On 6/18/07, Stephen Harris <[EMAIL PROTECTED]> wrote:
> On Mon, Jun 18, 2007 at 12:18:40PM -0600, Stephen John Smoogen wrote:
> > On 6/18/07, Stephen Harris <[EMAIL PROTECTED]> wrote:
> > >I've never said there are _no_ cases for SELinux.  I was questioning it
> > >as a general rule for all machines.
>
> > Several of the problems were machines that were not connected to the
> > internet or were deep behind firewalls. The problems were that all it
> > takes is one user who doesn't think well to make all those
> > firewalls/issues useless. E.g. the person who, coming in from work, finds
> > a nice shiny USB fob and plugs it into a work computer to see who it
> > belonged to so they could return it.  The guy who downloads an
>
> [ etc ]
>
> This is why I mentioned "risk profile" in another message.  You evaluate
> the perceived risk, the likelihood of the event happening, the cost of
> the event, the "cost" of a potential solution and perform an analysis.
>
> So one might rank the items like this:
>   external facing servers: high risk!  Automated attacks possible
>   Desktop work stations: moderate.  User stupidity highest attack vector
>   General compute server: low risk.  Only "trained" staff have access.


I was really grumpy yesterday... so I just wanted to say that I believe
that in most cases where you are in a low risk... you might be better
off with SELinux in permissive mode versus off. Permissive at least
will give you a fingerprint of what might have gone wrong when the
PFY plugged in that nice shiny USB fob he found next to his car at
lunch.

--
Stephen J Smoogen. -- CSIRT/Linux System Administrator
How far that little candle throws his beams! So shines a good deed
in a naughty world. = Shakespeare. "The Merchant of Venice"
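
The "fingerprint" that permissive mode leaves is the set of AVC records in the audit log. The following is an added example, not part of the original message, showing one way to summarize them. The log records and the type names `demo_helper_t` and `demo_web_t` are constructed, and the code assumes the `permissive=` field that current kernels append to AVC records.

```python
import re
from collections import defaultdict

# Constructed audit.log excerpt (not from the original thread).
SAMPLE_LOG = """\
type=AVC msg=audit(1182190000.101:411): avc:  denied  { read } for  pid=2301 comm="demo-helper" name="autorun.inf" dev=sdb1 ino=12 scontext=system_u:system_r:demo_helper_t:s0 tcontext=system_u:object_r:removable_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1182190000.101:411): arch=40000003 syscall=5 success=yes exit=3 comm="demo-helper"
type=AVC msg=audit(1182190002.530:412): avc:  denied  { read execute } for  pid=2301 comm="demo-helper" name="setup.bin" dev=sdb1 ino=13 scontext=system_u:system_r:demo_helper_t:s0 tcontext=system_u:object_r:removable_t:s0 tclass=file permissive=1
type=AVC msg=audit(1182190005.007:413): avc:  denied  { name_connect } for  pid=2310 comm="setup.bin" dest=4444 scontext=system_u:system_r:demo_helper_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1182190009.900:414): avc:  denied  { write } for  pid=990 comm="demo-web" name="index.html" dev=sda1 ino=77 scontext=system_u:system_r:demo_web_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(r"type=AVC msg=audit\((?P<ts>\d+\.\d+):\d+\): avc:\s+denied\s+"
                    r"\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC denial record, or None for any other line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    rec["perms"] = m.group("perms").split()
    rec["ts"] = float(m.group("ts"))
    return rec

def fingerprint(log_text):
    """Group actions that were logged but allowed (permissive=1) by
    (source type, target type, object class)."""
    groups = defaultdict(lambda: {"perms": set(), "comms": set(), "count": 0})
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec.get("permissive") != "1":
            continue  # skip non-AVC lines and denials that were enforced
        key = (rec["scontext"].split(":")[2], rec["tcontext"].split(":")[2],
               rec["tclass"])
        groups[key]["perms"].update(rec["perms"])
        groups[key]["comms"].add(rec.get("comm", "?"))
        groups[key]["count"] += 1
    return {k: {"perms": sorted(g["perms"]), "comms": sorted(g["comms"]),
                "count": g["count"]} for k, g in groups.items()}

if __name__ == "__main__":
    for key, g in sorted(fingerprint(SAMPLE_LOG).items()):
        print(key, g)
```
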