Paranoid Penguin - Security Features in SUSE 10.0
However, not everyone has given up on MAC-based system security, and SUSE has covered this area handsomely by acquiring and repackaging Immunix's AppArmor (aka Subdomain). AppArmor is similar to SELinux, in that it allows you to restrict the behavior of specific processes, with an effect similar to but more effective than running them in chroot jails.
(Note that although SUSE provides the libselinux package and includes SELinux functionality in its default kernel, SELinux isn't officially supported in SUSE Linux. You need the packages available at www.cip.ifi.lmu.de/~bleher/selinux to run SELinux in SUSE Linux.)
The document /usr/share/doc/packages/subdomain-docs/ug_apparmor.pdf, included in the subdomain-docs package, is the AppArmor User's Guide, and it tells you everything you need to know about configuring and using AppArmor. Suffice it to say for now that if you simply run the YaST AppArmor Control Panel module and enable AppArmor, a default profile is loaded that includes settings for many common daemons and commands, including netstat, ping, traceroute, firefox, evolution, gaim, syslogd, acroread, ethereal, appropos, procmail, postfix (smtpd, and so on), Apache2 (httpd2-prefork), nscd, identd, ntpd, sshd and squid.
This is a limited-feature version of AppArmor, so apparently it provides only a subset of features available in the full $1,250 US version. Personally, I'm not clear as to precisely what the difference is, though—everything I tried to do with the version in SUSE Linux 10.0 seemed to work fine, so this would not appear to be a too significantly crippled edition. Perhaps the full version includes a longer list of preconfigured applications.
These aren't SUSE Linux 10.0's only security features. I haven't talked about how secure many applications' default settings are (in general they're quite secure, with daemons running with nonroot privileges whenever possible, network listeners such as sshd typically disabled by default and so on).
This is a very security-friendly version of SUSE Linux indeed. Remember, though, that real security begins with you—little of SUSE's security potential is realized until you configure or at least enable it yourself! Hopefully, this article has helped you get a feel for what that potential is.
Next month, it's on to Debian 3.1. Until then, be safe!
Mick Bauer (email@example.com) is Network Security Architect for one of the US's largest banks. He is the author of the O'Reilly book Linux Server Security, 2nd edition (formerly called Building Secure Servers With Linux), an occasional presenter at information security conferences and composer of the “Network Engineering Polka”.
|openHAB||Apr 24, 2017|
|Omesh Tickoo and Ravi Iyer's Making Sense of Sensors (Apress)||Apr 21, 2017|
|Low Power Wireless: 6LoWPAN, IEEE802.15.4 and the Raspberry Pi||Apr 20, 2017|
|CodeLathe's Tonido Personal Cloud||Apr 19, 2017|
|Wrapping Up the Mars Lander||Apr 18, 2017|
|MultiTaction's MT Canvus-Connect||Apr 17, 2017|
- Teradici's Cloud Access Platform: "Plug & Play" Cloud for the Enterprise
- Low Power Wireless: 6LoWPAN, IEEE802.15.4 and the Raspberry Pi
- The Weather Outside Is Frightful (Or Is It?)
- Simple Server Hardening
- Understanding Firewalld in Multi-Zone Configurations
- Bash Shell Script: Building a Better March Madness Bracket
- Gordon H. Williams' Making Things Smart (Maker Media, Inc.)
- Server Technology's HDOT Alt-Phase Switched POPS PDU