| 1 |
>So the way this man sees things. |
| 2 |
>1) Stop the intrusion from happening in the first place (PaX should be |
| 3 |
>used) |
| 4 |
>2) First line of defense if a intrusion happens (be that grsecurity |
| 5 |
>rbac/acl, selinux lsm, rsbac or otherwise) you need something here. |
| 6 |
>3) Monitor for intrusions (prelude-ids is my choice) |
| 7 |
> |
| 8 |
>Anybody seen my margarita? |
| 9 |
> |
| 10 |
> |
| 11 |
|
| 12 |
This is a great summary! |
| 13 |
|
| 14 |
My only remaining questions are: |
| 15 |
|
| 16 |
- which is "best".. Grsecurity or selinux. Pros and cons seem to be: |
| 17 |
better support for selinux, but grsecurity actually seems to be |
| 18 |
"understandable" to me! Why the politics, and why won't grsec be in the |
| 19 |
mainstream? (yeah, yeah, I know there is no right answer, just curious |
| 20 |
to hear the pros and cons) |
| 21 |
- Why no focus on chroot jails? This seems to be an excellent way to |
| 22 |
tackle security. Why are there not more focuses on setting everything |
| 23 |
up to run in a chroot? Gentoo seems to be an ideal medium to have a use |
| 24 |
flag to chroot stuff if needed, and we appear to have the developers |
| 25 |
with the know-how to get a good chroot script for major packages as |
| 26 |
well. Am I missing the point about how useful a chroot jail is, |
| 27 |
especially for tools that host a scripting language, such as apache? |
| 28 |
Are there some other alternatives that I am overlooking (to be clear I |
| 29 |
am mostly worried about script injection in php or perl type scripts) |
| 30 |
|
| 31 |
Thanks everyone for what is looking like a pretty decent security source |
| 32 |
for gentoo. I can see how this is going to turn into something really |
| 33 |
exceptional once it works it's way into the mainstream! |
| 34 |
|
| 35 |
Thanks and good luck |
| 36 |
|
| 37 |
Ed W |
| 38 |
|
| 39 |
-- |
| 40 |
gentoo-hardened@g.o mailing list |
Archives