On Tue, Mar 16, 2010 at 2:15 PM, Alessandro Di Giuseppe < [email protected]> wrote:
> Hi Tim,
>
> Having dabbled in SELinux configuration, and running OSSEC for several
> months now here is my advice:
> start with OSSEC first, as it is easier to implement and IMHO provides far
> more visibility, and therefore value.
>

So if this is the case, is there overlap between the two? Should I not consider SELinux or some other comparable technology?

> SELinux requires careful testing to make sure it won't break
> anything. Start gradually with "Permissive" mode (logging only - unlike the
> "Enforcing" which blocks stuff) and carefully analyze your logs before
> considering "Enforcing" mode. I also recommend you use the "Targeted"
> policy which will only act on daemons it knows, whereas "Strict" will block
> anything it doesn't know.
>

This might answer my question above but I just wanted to be clear, it seems that OSSEC will pick up on these logs and alert? And thanks for the URLs.
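The "analyze your logs before considering Enforcing" step above is easier when the AVC denials are summarised rather than read one record at a time. The script below is an added example, not from this thread or from the OSSEC or SELinux projects: it reads auditd records, keeps only `type=AVC ... denied` lines, and counts unique (source context, target context, class, permission) combinations, tagging each with whether the kernel reported it in permissive mode. It assumes the standard auditd record layout; the `permissive=` field is absent on older kernels, in which case the mode is reported as `mode-unknown`. The sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise SELinux AVC denials so they can be reviewed while
# the host is still in permissive mode. Not code from the thread or from
# OSSEC/SELinux. Assumes auditd's "type=AVC" record format.

# Constructed sample audit.log records (hypothetical host, not real data).
SAMPLE_AUDIT_LOG='type=AVC msg=audit(1268748900.123:101): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev=sda1 ino=2222 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1268748900.123:101): arch=c000003e syscall=2 success=yes exit=3 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1268748905.456:102): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1268748910.789:103): avc:  denied  { read } for  pid=1240 comm="httpd" name="index.html" dev=sda1 ino=2222 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1268748915.000:104): avc:  denied  { write } for  pid=999 comm="sshd" name="foo" scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0'

# count_avc_denials: reads audit records on stdin and prints one line per
# unique "scontext -> tcontext tclass { permission } mode", prefixed by how
# many times it occurred, most frequent first.
count_avc_denials() {
    awk '
    /^type=AVC / && / denied / {
        perm = ""; sc = ""; tc = ""; cls = ""; mode = "mode-unknown"
        # The permission set sits between "{ " and " }".
        if (match($0, /\{ [^}]* \}/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/)        sc = substr($i, 10)
            else if ($i ~ /^tcontext=/)   tc = substr($i, 10)
            else if ($i ~ /^tclass=/)     cls = substr($i, 8)
            else if ($i == "permissive=1") mode = "permissive"
            else if ($i == "permissive=0") mode = "enforcing"
        }
        key = sc " -> " tc " " cls " { " perm " } " mode
        count[key]++
    }
    END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Convenience wrappers over the constructed sample.
sample_unique_denials() {
    printf '%s\n' "$SAMPLE_AUDIT_LOG" | count_avc_denials | wc -l | tr -d ' '
}
sample_permissive_denials() {
    printf '%s\n' "$SAMPLE_AUDIT_LOG" | count_avc_denials | grep -c ' permissive$'
}
sample_top_count() {
    printf '%s\n' "$SAMPLE_AUDIT_LOG" | count_avc_denials | head -n 1 | cut -d' ' -f1
}

# Stand-alone run: print the summary of the constructed sample.
printf '%s\n' "$SAMPLE_AUDIT_LOG" | count_avc_denials
```

On a real host the same function can be fed with `grep '^type=AVC' /var/log/audit/audit.log | count_avc_denials` (or the output of `ausearch -m avc`); the `permissive` tag distinguishes denials that would have blocked something once enforcing mode is switched on from ones that already did.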
