In close collaboration with Seoul National University's Structural Complexity Laboratory

 

Security and SELinux

Since SNU provides high network connectivity, and there are many powerful computers here, SNU is a honeypot for hackers and crackers. Our machines are being probed all the time. We need to exercise extreme care to ensure that SC Lab isn't compromised. The concerns about security apply both to the servers, and to personal machines. If you have a personal machine directly connected to the SNU internet, please

  • Make sure the OS is maintained up-to-date
  • Exercise professional care in opening applications, attachments etc
  • Use secure passwords

Please remember that if our computers are hacked and used in malicious ways, it will reflect very badly on SC Lab, and on our personal professionalism. Please be aware that SNU is now taking security very seriously, and is likely to be introducing strict standards for computers connected to the network.

The SC Lab computers mostly use Fedora Linux. On the SC Lab server, we are running a very tight firewall, and we are running the new linux SELinux security system. This makes for a very secure system. The key vulnerability is likely to be weak user passwords. So please choose a secure password. To emphasise this, I will be running cracking software against our accounts from time to time. Any accounts I am able to crack will be blocked for a period of time.

SELinux is very powerful, but it also introduces some extra pain in the use of linux. Among other things, files under SELinux have extra security permissions over what is in standard linux, so some things you expect to work won't.

For your own personal linux machines, if they are behind our natting routers, selinux may be overkill: it's very good for security, but it does make things in general harder to do. I leave it to your judgement.

To check the SELinux status of a file, use

  ls -Z

instead of

  ls -l

To change the selinux status use

  chcon

For further information

  man ls
  man chcon
  man selinux