On Mon., 2016-02-01 at 07:35 -0800, Kevin Gallagher wrote:
> Compared to AppArmor, which one trains on specific processes,
> Grsecurity's RBAC is the first to provide full system learning that can
> automatically generate least-privilege policies covering the entire
> system, without manual configuration.

That sounds a bit like an advertisement. Could you explain a bit more?

> Enabling AppArmor in Debian currently requires installing (sometimes
> even building) some software, adding some boot parameters to the Linux
> kernel through GRUB, and rebooting. Then you need to fiddle with the
> profiles you want, set them to complain/enforce, etc.
>
> If I have RBAC enabled in my grsec kernel, then the /dev/grsec device is
> present and I can start using it right away (as long as gradm is installed).

Yeah so you need to enable it in the kernel (or “not disable it”, OK), then install some piece of software. I honestly don't buy the argument (but I don't think it's relevant anyway). In every case, it's really not that hard to have the thing enabled.

>
> Finally, since I'm already in the habit of quoting from grsecurity.net,
> there is much that Grsecurity is able to do through not being reliant on
> the Linux Security Modules framework:

Well, I don't need a quote from grsecurity.net (or AppArmor.net or SELinux.nsa.gov or whatever), because obviously none will say bad things about themselves.

Again, I'm not definitely against enabling RBAC, but I'd like something a bit more convincing…

--
Yves-Alexis