Paranoid Penguin - Security Features in SUSE 10.0
However, not everyone has given up on MAC-based system security, and SUSE has covered this area handsomely by acquiring and repackaging Immunix's AppArmor (aka Subdomain). AppArmor is similar to SELinux, in that it allows you to restrict the behavior of specific processes, with an effect similar to but more effective than running them in chroot jails.
(Note that although SUSE provides the libselinux package and includes SELinux functionality in its default kernel, SELinux isn't officially supported in SUSE Linux. You need the packages available at www.cip.ifi.lmu.de/~bleher/selinux to run SELinux in SUSE Linux.)
The document /usr/share/doc/packages/subdomain-docs/ug_apparmor.pdf, included in the subdomain-docs package, is the AppArmor User's Guide, and it tells you everything you need to know about configuring and using AppArmor. Suffice it to say for now that if you simply run the YaST AppArmor Control Panel module and enable AppArmor, a default profile is loaded that includes settings for many common daemons and commands, including netstat, ping, traceroute, firefox, evolution, gaim, syslogd, acroread, ethereal, appropos, procmail, postfix (smtpd, and so on), Apache2 (httpd2-prefork), nscd, identd, ntpd, sshd and squid.
This is a limited-feature version of AppArmor, so apparently it provides only a subset of features available in the full $1,250 US version. Personally, I'm not clear as to precisely what the difference is, though—everything I tried to do with the version in SUSE Linux 10.0 seemed to work fine, so this would not appear to be a too significantly crippled edition. Perhaps the full version includes a longer list of preconfigured applications.
These aren't SUSE Linux 10.0's only security features. I haven't talked about how secure many applications' default settings are (in general they're quite secure, with daemons running with nonroot privileges whenever possible, network listeners such as sshd typically disabled by default and so on).
This is a very security-friendly version of SUSE Linux indeed. Remember, though, that real security begins with you—little of SUSE's security potential is realized until you configure or at least enable it yourself! Hopefully, this article has helped you get a feel for what that potential is.
Next month, it's on to Debian 3.1. Until then, be safe!
Mick Bauer (email@example.com) is Network Security Architect for one of the US's largest banks. He is the author of the O'Reilly book Linux Server Security, 2nd edition (formerly called Building Secure Servers With Linux), an occasional presenter at information security conferences and composer of the “Network Engineering Polka”.
|Daily Giveaway - Fun Prizes from Red Hat!||Oct 25, 2016|
|Installing and Running a Headless Virtualization Server||Oct 25, 2016|
|Ubuntu MATE, Not Just a Whim||Oct 21, 2016|
|Non-Linux FOSS: Screenshotting for Fun and Profit!||Oct 20, 2016|
|Nasdaq Selects Drupal 8||Oct 19, 2016|
|Canonical Ltd.'s Ubuntu Core||Oct 19, 2016|
- Installing and Running a Headless Virtualization Server
- Daily Giveaway - Fun Prizes from Red Hat!
- Daily Giveaway
- Ubuntu MATE, Not Just a Whim
- Nasdaq Selects Drupal 8
- Build Your Own Raspberry Pi Camera
- Secure Desktops with Qubes: Compartmentalization
- Canonical Ltd.'s Ubuntu Core
- Non-Linux FOSS: Screenshotting for Fun and Profit!
- Polishing the wegrep Wrapper Script