<div dir="auto">The Center for Internet Security publishes some really good hardening guides for various operating systems, software, and devices. Their guide for Red Hat Enterprise Linux mandates the use of SELinux.<div dir="auto"><br></div><div dir="auto"><a href="https://www.cisecurity.org/benchmark/red_hat_linux/">https://www.cisecurity.org/benchmark/red_hat_linux/</a><br></div></div><br><div class="gmail_quote"><div dir="ltr">On Mon, Oct 29, 2018, 10:51 AM Jim Kinney via Ale <<a href="mailto:ale@ale.org">ale@ale.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="text-align:left;direction:ltr"><div>AppArmor is the Debian tool. </div><div>It is similar to SELinux in that it hardens application processes so they can access only the sockets and files they need to function (blocking 0-day privilege escalations). It does NOT support anything like MLS (multi-level security) or MGS (Multi-Group Security), which enforces user, group, process, file, and application communication based on defined relationships, with enforced access control and logging of all access and data movement.</div><div><br></div><div>On Mon, 2018-10-29 at 10:40 -0400, Simba via Ale wrote:</div><blockquote type="cite" style="margin:0 0 0 .8ex;border-left:2px #729fcf solid;padding-left:1ex"><pre>That's been true for years, but I think it's less so these days. Debian
has a lot of support in the commercial sector. Like I said, it's got
something similar to SELinux, but I don't recall; someone in #debian on
freenode explained it to me like a year ago.

Personally, I really dislike when someone in the commercial sector
believes they have to use RHEL because it's "the secure one", and I try
to encourage them to use Debian instead, because the stable branch is
plenty secure.

Of course, I realize I'm saying this right after a vulnerability was
spotted in systemd, but it's been patched at the source and I'm confident
a fix will be coming down the pipe soon.

<a href="https://security-tracker.debian.org/tracker/CVE-2018-15688" target="_blank" rel="noreferrer">https://security-tracker.debian.org/tracker/CVE-2018-15688</a>

We could argue forever over which distro is most secure... who's got the
time.


Simba Lion - <a href="https://tailpuff.net" target="_blank" rel="noreferrer">https://tailpuff.net</a>
<a href="https://keybase.io/simbalion" target="_blank" rel="noreferrer">https://keybase.io/simbalion</a>

"Why is a raven like a writing desk?"

On 10/29/18 10:26 AM, James Taylor via Ale wrote:</pre><blockquote type="cite" style="margin:0 0 0 .8ex;border-left:2px #729fcf solid;padding-left:1ex"><pre>Just an added note about meeting DoD requirements.
SUSE and Red Hat spend a lot of time upfront baking DoD security
specifications into each of their releases before they are allowed out
the door.
Government, and most commercial customers, care about that.
I don’t always use commercial versions of Linux for customer solutions,
but when I'm working with clients in regulated spaces, that doesn’t
fly far.
-jt

On Oct 29, 2018, at 9:33 AM, Beddingfield, Allen via Ale <<a href="mailto:ale@ale.org" target="_blank" rel="noreferrer">ale@ale.org</a>> wrote:</pre><blockquote type="cite" style="margin:0 0 0 .8ex;border-left:2px #729fcf solid;padding-left:1ex"><pre>Oh, and I forgot to mention: Support for LONG term releases,
backporting of fixes, and rigid change control.
For example: Want to upgrade from version 12.2 to version 12.3?
Better start the approval process a year early... document your
testing plan, provide a tested backout plan, have adequate testing
documented and verified by the proper people, pass the change control
approval process to go into a limited subset of test systems... wait
the required time for full deployment to test systems... wait the
required time for production rollout.
Or: Want to apply an in-the-wild zero-day exploit patch? Follow a
slightly faster variation of the above process.

The Debian or Ubuntu model will not pass the change control
requirements. These are the reasons that SUSE and Red Hat backport
fixes into an old version of a package for seven+ years, instead of
incrementing the version. That is why SUSE is still patching PHP
5.3.x on SLES 11 SP4.

Allen B.

_______________________________________________
Ale mailing list
<a href="mailto:Ale@ale.org" target="_blank" rel="noreferrer">Ale@ale.org</a>
<a href="https://mail.ale.org/mailman/listinfo/ale" target="_blank" rel="noreferrer">https://mail.ale.org/mailman/listinfo/ale</a>
See JOBS, ANNOUNCE and SCHOOLS lists at
<a href="http://mail.ale.org/mailman/listinfo" target="_blank" rel="noreferrer">http://mail.ale.org/mailman/listinfo</a>
</pre></blockquote></blockquote></blockquote><div><span><pre><pre>-- <br></pre>James P. Kinney III
Every time you stop a school, you will have to build a jail. What you
gain at one end you lose at the other. It's like feeding a dog on his
own tail. It won't fatten the dog.
- Speech 11/23/1900 Mark Twain
<a href="http://heretothereideas.blogspot.com/" target="_blank" rel="noreferrer">http://heretothereideas.blogspot.com/</a>
</pre></span></div></div>
</blockquote></div>