Re: LSM or GRSecurity
So long answer short... go with GRSec, because Russell says so *j/k*
So what would really need to be changed/modified to run GRSec on a Debian
system running testing distro? Not too much I hope....
----- Original Message -----
From: "Russell Coker" <firstname.lastname@example.org>
To: "Jason Lim" <email@example.com>; <firstname.lastname@example.org>
Sent: Monday, February 25, 2002 12:45 PM
Subject: Re: LSM or GRSecurity
> On Sat, 23 Feb 2002 20:30, Jason Lim wrote:
> > Okay... I'm not sure if there has ever been a "religious" flame war
> > between the two camps supporting either LSM or GRSecurity, so I stress
> > this is not my intention.
> I originally packaged the GR Security kernel patch for Debian and I'm
> on SE-Linux (which is one of the security modules for LSM). I have not
> having religious arguments with myself. ;)
> > However, which security model is more suited to an ISP/Webhosting
> > environment (anyone ever done a head-to-head comparison between the
> > And which is easier to integrate with Debian, as such? I think Russell
> > working on something like this, so perhaps he could expand a bit (or
> > whomever is in charge of this).
> If you want a nice easy way of locking down chroots then GRSec is what
> If you want a kernel patch that has a heap of different security
> that are easy to use then GRSec is what you want.
> If you want something that you can deploy on your server right now then
> is not an option.
> LSM is a modular security architecture that currently supports SE-Linux
> (in 2.5.5) LIDS. It does not have some of the features of GRSec
> security improvements, chroot lock-down, easy lock-down of "ps aux" and
> "dmesg"), but apart from the network security patches it can all be done
> SE Linux configuration.
> SE Linux is much harder to configure than GRSec. At the moment there is
> lack of documentation and a lack of sample files for the common cases.
> Expect to spend at least a week of full-time work if you want to get SE
> configured for your system!
> Also my packages of SE Linux programs are experimental and some of them
> Signatures >4 lines are rude. If you send email to me or to a mailing
> that I am subscribed to which has >4 lines of legalistic junk at the end
> then you are specifically authorizing me to do whatever I wish with the
> message (the sig won't be read).