>So the way this man sees things.
>1) Stop the intrusion from happening in the first place (PaX should be
>used)
>2) First line of defense if an intrusion happens (be that grsecurity
>rbac/acl, selinux lsm, rsbac or otherwise) you need something here.
>3) Monitor for intrusions (prelude-ids is my choice)
>
>Anybody seen my margarita?
>
>
|
This is a great summary!

My only remaining questions are:
|
- which is "best"... Grsecurity or selinux? Pros and cons seem to be:
better support for selinux, but grsecurity actually seems to be
"understandable" to me! Why the politics, and why won't grsec be in the
mainstream? (yeah, yeah, I know there is no right answer, just curious
to hear the pros and cons)
- Why no focus on chroot jails? This seems to be an excellent way to
tackle security. Why is there not more focus on setting everything
up to run in a chroot? Gentoo seems to be an ideal medium to have a use
flag to chroot stuff if needed, and we appear to have the developers
with the know-how to get a good chroot script for major packages as
well. Am I missing the point about how useful a chroot jail is,
especially for tools that host a scripting language, such as apache?
Are there some other alternatives that I am overlooking? (to be clear I
am mostly worried about script injection in php or perl type scripts)
|
Thanks everyone for what is looking like a pretty decent security source
for gentoo. I can see how this is going to turn into something really
exceptional once it works its way into the mainstream!
|
Thanks and good luck

Ed W

--
gentoo-hardened@g.o mailing list |