--[cut]--<br>User-friendliness depends on the level of security you want to implement.<br>I use a rather lazy grsecurity policy, but I still have to update it<br>approximately every two weeks - as new applications come by.<br>
--[cut]--<br><div class="gmail_quote"><div class="im"><br>I don't expect miracles, on the other hand I can dedicate, <br>approximately, 4 hours a week, in tuning and updating,<br>I know it's not so much, but I have to face this boundary.<br>
<br>--[cut]--<br>> If I've understood correctly GR-Security could<br>
> be the best choice for desktop and RSBAC the<br>
> best choice for server...isn't it?</div><div>--[cut]--<br><br></div><div>I understand what you mean, but everything can be learned, <br>so if something, I'm not using now, has a less-long history-list <br>of exploitable bugs, I'll be happy to move to that solution!<br>
At the moment I'm using Grsecurity, I believe (and hope) <br>it is decently affordable, in the sense of the shortest possible <br>history-list of serious breaches/holes, but I've not done a really <br>in-depth analysis, just some googling on these topics.<br>
</div><div>My first grsec configuration was set up on a "Gentoo Workstation"<br>profile, then tuned to best fit my laptop needs. <br><br>--[cut]--</div><div class="im"> You forgot to mention SSP (stack-smashing protection). <br>
--[cut]--<br><br>I didn't forget it, but I'd like to primarily focus on <br>RSBAC and GR-Sec. and I didn't want to be wordy,<br>more than I naturally am, so I had to make a selection<br>and I've excluded it, nothing personal, just the need<br>
to be synthetic...in some way...<br>I know this exclusion is questionable...<br>I'm sorry if this hurt you, because you like SSP ;-)<br>I've mentioned SELinux, 'cause it is a well-known <br>it is inside the vanilla, so, in some way it is a must <br>
including SELinux in a topic like this!<br>On AppArmor I've spent a few words just because<br>it comes with Ubuntu, which is one of the most widespread<br>Linux distros.<br><br>--[cut]--<br>You'll never find perfect security.<br>
--[cut]--<br><br>I totally agree with this statement! sadly :-( <br><br><br>--[cut]--<br>Every software - even OBSD - has bugs.<br>
--[cut]--<br><br>I'd like to make clear I'm not an OBSD super-fan,<br>it is only a term of comparison,<br>just an example, not propaganda <br>(that I personally dislike).<br><br>--[cut]--<br>
Let me ask you just one thing. Please point me to an OBSD alternative of the wide variety of Linux hardening solutions (SELinux, RSBAC, AppArmor or grsecurity). </div><div>
--[cut]--<br><br>OpenBSD had neither the hardware support, <br>nor the opportunity of choice that only Linux<br>can offer to us, that's why I love Linux and <br>that's why I'm looking for hardening Linux<br>
rather than using OBSD, because I prefer Linux!!<br><br>I agree Linux has a lot of hardening solutions<br>and different approaches, I love it!<br><br>In a perfect world I would have time to perfectly <br>master every patch and then, consciously, <br>
could choose the one that best suits my needs...<br><br>coming back to the real world, I've few hours a<br>week and I have to find out what to study...<br>I'd like to focus on 1 approach, hoping this will<br>lead me, in the future, to get a decent level<br>
of knowledge. <br><br>Obviously I'm aware, with few hours I'll never <br>be up-to-date and seriously skilled, but I think <br>some hours are better than zero hours and I<br>hope I'll be, a bit more, cultured about security.<br>
<br><br>--[cut]--<br>Sacrifices must be made according to the level of security you are targeting.<br>--[cut]--<br><br>I have to start, not from the level of security I'd like to get,<br>rather from the time I can dedicate... <br>
<br>I mean: these are X hours I can dedicate,<br>inside this peremptory limit I can be free...<br>it's sad, but it's so...anyway I've faith!<br><br>Good evening ;-)<br></div></div><br>