Vulnerability Development mailing list archives
Re: The NSA's Security-Enhanced Linux
From: Dom De Vitto <dom () DEVITTO COM>
Date: Tue, 26 Dec 2000 12:21:38 -0000

I think Scott's point uses OpenBSD as a baseline, which is darn secure
'out-of-the-box', compared to just about any other free OS. (none of which,
IIRC, have been and are regularly 100% security audited)

| From: VULN-DEV List [mailto:VULN-DEV () securityfocus com]On Behalf Of Neal Dias
|
| "Scott D. Yelich" <scott () SCOTTYELICH COM> wrote:
| >It frightens me to think that anyone would
| >trust linux :-> but, alas, who knows. Maybe if enough sugar is
| >poured on top, it just won't continue to smell so bad.
|
| That's a pretty strong statement wouldn't you say? Sounds to me as if you
| wouldn't advocate linux in ANY circumstance. Am I reading and interpreting
| it wrong? To say that something stinks, and maybe adding features to it
| will improve the smell, sounds like you think it's "a bad thing" at its core.
|
| You seem to be backpedaling here.
|
| >Did I ever mention out of the box security of Solaris, linux or windows?
| >It seems to me that most systems need quite a bit of "fixing" if not a
| >whole heck of a lot of configuring.
|
| Actually you did:
| "...is not attempting to be a demo -- such as Pitbull (solaris?)?"
|
| Any OS, including Solaris, if not properly configured is not an OS I would
| consider as "secure", and that would include something like Pitbull. As far
| as I'm aware and correct me if I'm wrong, with proper configuration and
| documented auditing, Pitbull is a secure and trusted system, but not "out
| of the box". I wouldn't "trust" ANYTHING "out of the box."

Ditto, but once I've done cranked up and enabled IPfilters, I trust my
OpenBSD boxes.

| >Anyway, what closed OS are you referring to? Solaris is hardly closed.
| >At least, it's a whole heck of a lot more open than mickeysoft,
| >until/unless some jokers release the code they might have stolen
| >from mickeysoft.

Scott's point is wrong, solaris and SunOS are still largely based on BSD/SysV,
and with SunOS at least, you could buy a source license from Sun.

| Since when? Ok, Solaris IS opening up, but that is a recent
| occurrence. It has traditionally been just as closed as any other OS,
| and I would include it with MS in that category.

Again, as above, I don't believe that MS has ever allowed just anyone with
$10,000 to get a copy of the source, I wonder why.........not.

Sun's opening up of the source is a big step towards making the OS 'open',
and in fact isn't a big step away from 'open', if you consider that Linus
and Theo both have the same kind of veto that Sun would have on any patches
you cared to supply.

[snip]

| "This work is not intended as a complete security solution for
| Linux..."
|
| "...it is simply an example of how mandatory access controls
| that can confine the actions of any process, including a
| superuser process, can be added into Linux."
|
| "There is still much work needed to develop a complete security
| solution."
|
| "we feel we have presented a good starting point to bring
| valuable security features to Linux. We are looking forward to
| building upon this work with the Linux community."
|
| "There is still significant work ahead to provide mandatory
| access controls for all kernel services and to provide a
| complete general purpose security policy configuration. "
|
| "It is expected that research in the above-identified areas of
| technology will continue."

[snip]

| Seems to me from reading through the website that this is not a
| demo, and more than a proof of concept, it appears to be a
| continuing work with working source provided.

Exactly. If you use Linux in a secure environment, and MAC would be a nice
addition, maybe you should try it out, and even try and get the features in
the core releases so everyone can help debug it.

[snip]

| Please note that I do not, nor have I ever, worked for any
| government agency, therefore my comments above concerning
| mentality and methods of operation should be construed strictly
| as personal opinion, I am not speaking from experience, only
| observation.

Ahh, and though *I* believe you, from your snipped dialogue, even if you
do/did, you may not be allowed to say... ;-)

Dom