Red Hat Seeks to Deliver Most Secure Linux

Jack writes "ITO is running a story on Red Hat's plan to become the most secure Linux platform. From the article: "Red Hat officially joined The National Information Assurance Partnership to bring an improved level of security and assurance to Linux. This means that the next version of Red Hat Enterprise Linux will contain kernel and Security Enhanced Linux policy enhancements, developed by IBM, Red Hat, TCS, NSA and the community.""

OpenBSD

[biryokumaru]

Why don't the security conscious just use OpenBSD [openbsd.org]?

Is this a magnet?

[kpwoodr]

So does anouncing to the world that you want to be the most secure platform place a giant target on Redhat? It almost seems like an invitation for everone to come try and get a piece.

Granted, I think Red Hat has a much better head start on MS, but that may partly be due to the amount of market share they command. If they can pull it off, more power to Red Hat!

Yes the NSA does

[jhines]

Yes they do http://www.nsa.gov/selinux/info/faq.cfm#I2 [nsa.gov], the mentioned security enhancements are more like ACL's and policies.

Secure operating systems...

[Anonymous Coward]

First off, I should let it be known that I am a BSD fan, and not a Linux one. However, despite my many issues with Red Hat and Fedora Core, they have been integrating some really cool stuff of late, things I had wanted to have easy access to in a open source operating system for some time, such as the SELinux functionality.

It's absolutely fantastic work they are doing; making SELinux a default in their systems in meaningful ways, while at the same time, doing their damndest to make it as transparent as possible to the everyday user. No one else is doing that. OpenBSD are the kings of UNIX quality control, but they offer nothing in the way of mandatory access controls. FreeBSD has comparable technology in the form of the TrustedBSD MAC Framework (which is excelant), but they are not yet offering security policies that are transparent to ordinary users of the system, and like SELinux in most distributions that support it, it's a pain to set up correctly.

Now if only they (Fedora especially) would ship a basic "desktop install" on *one* CD image instead of requiring 2-4 CDs, my major gripes with their software would go away completely. This kind of hardcore but transparent security is most definately needed by everybody today, and right now, only Red Hat and the Fedora Project are providing it. As much as I prefer the saner development methodologies and more well thought out kernel architectures provided by the various BSDs, in an online world as inherrently dangerous as our own, employing an operating system that supports these security technologies is the only real way to go.

Come on FreeBSD! What are you waiting for? Keep up the (mostly) good work Fedora people!

Secure desktops

[shudde]

There are already a number of quality server distributions out there with security tools like SELinux, GRSecurity and PaX, but it will be interesting to see Redhat contribute to the mix. Personally, I use a number of modified Redhat patches while building HLFS-based systems.

While this is undoubtedly off-topic, what I really want to see (and continually try to create) is a desktop system with some of these advanced security concepts enabled. The problem seems to be finding the right balance between security and ease-of-use, it's a lot easier to create a server with non-standard access control than an xorg/KDE desktop.

Contributing to this problem (at least in my experience) are the documentation problems. These can occur in many opensource projects but seem to be magnified in security projects. Even with a fair working knowledge of relevant areas, incomplete and esoteric documentation provides a stumbling block for a lot of us.

Secure and Usefull

[Anonymous Coward]

What everyone seems to be missing here is that unlike BSD or the other so called secure Linux distros out there, when you install RedHat you actually have a usable platform from the get go. What is the point of having this ultra secure Linux server which has all services turned off by default. Not a very usefull server if you ask me. And while I like BSD, it does not have the software base available for it that RedHat does. Perhaps for the random home user none of this matters, but to anyone going to delpoy hundreds of Linux systems, this all makes a huge difference.

Summary: RedHat delivers both a secure and a usable Linux distro which is easily supportable and reproducable.

Re:But SELinux SUCKS for enterprise

[sabat]

Sure you can do it. Samba and Apache just have to be part of the same security domain. Study up, boy.

Re:But SELinux SUCKS for enterprise

[Anonymous Coward]

Actually you can allow this if you write your own SElinux policy, which can actually be quite easy. Maybe spend a few minutes reading the man page of audit2allow perhaps ?

Ignorance is no excuse.

Security vs. Usability

[Anonymous Coward]

Where I work, it's a Windows/Novell shop. The director doesn't care about security nearly as much as usability. Is that wrong? Hell yes, but that's how it is. Security is our responsibility (not his), and when he's choosing products, he goes for usability. He only recently allowed us to test some SuSE boxes because a) they were endorsed by Novell, and b) he liked YaST. He wanted to understand what we are doing to the boxes. Command line is evil to him, as is anything "open source" or free as in beer (free as in speech means nothing to him)). If it doesn't cost a lot of money and doesn't have an "easy" interface, it's inferior.

One Thing RH Does Do Well...

[EXTomar]

SELinux is a great idea but really complex to the point of obscurity. I couldn't come up on my own policy rules for SELinux to make Samba run in a more secure manner. I am the first to agree OpenBSD is the king of secure policy but really bites at allowing an administrator to manipulate them. This is where RH comes in and does very well with their push into SELinux. It is sufficiently complex but in most cases the way RH uses SELinux the user never notices.

Ever since they've introduced SELinux in the default install they've claimed it is incomplete but are adding rules every chance they get. And even better, there is nearly transparent to the "uninterested user". There is a seperate SELinux package that merges in every time they update it so my interaction (and the chance for me to break it) is minimized. And I'm constantly surprised by the settings they do work out as well (for instance some of their Samba settings are really good security policy anyway).

Red Hat's support for things like SELinux is stellar but it needs to be better and they are the first admit it needs more work. Isn't this what Open Source is all about?

Re:OpenBSD

[Anonymous Coward]

Sorry if I was misinformative. It feels like privilege separation came out yesterday, but I think you're right: it's been about 3-5 years now, right?

Anyway, I don't believe that my out of dateness really invalidates the rest of my post. The most important point is that trying to implement everything correctly is not really a practical way of making a secure system. This has (historically) been OpenBSD's approach, but it suffers from the issues I raised before. Having better access controls makes it easier to make a secure system given that some of your software will have bugs.

All other things being equal (i.e. implementation, no-exec stacks and heaps, etc), which is better: a kernel that has a all privilege/no privilege model where all software can generally see everything else, or a kernel where software can be given limited amounts of privilege if necessary and unrelated software is isolated from each other, limiting avenues of attack?

I think the work OpenBSD has done is good, and they've made a lot of progess in quality of implementation, secure default configuration, and doing a lot of the stuff that everyone should have been doing years ago. But it seems to me that they've only recently (i.e. past 3 years) figured out that bug fixing isn't enough.

The trusted systems community, on the other hand, has known for a long time (10 years, maybe more) that security through quality of implementation is impractical. I think our methods and markets have just been so niche that nobody knows about us or takes us seriously. And the usability of most trusted OS's stinks (not because it has to, though; that's just how things have turned out at the moment).

Anyway, I'd encourage you to take a look at the docs I mentioned earlier (especially the LX docs on the Argus site; LX is the lightest, most useable system of the bunch). I think you'll see where some of those access control mechanisms would be useful if you give them a chance.

Re:Missed a link :)

[Cally]

Interesting. I've been playing with OpenBSD at home for a few years, long enough to encounter the well-known 'challenging' areas (upgrades. And coping with two separate toolchains is fun :) Meanwhile I've been given some Fedora Core 4 machines to admin at work. I knew RH had the SELinux extensions but never used them. Where to start? I ended up with the FC3 SELinux FAQ at redhat.com, which makes it clear that it needs a fair amount of care and attention, especially during the time I call "the coming of the great admin learning curve" - well, this admin anyway :) A thought has struck me: has anyone got past the initial setup, false-positive squishing and crossing off log entries as you fix or reconfig stuff, to a stable machine, then either (a) first discovered attacks (successful or not) via SELinux alerting mechanisms, or (b) got useful, or even just interesting, evidence of naughty activity via SEL logs, etc?

Knowing my machines are bulletproof is great, and all, but if one of my users is deliberately doing something s/he shouldn't, I want to know about it!

Re:Missed a link :)

[pyrotic]

SE Linux is a mess, at least if you're one of the 60% odd of interent sites who use apache. Yes, apache is a complicated daemon, but Trusted Solaris had it right - foo.com has access to this part of the filesystem, bar.com has access to this. If you're using virtual hosting or user directories, especially with dynamic content, having apache run as www for everyone was pretty lousy security. But SE Linux hasn't moved very far from this, while adding layers of complexity to protect www from the rest of the filesystem. Nice if you have one site per server, but if you have multiple sites all running as www, with different user scripts all having write access to the same places, SE Linux doesn't solve your problem at all.

Re:OpenBSD

[QuietLagoon]

Anyway, I don't believe that my out of dateness really invalidates the rest of my post. The most important point is that trying to implement everything correctly is not really a practical way of making a secure system. This has (historically) been OpenBSD's approach, but it suffers from the issues I raised before. Having better access controls makes it easier to make a secure system given that some of your software will have bugs.

In addition to "trying to do things correctly" (and succeeding at it, btw), the OpenBSD team has had an excellent randomization algorithm for TCP/IP sequence numbers for years, has implemented the W^X flag, is now randomizing malloc addresses, has had OS support of cryptology for years, has practiced proactive instead of reactive security, etc, etc, etc. The list is rather long. I'm not an OpenBSD advocate, I don't pretend to be one, I don't want to be one. I just use OpenBSD in my security applications.

Maybe it would be helpful if you spent more time understanding what the OpenBSD team is really doing, instead of describing your incorrect perceptions of what you think they are doing.

selinux effectiveness

[burnin1965]

...SELinux does not make anything more secure...

It definitely will not make an insecure application or insecure installation more secure, but it will provide additional protection against those insecure situations.

And the post is modded appropriately as funny since it is a humorous jab at linux security. Besides, I could be off base on this but I suspect that simply installing BSD as your OS will not resolve security issues in the applications you install on top of it, i.e. SQL inject exploits in applications such as PHPBB.

...it's sufficiently complicated that most people are just going to turn it off...

From what I have observed in the #fedora channel on freenode.net most people are oblivious to the existence and operation of selinux and they do not turn it off. However, I have observed people having problems related to selinux when they start utilizing advanced services on their fedora boxes, i.e. apache, named, etc. And in many cases I've seen people offer up the solution of just disabling selinux. This is unfortunate, however, it is not surprising considering the current lack of selinux experience. When possible I've provided some assistance and prevented the disabling of selinux as a solution, but its just a drop in the bucket.

I suspect that in the future there will be some good selinux frontends to assist the masses with configuration. I would not write it off just yet.

burnin

Meaning of "Secure"

[hwyguy2]

I've read through the article, and I've read through the discussions here. The article really doesn't say that much.

Red Hat is talking about working with NIAP. This means they are going for a Common Criteria rating, which simply means it will be easier for the government to purchase the product for DoD acquisitions.

Does it mean the product is more secure? Only in press releases.

Security consists of two aspects: the functions provided to address threats in the environment (functional), and the confidence that those functions are correctly implemented (assurance). For a given product, the functional and assurance requirements are defined in the Security Target. As the article never mentioned the target, we have no idea what functions are claimed (although we can presume it is likely the set of C2 functions from TCSEC days, but that's unclear). This is important: I've seen products with really useless functions get evaluated, and I've seen ones with a reasonable function set.

Next, is the assurance question. EAL4 was mentioned, which is simply the highest level that can get mutual recognition. It is only moderate security... and again, only provides assurance relative to the functions that are claimed. Assurance is also related to the environment. If this product is for a "benign" environment, then it won't be subjected to strong testing.

This all comes together in the testing, which is relative to the functions and assurance. If there isn't strong vulnerability testing, then you only have relatively simple functional testing. If there is vulnerability testing, this is more in relation to the claimed functions. For example, if the product doesn't claim that it protects against denial of service attacks, then the vulnerability testers don't have the obligation to see if they can create a denial of service condition.

In short, this is a long way of saying: this is a press release, and needs the usual grain of salt. Get the Security Target. Read it. Understand the claimed security. This is true for ANY evaluated product.