Hi Tim,

Having dabbled in SELinux configuration, and running OSSEC for several months now, here is my advice: start with OSSEC first, as it is easier to implement and IMHO provides far more visibility, and therefore value.

SELinux requires careful testing to make sure it won't break anything. Start gradually with "Permissive" mode (logging only, unlike "Enforcing", which blocks stuff) and carefully analyze your logs before considering "Enforcing" mode. I also recommend you use the "Targeted" policy, which will only act on daemons it knows, whereas "Strict" will block anything it doesn't know. See these links for more info on SELinux:

http://www.cyberciti.biz/tips/enable-permissive-mode-for-selinux-troubleshooting-purpose.html
http://www.crypt.gen.nz/selinux/disable_selinux.html

FYI: I've been burned by CentOS updates which mangle SELinux rules, and where Enforcing/Targeted mode was enabled systems stopped working... YMMV.

The production CentOS systems I manage run OSSEC and SELinux in Permissive/Targeted configuration; this way, OSSEC can report on any alerts SELinux generates, without the risk of denial of service. (A good compromise in my book.)

My two cents... hope it helps you out.

Alessandro

________________________________
From: Tim Price <[email protected]>
To: ossec-list <[email protected]>
Sent: Tue, March 16, 2010 12:52:47 PM
Subject: [ossec-list] ossec and selinux

General question from a newbie...

Having not dealt with either of these and not currently running either of these, which one do I tackle first? It seems that I am better off going the SELinux route first and then installing and turning on OSSEC? Also, based on some reading, it seems that both of these together provide the highest security, for web farms and databases? Any thoughts on this?
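The "run Permissive/Targeted and read the logs before considering Enforcing" workflow from the reply above, as an added example that is not part of the thread: a few POSIX-sh helpers that read the mode and policy type from an `/etc/selinux/config`-style file and summarise the AVC denial records an audit log collected while in Permissive mode. Both input files are constructed samples written to temp files so the script runs offline; the pids, inodes and contexts in the audit lines are made up, and the helper names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread. Helpers to review
# SELinux state and logged denials before switching to Enforcing.

# Constructed sample of /etc/selinux/config (Permissive + Targeted).
SELINUX_CFG=$(mktemp)
cat >"$SELINUX_CFG" <<'EOF'
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values: enforcing, permissive, disabled
SELINUX=permissive
SELINUXTYPE=targeted
EOF

# Constructed sample audit.log. Format mirrors real AVC records; values are made up.
# permissive=1 marks a denial that was logged but NOT blocked (Permissive mode).
AUDIT_LOG=$(mktemp)
cat >"$AUDIT_LOG" <<'EOF'
type=AVC msg=audit(1268761967.101:12): avc:  denied  { read } for  pid=2301 comm="httpd" name="index.html" dev=sda1 ino=1001 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1268761967.101:12): arch=c000003e syscall=2 success=yes exit=5
type=AVC msg=audit(1268761970.555:13): avc:  denied  { name_connect } for  pid=2301 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1268761980.009:14): avc:  denied  { write } for  pid=2410 comm="mysqld" name="ib_logfile0" dev=sda2 ino=2002 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1
EOF
trap 'rm -f "$SELINUX_CFG" "$AUDIT_LOG"' EXIT

# selinux_cfg_value FILE KEY -> value of "KEY=..." (commented lines are ignored)
selinux_cfg_value() {
    sed -n "s/^[[:space:]]*$2=\(.*\)$/\1/p" "$1" | tail -n 1
}

# count_avc_denials FILE -> number of AVC "denied" records
count_avc_denials() {
    grep -c '^type=AVC .*avc: *denied' "$1" || true
}

# count_permissive_only FILE -> denials that only went through because of
# Permissive mode, i.e. what would actually break once Enforcing is turned on
count_permissive_only() {
    grep -c '^type=AVC .*avc: *denied .*permissive=1' "$1" || true
}

# avc_denied_comms FILE -> sorted, unique process names (comm=) that hit denials
avc_denied_comms() {
    sed -n 's/.*avc: *denied .*comm="\([^"]*\)".*/\1/p' "$1" | sort -u
}

# ready_for_enforcing AUDIT_FILE -> returns 0 only when no denials were logged;
# otherwise prints the offending processes and returns 1
ready_for_enforcing() {
    denials=$(count_avc_denials "$1")
    if [ "$denials" -gt 0 ]; then
        echo "$denials denial(s) logged for: $(avc_denied_comms "$1" | tr '\n' ' ')"
        echo "fix policy/labels (or keep Permissive) before considering Enforcing"
        return 1
    fi
    echo "no denials logged; Enforcing can be considered"
}

# Stand-alone usage
echo "mode=$(selinux_cfg_value "$SELINUX_CFG" SELINUX) type=$(selinux_cfg_value "$SELINUX_CFG" SELINUXTYPE)"
echo "denials=$(count_avc_denials "$AUDIT_LOG") would_block=$(count_permissive_only "$AUDIT_LOG")"
ready_for_enforcing "$AUDIT_LOG" || true
```

On a live host the same information comes from `getenforce` / `sestatus` and `ausearch -m avc`; the helpers here read plain files instead so the logic can be exercised without SELinux present, and the same `permissive=1` marker is what tells you a denial would have turned into an outage under Enforcing.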
