Alan Dayley wrote:
Thanks for all the responses to my remote desktop login question.  I'm
pretty sure we will deploy FreeNX for that function.

This question has to do with the same server.  A tech savvy manager
says we should use "NSA Linux" on the remote desktop host server.
What he means is use the SELinux security features.

Now, I don't have lots of experience with setup and maintenance of
SELinux.  I have read that it is painful and requires more
administration than just "set and forget."

A similar technology is the AppArmor profiles for applications.  Said
to be easier to use than SELinux but provides much the same benefits.

Then a third camp seems to think that both of these are overkill and a
headache for the benefits gained.  They feel that, configured
correctly, standard user security on a Linux box is secure enough for
most business applications.

Where do any of you stand on this argument?  Is SELinux really a pain
to set up and use?  Is AppArmor interesting but not worth it?

Given the function of the server as I previously described in that
other thread 
(http://lists.plug.phoenix.az.us/lurker/thread/20081030.230820.05346d48.en.html#20081030.230820.05346d48),
what security extensions would you deploy and why?

Full disclaimer:  I work for Red Hat, so I'm prolly biased.

I prefer SELinux.  It's got a long, proven track record, it is highly
granular, very configurable, and very secure.  Although it was certainly
not easy to configure when we first released it with Red Hat Enterprise
Linux 4, it's come a looooong way since then.  It's very easy to get
SELinux configured with tools like sealert, audit2why, audit2allow, and
semanage.

I just delivered an intro SELinux presentation at the Colorado Software Summit two weeks ago. The presentation, titled "SELinux for Mere Mortals," is available at:

http://people.redhat.com/tcameron

Have a look at it and see if it makes sense.

TC


---------------------------------------------------
PLUG-discuss mailing list - [email protected]
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
