[ale] veteran unix admin

Jim Kinney jim.kinney at gmail.com
Tue Feb 15 15:30:33 EST 2011


I'm not enough of an SELinux admin to qualify as an expert, much less
as a guru. I've worked with people who do qualify as expert and guru.

http://docs.fedoraproject.org/en-US/Fedora/13/html/Security-Enhanced_Linux/index.html

The docs there are well done. The last section, 8.2 Other Resources,
has a list of sites and groups involved. Tresys is the upstream keeper
of the reference policy.

The book you are using is good for the theory but is outdated on the
policy and toolset. Use the guides on the Tresys site instead for
that.

On Tue, Feb 15, 2011 at 2:13 PM, David Tomaschik
<david at systemoverlord.com> wrote:
> Jim,
>
> I know you're somewhat of an SELinux guru.  In order to learn to
> properly implement SELinux, what are the best books/resources?  I have
> SELinux by Example from Prentice Hall (c. 2007).  Any other
> recommendations?
>
> David
>
>
> On Tue, Feb 15, 2011 at 12:40 PM, Jim Kinney <jim.kinney at gmail.com> wrote:
>> rootsh is your friend! http://sourceforge.net/projects/rootsh/
>>
>> Set up a simple script gogoroot that is called from sudo. It logs the
>> sudo and creates the root shell environment. Now rootsh is on and
>> associated with the user from the sudo call.
>>
>> Alternatively, SELinux should be set to active and auditd should be
>> running. Now even if an admin does the su - or even sudo su -, auditd
>> tracks their REAL UID with each command.
>>
>> Sudo is for giving limited admin ability to people who are not trusted
>> to be admins. There are other, better tools for logging admin
>> transgressions than sudo. Any admin worth their gray beard can edit
>> logs. auditd can log to a remote machine that records to an
>> append-only drive. If auditd can't log anymore, the system locks up.
>> That way ALL actions are always logged.
>>
>> Corporate, audited, government body certified usually means "we use
>> technology that's 10 years too late to solve problems yesterday." :-)
>>
>> On Tue, Feb 15, 2011 at 11:34 AM, Jerald Sheets <questy at gmail.com> wrote:
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>>
>>>
>>> On Feb 15, 2011, at 11:20 AM, Jim Kinney wrote:
>>>
>>>> Um. yeah. Like the poster "Peters Laws of the Sociopathic
>>>> Obsessive-Compulsive" I'm afraid to ever let a shrink see this list as
>>>> well.
>>>>
>>>
>>>
>>> I saw that article, Jim.  The guy lost all credibility on point #1 alone.  In a corporate, audited, governing-body certified environment, you should NEVER not use sudo.  (with full logging).
>>>
>>> I have been in environments where we had to go look up the root pw when a vendor product refused to honor sudo, but aside from that, 97+% of what you do can (and should) be managed via sudo.  Anything else is pure laziness.
>>>
>>> If you don't impose those guidelines on yourself, SAS70, ITIL, ISO, or some other body will.
>>>
>>> #!/jerald
>>> Linux User #183003
>>> Ubuntu User #32648
>>> Public GPG Key:  http://questy.org/js.asc
>>>
>>> - -----BEGIN GEEK CODE BLOCK-----
>>> Version: 3.1
>>> GIT/MU d-@ s++(++)>+++:> a+ C++++(+++)$>++ UBLAVHSC++(on)$>++++ P++(+++)$>++++ L++(++++)$>+++ !E---(---)>--- W+(++)$>+++ N(+)$>++ !o !K-- w(--)>--- O()@> M++(++)$>++ V()>- PS+++()@>-- PE(++)@>+ Y+(+)@>+ PGP++(++)$>+++ t+(++)@>+++ 5(+)@>+ X+(++)@>+++ R+(+)@>++ tv-(+)$>++ b+++(++)$>++ DI++++(++)>+++ D++(++)@>++ G++(++)@>++ e++(++)$>++ h(-)$>- r+++(+++)@>+++ y+(+++)>++++@
>>> - ------END GEEK CODE BLOCK------
>>>
>>>
>>>
>>> -----BEGIN PGP SIGNATURE-----
>>> Version: GnuPG v1.4.11 (Darwin)
>>>
>>> iQEcBAEBAgAGBQJNWqsRAAoJEAek0rkZiSvcM9cH/jSLJ04K/o03ip1lOH1HI6cO
>>> hmlmQv42j+jx9W0xsI4r0n72kcRkOD8IdhQOZtTsYFvZhZZZA9XPN36jl5EXMO0Z
>>> 7bcz7/SacsiGg8m8j97T2UY7tcUfdqzV2fIX9jAYs5o8Qk3di3uukv1MbpTAfwXl
>>> KCdiC8UQNFOUfbkwRp9JEem4QahwemNG7Kdtpl0egbAn9vY9JLH3mfeM8ok/mbU9
>>> wYjRnG5IgIkwkxDxBto/0W2Otdc+xw0QYYTYgHT0dYhQ7dkWm4qwvkY6/zkJAeta
>>> 4EdvWShHX3qdgvplnXtMdHRma6gf4VceODYT5nZ6+XI4O7ZZ8M61ZY1XRXngUG8=
>>> =XN5i
>>> -----END PGP SIGNATURE-----
>>>
>>> _______________________________________________
>>> Ale mailing list
>>> Ale at ale.org
>>> http://mail.ale.org/mailman/listinfo/ale
>>> See JOBS, ANNOUNCE and SCHOOLS lists at
>>> http://mail.ale.org/mailman/listinfo
>>>
>>
>>
>>
>> --
>> --
>> James P. Kinney III
>> I would rather stumble along in freedom than walk effortlessly in chains.
>>
>>
>
>
>
> --
> David Tomaschik, RHCE, LPIC-1
> System Administrator/Open Source Advocate
> OpenPGP: 0x5DEA789B
> http://systemoverlord.com
> david at systemoverlord.com
>
>



-- 
--
James P. Kinney III
I would rather stumble along in freedom than walk effortlessly in chains.
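
The auditd approach in the quoted exchange above (the real login UID survives su - and sudo su -, the trail is shipped off-box, and the host halts when it cannot log) as an added example; this is not code from the thread or from the Linux audit project. What auditd actually preserves across su/sudo is the auid field (login UID), set once by pam_loginuid at login, so a command run as uid=0 still carries the admin's auid. The rules, config keys and file names below are real auditd/audisp settings but the choice of values and paths is my assumption; the log records are constructed by hand to look like what those rules emit, and the small user table stands in for /etc/passwd.

```python
"""Attribute privileged execve() events in a Linux audit log to the login user.

Added example, not from the ALE thread or the audit project.
"""
import re

# Assumed contents of /etc/audit/rules.d/priv.rules.  -f 2 makes the kernel
# panic when an audit record cannot be delivered (the "system locks up" mode).
# auid 4294967295 is (unsigned)-1: a process that never came from a login.
AUDIT_RULES = r"""
-f 2
-a always,exit -F arch=b64 -S execve -F euid=0 -F auid>=1000 -F auid!=4294967295 -k privileged-cmds
-a always,exit -F arch=b32 -S execve -F euid=0 -F auid>=1000 -F auid!=4294967295 -k privileged-cmds
"""

# Assumed fragments: local disk trouble halts the box, and the audisp-remote
# plugin forwards every record to a collector (its network_failure_action
# likewise halts if the collector is unreachable).  Hostname is hypothetical.
AUDITD_CONF_FRAGMENT = """
# /etc/audit/auditd.conf
disk_full_action = halt
disk_error_action = halt
admin_space_left_action = halt
# /etc/audisp/audisp-remote.conf
remote_server = auditcollector.example.internal
network_failure_action = halt
"""

AUID_UNSET = 4294967295
USERS = {1000: "alice", 1001: "bob"}  # hypothetical stand-in for /etc/passwd

# Constructed records: alice does `sudo su -`, then runs `useradd eve` as root
# (serial 4567).  Serial 4570 is a cron-started daemon caught by a broader
# hypothetical rule (key all-execve) and shows the unset-auid case.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1297794300.101:4567): arch=c000003e syscall=59 success=yes exit=0 a0=7ffd1 a1=7ffd2 a2=7ffd3 a3=0 items=2 ppid=2410 pid=2418 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="useradd" exe="/usr/sbin/useradd" key="privileged-cmds"
type=EXECVE msg=audit(1297794300.101:4567): argc=2 a0="useradd" a1="eve"
type=CWD msg=audit(1297794300.101:4567): cwd="/root"
type=SYSCALL msg=audit(1297794361.507:4570): arch=c000003e syscall=59 success=yes exit=0 a0=5601 a1=5602 a2=5603 a3=0 items=2 ppid=1 pid=901 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="logrotate" exe="/usr/sbin/logrotate" key="all-execve"
type=EXECVE msg=audit(1297794361.507:4570): argc=2 a0="/usr/sbin/logrotate" a1="/etc/logrotate.conf"
"""

_HEADER = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one audit record into type, timestamp, event serial and fields."""
    m = _HEADER.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, rest = m.groups()
    fields = {k: v.strip('"') for k, v in _FIELD.findall(rest)}
    return {"type": rtype, "ts": float(ts), "serial": int(serial), "fields": fields}


def real_user(auid, users):
    """Map the login UID to a name; -1 means no login session (daemon, cron)."""
    if auid == AUID_UNSET:
        return "unset"
    return users.get(auid, "uid:%d" % auid)


def attribute_privileged_execs(lines, users):
    """Join SYSCALL and EXECVE records by serial; report who really ran what."""
    by_serial = {}
    for line in lines:
        rec = parse_record(line)
        if rec is not None:
            by_serial.setdefault(rec["serial"], []).append(rec)
    events = []
    for serial, recs in by_serial.items():
        syscall = next((r for r in recs if r["type"] == "SYSCALL"), None)
        if syscall is None:
            continue
        sf = syscall["fields"]
        argv = []
        execve = next((r for r in recs if r["type"] == "EXECVE"), None)
        if execve is not None:
            ef = execve["fields"]
            argv = [ef["a%d" % i] for i in range(int(ef["argc"])) if "a%d" % i in ef]
        auid = int(sf.get("auid", AUID_UNSET))
        events.append({
            "serial": serial,
            "time": syscall["ts"],
            "auid": auid,
            "real_user": real_user(auid, users),  # who logged in, not euid
            "euid": int(sf["euid"]),
            "tty": sf.get("tty"),
            "exe": sf.get("exe"),
            "argv": argv,
            "key": sf.get("key"),
        })
    return events


if __name__ == "__main__":
    for ev in attribute_privileged_execs(SAMPLE_LOG.splitlines(), USERS):
        print("%.3f real_user=%s euid=%d tty=%s key=%s argv=%s" % (
            ev["time"], ev["real_user"], ev["euid"], ev["tty"], ev["key"], ev["argv"]))
```

The point to verify on a real box is the second record type: after `sudo su -`, every SYSCALL line shows uid=0 euid=0 but auid still equals the admin's UID, which is why the thread's "REAL UID" claim holds. The auid filters in the rule keep daemons out of the privileged-cmds key; if you widen the rule, the parser above labels those as "unset" rather than misattributing them to a user.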


