[CentOS] SELinux - way of the future or good idea but !!!

Wed Dec 1 13:22:24 UTC 2010
Eero Volotinen <eero.volotinen at iki.fi>

2010/12/1 Nico Kadel-Garcia <nkadel at gmail.com>:

>> Anyone willing to contribute funds (or time) to such a study?  It would be
>> educational experience and good PR, at the least.
>
> Oh, I know the holes and which would be straightforward to get to.
> There's generally enough lower hanging fruit with NFS stored
> passwords, email with passwords, and poorly managed elevation via SSH
> keys as policies before I even got there that this protection is like
> putting a bike lock on a jello mold.

How about a production-like server:

- firewall installed
- SELinux disabled
- all services except ssh and httpd disabled
-> sshd login enabled only with ssh keys and httpd protected via mod_security?
- CIS hardened fixes applied to OS
- latest kernel patches applied

--
Eero