| 1 |
--[cut]-- |
| 2 |
User-friendlyness depends on the level of security you want to implement. |
| 3 |
I use a rather lazy grsecurity policy, but I still have to update it |
| 4 |
approximately every two weeks - as new applications come by. |
| 5 |
--[cut]-- |
| 6 |
|
| 7 |
I don't expect miracles, on the other hand I can dedicate, |
| 8 |
approximately, 4 hours a week, in tuning and updating, |
| 9 |
I know it's not so much, but I have to face this boundary. |
| 10 |
|
| 11 |
--[cut]-- |
| 12 |
> If I've understood correctly GR-Security could |
| 13 |
> be the best choice for desktop and RSBAC the |
| 14 |
> best choice for server...isn't it? |
| 15 |
--[cut]-- |
| 16 |
|
| 17 |
I understand what you mean, but everything can be learned, |
| 18 |
so if something, I'm not using now, has a less-long history-list |
| 19 |
of exploitable bugs, I'll be happy to move to that solution! |
| 20 |
At the moment I'm using Grsecurity, I believe (and hope) |
| 21 |
it is decently affordable, in the sense of the shortest possible |
| 22 |
history-list of serious breaches/holes, but I've not done a really |
| 23 |
in-depth-analisys, just some googling on these topics. |
| 24 |
My first grsec configuration, was set up on a "Gentoo Workstation" |
| 25 |
profile then tuned for best fits my laptop needs. |
| 26 |
|
| 27 |
--[cut]-- |
| 28 |
You forgot to mention SSP (stack-smashing protection). |
| 29 |
--[cut]-- |
| 30 |
|
| 31 |
I didn't forget it, but I'd like to primarily focus on |
| 32 |
RSBAC and GR-Sec. and I didn't want to be wordy, |
| 33 |
more than I naturally am, so I had to make a selection |
| 34 |
and I've excluded it, nothing personal, just the need |
| 35 |
to be synthetic...in some way... |
| 36 |
I know this exclusion is questionable... |
| 37 |
I'm sorry if this hurt you, because you like SSP ;-) |
| 38 |
I've mentioned SELinux, 'cause it is a well-known |
| 39 |
it is inside the vanilla, so, in some way it is a must |
| 40 |
including SELinux in a topic like this! |
| 41 |
On AppArmor I've spent few words just because |
| 42 |
it comes with Ubuntu that is one of the most spred |
| 43 |
Linux distro. |
| 44 |
|
| 45 |
--[cut]-- |
| 46 |
You'll never find perfect security. |
| 47 |
--[cut]-- |
| 48 |
|
| 49 |
I totally agree with this statement! sadly :-( |
| 50 |
|
| 51 |
|
| 52 |
--[cut]-- |
| 53 |
Every software - even OBSD - has bugs. |
| 54 |
--[cut]-- |
| 55 |
|
| 56 |
I'd like to clear I'm not OBSD super-fan, |
| 57 |
it is only a term of comparison, |
| 58 |
just an example, not propaganda |
| 59 |
(that i personally dislike). |
| 60 |
|
| 61 |
--[cut]-- |
| 62 |
Let me ask you just one thing. Please point me to an OBSD alternative ofthe |
| 63 |
wide variety of Linux hardening solutions (SELinux, RSBAC, AppArmor or |
| 64 |
grsecurity). |
| 65 |
--[cut]-- |
| 66 |
|
| 67 |
OpenBSD had neighter the hardware support, |
| 68 |
nor the opportunity of choice that only Linux |
| 69 |
can offer to us, that's why I love Linux and |
| 70 |
that's why I'm looking for hardening Linux |
| 71 |
rather using OBSD, because I prefer Linux!! |
| 72 |
|
| 73 |
I agree Linux has a lot of hardening solutions |
| 74 |
and different approches, I love it! |
| 75 |
|
| 76 |
In perfect world I would have time to perfectly |
| 77 |
master every patch and then, consciously, |
| 78 |
could choose the one best suits my needs... |
| 79 |
|
| 80 |
coming back to real world, I've few hours a |
| 81 |
week and I have to find out what to study... |
| 82 |
I'd like to focus on 1 approch, hoping this will |
| 83 |
lead me, in the future, to get a decent level |
| 84 |
of knowledge. |
| 85 |
|
| 86 |
Obviously I'm aware, with few hours I'll never |
| 87 |
be up-to-date and seriously skilled, but I think |
| 88 |
some hours are better than zero hours and I |
| 89 |
hope I'll be, a bit more, cultered about security. |
| 90 |
|
| 91 |
|
| 92 |
--[cut]-- |
| 93 |
Sacrifices must be made according to the level of security you are |
| 94 |
targeting. |
| 95 |
--[cut]-- |
| 96 |
|
| 97 |
I have to start, not from the level of security I'd like to get, |
| 98 |
rather from the time I can dedicate... |
| 99 |
|
| 100 |
I mean: these are X hours I can dedicate, |
| 101 |
inside this perentory limit I can be free... |
| 102 |
it's sad, but it's so...anyway I've faith! |
| 103 |
|
| 104 |
Good evening ;-) |
Archives