|
eschaton posted:I don’t think nBSD is defending SELinux, but defending MAC in general which is implemented in lots of systems including other BSDs 
|
#
?
Oct 6, 2018 20:58
|
|
|
|
| # ? Apr 23, 2024 22:05 |
|
|
eschaton posted:I don’t think nBSD is defending SELinux, but defending MAC in general which is implemented in lots of systems including other BSDs mac is selinux plus rounding errors
|
|
#
?
Oct 6, 2018 21:25
|
|
|
Shaggar posted:mac is linux plus rounding errors
|
|
#
?
Oct 6, 2018 21:37
|
|
|
Kevin Mitnick P.E. posted:openbsd may be a shitshow but holy poo poo is someone defending selinux itt selinux is necessary and important whether you like it or not Kevin Mitnick P.E. posted:also lol @ using any kind of on-machine firewall. do a proper security group ffs and if you have to manage physical machines just kill yourself now he was talking about using openbsd as a network firewall, which is loving lol herp derp just let me set up this $3,000, 1 kw xeon to handle as much traffic as a $250 embedded machine with eight cores that consumes 15w
|
|
#
?
Oct 6, 2018 23:16
|
|
|
a working MAC framework is table stakes to pretend your OS is secure windows is unironically a better security posture than openbsd
|
|
#
?
Oct 6, 2018 23:17
|
|
|
Notorious b.s.d. posted:selinux is necessary and important whether you like it or not i said nothing of the sort, now you're just talking trash nbsd about 250 would cover fine hardware for the task
|
|
#
?
Oct 6, 2018 23:35
|
|
|
Notorious b.s.d. posted:selinux is necessary and important whether you like it or not Oh you're one of those idiots.
|
|
#
?
Oct 7, 2018 00:31
|
|
|
to be honest, selinux *today* is much better than it was when it was released most notably, if you can work with existing packages, then you don’t really have to do any configuration beyond maybe setting a couple of flags and maybe running restorecon (the latter of which usually fixes all of my issues) I run a couple of servers with selinux turned up to 11 and I barely have to think about it unless I am installing something. And I have the peace of mind that root-owned processes won’t be able to mess with each other because of selinux
|
|
#
?
Oct 7, 2018 00:52
|
|
|
On the other hand, of course, we are hurtling towards a containerized future where selinux probably sits on the back burner forever
|
|
#
?
Oct 7, 2018 00:55
|
|
|
Notorious b.s.d. posted:a working MAC framework is table stakes to pretend your OS is secure orrr I can acknowledge that my os is a piece of poo poo and as a bonus never touch selinux ever
|
|
#
?
Oct 7, 2018 02:42
|
|
|
once all the motherboards have rogue firmware roms it won't matter
|
|
#
?
Oct 7, 2018 04:26
|
|
|
Gazpacho posted:once all the motherboards have rogue firmware roms it won't matter This is already a thing, and they're all owned by China, hth
|
|
#
?
Oct 7, 2018 07:55
|
|
|
Nowadays Selinux notifies you of issues and tells you exactly which commands to run to fix them. It's p deece.
|
|
#
?
Oct 7, 2018 08:05
|
|
|
openbsd has a good starting point for its brand of security: eliminate bugs by minimalism and careful inspection they failed to draw the really obvious conclusion "we need to drop c for something high-level and get the support of some formal verification tools" however lot is little research projects in that direction, a bit surprising that nothing has quite made it into art least openbsd levels of mainstream
|
|
#
?
Oct 7, 2018 08:37
|
|
|
i, for one, find it weird that nbsd's been on a good opinions streak lately who kidnapped nbsd and replaced him
|
|
#
?
Oct 7, 2018 11:53
|
|
|
plot twist, nbsd is actually linus
|
|
#
?
Oct 7, 2018 11:58
|
|
|
spankmeister posted:Nowadays Selinux notifies you of issues and tells you exactly which commands to run to fix them. It's p deece. if it already knows the commands it should just do it itself 
|
|
#
?
Oct 7, 2018 14:38
|
|
|
akadajet posted:if it already knows the commands it should just do it itself when the issue is “program tried to do something but was blocked” you really want a human in the loop
|
|
#
?
Oct 7, 2018 15:24
|
|
|
Broken Machine posted:i said nothing of the sort, now you're just talking trash nbsd 250 will not get you a server that will do gigabit with the openbsd firewall stack, friend not even close remember this is single-threaded code from the early 1990s. it was written as a replacement of ipf but is somehow even slower than ipf meanwhile embedded cores with multithreaded stacks (edit: meaning, Linux) have no trouble doing 1 MPPS or more, potentially kissing 10 gbps if jumbo frames are enabled Notorious b.s.d. fucked around with this message at 15:33 on Oct 7, 2018 |
|
#
?
Oct 7, 2018 15:30
|
|
|
el dorito posted:On the other hand, of course, we are hurtling towards a containerized future where selinux probably sits on the back burner forever selinux and containers are two great tastes that taste great together. aside from simple namespacing, none of the extant container tools have any kind of security story, because it's assumed you'll use selinux to manage that problem selinux from day one was designed to be parameterized. it's fairly straightforward to write a global policy that applies to all containers, but give each one its own set of contexts/labels for files you really couldn't have a better fit and you never have to worry about corner cases, because the containerized processes aren't meant to touch anything outside their labeled area, anyway
|
|
#
?
Oct 7, 2018 15:33
|
|
|
Cybernetic Vermin posted:openbsd has a good starting point for its brand of security: eliminate bugs by minimalism and careful inspection cute, but stupid
|
|
#
?
Oct 7, 2018 15:33
|
|
|
Notorious b.s.d. posted:250 will not get you a server that will do gigabit with the openbsd firewall stack, friend you can, i built one myself with 5 gb lan ports a few months ago
|
|
#
?
Oct 7, 2018 15:34
|
|
|
Broken Machine posted:you can, i built one myself with 5 gb lan ports a few months ago this just keeps getting better and better so your envisioned niche for openbsd is building insecure edge nodes, that handle pitiful amounts of traffic, on hardware you bolted together yourself in a basement this does indeed sound like the average use case for openbsd
|
|
#
?
Oct 7, 2018 15:37
|
|
|
Notorious b.s.d. posted:selinux and containers are two great tastes that taste great together. aside from simple namespacing, none of the extant container tools have any kind of security story, because it's assumed you'll use selinux to manage that problem great now convince my boss and whoever else controls the purse strings that selinux is a good thing to allocate an FTE to. also, files? really? this is tyool 2018. attackers accessing files is 100% not a concern
|
|
#
?
Oct 7, 2018 15:40
|
|
|
Notorious b.s.d. posted:aside from simple namespacing, none of the extant container tools have any kind of security story eh? acbuild+rkt have first class support for the ACI isolator framework which supports seccomp and linux caps (in addition to playing nicely with selinux, apparmor, and pax/grsec)
|
|
#
?
Oct 7, 2018 15:41
|
|
|
Rufus Ping posted:eh? acbuild+rkt have first class support for the ACI isolator framework which supports seccomp and linux caps (in addition to playing nicely with selinux, apparmor, and pax/grsec) docker also defaults to using caps but seccomp and caps are weak as gently caress
|
|
#
?
Oct 7, 2018 16:49
|
|
|
Kevin Mitnick P.E. posted:great now convince my boss and whoever else controls the purse strings that selinux is a good thing to allocate an FTE to. that's your job if you want to pay me enough i can make it my job haha Kevin Mitnick P.E. posted:also, files? really? this is tyool 2018. attackers accessing files is 100% not a concern ok just give everyone global access to /dev/kmem and enjoy?
|
|
#
?
Oct 7, 2018 16:50
|
|
|
Notorious b.s.d. posted:this just keeps getting better and better wanting a less costly alternative to a juniper box or other commercially available solution and opting instead for a nice, custom system with quality hardware just saves money, it's not an inferior solution. pf works great, but by all means don't use it idfc 
|
|
#
?
Oct 7, 2018 16:52
|
|
|
Broken Machine posted:wanting a less costly alternative to a juniper box or other commercially available solution and opting instead for a nice, custom system with quality hardware just saves money, it's not an inferior solution. pf works great, but by all means don't use it idfc you are a self-parody
|
|
#
?
Oct 7, 2018 17:27
|
|
|
Notorious b.s.d. posted:you are a self-parody i think it's funny you say this, given that pfsense is an incredibly common, robust firewall solution using inexpensive hardware; it's based on FreeBSD. yet for some reason to you this is, or openbsd an incredibly shoddy solution because it's not what you use. every time it comes up you post all this crap about poo poo that doesn't matter
|
|
#
?
Oct 7, 2018 17:34
|
|
|
Broken Machine posted:i think it's funny you say this, given that pfsense is an incredibly common, robust firewall solution using inexpensive hardware; it's based on FreeBSD. yet for some reason to you this is an incredibly shoddy solution because it's not what you use. every time it comes up you post all this crap about poo poo that doesn't matter freebsd is decades ahead of openbsd. we already went over this aside from the mouthbreathing chuds who worship theo, no one would choose openbsd for an edge device
|
|
#
?
Oct 7, 2018 17:35
|
|
|
p.s. pfsense is extremely uncommon this should not be surprising. it's not really a security thing. just very few network teams or small business sysadmins want to deal with the level of bullshit involved in provisioning a unix box vendors will sell you cheap boxes with more canned functionality using dedicated hardware instead of hot, hungry x86
|
|
#
?
Oct 7, 2018 17:38
|
|
|
Notorious b.s.d. posted:p.s. pfsense is extremely uncommon there's a bunch of nice hardware for embedded and low power consumption out that you can easily run unix on now, actually. just depends on what you want to go with. i mean, you can do some large projects with it easily, like netflix
|
|
#
?
Oct 7, 2018 17:46
|
|
|
Broken Machine posted:there's a bunch of nice hardware for embedded and low power consumption out that you can easily run unix on now, actually. for values of unix meaning "linux," yes. embedded vendors don't spend a lot of time on porting hardware offware code to dead operating systems. even when network SoCs have netbsd support, often the network offload hardware is broken and only the switch + control plane work pfsense relies on a single-threaded firewall so if you want to handle more than a trickle of traffic you will need a very big, hot x86 chip those issues aside, the reason pfsense is unpopular is not that it's slow. it's that the people who provision network equipment don't want to design and deploy a unix box for anything. that's not worth their time or money, and they'd rather have a canned solution from juniper / f5 / cisco / etc. Notorious b.s.d. fucked around with this message at 18:11 on Oct 7, 2018 |
|
#
?
Oct 7, 2018 18:09
|
|
|
the openbsd guys are aok in my book because they forked OpenSSL and are fixing the bullshit nightmare that is it’s code base.
|
|
#
?
Oct 7, 2018 18:15
|
|
|
ratbert90 posted:the openbsd guys are aok in my book because they forked OpenSSL and are fixing the bullshit nightmare that is it’s code base. yeah that's good and cool
|
|
#
?
Oct 7, 2018 18:25
|
|
|
also openssh
|
|
#
?
Oct 7, 2018 18:25
|
|
|
Notorious b.s.d. posted:pfsense relies on a single-threaded firewall so if you want to handle more than a trickle of traffic you will need a very big, hot x86 chip I think the pfSense were working on fixing firewall performance with their new Netgate funding, but they've also pushed themselves into being just another hardware vendor with a peculiar mix of software. I'd rather take a Ubiquiti box running their EdgeOS flavour of Vyatta though as it's just less poo poo (TM).
|
|
#
?
Oct 7, 2018 18:40
|
|
|
I have a couple cheap & tiny little MIPS Linux boards using a router SoC been thinking about benchmarking them versus say my SGI Indy, I wonder how many times faster they are
|
|
#
?
Oct 7, 2018 19:11
|
|
|
|
| # ? Apr 23, 2024 22:05 |
|
|
building your own when you can buy a box that does the job is for college students and other poors. it is never a correct business decision
|
|
#
?
Oct 7, 2018 22:06
|
|