Hi,

I have been discussing the issue of Linux security with a security professional, when I myself am not one, and the discussion has now gone far above my head. So, as part of the Linux community, if there are any security professionals out there willing to lend me a helping hand in answering his latest questions/ideas, then I would be extremely grateful. If not, our discussion is still a good read, as he puts forward some interesting questions, so I urge you to read it. Then, if you feel you are on a par with his level, please feel free to leave a reply

Here it is: http://wolphination.com/linux/2006/0...-and-security/

Thanks in advance,

-jk

Unfortunately the thread rambles a lot. It's hard to pick out just what you want to discuss or review.

There are several different aspects to what could be meant by "system security." It's a term that requires greater explanation.

The casual-user's view of the topic might simply be like what he thinks about when he locks his apartment door in the morning, but leaves an upstairs window open. A casual pocket-thief will probably test the door, find it locked, and move along without climbing up to the window. But the owner really isn't patrolling anything, doesn't have a security-camera inside and so on. This is like the usual Linux home-installation. (The usual Windows installation has all the doors and windows wide open, and soft music playing for the enjoyment of the thief. Nobody is home. )

The next level, also still casual, might be if, before leaving the house, he activated his alarm-system which is monitored. This is a slightly active approach in that an ordinary attempt at intrusion will be detected as well as prevented.

Several levels up from that would be what this person is talking about .. such as the local bank. Here, access to information and money is decentralized, cross-checked, accounted for, and otherwise carefully controlled. Responsibilities are divided into varying tiers of control and trust. There are periodic audits. If money were to be successfully stolen, or records successfully altered, a fairly large conspiracy would be required.

I read that the NSA is going to run vmware on top of SELinux. This allows them to avoid having 5 separate computers on a desk, each running at a different security classification.

There was an article I read once, about a cost saving initiative during the Clinton administration to use commercially available software in the military, rather than custom software written to military specs. They tried running a cruiser on XP. All of the XP computers crashed and the ship was dead in the water. So much for that idea!

sundialsvcs - Yes, it is quite long. The last two messages are probably the most important ones though.. And I really cannot reply to that last one
True, but he was using the bank as an example for a corporation you would trust to use the most stable and secure technology. He's putting across the point that SELinux is said to be "under research", and is therefore NOT something a corporation like a bank would use. Yet, many distros incorporate SELinux out of the box (such as the FC line), even though SELinux is not a stable product..

He then goes on to talk about how Linux does not have a reference monitor, but I do not know enough about that to reply to him. He knows that I'm asking for help, so if you could read that last message and understand what he was saying, I bid you to please write a reply.. I've never seen something like this brought up when talking about Linux's security on a lower level.

jschiwal - That they are going to run VMWare on top of SELinux? How can that be - SELinux is neither a distro nor an OS.. Or do you mean that they are going to run VMWare on an SELinux-enabled distro?

And to avoid have 5 computers on each desk, surely they could just dual-boot? Or is the aim of this to have all 5 OSs running at the same time?
Hehehe