--[cut]--
User-friendliness depends on the level of security you want to implement.
I use a rather lazy grsecurity policy, but I still have to update it
approximately every two weeks - as new applications come by.
--[cut]--

I don't expect miracles; on the other hand I can dedicate,
approximately, 4 hours a week to tuning and updating.
I know it's not so much, but I have to face this boundary.

--[cut]--
> If I've understood correctly GR-Security could
> be the best choice for desktop and RSBAC the
> best choice for server...isn't it?
--[cut]--

I understand what you mean, but everything can be learned,
so if something I'm not using now has a shorter history list
of exploitable bugs, I'll be happy to move to that solution!
At the moment I'm using Grsecurity, I believe (and hope)
it is decently affordable, in the sense of the shortest possible
history list of serious breaches/holes, but I've not done a really
in-depth analysis, just some googling on these topics.
My first grsec configuration was set up on a "Gentoo Workstation"
profile, then tuned to best fit my laptop's needs.

--[cut]--
You forgot to mention SSP (stack-smashing protection).
--[cut]--

I didn't forget it, but I'd like to primarily focus on
RSBAC and GR-Sec. and I didn't want to be wordy,
more than I naturally am, so I had to make a selection
and I've excluded it, nothing personal, just the need
to be synthetic...in some way...
I know this exclusion is questionable...
I'm sorry if this hurt you, because you like SSP ;-)
I've mentioned SELinux 'cause it is well-known,
it is inside the vanilla, so, in some way, it is a must
to include SELinux in a topic like this!
On AppArmor I've spent a few words just because
it comes with Ubuntu, which is one of the most widespread
Linux distros.

--[cut]--
You'll never find perfect security.
--[cut]--

I totally agree with this statement! Sadly :-(

--[cut]--
Every software - even OBSD - has bugs.
--[cut]--

I'd like to make clear I'm not an OBSD super-fan,
it is only a term of comparison,
just an example, not propaganda
(that I personally dislike).

--[cut]--
Let me ask you just one thing. Please point me to an OBSD alternative of the
wide variety of Linux hardening solutions (SELinux, RSBAC, AppArmor or
grsecurity).
--[cut]--

OpenBSD had neither the hardware support,
nor the opportunity of choice that only Linux
can offer to us, that's why I love Linux and
that's why I'm looking to harden Linux
rather than using OBSD, because I prefer Linux!!

I agree Linux has a lot of hardening solutions
and different approaches, I love it!

In a perfect world I would have time to perfectly
master every patch and then, consciously,
could choose the one that best suits my needs...

Coming back to the real world, I've few hours a
week and I have to find out what to study...
I'd like to focus on 1 approach, hoping this will
lead me, in the future, to get a decent level
of knowledge.

Obviously I'm aware, with few hours I'll never
be up-to-date and seriously skilled, but I think
some hours are better than zero hours and I
hope I'll be, a bit more, cultured about security.

--[cut]--
Sacrifices must be made according to the level of security you are
targeting.
--[cut]--

I have to start, not from the level of security I'd like to get,
but rather from the time I can dedicate...

I mean: these are X hours I can dedicate,
inside this peremptory limit I can be free...
it's sad, but it's so...anyway I've faith!

Good evening ;-)