Time to harden up – SELinux is no longer an option
From a YouTube video below! SELinux was designed by the NSA.
More from an insider:
because even if you gain permission
[4:36:21 PM] you can’t do anything
[4:36:28 PM] like let's say someone got the password
[4:36:40 PM] or gave themselves permission on /var/www/ directory
[4:36:42 PM] of your web server
[4:36:46 PM] won’t matter
[4:37:03 PM] if they don’t have the context via semanage -l | grep httpd
[4:37:08 PM] they won’t be able to do shit
[4:37:23 PM] it's an additional layer of security in Red Hat and CentOS
[4:37:28 PM] and was developed by the NSA
[4:37:36 PM] most people turn it off
[4:37:38 PM] because they don’t understand it
[4:37:48 PM] and it's very hard to configure the system using it
[4:37:51 PM] because every boolean value
[4:37:53 PM] has to be set
[4:37:59 PM] on every file, service and port
[4:38:06 PM] because it embeds itself into every file, service and port
[4:38:15 PM] so that's why people disable it
[4:38:30 PM] however they are actually doing themselves a disservice by doing so and putting themselves at high risk of hacking
[4:38:49 PM] in my opinion the best way to manage it would be to use Puppet
won’t matter
[4:39:12 PM] if they have an exploit
[4:39:16 PM] that can give them file level access
[4:39:19 PM] they can always get back in
[4:39:23 PM] with SELinux
[4:39:28 PM] Security-Enhanced Linux mode
[4:39:29 PM] enabled
[4:39:35 PM] all exploits go out the window
[4:39:44 PM] you would literally need root access and SSH access
[4:39:51 PM] to be able to change the policy level context
[4:39:54 PM] on any file, port or process
[4:40:02 PM] in order to do anything
[4:40:05 PM] it's super hardened
[4:40:33 PM] https://www.youtube.com/watch?v=dtclmj3H7ZU
[4:40:42 PM] this is some of the lecture I watched
[4:40:47 PM] even a guy from Red Hat who's worked with the NSA
[4:40:51 PM] made this domain
[4:41:27 PM] http://www.quora.com/Who-is-using-SELinux-as-part-of-their-production-security-implementation-and-why
https://www.nsa.gov/research/selinux/faqs.shtml
http://stopdisablingselinux.com/
[4:41:39 PM] stopdisablingselinux.com