|
|
|||
privilege separation ?
Hi again,
I want to ask about privilege separation, it is from this link. http://allthatiswrong.wordpress.com/...ty-of-openbsd/ -------- > Since the majority of attacks are not against the base system but against software operating at a higher level actively > listening over the network, it is likely that if an OpenBSD machine were attacked, it would be through such software. > This is where OpenBSD falls down, as it provides no means to protect from damage in the event of a successful attack. What BS! You don’t seem to be aware that OpenBSD lead the charge years ago for “priv sep”, and to this day installs every single ‘ports/packages’ daemon with a distinct, non-privileged userid – a good idea which not only proves that your statement above is based on ignorance, but provides “secure by default” a strong measure of what the formal approaches claim to offer but make complex to implement. And it’s also been copied into leading Linux distributions, e.g., Android does exactly the same thing for every app you install. -------- Many people indeed dismiss openbsd because of this idea, openbsd wont save you from sql attacks or bad php code. I don't get it, is that true? does "privilege separation" really is a saver or not? a real advantage even against sql attacks or php code problems ? If not, then openbsd is useless as a web server . Thanks . |
|
|||
Privilege separation limits the access of the application to only what it needs to execute. Nothing more.
Quote:
Quote:
|
|
|||
You are right , I'm sorry
But when I try to prove to people that openbsd is superior to linux in terms of security I have troubles.
I really don't understand whats the point of using openbsd with dynamic content like drupal or joomla. |
|
|||
Quote:
Don't expect to master these topics quickly. Fluency comes with lots of study & pondering the more important questions. Quote:
Again, this knowledge will not be attained quickly. You will not find a definitive answer at a single site. You need to read a great deal & put significant time into research & planning. Thinking will be required. |
|
||||
If you're going into the setup with the idea that you're hard-set on running wordpress with poorly written plugins, OpenBSD won't save you. This is true.
When building an application stack, you MUST take everything from hardware to the userbase into consideration. If any one of those is a broken link, the rest typically won't matter.
__________________
Linux/Network-Security Engineer by Profession. OpenBSD user by choice. |
|
|||
A chain is as strong as its weakest link
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump |
|
||||
A holistic approach to security is required
Barti,
Some months ago, I designed and tested an infrastructure for a web application with dynamic content. Security considerations were part of the design. The server infrastructure -- web, application, load balancers, and database servers -- are designed to be geographically dispersed. Some of the security decisions were:
Are there benefits to OpenBSD's implementations? Absolutely. For example:
Combined, the two security features protect the OS and other applications on the webserver. They do not directly protect the nginx webserver daemons. It is other choices and other infrastructure decisions made in combination that provide the level of security required for the application as a whole. |
|
|||
recent attacks
Hi again,
So much attacks recently and I asked people, why don't you use openbsd ? It seems that There is no big reason to use openbsd if you are a good linux sysadmin. chroot can be done with linux as well. Linux performs much better then openbsd. And the argument will go on ......... |
|
||||
I'll repeat: security is not something you install. It's something you do. It must be 1) integral to your architectural design, 2) tested and confirmed, 3) modified to meet new threats as they are observed and understood.
Quote:
My number two reason for choosing the OS is security. Security by default, security of design, and built-in technologies that aid security, some of which I mentioned earlier in this thread. I won't deploy any other OS directly on the Internet. I use other OSes when required. That requirement will be driven by the application or by the hardware. Quote:
Just be aware that the OS you choose is just one factor of many when you consider any application's "security". What I tried to tell you by my posts in this thread is that you need to consider all aspects of security of your application, not just your choice of OS. Think of your home... If you leave a window open, using a better lock on the front door isn't going to help very much. I try to ensure all the windows are closed and locked, as well as the door. OpenBSD comes with all windows closed and all doors locked, so I only need to make sure the new windows and doors I install are appropriately sealed. Last edited by jggimi; 8th April 2013 at 07:34 PM. Reason: clarity |
|
|||
plone + python only
http://www.cvedetails.com/vendor/1367/Drupal.html
http://www.cvedetails.com/vendor/4313/Plone.html http://www.cvedetails.com/vendor/3496/Joomla.html http://www.cvedetails.com/vendor/2337/Wordpress.html http://www.cvedetails.com/product/12...l?vendor_id=74 http://www.cvedetails.com/product/18...endor_id=10210 http://www.cvedetails.com/vendor/97/Openbsd.html http://www.cvedetails.com/vendor/23/Debian.html http://www.cvedetails.com/vendor/6/Freebsd.html http://www.cvedetails.com/vendor/33/Linux.html |
|
|||
barti, posting an assortment of links without explanation is most likely going to be ignored by most readers, including me. Readers can only assume that it is randomly found information which might add to discussion, or it might not. You either don't want to bother with providing context, or are unable to do so. Since the importance or pertinence of such information has not been established, you aren't providing any reason for anyone to bother with taking the time to comment.
You should consider your readers; they are busy people. While most are open to providing opinions & guidance, we aren't going to do your homework for you. |
|
||||
These metrics should not be used as a comparison of security between products. The website is merely a consolidator of CVE data, and it does not guarantee any accuracy of its information. As rocket357 has shown with only one example above, each CVE must be individually examined for applicability. Carefully.
|
|
||||
Yeah, that was the point I was trying to make. Sure, you can say that Windows is "more secure" than Linux because the past three months Microsoft has had fewer CVE's...but then you figure up the "severity score" average and note that M$ has an average severity of 7.8 compared to Linux's 4.8 (numbers being pulled from the air, no basis in reality).
What does it mean? It means you're comparing apples to oranges. If I run OpenBSD on my entire multi-million dollar infrastructure, and there exists one zero-day in OpenBSD that hasn't been patched yet and is remotely exploitable in the default install, what does it matter if there are fewer CVE's? See what I did there? CVE's aren't the problem, they are only a partial symptom of the problem. Granted, the odds of that occurring are incredibly low compared to "mainstream" operating systems, but it doesn't mean it *couldn't* happen.
__________________
Linux/Network-Security Engineer by Profession. OpenBSD user by choice. Last edited by rocket357; 9th April 2013 at 09:03 PM. |
|
|||
I looked at the total
openbsd Total is 197 while linux total is 1000.
------------- I made a comparison in the totals. If you use plone+freebsd it is much more secure then linux+joomla |
|
||||
Quote:
Let me try to clarify. We believe that:
Edited to add: My highlighted bullet is my belief and active practice. I haven't confirmed agreement on this with rocket357, and will accept correction, if my assumption is incorrect. Last edited by jggimi; 10th April 2013 at 02:23 PM. Reason: typo, clarity |
|
||||
I agree with your last bullet point, jggimi.
50% of all of the "vulnerabilities" Microsoft ran across during the big code audit in 2002 (that eventually became Windows Vista), were "design" issues and not "implementation" issues. Design issues are considerably more intensive to fix than simple implementation errors (such as strcpy vs strlcpy or the like) and as such design issues are *more likely* to be neglected because the cost of fixing them is greater. It's the same concept as "You cannot fix a bad algorithm by throwing more hardware at it": "You cannot fix security by throwing individual programs at it."
__________________
Linux/Network-Security Engineer by Profession. OpenBSD user by choice. |
|
|||
I think I now got the point.
But still , I think if you could find a "cve" for system security it will be similar to this cve.
plone is way more secure then joomla. |
|
|||
I think I now got the point.
Thank you for the explanation.
But still , I think if you could find a "cve" for system security it will be similar to this cve. plone is way more secure then joomla. |
|
|||
Teacher jggimi thanks so much for the infrastructure example !
I will never favour any OS to OpenBSD even though I am not smart enough to fully benefit from its unique features ........ |
|
|
Similar Threads | ||||
Thread | Thread Starter | Forum | Replies | Last Post |
Security Security vulnerability in sudo allows privilege escalation | J65nko | News | 0 | 5th March 2013 03:52 PM |
Security Intel CPUs affected by VM privilege escalation exploit | J65nko | News | 9 | 18th June 2012 11:51 PM |
Performing network flow separation? | beaute | FreeBSD Security | 0 | 27th May 2010 01:40 PM |