[linux-security] Re: RedHat 5.X Security Book

[Grant Taylor <gtaylor picante com>]

[mod: This discussion has been going on "offline" with an occasional
CC to linux-security. By the time I got around to do another
"moderation round" this one was the latest. Everyone is keeping good
context, so I think you all will be able to follow the discussion. --REW]


>>>>> <seifried seifried org> writes:

>> The only thing I can see coming out of a "checklist" security setup
>> is a false sense of security.  The moment poor Joe User does
>> something unanticipated or tricky, he'll be both unaware of his
>> problem and unable to handle it once/if detected.  Conversely, a
>> clueful user stands a chance at anticipating problems and being
>> able to handle them.

> That is rather arrogant if you don't mind me saying so. Joe User
> would be up shit creek in any case. If we follow this dogma that
> teaching users is bad because they won't know enough to deal with
> every eventuality, well where does one start? We should force users
> to use Linux and learn it inside and out for a few months before
> even letting them secure their system?

This is not what I said.  I merely point out that it is difficult or
perhaps impossible to make a "checklist" that will be complete enough
to result in a system that is actually secure.  Particularly so over
time.

And note that while I don't think that your book will actually result
in fully secure Linux systems run by neophytes, I do think it's a net
improvement in the state of the world.  The more material out there
for people to learn from, the better...

> Theory is great but most people do not have the time, or technical
> background to read PUIS. To draw an analogy:

> I have a car. I know how to drive it. I can change flat tires, add
> oil and gas. This covers about 99% of normal stuff. I take it to a
> car mechanic when it needs it. I am not going to stop on the side of
> the road, pull 200 pounds of tools out of the trunk and change all
> the gaskets in the engine.

Absolutely.  But network security is more complex than car
maintenance.  It also differs in that "99% secure" isn't significantly
better than "40% secure".  Anyone interested in breaking in has only
to try out a bag of tricks until he hits that forgotten 1%.  OTOH, a
99% well maintained car is very nearly indistinguishable from a 99.9%
well maintained car.

>> Linux isn't ready, any more than any other Unix, to be thought of
>> as "secure" in an environment of cluelessness.  Neither is any
>> other operating system, although some probably fare much better out
>> of the box...

> That's the beauty of RedHat however. It's standardized. I tell you
> to run pwconv and grpconv as root, and check the files in /etc and
> boom, you got shadow passwords. You follow my instructions to chroot
> and change the user dns runs as and boom, you got named running a
> hell of lot more safely.

Red Hat isn't any more standardized than Solaris, Digital UNIX, AIX,
or any of the others.  RH might even be less so - there are a lot of
interchangable packages whereas most commercial UNIXes tend to have a
fixed base and a pile of optional packages.

In any case, more secure configurations like shadow passwords and
chrooted bind are things which Red Hat should provide out of the box.

>> Now, with all that said, I think the best thing would be to do
>> something to raise awareness of the issues with the unaware folks
>> out there.  At least then they'll know that they're naked.

> Guess what, most people do not want to really learn all the ins and
> outs.  they just want to secure the system. They usually learn in
> time, but expecting them to sit down and study Linux manuals/etc is
> a bit much.

Hmm.  An admin cannot secure something he does not understand.
Expecting a Unix system to operate flawlessly without reading and
understanding the instructions is clearly not the way to go.

Shipping a Unix system that starts with no known misconfigurations is
a good start, and it's what the best Linux vendors have been trying to
do, albeit with limited success.  Anything beyond that requires clue
on the admin's part.

> All the feedback I have gotten (except from you =)) has been very
> positive, and mostly from semi clued in users saying they did X and
> it worked and thank you.

Leave it to me to ruin an otherwise sunny day ;)

Remember, I'm allowed to be wrong.  But it's more likely that we both
are.  Such is the nature of the human mind...

> Making a person aware that their system is unsecure isn't really
> going to help much, however giving them instructions on a variety of
> simple to complicated things they can do to secure it from a
> majority of attacks will help.

Sure it will help - otherwise they'll never go find the instructions.
My argument is simply that, since most of the instructions and tools
already exist, we should just tell people why they need them and where
to find them.

This argument applies to Windows users even more - they're _all_
running around with their pants down.  Sheesh!

>> Do Red Hat, SuSE, or Debian manuals include a section on security?
>> A brief introduction, with a discussion of just what RH does and
>> doesn't do for you (ie, prompt updates, etc), would be a good thing
>> to have included with each copy.

> Not really. Talk to RedHat about that (I am not associated with
> RedHat in any way other then being a customer).

They're out there.  But until I bother to actually look, they'll
ignore me.  So I looked, and the answer is basically no - there isn't
a section on security in the RH 5.1 manual.  There are occasional
brief bits on certain security procedures like restricting a service
with tcp_wrappers, and where to get ssh as an rpm, but little
discussion of why you would want these things.

> P.S. I personally think PUIS is a great book, but it's way to
> advanced for a lot of Linux users/admins. These people need to learn
> to walk first and rmemeber to close the front door before they start
> armour plating the roof and putting a minefield in the front lawn =)

Yup.

--
Grant Taylor - gtaylor picante com - http://www.picante.com/~gtaylor/
  Where do these people come from?       Finger for PGP public key.