Let's make it clear I'm not favouring any solution over the other since it depends on what you want to do, but if you for instance look at GRSecurity vs SELinux apart from noticing they're incompatible (can't patch kernel with both):
- GRS provides security-enhancing features out of the box (even without using it's RBAC) but doesn't provide UI tools to work with (but since most of those knobs are sysctl-controlled that's no problem), the only distro I know supports it is Gentoo (cool choice folks) and it's not for those seeking EAL-like assurance.
- SELinux has different modes making choice between all-out or securing specific applications easier, it's (the only) part of the official kernel LSM framework, policy problems can be hard to fix but there's some new tools available that (should) make policy making easier.
Has anybody got views about whether it is worth installing for a layered-paranoid approach to security for a desktop, with the caveat that I do not want to go down the complexity of SELinux.
(Maybe a thread split between here and the Linux Security forum could have helped people notice it.) I think what you should do is get a wider view of the products available (LIDS, RSBAC, GRSecurity, SELinux and AppArmor), make a checklists of the key security enhancing features of each of the products and order on 0) how much of the features you need are covered by the product, 1) effort needed, 2) learning curve steepness and 3) ease of maintenance.
The outcome you then know of in what ways it enhances your boxens security (effectivity, assurance, holes to cover with other tools), at what price (cost as in knowledge, loss of current usability, time from build to production ready) and if it's a durable one (developer and community support, maintainability).
Increase-your-Mana-tenfold notice: finding out yourself by reading about those products and posting an objective comparison on LQ should earn you eternal gratitude of the whole community, I am pretty sure.
|