
Re: My own Firewall ??



On 11 Mar 2005, JM wrote:
>> Footnotes:
>> [1] To the best of my knowledge, at least. Last time I checked you had
>> to replace many core tools with SELinux versions, which are not
>> officially part of Debian yet.
>
> Yes, so far many packages would have to be replaced. selinux.lemuria.org
> has some debian depositories (and a guide to setup selinux for debian) for
> those packages, but one would have to use pinning to give preference to
> those packages.

*nod*  So, basically, SELinux on Debian is not impossible, but not easy
or supported by mainline developers, so any bugs from it are your
problem.

I would consider running that on my own systems, to develop knowledge,
but not recommend it to other people -- neither my clients, nor on the
Internet -- because it is much too easy to get problems that very few
Debian people can help with. :)

OTOH, I /do/ hope that SELinux support moves into the Debian mainline
after this release, since Fedora have already broken the back of the
software compatibility effort required to make it work.  Thanks, in this
case, to RedHat for paying that cost for us all.

> There is a so called debian-hardened project that uses a "hardened-kernel"
> For sarge, the kernel is based on release 2.6.7.  Also has some
> repositories. As far as I can see, it looks very promising and has many
> features. I tried one of the kernel-images and it works real well.

When you say you tried it, how did you test?

After all, a "hardened" kernel image that doesn't fall over under normal
use is all well and good, but what about the security aspects:

Can you identify any specific, real world situation where it has helped?
Has it caused problems with any software, or people, or whatever?


This isn't a question aimed at making problems for you, or insulting the
people who are, no doubt, working very hard on the hardening project.

I really want to know, because I don't have time (currently) to test it
myself, but would happily deploy it to client sites if I could be sure
it would actually achieve anything to improve matters.


Also, I recall some months ago that some Debian hardening toolkit had
made a miserable mess of the systems of a couple of people on the Debian
lists, by going in and screwing around with various configuration files
for them.

IIRC, it was some sort of "education about security" package;  is this
the same project, or am I thinking of something else?

    Daniel

-- 
The secret of happiness is this: Let your interests be as wide as
possible, and let your reactions to the things and persons that
interest you be as far as possible friendly rather than hostile. 
        -- Bertrand Russell


