Gentoo Archives: gentoo-security

From: Viktors Rotanovs <Viktors@××××××××.com>
To: Calum <gentoo-security@××××××××××××.uk>
Cc: gentoo-security@l.g.o
Subject: Re: [gentoo-security] Gentoo dev sources
Date: Mon, 23 Aug 2004 18:35:52
Message-Id: 412A3911.3070308@Rotanovs.com
In Reply to: Re: [gentoo-security] Gentoo dev sources by Calum
Calum wrote:

> But as a general feeling, do people feel that SELinux will become the
> hardening method of choice? I.e. If I have to make a choice and commit now,
> shall I stick with GRSec, or start looking at SE?

GrSec is great if you want good security with minimum configuration,
plus it's written by a person who knows methods used by real hackers
very very well.

SELinux takes more time to configure properly, and there are more
possibilities for mistakes (imagine setting proper permissions on
Windows Registry).

But good security is not limited to choosing between GrSec and SELinux -
you probably will want to disable module loading, BSD ptys and mtrr, to
choose software which has a good security history (qmail/postfix instead
of sendmail, djbdns instead of bind, etc.), to modify your configuration
(disabling allow_url_fopen in php.ini, etc.), to chroot daemons if you
want protection quickly, to add hardening patches to other software
(mod_security, hardened-php, etc.)
And all these measures will fail if some backdoor gets accidentally
installed on one of the workstations from which you ssh to your servers....

Oops, sorry, I ran away from topic :) So, choose GRSec, it's a beautiful
and well thought out piece of software which will solve 99% of your
kernel security needs.

Best Wishes,
Viktors


--
gentoo-security@g.o mailing list
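
The kernel and php.ini settings named in the message above can be checked mechanically. The following is an added example, not part of the original e-mail; the mapping onto CONFIG_MODULES, CONFIG_LEGACY_PTYS and CONFIG_MTRR, the function names and the sample inputs are this example's assumptions.

```python
import re

# Assumed mapping of "module loading, BSD ptys and mtrr" onto kernel options.
KERNEL_OPTS = ("CONFIG_MODULES", "CONFIG_LEGACY_PTYS", "CONFIG_MTRR")

def enabled_kernel_opts(config_text):
    """Return the KERNEL_OPTS entries that a kernel .config leaves enabled."""
    state = {}
    for line in config_text.splitlines():
        line = line.strip()
        on = re.match(r"(CONFIG_\w+)=(.*)$", line)
        off = re.match(r"# (CONFIG_\w+) is not set$", line)
        if on:
            state[on.group(1)] = on.group(2) in ("y", "m")
        elif off:  # kconfig records a disabled option as a comment
            state[off.group(1)] = False
    return [opt for opt in KERNEL_OPTS if state.get(opt, False)]

def allow_url_fopen_enabled(ini_text):
    """Return True if php.ini leaves allow_url_fopen on (last setting wins)."""
    value = "1"  # PHP enables the directive when php.ini does not set it
    for line in ini_text.splitlines():
        line = line.split(";", 1)[0].strip()  # ';' starts a comment
        m = re.match(r"allow_url_fopen\s*=\s*(.*)$", line)
        if m:
            value = m.group(1).strip().strip("\"'")
    return value.lower() in ("1", "on", "true", "yes")

def findings(config_text, ini_text):
    """List the settings from the message that are still at their weak value."""
    out = [f"{opt} is enabled" for opt in enabled_kernel_opts(config_text)]
    if allow_url_fopen_enabled(ini_text):
        out.append("allow_url_fopen is on")
    return out

# Constructed sample inputs, not from any real host.
SAMPLE_KCONFIG = """\
CONFIG_MODULES=y
# CONFIG_LEGACY_PTYS is not set
CONFIG_MTRR=y
"""
SAMPLE_PHP_INI = """\
;allow_url_fopen = Off
allow_url_fopen = On   ; fopen() wrappers may fetch remote URLs
"""

if __name__ == "__main__":
    for item in findings(SAMPLE_KCONFIG, SAMPLE_PHP_INI):
        print("WEAK:", item)
```

On a real host the inputs would be the kernel's .config (or /proc/config.gz where available) and the php.ini actually loaded by the server.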