Mailing List Archive



Re: [tlug] Unix's 40th Birthday



Curt Sampson wrote:
> Edward Middleton wrote:
> 
>> Well if security is a priority over ease of use Hardened Gentoo offers
>> a number of pretty good combinations. I have used PAX hardened SELinux
>> installs on servers....
> 
> See my previous post for why SELinux is more likely, for most people, to
> reduce than increase your security.
> 
> (How well have you audited your SELinux configuration?)

Sufficiently for the application they were being applied to.  SELinux (like
any other MAC[1] system) can be complicated and requires tuning for the
particular application.  They are also only a component of a secure
system, which is why I used hardened Gentoo, which comes with stack
smashing protection[2] and PAX[3] (i.e. PAX_KERNEXEC).

The "AllowPasswords no" issue is pretty stupid, but it is in the
OpenSSH configuration file (a part of the OpenSSH application) not PAM.
Perhaps you should create a serious secure distribution without ssh ;)

Edward

1. http://en.wikipedia.org/wiki/Mandatory_access_control
2. http://en.wikipedia.org/wiki/Stack-smashing_protection
3. http://en.wikipedia.org/wiki/PaX



