Vulnerability Development mailing list archives

Re: The NSA's Security-Enhanced Linux


From: Dom De Vitto <dom () DEVITTO COM>
Date: Tue, 26 Dec 2000 12:21:38 -0000

I think Scott's point uses OpenBSD as a baseline, which is darn secure
'out-of-the-box', compared to just about any other free OS.
(none of which, IIRC, have been and are regularly 100% security audited)

 | From: VULN-DEV List [mailto:VULN-DEV () securityfocus com] On Behalf Of Neal Dias
 | "Scott D. Yelich" <scott () SCOTTYELICH COM> wrote:
 | >It frightens me to think that anyone would
 | >trust linux :-> but, alas, who knows.  Maybe if enough sugar is
 | >poured on top, it just won't continue to smell so bad.
 | 
 | That's a pretty strong statement, wouldn't you say? Sounds to me as if you
 | wouldn't advocate linux in ANY circumstance. Am I reading and interpreting
 | it wrong? To say that something stinks, and maybe adding features to it
 | will improve the smell, sounds like you think it's "a bad thing" at its core.
 | 
 | You seem to be backpedaling here.
 | 
 | >Did I ever mention out of the box security of Solaris, linux or windows?
 | >It seems to me that most systems need quite a bit of "fixing" if not a
 | >whole heck of a lot of configuring.
 | 
 | Actually you did:
 | "...is not attempting to be a demo -- such as Pitbull (solaris?)?"
 | 
 | Any OS, including Solaris, if not properly configured is not an OS I would
 | consider as "secure", and that would include something like Pitbull. As far
 | as I'm aware and correct me if I'm wrong, with proper configuration and
 | documented auditing, Pitbull is a secure and trusted system, but not "out
 | of the box". I wouldn't "trust" ANYTHING "out of the box."

Ditto, but once I've done cranked up and enabled IPfilters, I trust my OpenBSD boxes.

 | >Anyway, what closed OS are you referring to?  Solaris is hardly closed.
 | >At least, it's a whole heck of a lot more open than mickeysoft,
 | >until/unless some jokers release the code  they might have stolen
 | >from mickeysoft.

Scott's point is wrong; Solaris and SunOS are still largely based on BSD/SysV,
and with SunOS at least, you could buy a source license from Sun.

 | Since when? Ok, Solaris IS opening up, but that is a recent occurrence.
 | It has traditionally been just as closed as any other OS,
 | and I would include it with MS in that category.

Again, as above, I don't believe that MS has ever allowed just anyone with
$10,000 to get a copy of the source, I wonder why.........not.

Sun's opening up of the source is a big step towards making the OS 'open',
and in fact isn't a big step away from 'open', if you consider that Linus and
Theo both have the same kind of veto that Sun would have on any patches you
cared to supply.

[snip]
 |  "This work is not intended as a complete security solution for
 |  Linux..."
 | 
 |  "...it is simply an example of how mandatory access controls
 |  that can confine the actions of any process, including a
 |  superuser process, can be added into Linux."
 | 
 |  "There is still much work needed to develop a complete security
 |  solution."
 | 
 |  "we feel we have presented a good starting point to bring
 |  valuable security features to Linux. We are looking forward to
 |  building upon this work with the Linux community."
 | 
 |  "There is still significant work ahead to provide mandatory
 |  access controls for all kernel services and to provide a
 |  complete general purpose security policy configuration. "
 | 
 |  "It is expected that research in the above-identified areas of
 |  technology will continue."
[snip]
 |  Seems to me from reading through the website that this is not a
 |  demo, and more than a proof of concept, it appears to be a
 |  continuing work with working source provided.
Exactly.

If you use Linux in a secure environment, and MAC would
be a nice addition, maybe you should try it out, and even try and
get the features in the core releases so everyone can help debug it.

[snip]
 |  Please note that I do not, nor have I ever, worked for any
 |  government agency, therefore my comments above concerning
 |  mentality and methods of operation should be construed strictly
 |  as personal  opinion, I am not speaking from experience, only
 |  observation.

Ahh, and though *I* believe you, from your snipped dialogue, even
if you do/did, you may not be allowed to say... ;-)

Dom

