|
|||
privilege separation ?
Hi again,
I want to ask about privilege separation. This is from this link: http://allthatiswrong.wordpress.com/...ty-of-openbsd/
--------
> Since the majority of attacks are not against the base system but against software operating at a higher level actively
> listening over the network, it is likely that if an OpenBSD machine were attacked, it would be through such software.
> This is where OpenBSD falls down, as it provides no means to protect from damage in the event of a successful attack.

What BS! You don’t seem to be aware that OpenBSD led the charge years ago for “priv sep”, and to this day installs every single ‘ports/packages’ daemon with a distinct, non-privileged userid – a good idea which not only proves that your statement above is based on ignorance, but provides “secure by default” a strong measure of what the formal approaches claim to offer but make complex to implement. And it’s also been copied into leading Linux distributions, e.g., Android does exactly the same thing for every app you install.
--------
Many people indeed dismiss OpenBSD because of this idea: OpenBSD won't save you from SQL attacks or bad PHP code.
I don't get it, is that true? Is "privilege separation" really a saver or not? Is it a real advantage even against SQL attacks or PHP code problems?
If not, then OpenBSD is useless as a web server.
Thanks.
|
|||
Privilege separation limits the access of the application to only what it needs to execute. Nothing more.
Quote:
Quote:
|
|
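An added illustration of the point in the reply above (not code from the thread or from OpenBSD): limiting a component to the access it needs bounds the damage of an injection flaw, but does not remove the flaw. The table, the hostile input and the function names are constructed, and a read-only SQLite handle stands in for a reduced-privilege database role.

```python
import os
import sqlite3
import tempfile

def make_db():
    """Create a constructed sample database on disk and return its path."""
    path = os.path.join(tempfile.mkdtemp(), "site.db")
    con = sqlite3.connect(path)
    con.executescript(
        "CREATE TABLE users(name TEXT, email TEXT);"
        "INSERT INTO users VALUES ('alice','alice@example.org');"
        "INSERT INTO users VALUES ('bob','bob@example.org');"
    )
    con.commit()
    con.close()
    return path

def open_least_privilege(path):
    """Read-only handle: the only access a public lookup page needs."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)

def lookup_concat(con, name):
    """Flawed: untrusted input is pasted into the SQL text."""
    return con.execute(
        "SELECT email FROM users WHERE name = '" + name + "'").fetchall()

def lookup_param(con, name):
    """Fixed: input is bound as data and never parsed as SQL."""
    return con.execute(
        "SELECT email FROM users WHERE name = ?", (name,)).fetchall()

def try_write(con):
    """Return True if this handle is able to modify the table."""
    try:
        con.execute("DELETE FROM users")
        con.commit()
        return True
    except sqlite3.OperationalError:
        return False

def demo():
    ro = open_least_privilege(path := make_db())
    crafted = "x' OR '1'='1"  # constructed hostile input
    return {
        "concat_rows": len(lookup_concat(ro, crafted)),  # every row is returned
        "param_rows": len(lookup_param(ro, crafted)),    # nothing matches
        "ro_can_write": try_write(ro),                   # refused by mode=ro
        "rw_can_write": try_write(sqlite3.connect(path)),
    }

if __name__ == "__main__":
    print(demo())
```

The reduced-privilege handle stops the destructive write, yet the flawed query still discloses every row it is allowed to read; only the parameterized query closes that hole.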
|||
You are right, I'm sorry.
But when I try to prove to people that OpenBSD is superior to Linux in terms of security I have trouble.
I really don't understand what's the point of using OpenBSD with dynamic content like Drupal or Joomla.
|
|||
A chain is as strong as its weakest link
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump |
|
||||
Quote:
In order to be able discuss "Security" you must first define the term and how it applies to the needs of your entire application and its infrastructure. Security does not come from an OS. Security is not an installable program. Security is not a feature. Instead, security is a series of processes inherent to the designs of your applications and their underlying systems. Security includes careful risk assessment and mitigation planning, and active monitoring of an implementation in order to reassess/reconfigure as required. |
|
|||
Quote:
Don't expect to master these topics quickly. Fluency comes with lots of study & pondering the more important questions. Quote:
Again, this knowledge will not be attained quickly. You will not find a definitive answer at a single site. You need to read a great deal & put significant time into research & planning. Thinking will be required. |
|
||||
A holistic approach to security is required
Barti,
Some months ago, I designed and tested an infrastructure for a web application with dynamic content. Security considerations were part of the design. The server infrastructure -- web, application, load balancers, and database servers -- are designed to be geographically dispersed. Some of the security decisions were:
Are there benefits to OpenBSD's implementations? Absolutely. For example:
Combined, the two security features protect the OS and other applications on the webserver. They do not directly protect the nginx webserver daemons. It is other choices and other infrastructure decisions made in combination that provide the level of security required for the application as a whole. |
|
|||
recent attacks
Hi again,
So many attacks recently, and I asked people, why don't you use OpenBSD? It seems that there is no big reason to use OpenBSD if you are a good Linux sysadmin. chroot can be done with Linux as well. Linux performs much better than OpenBSD. And the argument will go on .........
|
||||
I'll repeat: security is not something you install. It's something you do. It must be 1) integral to your architectural design, 2) tested and confirmed, 3) modified to meet new threats as they are observed and understood.
Quote:
My number two reason for choosing the OS is security. Security by default, security of design, and built-in technologies that aid security, some of which I mentioned earlier in this thread. I won't deploy any other OS directly on the Internet. I use other OSes when required. That requirement will be driven by the application or by the hardware. Quote:
Just be aware that the OS you choose is just one factor of many when you consider any application's "security". What I tried to tell you by my posts in this thread is that you need to consider all aspects of security of your application, not just your choice of OS. Think of your home... If you leave a window open, using a better lock on the front door isn't going to help very much. I try to ensure all the windows are closed and locked, as well as the door. OpenBSD comes with all windows closed and all doors locked, so I only need to make sure the new windows and doors I install are appropriately sealed. Last edited by jggimi; 8th April 2013 at 07:34 PM. Reason: clarity |
|
|||
plone + python only
http://www.cvedetails.com/vendor/1367/Drupal.html
http://www.cvedetails.com/vendor/4313/Plone.html
http://www.cvedetails.com/vendor/3496/Joomla.html
http://www.cvedetails.com/vendor/2337/Wordpress.html
http://www.cvedetails.com/product/12...l?vendor_id=74
http://www.cvedetails.com/product/18...endor_id=10210
http://www.cvedetails.com/vendor/97/Openbsd.html
http://www.cvedetails.com/vendor/23/Debian.html
http://www.cvedetails.com/vendor/6/Freebsd.html
http://www.cvedetails.com/vendor/33/Linux.html
|
|||
barti, posting an assortment of links without explanation is most likely going to be ignored by most readers, including me. Readers can only assume that it is randomly found information which might add to discussion, or it might not. You either don't want to bother with providing context, or are unable to do so. Since the importance or pertinence of such information has not been established, you aren't providing any reason for anyone to bother with taking the time to comment.
You should consider your readers; they are busy people. While most are open to providing opinions & guidance, we aren't going to do your homework for you. |
|
||||
http://www.cvedetails.com/cve/CVE-2011-2895/
Taken from your link, Barti. States "The LZW decompressor in (1) the BufCompressedFill function in fontfile/decompress.c in X.Org libXfont before 1.4.4 and (2) compress/compress.c in 4.3BSD, as used in zopen.c in OpenBSD before 3.8" CVE was released in 2011. OpenBSD 3.8 was released in November 2005. In other words, the bug was fixed in OpenBSD six years before it was fixed in NetBSD, FreeBSD, Linux, etc... How is this a vulnerability for OpenBSD, again? You have to read the fine print. Edit - This particular CVE is a perfect example of why I use OpenBSD (proactive bug hunting...it's really hard to exploit a bug in OpenBSD when the patch for it went in six years before it went public). The difference is, though, that I don't care what other people run. If they want to gamble with Linux because they're too lazy to do the research and put in the effort to maintain a system they're not familiar with, that's on them.
__________________
Linux/Network-Security Engineer by Profession. OpenBSD user by choice. Last edited by rocket357; 9th April 2013 at 01:56 AM. |
|
|||
plone and python and openbsd
I meant that the CVE shows that those three (Plone and Python and OpenBSD) are the clear winners in the security tests.
About CMS, PHP and MySQL are not security's best friends. Plone is much much better. I thought it is obvious from the TOTAL in the page.
|
||||
These metrics should not be used as a comparison of security between products. The website is merely a consolidator of CVE data, and it does not guarantee any accuracy of its information. As rocket357 has shown with only one example above, each CVE must be individually examined for applicability. Carefully.
|
|
||||
Yeah, that was the point I was trying to make. Sure, you can say that Windows is "more secure" than Linux because the past three months Microsoft has had fewer CVE's...but then you figure up the "severity score" average and note that M$ has an average severity of 7.8 compared to Linux's 4.8 (numbers being pulled from the air, no basis in reality).
What does it mean? It means you're comparing apples to oranges. If I run OpenBSD on my entire multi-million dollar infrastructure, and there exists one zero-day in OpenBSD that hasn't been patched yet and is remotely exploitable in the default install, what does it matter if there are fewer CVE's? See what I did there? CVE's aren't the problem, they are only a partial symptom of the problem. Granted, the odds of that occurring are incredibly low compared to "mainstream" operating systems, but it doesn't mean it *couldn't* happen.
__________________
Linux/Network-Security Engineer by Profession. OpenBSD user by choice. Last edited by rocket357; 9th April 2013 at 09:03 PM. |
|
|||
I looked at the total
OpenBSD total is 197 while Linux total is 1000.
------------- I made a comparison in the totals. If you use Plone+FreeBSD it is much more secure than Linux+Joomla.
|
||||
Quote:
Let me try to clarify. We believe that:
Edited to add: My highlighted bullet is my belief and active practice. I haven't confirmed agreement on this with rocket357, and will accept correction, if my assumption is incorrect. Last edited by jggimi; 10th April 2013 at 02:23 PM. Reason: typo, clarity |
|
||||
I agree with your last bullet point, jggimi.
50% of all of the "vulnerabilities" Microsoft ran across during the big code audit in 2002 (that eventually became Windows Vista), were "design" issues and not "implementation" issues. Design issues are considerably more intensive to fix than simple implementation errors (such as strcpy vs strlcpy or the like) and as such design issues are *more likely* to be neglected because the cost of fixing them is greater. It's the same concept as "You cannot fix a bad algorithm by throwing more hardware at it": "You cannot fix security by throwing individual programs at it."
__________________
Linux/Network-Security Engineer by Profession. OpenBSD user by choice. |
|
|||
I think I now got the point.
But still, I think if you could find a "CVE" for system security it will be similar to this CVE.
Plone is way more secure than Joomla.