7v5w7go9ub0o wrote:
>
> There seems to be a reluctance among some old-timers to use the
> hardened tools anywhere else but on a server - I'd guess that is a
> holdover from the last decade when both Linux and the hardening tools
> were being created. Today's (non-selinux) tools are easy to use, and
> are IMHO quite appropriate for home use in today's world of
> professional crackers going after home users. Heh, even MS is
> "hardening" their new OS, VISTA.
>
You probably aren't following the progression of SELinux but it's quite
easy to write policies (in the same type of learning mode as grsec,
although you should be very careful about learning mode, see:
http://securityblog.org/brindle/2006/03/25/security-anti-pattern-status-quo-encapsulation/
) and insert the new policies into your pre-existing base policy without
needing any policy source. Gentoo is moving to the reference policy and
modular policy infrastructure and has plenty of tools for managing the
policy. As a plus you can actually analyze the policy to determine if
you met your security goals.

This is if your security goals require the use of MAC (mandatory access
control) which isn't always the case, at the very least it's important
to harden apps that are vulnerable to remote attack like firefox,
evolution, gaim, etc.
--
gentoo-hardened@g.o mailing list