What do you generally think about the efforts of these projects, including EnGarde and SELinux?
Beale: Well, most of the security-enhanced distributions hinge on pretty deep kernel modifications. SELinux is primarily just NSA’s kernel mod. EnGarde uses the LIDS kernel patch. And WireX’s Immunix does this sort of thing too. In each case, the kernel modification primarily segments the system into pieces, such that someone breaking into one piece, say Apache, can’t modify the core system or any other piece, say, the SSH server. So even someone getting root on your system usually can’t actually do much, because they’ve only got root in the one piece of the system. They might be able to, at most, replace the Apache content, but they can’t create accounts or trojan your SSH daemon or any of that. It’s actually quite nice. On the other hand, any of this comes with much greater difficulty in system administration. I wouldn’t recommend almost anyone I know to run SELinux until they undergo some pretty significant training, self-training or otherwise. It’s just quite different to get used
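The segmentation Beale describes, as an added toy model (not SELinux's, LIDS's or any distribution's code) of default-deny type-enforcement allow rules: the domain and type names follow SELinux naming conventions, but the policy, file labels and paths are constructed here for illustration only.

```python
# Toy type-enforcement model (added example; not real SELinux policy semantics).
# Domain/type names mimic SELinux style; the rules and labels are constructed.
from typing import NamedTuple


class Rule(NamedTuple):
    domain: str        # subject context, i.e. the "piece" a process runs in
    target: str        # type label on the object being accessed
    cls: str           # object class, e.g. "file"
    perms: frozenset   # permissions this rule grants


# Constructed default-deny policy: each daemon gets only what its job needs.
POLICY = [
    Rule("httpd_t", "httpd_content_t", "file", frozenset({"read", "write", "create"})),
    Rule("httpd_t", "httpd_log_t", "file", frozenset({"append", "create"})),
    Rule("sshd_t", "sshd_key_t", "file", frozenset({"read"})),
    Rule("sshd_t", "shadow_t", "file", frozenset({"read"})),
    Rule("passwd_t", "shadow_t", "file", frozenset({"read", "write"})),
]

# Constructed labels for the objects the interview mentions.
LABELS = {
    "/var/www/html/index.html": "httpd_content_t",
    "/usr/sbin/sshd": "sshd_exec_t",
    "/etc/shadow": "shadow_t",
    "/etc/passwd": "passwd_file_t",
}


def allowed(domain, path, perm, cls="file"):
    """Default deny: permitted only if some rule grants perm on the object's type.
    (Real SELinux also applies ordinary DAC first and has many more classes.)"""
    target = LABELS.get(path, "unlabeled_t")
    return any(r.domain == domain and r.target == target and r.cls == cls and perm in r.perms
               for r in POLICY)


def what_root_in_apache_can_do():
    """UID 0 inside httpd_t: DAC would allow everything, TE confines it to Apache's piece."""
    d = "httpd_t"
    return {
        "replace web content": allowed(d, "/var/www/html/index.html", "write"),
        "trojan sshd binary": allowed(d, "/usr/sbin/sshd", "write"),
        "create account (write /etc/passwd)": allowed(d, "/etc/passwd", "write"),
        "read password hashes": allowed(d, "/etc/shadow", "read"),
    }


if __name__ == "__main__":
    for action, ok in what_root_in_apache_can_do().items():
        print(f"{'ALLOW' if ok else 'DENY':5}  {action}")
```

Only the first action is allowed; every other access is denied regardless of the process's UID, which is the "root in one piece of the system" property Beale describes.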