Tag Archives: harden

Time to harden up – SELinux is no longer an option

From a YouTube video below! SELinux was designed by the NSA.

More from an insider:

because even if you gain permission
[4:36:21 PM] you can’t do anything
[4:36:28 PM] like let’s say someone got the password
[4:36:40 PM] or gave themselves permission on /var/www/ directory
[4:36:42 PM] of your web server
[4:36:46 PM] won’t matter
[4:37:03 PM] if they don’t have the context via semanage -l | grep httpd
[4:37:08 PM] they won’t be able to do shit
[4:37:23 PM] it’s an additional layer of security in Red Hat and CentOS
[4:37:28 PM] and was developed by the NSA
[4:37:36 PM] most people turn it off
[4:37:38 PM] because they don’t understand it
[4:37:48 PM] and it’s very hard to configure the system using it
[4:37:51 PM] because every boolean value
[4:37:53 PM] has to be set
[4:37:59 PM] on every file, service and port
[4:38:06 PM] because it embeds itself into every file, service and port
[4:38:15 PM] so that’s why people disable it
[4:38:30 PM] however they are actually doing themselves a disservice by doing so and putting themselves at high risk of hacking
[4:38:49 PM] in my opinion the best way to manage it would be to use Puppet

won’t matter
[4:39:12 PM] if they have an exploit
[4:39:16 PM] that can give them file level access
[4:39:19 PM] they can always get back in
[4:39:23 PM] with SELinux
[4:39:28 PM] Security-Enhanced Linux mode
[4:39:29 PM] enabled
[4:39:35 PM] all exploits go out the window
[4:39:44 PM] u would literally need root access and SSH access
[4:39:51 PM] to be able to change the policy level context
[4:39:54 PM] on any file, port or process
[4:40:02 PM] in order to do anything
[4:40:05 PM] it’s super hardened
[4:40:33 PM] https://www.youtube.com/watch?v=dtclmj3H7ZU
[4:40:42 PM] this is some of the lecture i watched
[4:40:47 PM] even a guy from Red Hat who’s worked with the NSA
[4:40:51 PM] made this domain
[4:41:27 PM] http://www.quora.com/Who-is-using-SELinux-as-part-of-their-production-security-implementation-and-why

https://www.nsa.gov/research/selinux/faqs.shtml

http://stopdisablingselinux.com/


[4:41:39 PM] stopdisablingselinux.com


Linux Vagrant box to harden VirtualBox ISO image

This came from an ‘insider’ to set up a remote server for live trading:

GovReady™ CentOS 6.5 x86_64 pre-hardened FISMA “server” profile. OpenSCAP, SSG, GovReady installed.
[11:52:40 AM] : http://www.vagrantbox.es/
[11:52:45 AM] : government standard hardening
[11:53:25 AM] : there’s also some open source tools out there
[11:53:32 AM] : where you can just install your server with all the things you want on it
[11:53:36 AM] : run a scanner
[11:53:42 AM] : and it will tell you where you might have holes
[11:53:48 AM] : and things to fix with the commands to run to fix them
[11:53:51 AM] : make sense?
[11:54:12 AM] : u don’t have to bring it on a network access
[11:54:18 AM] : before scanning too

Cool. Thanks to him for sending. This will make life much easier.
