
Re: LSM or GRSecurity



So long answer short... go with GRSec, because Russell says so *j/k*

So what would really need to be changed/modified to run GRSec on a Debian
system running testing distro? Not too much I hope....

----- Original Message -----
From: "Russell Coker" <russell@coker.com.au>
To: "Jason Lim" <maillist@jasonlim.com>; <debian-isp@lists.debian.org>
Sent: Monday, February 25, 2002 12:45 PM
Subject: Re: LSM or GRSecurity


> On Sat, 23 Feb 2002 20:30, Jason Lim wrote:
> > Okay... I'm not sure if there has ever been a "religious" flame war
> > between the two camps supporting either LSM or GRSecurity, so I stress
> > this is not my intention.
>
> I originally packaged the GR Security kernel patch for Debian and I'm working
> on SE-Linux (which is one of the security modules for LSM).  I have not been
> having religious arguments with myself.  ;)
>
> > However, which security model is more suited to an ISP/Webhosting
> > environment (anyone ever done a head-to-head comparison between the two?)
> > And which is easier to integrate with Debian, as such? I think Russell was
> > working on something like this, so perhaps he could expand a bit (or
> > whomever is in charge of this).
>
> If you want a nice easy way of locking down chroot's then GRSec is what you
> want.
>
> If you want a kernel patch that has a heap of different security improvements
> that are easy to use then GRSec is what you want.
>
> If you want something that you can deploy on your server right now then LSM
> is not an option.
>
> LSM is a modular security architecture that currently supports SE-Linux and
> (in 2.5.5) LIDS.  It does not have some of the features of GRSec (network
> security improvements, chroot lock-down, easy lock-down of "ps aux" and
> "dmesg"), but apart from the network security patches it can all be done in
> SE Linux configuration.
>
> SE Linux is much harder to configure than GRSec.  At the moment there is a
> lack of documentation and a lack of sample files for the common cases.
> Expect to spend at least a week of full-time work if you want to get SE Linux
> configured for your system!
>
> Also my packages of SE Linux programs are experimental and some of them break
> things...
>
> --
> Signatures >4 lines are rude.  If you send email to me or to a mailing list
> that I am subscribed to which has >4 lines of legalistic junk at the end
> then you are specifically authorizing me to do whatever I wish with the
> message (the sig won't be read).


