On Tuesday 16-01-2007 at 09:16 [timezone -0800], Ned Ludd wrote:
> On Mon, 2007-01-15 at 22:08 +0100, Michael wrote:
> >
> > You've quite convinced me of your solution, but should I expect a lot
> > more work to build and maintain gentoo installs with grsec and hardened?
> >
> > For me it won't be much of a problem, but the other admin is still
> > learning gentoo (he never used linux before) but he should be able to
> > maintain the server without me so it shouldn't be too hard for him
> > either... Security is more important of course, but the easier the
> > better (or the more automation the better).
> >
> > Should I expect to be able to install grsec and hardened and have it
> > work just like a normal gentoo install?
>
> Yes pretty much. grsec+pax+hardened-toolchain(even w/o RBAC/SE/RSBAC)
> offers admins a mostly transparent security system that vastly
> improves security on linux. RBAC/SE/RSBAC mostly are for containing
> an intrusion after it's already happened. With grsec+pax+toolchain the
> idea is to prevent the intrusion from happening in the first place.

I guess this is the way to go then. My last question involves the
overhead caused by these security enhancers. I remember something about
SELinux giving quite a performance penalty, but that's not based on
facts. I don't need any numbers to believe the overhead is small or
anything, I just don't want the dual opteron servers to feel like they
were pentium 3s.

Thanks for all the help so far, everyone who replied has provided very
useful information and I can only hope I can do the same for each one of
you in the future.
Greetings,

Michael

--
gentoo-hardened@g.o mailing list