Paranoid Penguin - Security Features in SUSE 10.0
However, not everyone has given up on MAC-based system security, and SUSE has covered this area handsomely by acquiring and repackaging Immunix's AppArmor (aka Subdomain). AppArmor is similar to SELinux, in that it allows you to restrict the behavior of specific processes, with an effect similar to but more effective than running them in chroot jails.
(Note that although SUSE provides the libselinux package and includes SELinux functionality in its default kernel, SELinux isn't officially supported in SUSE Linux. You need the packages available at www.cip.ifi.lmu.de/~bleher/selinux to run SELinux in SUSE Linux.)
The document /usr/share/doc/packages/subdomain-docs/ug_apparmor.pdf, included in the subdomain-docs package, is the AppArmor User's Guide, and it tells you everything you need to know about configuring and using AppArmor. Suffice it to say for now that if you simply run the YaST AppArmor Control Panel module and enable AppArmor, a default profile is loaded that includes settings for many common daemons and commands, including netstat, ping, traceroute, firefox, evolution, gaim, syslogd, acroread, ethereal, appropos, procmail, postfix (smtpd, and so on), Apache2 (httpd2-prefork), nscd, identd, ntpd, sshd and squid.
This is a limited-feature version of AppArmor, so apparently it provides only a subset of features available in the full $1,250 US version. Personally, I'm not clear as to precisely what the difference is, though—everything I tried to do with the version in SUSE Linux 10.0 seemed to work fine, so this would not appear to be a too significantly crippled edition. Perhaps the full version includes a longer list of preconfigured applications.
These aren't SUSE Linux 10.0's only security features. I haven't talked about how secure many applications' default settings are (in general they're quite secure, with daemons running with nonroot privileges whenever possible, network listeners such as sshd typically disabled by default and so on).
This is a very security-friendly version of SUSE Linux indeed. Remember, though, that real security begins with you—little of SUSE's security potential is realized until you configure or at least enable it yourself! Hopefully, this article has helped you get a feel for what that potential is.
Next month, it's on to Debian 3.1. Until then, be safe!
Mick Bauer (firstname.lastname@example.org) is Network Security Architect for one of the US's largest banks. He is the author of the O'Reilly book Linux Server Security, 2nd edition (formerly called Building Secure Servers With Linux), an occasional presenter at information security conferences and composer of the “Network Engineering Polka”.
Getting Started with DevOps - Including New Data on IT Performance from Puppet Labs 2015 State of DevOps Report
August 27, 2015
12:00 PM CDT
DevOps represents a profound change from the way most IT departments have traditionally worked: from siloed teams and high-anxiety releases to everyone collaborating on uneventful and more frequent releases of higher-quality code. It doesn't matter how large or small an organization is, or even whether it's historically slow moving or risk averse — there are ways to adopt DevOps sanely, and get measurable results in just weeks.
Free to Linux Journal readers.Register Now!
- Django Models and Migrations
- Hacking a Safe with Bash
- Secure Server Deployments in Hostile Territory, Part II
- Huge Package Overhaul for Debian and Ubuntu
- The Controversy Behind Canonical's Intellectual Property Policy
- Home Automation with Raspberry Pi
- Shashlik - a Tasty New Android Simulator
- Embed Linux in Monitoring and Control Systems
- KDE Reveals Plasma Mobile
- diff -u: What's New in Kernel Development