
Re: You got some 'splaininn to do Lucy ;-)



> We just had a security application vendor come in.  We asked about Linux
> support and he said that putting a security application on top of an
> insecure OS was useless.

It's interesting that the application vendor assumes Linux is an insecure
OS, did the vendor explain the basis for their assumption? It is also
interesting that they support putting the security application on Solaris
if the vendor has issues with insecure OS's. I guess what I am getting at
is that very few operating systems are secure in their default
configuration, with the exception of A and B TCSEC rated systems. Putting a
default Solaris, HP-UX and Linux box on a hostile network like the
Internet will find all of them compromised rather quickly. I think
commercial OS's suck, for security especially and generally they don't
give away source without requiring a NDA.  Again I personally think that
having the source code to an operating system is great!  It allows me to
find, report and force willing post fixes to any problems I encounter. I
know the source versus no source argument has taken place on the firewall
wizards list and it saddens me that the man who coined the term "bastion
host" has said that source may not be such a good idea in today's highly
competitive security arena, but I have to respectfully disagree.  Not
making source code available seems to me to be security through obscurity,
yes it works for a time but wouldn't you rather have a better mouse trap
than simply the least well known (and even if it is the best how do you
show that without source)?

> When I asked what he meant by insecure he replied that Linux does not
> have a true Auditing capability - as opposed to HP-UX & Solaris which
> they do support.

Strange that the vendor felt that Linux doesn't have a "true Auditing
capability" when Linux in fact has auditd, that monitors and logs specific
system calls. It can be found at ftp://ftp.hert.org/pub/linux/auditd/ if
interested. What auditing was this vendor referring to on Solaris &
HP-UX, both can be configured to do increased logging but this is also
true of Linux.

I think your best course of action is to put the question you have raised
to your application vendor. They should be responsive enough to explain
in more depth what they meant and may be able to give examples. As
well, they might be able to give you a more defined statement as to what
they require to qualify as a secure OS. Having worked as a consultant I
would never want to leave clients with unaddressed concerns, so they
should be happy to help clear things up for you.

Cheers,
Cohen

--
I want to publish zines and rage against machines.
                                        - Harvey Danger


