Securing FC 4

Paul Howarth paul at city-fan.org
Sun Aug 21 17:27:09 UTC 2005


On Sun, 2005-08-21 at 08:05 -0400, AragonX wrote:
> <quote who="Paul Howarth">
> > On Sat, 2005-08-20 at 10:59 -0400, AragonX wrote:
> > Security is not easy. IMHO SELinux is a worthwhile investment of effort.
> > It is also completely different from LIDS and performs a different
> > function. LIDS attempts to detect that an intrusion has happened.
> > SELinux tries to prevent the intrusion happening in the first place, and
> > to limit the damage that occurs if it does.
> 
> It may seem like that is the focus of LIDS but that is not the case.  LIDS
> primarily is a kernel patch that provides ACL (Access Control Lists).  It
> limits drastically root's (and any account's) ability to access files.
> 
> It does perform a very similar function to SELinux.  The real advantage
> for me is that its configuration is extremely simple.  Much easier for me
> to work with than SELinux has been.  :/
> 
> >> I'm looking for more preventative measures.  It appears that LIDS and
> >> mod_security are the only ones in that role now.  Should I jail apache?
> >> Would that give me any benefits over what LIDS provides?
> >
> > Yes it would.
> 
> Since LIDS does something different than originally thought, is this
> statement still correct?

I'd still say so. Unless one "security feature" is a complete subset of
another one, using that feature should enhance security (i.e. the more
layers of defences the better).

Regarding SELinux, I'd still try to get to grips with it if I was you
(if not now, as a longer-term project). It's actively supported in
Fedora and is only likely to get better and easier to manage as time
goes on. I found http://fedora.redhat.com/docs/selinux-apache-fc3/ to be
a very useful guide, including tips on customising policy.

Paul.
-- 
Paul Howarth <paul at city-fan.org>



