[News] More Choice Given in Linux Security - Linux


Thread: [News] More Choice Given in Linux Security

  1. [News] More Choice Given in Linux Security

    Kernel space: should security modules be dynamically loadable?

    ,----[ Quote ]
    | The ever-contentious Linux Security Modules (LSM) API is being debated once
    | again on linux-kernel, not its removal, which Linus Torvalds came down firmly
    | against, but whether it should allow security modules to be loaded
    | dynamically.
    `----

    http://www.linuxworld.com/news/2007/...rss-linux-news

    Just look what the Windows security mess has left all across the Web...

    UK.gov lambasted for ignoring peers' cybercrime report

    ,----[ Quote ]
    | A leading security expert has criticised the UK government for ignoring
    | recommendations on tackling cybercrime from peers.
    `----

    http://www.theregister.co.uk/2007/10...rime_response/

    FTC demands bigger spyware penalties

    ,----[ Quote ]
    | US consumer watchdog the Federal Trade Commission (FTC) is calling for a
    | bigger stick with which to punish spyware purveyors.
    `----

    http://www.theregister.co.uk/2007/10...are_sanctions/


    Related:

    Tip of the Trade: SELinux

    ,----[ Quote ]
    | You don't need to be a super-guru to set up a workable SELinux policy, just
    | an ordinary, diligent server administrator unafraid to read a bit of
    | documentation.
    `----

    http://www.serverwatch.com/tutorials...le.php/3702626


    Linux Application Hardening

    ,----[ Quote ]
    | When we talk about Linux hardening, we typically mean runtime
    | application hardening to improve application reliability, leading to expected
    | and predictable execution despite undesirable operating conditions (such as
    | high memory or network overload).
    `----

    http://opensource.sys-con.com/read/431838_p.htm


    SELinux — is it really too complex?

    ,----[ Quote ]
    | What I discovered is that part of SELinux’s current dilemma is more easily
    | fixable than the other, because it has nothing to do with technological chops
    | and everything to do with public perception. Jim Klein, the director of
    | information services and technology at the California-based Saugus Union
    | School District, put it best: “The biggest problem for SELinux is mindshare,”
    | Klein told me. “It developed a stigma early on due to the lack of tools for
    | configuration and troubleshooting, which led people to simply turn it off.”
    | Currently, Klein is one of the many IT guys who has the SELinux switch in
    | the “off” position.
    `----

    http://enterpriselinuxlog.blogs.tech...y-too-complex/


    SELinux vs. OpenBSD's Default Security

    ,----[ Quote ]
    | Darrin Chandler suggested, "security should not be grafted on, it should be
    | integrated into the main development process. I'm sure the patch maintainers
    | are doing their best, but this doesn't change the fundamental flaw in the
    | process. It's not a flaw of their making, it's inherent in the situation. But
    | it's still a flaw."
    `----

    http://kerneltrap.org/OpenBSD/SELinu...fault_Security

  2. Re: More Choice Given in Linux Security

    On Oct 31, 9:11 am, Roy Schestowitz wrote:
    > Kernel space: should security modules be dynamically loadable?
    >
    > ,----[ Quote ]
    > | The ever-contentious Linux Security Modules (LSM) API is being debated once
    > | again on linux-kernel, not its removal, which Linus Torvalds came down firmly
    > | against, but whether it should allow security modules to be loaded
    > | dynamically.
    > `----


    Pluggable authentication modules have been in Linux since the early
    Slackware days. It's one of the main features of Linux. Linux users
    can have the option of using an internal password file, a shadow file,
    Kerberos authentication ("password" changes every few seconds), or
    LDAP with or without Kerberos protection for the LDAP server.

    The pluggable authentication module also lets users or corporations
    plug in other security models such as Active Directory compatibility,
    or use SSL connections to the LDAP servers. The security can be very
    simple, or secure enough for the NSA (remember, they did a security
    audit to make it good enough for their needs). When the top spy
    organizations like the NSA and MI5 start using Linux, because they
    have plug-in modules, that's a pretty strong endorsement for PAM.

    The main argument against PAM is that you could theoretically subvert
    the configured security system. If I have a passworded disk drive, I
    still need root access to modify the configuration. If the drive is
    not passworded, it could be removed from the laptop, mounted on a USB
    to IDE or USB to SATA cable, and configured to use password
    authentication.

    There are ways to prevent that as well, but at that point, ANY OS
    could be "cracked" using such extreme routines.

    Compiling the security into the kernel doesn't really change much. If
    the security is configurable, the configuration can still be
    compromised using the technique described above. If the police get a
    search warrant and seize your computer, none of the authentication
    methods used in ANY operating system will slow them down more than a
    few minutes. Using file level encryption and using different
    encryption keys for each file will make things more difficult, but
    even those files can be cracked if necessary.

    > http://www.linuxworld.com/news/2007/...fsrc=rss-linux...




  3. Rex Ballard: citations please ..

    Rex Ballard wrote:

    Citations please for these statements of yours ...

    http://groups.google.co.uk/group/com...d44043ede488d8
