1 |
Calum wrote: |
2 |
|
3 |
> But as a general feeling, do people feel that SELinux will become the |
4 |
> hardening method of choice? I.e. If I have to make a choice and commit now, |
5 |
> shall I stick with GRSec, or start looking at SE? |
6 |
|
7 |
GrSec is great if you want good security with minimum configuration, |
8 |
plus it's written by a person who knows methods used by real hackers |
9 |
very very well. |
10 |
|
11 |
SELinux takes more time to configure properly, and there are more |
12 |
possibilities for mistakes (imagine setting proper permissions on |
13 |
Windows Registry). |
14 |
|
15 |
But good security is not limited to choosing between GrSec and SELinux - |
16 |
you probably will want to disable module loading, BSD ptys and mtrr, to |
17 |
choose software which has good security history (qmail/postfix instead |
18 |
of sendmail, djbdns instead of bind, etc.), to modify your configuration |
19 |
(disabling allow_url_fopen in php.ini, etc.), to chroot daemons if you |
20 |
want protection quickly, to add hardening patches to other software |
21 |
(mod_security, hardened-php, etc.) |
22 |
And all these measures will fail if some backdoor gets accidentally |
23 |
installed on one of workstations from which you ssh to your servers.... |
24 |
|
25 |
Oops, sorry, I ran away from topic :) So, choose GRSec, it's beautiful |
26 |
and well thought out piece of software which will solve 99% of your |
27 |
kernel security needs. |
28 |
|
29 |
Best Wishes, |
30 |
Viktors |
31 |
|
32 |
|
33 |
-- |
34 |
gentoo-security@g.o mailing list |