
Re: LSM or GRSecurity



On Sat, 23 Feb 2002 20:30, Jason Lim wrote:
> Okay... i'm not sure if there has ever been a "religious" flame war
> between the two camps supporting either LSM or GRSecurity, so I stress
> this is not my intention.

I originally packaged the GR Security kernel patch for Debian and I'm working 
on SE-Linux (which is one of the security modules for LSM).  I have not been 
having religious arguments with myself.  ;)

> However, which security model is more suited to an ISP/Webhosting
> environment (anyone ever done a head-to-head comparison between the two?
> And which is easier to integrate with Debian, as such? I think Russell was
> working on something like this, so perhaps he could expand a bit (or
> whomever is in charge of this).

If you want a nice easy way of locking down chroots then GRSec is what you 
want.

If you want a kernel patch that has a heap of different security improvements 
that are easy to use then GRSec is what you want.

If you want something that you can deploy on your server right now then LSM 
is not an option.

LSM is a modular security architecture that currently supports SE-Linux and 
(in 2.5.5) LIDS.  It does not have some of the features of GRSec (network 
security improvements, chroot lock-down, easy lock-down of "ps aux" and 
"dmesg"), but apart from the network security patches it can all be done in 
SE Linux configuration.

SE Linux is much harder to configure than GRSec.  At the moment there is a 
lack of documentation and a lack of sample files for the common cases.  
Expect to spend at least a week of full-time work if you want to get SE Linux 
configured for your system!

Also my packages of SE Linux programs are experimental and some of them break 
things...

-- 
Signatures >4 lines are rude.  If you send email to me or to a mailing list
that I am subscribed to which has >4 lines of legalistic junk at the end
then you are specifically authorizing me to do whatever I wish with the
message (the sig won't be read).