and full-featured OS for professional enterprise servers. It is based on the Linux kernel and GNU glibc. It is quick to install (10 minutes), hardened (GRSecurity, PAX, RBAC, SSP, frandom, loop-aes, etc.), and easy to administrate. There are precompiled binary releases for console only and XOrg-based systems.
| Tags | Desktop Environment Window Manager XFCE Security Operating Systems Linux Distributions |
|---|---|
| Licenses | GPL |
| Operating Systems | POSIX Linux |
Recent releases


Changes: SSLX-Desktop is the desktop environment for Secure-SLinux. It is based on programs such as XFCE, Firefox, Thunderbird, Filezilla, GIMP, OpenOffice.org, Eclipse, Bluefish, and Xfe.


Changes: This version is based on Linux 2.4.34.4, binutils 2.16.1, GCC 3.4.6, and glibc 2.3.6, which is known to be one of the most rock solid combinations. It also includes GRSecurity, PAX, SSP, and frandom, making it among the most secure Linux distributions available for commercial and private use. Nevertheless it is straightforward to use and administrate.


Changes: This is the first stable release of the Secure-SLinux installation, rescue, live, and demo CD. It contains all of the new SSLX-Server 0.3.1stable release and combines it with the benefits of the SSLX-CD. It can be ejected at any time, so you can insert a second CD which may contain additional drivers, sources, or binaries you want to install. It boots very fast and contains tools to effectively help you solve your problems during your daily administrative tasks.


Changes: This is the first stable release of Secure-SLinux Server. Updates include HLFS SVN-20060717, kernel 2.6.17.8, glibc 2.3.6, grsecurity 2.1.9, loop-aes 3.1d, and mdadm 2.5.3. Secure-SLinux now supports booting from volumes that use LVM2, loop-AES encryption, or RAID. RAID partitions are automatically detected even when SCSI/IDE drivers are only available as modules.


No changes have been submitted for this release.
Recent comments
Re: good luck, anyways
Thanks for your constructive reply!
It would be nice if people who want to discuss Secure-SLinux could do so in our forum (http://sourceforge.net/forum/?group_id=163367) - otherwise this project page will soon become rather long!
Thanks!
good luck, anyways
[moved to top]
> but honestly, do you really believe that
> just by fixing a couple of bugs will make you safe
Honestly, I just don't even consider my safety dependent on computer systems (particularly online ones). There's limitation for everything, I don't trust things that complex what should not be. That simple.
[sigh]
> If you have a point, you may discuss it but please
> keep it technical.
I try, just some of it (like "enterprise" stuff) isn't only technical. OK, moving to email (if you find the links there interesting).
> You are simply discussing something which
> Secure-SLinux is not intended for.
But why do you -- I'd say "falsely" to a friend! -- advertise it as such then?
I'm sometimes asked for very custom (or odd) things on community side; my problem is often to be able to either recommend something orthogonal but nice (like DeLi last week) -- or warn against something well-known but non-robust (like Slackware).
I've tried to:
- understand what nice/unique features and application possibilities this distro might have;
- possibly share some dev/user experience;
- probably point out that some of the gorgeous description is inaccurate after having asked,
but managed to offend you. That wasn't intended, sorry.
> Don't you see that you are constantly
> being negative? And anyhow: why should
> you bother what kind of people consider
> joining development of Secure-SLinux?
Probably I was a bit.
Last time I've been seriously negative about other people's pet projects was "Linux Netwosix". That was another distro by a boy who was actively advertising it as an "enterprise secure server", even spammed bugtraq with update announces, and funny enough stressed its tarball grade simplicity and quick installation.
The project's long "on hold" with overall maintenance period being like half a year.
He could avoid bothering, gathering, and then frustrating people -- or at least the latter part -- by listening to my advice back then (which accompanied the bug report on world writable files/dirs in his "secure" tarballs).
You sure miss his technical incompetence but missing organizational clue, responsibility or spare time is or becomes very often the case. It's better understood in advance than not.
That's "why".
> I wouldn't mind if you had constructive
> criticism (and also come with some
> solutions). Grow up boy and tell me what
> you're really after!
Well, I'm 28 M.Sc. boy who's after interesting people (to communicate sometimes) and interesting projects (sometimes helping them, sometimes just using results). The two major projects I currently participate in are ALT Linux and TYPO3 CMS, if that matters.
If my knowledge that:
- a non-managed (at least in terms of bare packages) product cannot be considered (and should not be declared) "secure" in enterprise these days;
- single-sided approach to security (like "RBAC/MAC-only" or "updates-only") is not generally reasonable;
- there might be already solutions for many problems not handled in major distros but done elsewhere
is worth nothing to you, well, you can delete the comments (or ask FM folks to) and consider that wasted time (yours and mine).
Or check your email for technical part that might be interesting if you want.
[skipped a couple yups re kernel, compiler, binutils...]
[rant]
> I did not develop Secure-SLinux to attack ALT linux.
Sorry, I didn't comment to bash SSLX too. Rather comparing what's common in goals or tools, and what differs.
I might be attacking some "ad" statements that I personally find misleading, but that's completely different and not at all specific to your webpages only.
I've somehow thought German developers are ever *so much* pedantic that it's a bug to be reported against a public description! :)
Yes, let's leave it at that. Sorry for overemphasizing, if my wording feels like that to you.
Re: distro security approaches
>
>
> % So what can we do? A hardened system
> % detects malicious behaviour and kills
> % applications accordingly.
>
>
> We do SSP and PIE by default in gcc
> AFAIR (together with -DFORTIFY_SOURCE
> and hardened glibc, and quite a few
> other infrastructural barriers), but
> that's a layer pretty independent of
> packaging/updates.
You cannot nearly compete with GRSecurity/PAX or SELinux if you "just" use SSP/PIE and a few other practical measurements. GRSecurity/PAX or SELinux provide hardening on totally other levels. See the discussion on hardened Gentoo about this.
Again I agree with you that keeping your system up2date is a good thing - but honestly, do you really believe that just by fixing a couple of bugs will make you safe considering that a system as huge as linux contains thousands of potential bugs (which will officially never be found/fixed)?
>
> Re "sellers claiming", ALT's
> implementation/buzz ratio is definitely
> higher than "market average" ;) It's
> very much a technocratic distro/project,
> not marketing one.
>
I don't understand why you always defend ALT linux. I am sure that ALT linux is an excellent distro and it probably has its points. I did not develop Secure-SLinux to attack ALT linux. I developed it so that I have a distro which does not have the shortcomings of lots of the major distros (as far as my uses are concerned) - and Secure-SLinux actually turned out to be so good that I made it available to the public for those which are equally minded.
I am not claiming that Secure-SLinux is the only solution - there are others with their advantages and disadvantages. That's up to the user's choice which distro he prefers.
I just want to make the point that this site is for discussion about Secure-SLinux. It's not meant for advertising ALT linux or defending it or attacking Secure-SLinux. If you have a point, you may discuss it but please keep it technical.
> You cannot even know what "all" little
> programs I do use daily, you might even
> not have heard of some of them.
Ouch! You are pedantic! If this is your only problem you have with Secure-SLinux then Secure-SLinux must be a really excellent distribution!!! ALT linux throws with words such as "universal" and "complete office solution" - how do you know what I need? Secure-SLinux provides more useful progs than some of the major distros although most major distros come with thousands of packages. However it's up to you to install what you will be running. I won't discuss it further. I get the point you don't like my wording. Can we leave it at that?
>
> Hey but you *can* install a compiler
> with a single pass of apt-get! ;-) (both
> in Debian and ALT, even if they do dpkg
> and we do rpm)
>
It's not just the compiler. You need binutils, make and a lot of other progs too and a lot of header files in /usr/include.
Anyway, Secure-SLinux is not intended for those who just want to use a graphical RPM based installer and who don't know anything about the internals. So this discussion - again - is of no point. You are simply discussing something which Secure-SLinux is not intended for. And Secure-SLinux does not try to compete with ALT linux. Actually Secure-SLinux does not try to compete with any distro: if you like it, use it. Otherwise don't!
> change distros; re kernel, as I've said,
> I gave up on building those since I
> cannot really build a better one than I
> already have on a silver plate (that
> just works).
>
Secure-SLinux is for those who have no problem in compiling a new kernel and I really see no problem or magic in compiling a new kernel (although Secure-SLinux comes with precompiled kernels so there is normally no need to compile one yourself).
>
> Prepare for questions like these from
> those who might consider joining and
> whom you'd rather welcome than just have
> to educate from the ground up. :)
Don't you see that you are constantly being negative? And anyhow: why should you bother what kind of people consider joining development of Secure-SLinux?
What are you really seeking? Are you not confident enough about your ALT linux that you have to seed doubt in other people's distros on their homepages?
I wouldn't mind if you had constructive criticism (and also come with some solutions). Grow up boy and tell me what you're really after!
distro security approaches
> The problem is that you assume that when
> all packages are bug free, you are on
> the safe side.
Nope, I'm seeing security as a multi-stage defense line with varied methods involved.
> So what can we do? A hardened system
> detects malicious behaviour and kills
> applications accordingly.
We do SSP and PIE by default in gcc AFAIR (together with -DFORTIFY_SOURCE and hardened glibc, and quite a few other infrastructural barriers), but that's a layer pretty independent of packaging/updates.
Re "sellers claiming", ALT's implementation/buzz ratio is definitely higher than "market average" ;) It's very much a technocratic distro/project, not marketing one.
> Well if you read a bit more carefully:
> Secure-SLinux claims that it contains
> all those little programs you need for
> your everyday work and also all
> libraries you need for most applications
> you want to install.
*sigh*. It *cannot*, by definition. You cannot even know what "all" little programs I do use daily, you might even not have heard of some of them. The same would go for me if I'd advertise anything to you as containing "everything you need*" and a fine print that you can build the rest yourself anyways.
Frankly, I'm against that sort of advertisement, but of course it's up to you.
(re "big apps" -- there's always at least some possibility for "generally good enough" package of those more mature projects; cases needing rebuild are more rare these days -- given sane distro at least, I'm not talking of every one out there)
> I always had to solve problems which were
> unsolvable with current distros [...]
> So I don't trust them.
Well I can offer you some sort of exchange: you look at current ALT regarding security and consistence with the job, I look at SSLX regarding the same (probably with some mail conversation). At least that might be interesting experience given "opposites" above :)
> Thats exactly what I don't like with
> some distros (eg. Debian). If you
> install the core system you are actually
> left with a system which contains too
> few apps. For example I want to be able
> to compile a kernel and want to have all
> tools I usually use.
Hey but you *can* install a compiler with a single pass of apt-get! ;-) (both in Debian and ALT, even if they do dpkg and we do rpm)
Re usual tools, that was one of the major factors for me personally to change distros; re kernel, as I've said, I gave up on building those since I cannot really build a better one than I already have on a silver plate (that just works).
> Thats the difference to Secure-SLinux and other
> distros: Neither too bloated nor too few
> packages.
That might only be true for one person, its author. Trust me there are no two identical opinions on what should be in basesystem. :)
That's why minimalistic basesystem with large package base and reasonable default install is so nice: you can kick the CD in and be up and running in minutes, while being able to strip off unneeded stuff or add what's missing by default (or just build custom ISO off the same repository if that's frequent but lobbying needed packages into default setup is generally unreasonable).
> % glibc-2.4+ and NPTL :(
> Not true: glibc-2.4+ with linuxthreads
logical "and"
> Soon Secure-SLinux will come with both
> kernel 2.4 and 2.6 then there won't be
> any problem anymore.
I wish there could be any distro solving that, but you're not going to do "NPTL or 2.4" without providing two builds of glibc and two builds of at least MT apps AFAIK. We _did_ stick to 2.4 as long as we could, until it was more really stable than really stale.
> I will switch to 2.6 when the development has
> stabilised. Currently there are still
> some redesigns underway which are quite
> fundamental.
Yup, our current kernels in 4.0 (standard and openvz) are 2.6.18-based. For different reasons but some of them are like yours too.
> % % Secure-SLinux tries a practical
> % % balance between the two.
> % The funny thing is "we do too" :)
> Why is this funny? Do you think there is
> only one kind of balance?
Exactly the opposite -- because there can be different kinds, but that's one of the stated goals for our distro.
> % I'm also not an expert in security
> What makes you think that I am not an
> expert on security? I have been working
> in this area for over 10 years!
Sorry, it was meaning "I'm also", not "also not an expert". That is, not referring to you [indirectly].
I'm working with Linux since 1998, and was following bugtraq since 1999 or 2000 until its SNR ratio dropped below secunia's advisories; on ALT Linux Team since 2001. There was exactly one known case of one of my publicly accessible ALT-based systems being supposedly broken into, and that was #1 remote hole in OpenBSD.
But that's a compliment to Dmitry Levin, Sergey Vlasov and some other security/kernel pros on the team, not myself.
> You cannot secure a system by making it more
> complex. Humans always are erroneous.
Exactly.
> That's why Secure-SLinux kills apps which
> misbehave rather than relying on updates
> (which are good otherwise but you cannot
> rely on them as a security measurement).
That's far from perfect, as discussed e.g. on bugtraq@ many times. Bringing remote code exec down to remote DoS is better than not but it's still a DoS, and providing security updates so the condition resulting in that would not be met in yet another situation (which is rather beyond the possibilities of two hands from what I see if the distro pretends to be at least a bit universal).
> I like it. And if anyone wants to join -
> just write to info/secure-slinux.org!
Prepare for questions like these from those who might consider joining and whom you'd rather welcome than just have to educate from the ground up. :)
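An added example, not part of the original comments or of either distribution's code: a small checker for the compile-time hardening markers named in this exchange (PIE, SSP, `-D_FORTIFY_SOURCE`), plus the NX-stack and RELRO program headers. The symbol-name tests are heuristics, `build_sample` and its images are constructed for illustration, and kernel-side enforcement such as PaX/grsecurity is not visible in a binary and is not checked.

```python
import re
import struct

ET_EXEC, ET_DYN = 2, 3          # ET_DYN: PIE executables (and shared objects)
PT_GNU_STACK = 0x6474E551
PT_GNU_RELRO = 0x6474E552
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4


def check_hardening(image: bytes) -> dict:
    """Report compile-time hardening markers visible in an ELF image."""
    if image[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64 = image[4] == 2                      # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    end = "<" if image[5] == 1 else ">"       # EI_DATA: 1 = little-endian
    (e_type,) = struct.unpack_from(end + "H", image, 16)
    if is64:
        (phoff,) = struct.unpack_from(end + "Q", image, 32)
        phentsize, phnum = struct.unpack_from(end + "HH", image, 54)
    else:
        (phoff,) = struct.unpack_from(end + "I", image, 28)
        phentsize, phnum = struct.unpack_from(end + "HH", image, 42)
    nx_stack = relro = False
    for i in range(phnum):
        base = phoff + i * phentsize
        (p_type,) = struct.unpack_from(end + "I", image, base)
        # p_flags follows p_type in ELF64 but sits at offset 24 in ELF32.
        (p_flags,) = struct.unpack_from(end + "I", image, base + (4 if is64 else 24))
        if p_type == PT_GNU_STACK:
            nx_stack = not (p_flags & PF_X)   # a missing header counts as not NX
        elif p_type == PT_GNU_RELRO:
            relro = True
    return {
        "pie": e_type == ET_DYN,
        "nx_stack": nx_stack,
        "relro": relro,
        # Heuristics on symbol names: SSP-instrumented code references
        # __stack_chk_fail; _FORTIFY_SOURCE rewrites memcpy() to __memcpy_chk().
        "ssp": b"__stack_chk_fail\x00" in image,
        "fortify": re.search(rb"__[a-z]+_chk\x00", image) is not None,
    }


def build_sample(e_type: int, stack_flags: int, names: list) -> bytes:
    """Constructed minimal little-endian ELF64 image: file header, one
    PT_GNU_STACK program header, then NUL-terminated symbol names."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    header = ident + struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0,
                                 0, 64, 56, 1, 0, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    strtab = b"\x00" + b"".join(n.encode() + b"\x00" for n in names)
    return header + phdr + strtab


if __name__ == "__main__":
    hardened = build_sample(ET_DYN, PF_R | PF_W, ["__stack_chk_fail", "__memcpy_chk"])
    legacy = build_sample(ET_EXEC, PF_R | PF_W | PF_X, ["memcpy"])
    print("hardened:", check_hardening(hardened))
    print("legacy:  ", check_hardening(legacy))
```

On a real system, pass the bytes of a file such as a daemon binary to `check_hardening`; a shared library also reports `pie` as true because both use `ET_DYN`.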
Re: what's the package system?
>
> % In my experience it is very dangerous
> % and does not add stability if you can
> % update individual packages.
>
>
> My experience is the other way around,
> but then again I don't use Red Hat or
> its derivatives (ALT is rpm-based but
> also employs apt-rpm for higher-level
> management). E.g. I can schedule
> updates application by means of cron(8)
> which helps to maintain quite a few
> systems.
>
The problem is that you assume that when all packages are bug free, you are on the safe side. However a) Linux consists of millions of lines of code and has at least (according to some statistics) 1 serious bug every 1000 lines of code (which is a lot better than most commercial products). b) when you update it will only fix bugs which are currently known. There is no guaranty that there are bugs which hackers know but not anyone else.
So what can we do? A hardened system detects malicious behaviour and kills applications accordingly. SSP/PAX/GRSecurity will detect unusual behaviour and will stop the application before any harm is done. Even for bugs which are unknown. So I think having automated updates is a fine thing but does not improve security nearly as much as distro sellers are claiming.
>
> % To answer at least some of your
> points:
>
>
> % "everything you need and no more":
> % Secure-SLinux contains everything you
> % need for working with linux.
>
>
> Does it provide graphviz and evms? (the
> question is ridiculous, there are
> packages missing in the largest distros
> but I actually use these; there is
> simply no distro providing "everything
> you need" for everyone)
>
Well if you read a bit more carefully: Secure-SLinux claims that it contains all those little programs you need for your everyday work and also all libraries you need for most applications you want to install. It further on explains that Secure-SLinux does not come with any of the big server applications - since there are so many different ways you can compile, patch and configure them, that you will probably install those applications your way anyway.
>
> % So you will have to install them
> yourself anyway
> % (eg. Apache, MySQL, Oracle, etc.)
>
>
> Ouch! Any high-level admin I know would
> (re)package the build, not install from
> tarball. Delivering slackware is the
> worst thing that IT may do to an
> enterprise, it's just a mess to hand
> over or take over. Seen that :(
>
> Oracle is a special case though.
>
Well I have the opposite experience. I always had to solve problems which were unsolvable with current distros (had to use my own patched kernel, reinstall most server apps, etc. to get things going). Nowadays distros have become much more powerful but also much more bloated and some of the configurations are so ridiculous that they are way off from being secure. So I don't trust them.
>
> You can look here to find that ALT's
> basesystem is *very* spartan (removing
> apt and libs needed makes tarball ~4M
> smaller yet):
>
That's exactly what I don't like with some distros (eg. Debian). If you install the core system you are actually left with a system which contains too few apps. For example I want to be able to compile a kernel and want to have all tools I usually use. That's the difference to Secure-SLinux and other distros: Neither too bloated nor too few packages.
>
> % "professional enterprise servers":
> % Can you tell me a single app which
> will
> % not run under 2.4.* kernels?
>
>
> glibc-2.4+ and NPTL :(
>
Not true: glibc-2.4+ with linuxthreads works just fine. NPTL is pretty much the only thing which does not work with kernel 2.4 - but applications work with both threading solutions and linuxthreads is good enough for most server needs. If you do need NPTL then you will have to switch to kernel 2.6. Soon Secure-SLinux will come with both kernel 2.4 and 2.6 then there won't be any problem anymore.
> I did prefer 2.4.x until the last year
> (ca. 2.6.18) when I/O sched got fixed,
> particularly, and our distro switched
> mostly due to hardware support and
> recent glibc. There wasn't much sense
> to stay until it would be officially
> unsupported.
>
I have seen recent kernels not being able to boot certain servers. Since I cannot test my distro on many different hardware layouts - I rather stick to a solution which works everywhere. I will switch to 2.6 when the development has stabilised. Currently there are still some redesigns underway which are quite fundamental.
> BTW do you employ chrooted
> services? :)
Yes. The DNS server for example. However gradm provides much stronger restrictions than chroot. So use that to force _all_ apps to run in their restricted environment.
>
> % Secure-SLinux tries a practical
> balance
> % between the two.
>
>
> The funny thing is "we do too" :)
>
Why is this funny? Do you think there is only one kind of balance?
>
> I'm also not an expert in security but
> do have some experience in this area,
> most of it being just practical.
>
What makes you think that I am not an expert on security? I have been working in this area for over 10 years! And I have been designing Secure-SLinux exactly because I was not amazed by the major distros. It's just that a lot of so called "security measures" which you find a lot in major distros and lots of security apps which are sold for lots of money aren't really secure. That's why I do things differently. You cannot secure a system by making it more complex. Humans always are erroneous. You have to break complexity down. That's why a good firewall disallows everything by default and you have to tell it exactly where it should be open. If you get it wrong, it won't accidentally open a hole. That's why Secure-SLinux kills apps which misbehave rather than relying on updates (which are good otherwise but you cannot rely on them as a security measurement). Secure-SLinux may not be the perfect answer to security and one certainly could do more - but it's a simple and very effective solution for lots of servers.
>
> It's pretty boring to maintain a distro
> with two hands from kernel to website,
> I've seen that in detail.
>
I like it. And if anyone wants to join - just write to info@secure-slinux.org!
> Anyways, thanks for the answers and good
> luck!
Thanks for your replies and also good luck!