<quote who="Paul Howarth">
> On Sat, 2005-08-20 at 10:59 -0400, AragonX wrote:
> Security is not easy. IMHO SELinux is a worthwhile investment of effort.
> It is also completely different from LIDS and performs a different
> function. LIDS attempts to detect that an intrusion has happened.
> SELinux tries to prevent the intrusion happening in the first place, and
> to limit the damage that occurs if it does.

It may seem like that is the focus of LIDS but that is not the case. LIDS primarily is a kernel patch that provides ACL (Access Control Lists). It limits drastically root's (and any account's) ability to access files. It does perform a very similar function to SELinux. The real advantage for me is that its configuration is extremely simple. Much easier for me to work with than SELinux has been. :/

>> I'm looking for more preventative measures. It appears that LIDS and
>> mod_security are the only ones in that role now. Should I jail apache?
>> Would that give me any benefits over what LIDS provides?
>
> Yes it would.

Since LIDS does something different than originally thought, is this statement still correct?

Thanks for the reply.