So long answer short... go with GRSec, because Russell says so *j/k*

So what would really need to be changed/modified to run GRSec on a Debian system running testing distro? Not too much I hope....

----- Original Message -----
From: "Russell Coker" <[EMAIL PROTECTED]>
To: "Jason Lim" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Monday, February 25, 2002 12:45 PM
Subject: Re: LSM or GRSecurity

> On Sat, 23 Feb 2002 20:30, Jason Lim wrote:
> > Okay... I'm not sure if there has ever been a "religious" flame war
> > between the two camps supporting either LSM or GRSecurity, so I stress
> > this is not my intention.
>
> I originally packaged the GR Security kernel patch for Debian and I'm working
> on SE-Linux (which is one of the security modules for LSM). I have not been
> having religious arguments with myself. ;)
>
> > However, which security model is more suited to an ISP/Webhosting
> > environment (anyone ever done a head-to-head comparison between the two?)
> > And which is easier to integrate with Debian, as such? I think Russell was
> > working on something like this, so perhaps he could expand a bit (or
> > whomever is in charge of this).
>
> If you want a nice easy way of locking down chroots then GRSec is what you
> want.
>
> If you want a kernel patch that has a heap of different security improvements
> that are easy to use then GRSec is what you want.
>
> If you want something that you can deploy on your server right now then LSM
> is not an option.
>
> LSM is a modular security architecture that currently supports SE-Linux and
> (in 2.5.5) LIDS. It does not have some of the features of GRSec (network
> security improvements, chroot lock-down, easy lock-down of "ps aux" and
> "dmesg"), but apart from the network security patches it can all be done in
> SE Linux configuration.
>
> SE Linux is much harder to configure than GRSec. At the moment there is a
> lack of documentation and a lack of sample files for the common cases.
> Expect to spend at least a week of full-time work if you want to get SE Linux
> configured for your system!
>
> Also my packages of SE Linux programs are experimental and some of them break
> things...
>
> --
> Signatures >4 lines are rude. If you send email to me or to a mailing list
> that I am subscribed to which has >4 lines of legalistic junk at the end
> then you are specifically authorizing me to do whatever I wish with the
> message (the sig won't be read).