DEMYSTIFY: The Choice Between SELinux or AppArmor
- Published: 14 Jun 2024
- Overwhelmed by security options for your Linux system? SELinux and AppArmor are both powerful contenders, but which one is the best choice?
This video gives you the information to decide between SELinux and AppArmor. I'll break down their functionalities, complexity, and how to choose the right one for you.
AI Thumbnail Image: SELinux and AppArmor comparison
Red Hat: Using SELinux: access.redhat.com/documentati...
Mastering Linux Security and Hardening: amzn.to/3VgWFQo
This is a comprehensive book covering most of the common areas of Linux to secure and harden
Canonical AppArmor Wiki: wiki.ubuntu.com/AppArmor
Chapters
00:00 - Intro
00:41 - Linux Security Modules
01:57 - What is SELinux and AppArmor?
03:28 - Core Differences
05:27 - Which one do you choose?
06:44 - Final Thoughts
Support me on Patreon: / djware
Follow me:
Twitter @djware55
Facebook: / don.ware.7758
Gitlab: gitlab.com/djware27 - Science
AppArmor for home. SELinux for professional deployments.
During the configuration period, prior to connecting to the internet, where you are assuming a network compromise by an advanced persistent actor, you harden with whatever is available. The intent being to roll into SELinux. If that isn't happening because you lack the experience or you just don't care enough about the system, then you use things like snap and AppArmor.
And Tails OS and Tor for the dark web.
My favorite documentation about SELinux is that "SELinux coloring book" Red Hat themselves put out a while back, lol
That sounds more interesting than the PDF haha...and I do not remember that one, probably about the time I moved off of Red Hat back in early 2002
❤ Great video as always. Perhaps a video on configuring AppArmor ... SELinux seems scary haha.
Thx! Am new-ish(5yrs of exploring the vastness) to the *nix world & realms. Your vids help choices to be made quite easier. Much appreciated 👍
Thanks for reminding me that I still need to secure my Arch Box
These are the major things I don't really do currently.
I've set up disk encryption (obviously), Firewalls (naturally), secure boot with kernel lockdown, and even the annoying (at least on KDE where there isn't a GUI applet) usbguard.
But MAC is as of yet missing.
I'd like to add one other consideration to your points. And that is compatibility.
At least Arch Linux doesn't officially support SELinux, and if you want to use it, you have to get core system tools from the AUR.
Meanwhile with something like Fedora, it's obviously already set up. All you have to do is live with it (it can certainly mess things up sometimes, at least if you develop software that plugs into the system).
Good points and oh yeah you sure can mess things up, I do have SELinux running on Arch and yep I had to go to the AUR. AppArmor was present but it's version 3.0, the AUR has the latest version 4.0+
@CyberGizmo btw, while looking around out of interest, I found that the Gentoo Linux Wiki has a nice explanation of SELinux, even with graphics. It's a subpage called Quick introduction.
Perhaps you want to add that to the links. While redhat is a major contributor and probably better as reference, the Gentoo wiki seems better at explaining the idea to me.
firejail your browser and user-space too .. lockdown .. lockdown .. :D
fascinating to watch and difficult to follow . I love this channel
Thank you!
This was an interesting discussion and you covered a topic I’ve been interested in delving into. I’ve been curious about the differences between AppArmor and SELinux. I’m running Fedora Server on an older desktop as a home lab. Sometimes with SELinux I feel it is too complex for me, but I’m interested in learning it. I may switch to Debian Server or Ubuntu Server and take my time learning AppArmor, and keep Fedora Server within a VM and test it out. I’m an infosec student who’s trying to understand and learn about various security measures to protect my systems.
might also be important to some that SELinux is developed by the NSA
Not quite, the NSA developed FLASK/TE and SELinux is based on that, but I believe Red Hat developed SELinux. Close though
@CyberGizmo NSA still has some whitepapers out there from 2002, but at that time it was actually on the main nsa.gov website and I was watching it closely and at that time there were no Linux flavors I could try it out on. Not sure when or how Red Hat got the right to say they developed it, but the current wiki article shows Red Hat as the developer. I just did a search for NSA SELinux and found 3 of the old whitepapers still out there and available
They wouldn't release code connected to them with known vulnerabilities and backdoors. Other high level actors would roast them and it would degrade their professional esteem and erode public confidence, which is not a worthwhile trade-off when there are scores of other vulnerabilities they have no connection or official connection with. @CyberGizmo
how are they applicable for home lab, workstation, the computers that only one person use? needed? or overkill?
If they are connected to the internet I would recommend checking into one of the two
Setting up an AppArmor profile for Firefox, along with a sane firewall policy, is absolutely a good idea if you ever venture off "big tech" when on the web. Sometimes I need to find obscure technical PDFs that the manufacturer, for whatever reason, doesn't feel like making available any more. It goes without saying that quite a lot of the sites that host old PDFs are A) Not the epitome of security, and B) Inclined to monetize via "less traditional avenues".
The odds of any given site having a zero-day exploit for Firefox injected/installed are low.... But never zero. The more random sites you visit, the more those "never zero" odds start stacking up against you. For that reason my personal opinion is that a web browser is like promiscuous sex: "Never do it unprotected. Never take anything at face value. Always expect others to be in it for their own gratification".
WDTNTV I hope, look at this 25 min video titled; Butler Co. sheriff addresses what he learned at conference where all the sheriffs from all over the US went to DC Jan 2024 IIRC and talks about Cyber Sec. This has been going on a very, very long time. Why I'm in the process of building a pfSense box that can also handle other VMs and containers, have 64GB of RAM so we'll see, 13th Gen Intel. Wish I would have waited and just gotten that Minisforum MS-01 i9-13... I think. Oops, forgot. Thanks for the vid !!
Where do you download SELinux? I did a search a few days ago and I received info that indicated the OS was no longer updated...
If you are using Arch, you will find it in the AUR; for any others it's a package. On Fedora and Red Hat it's already installed and configured for you. Hope that helps
Interesting video, other good topics could be seccomp or Linux capabilities
I thought about including seccomp in this video, but decided to keep it simple and talk about the two I thought people might have heard about. And that does give me another topic to cover in the future.
Is this ai generated video title art?
Partially, I always put the fact that I use AI for the thumbnail in my video description, I do it as a remembrance of what Byte Magazine used to do with their cover art (except they did it with real artists) and I do it with AI because I cannot afford to hire a real artist.
wow