this seems way complicated

Story: Improve Security with Linux PAMTotal Replies: 4
Author Content
tuxchick

Feb 29, 2008
7:50 AM EDT
Plus the article assumes you're not using SELinux. But if you're concerned enough about system security to mess with PAM, that doesn't seem like a good assumption.

The good news is The Linux-PAM System Administrators' Guide http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/Linu... is thorough and helpful. I remember way back when the old-style PAM was simple; a single, well-documented file. Then it was "improved." Those were the dark years. But the documentation finally caught up, hurrah!
herzeleid

Feb 29, 2008
9:17 AM EDT
> But if you're concerned enough about system security to mess with PAM, that doesn't seem like a good assumption.

It seems like an OK assumption to me. I'm pretty concerned about security, as are most SAs, but I don't used selinux. I suppose that all depends on what distros you use. The redhat folks use selinux, the suse and ubuntu folks use app armor.

The people I know who work with red hat servers have always ended up turning off selinux in frustration after struggling to get basic services e.g a website up and running.
tuxchick

Feb 29, 2008
9:51 AM EDT
Quoting: The people I know who work with red hat servers have always ended up turning off selinux in frustration after struggling to get basic services e.g a website up and running.


Me too, and I've spent a lot of time studying it. Ok then, never mind!
deepclutch

Mar 01, 2008
4:06 AM EDT
novell's apparmor any one tried :P even Ubuntu is bundling apparmor default in gutsy,

BTW SE linux -some easy configuration tool esp GUI should be provided in fedora distros :- JIMHO
herzeleid

Mar 01, 2008
9:05 AM EDT
> novell's apparmor any one tried

Sure, it's pretty simple to set up. There are pre-defined profiles for some common programs, and there is also a complain mode, which allows you to monitor a program in action, watch the apparmor complaints in the syslog, create a profile for it based on the actions reported, then switch it into enforce mode.

All in all, it's less frustrating to work with than selinux. Of course it is not the 100% answer to every possible security problem, no tool is, but it is quite useful

Posting in this forum is limited to members of the group: [ForumMods, SITEADMINS, MEMBERS.]

Becoming a member of LXer is easy and free. Join Us!