| 1 |
7v5w7go9ub0o wrote: |
| 2 |
> |
| 3 |
> There seems to be a reluctance among some old-timers to use the |
| 4 |
> hardened tools anywhere else but on a server - I'd guess that is a |
| 5 |
> holdover from the last decade when both Linux and the hardening tools |
| 6 |
> were being created. Today's (non-selinux) tools are easy to use, and |
| 7 |
> are IMHO quite appropriate for home use in today's world of |
| 8 |
> professional crackers going after home users. Heh, even MS is |
| 9 |
> "hardening" their new OS, VISTA. |
| 10 |
> |
| 11 |
You probably aren't following the progression of SELinux but its quite |
| 12 |
easy to write policies (in the same type of learning mode as grsec, |
| 13 |
although you should be very careful about learning mode, see: |
| 14 |
http://securityblog.org/brindle/2006/03/25/security-anti-pattern-status-quo-encapsulation/ |
| 15 |
) and insert the new policies into your pre-existing base policy without |
| 16 |
needing any policy source. Gentoo is moving to the reference policy and |
| 17 |
modular policy infrastructure and has plenty of tools for managing the |
| 18 |
policy. As a plus you can actually analyze the policy to determine if |
| 19 |
you met your security goals. |
| 20 |
|
| 21 |
This is if your security goals require the use of MAC (mandatory access |
| 22 |
control) which isn't always the case, at the very least it's important |
| 23 |
to harden apps that are vulnerable to remote attack like firefox, |
| 24 |
evolution, gaim, etc. |
| 25 |
-- |
| 26 |
gentoo-hardened@g.o mailing list |
Archives