Fu-rch, Arch install made easy

Discussion in 'all things UNIX' started by kareldjag, Mar 17, 2014.

  1. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,065
    Location:
    Canada
    This is why I steered away from Arch.
     
  2. tlu

    tlu Guest

    Yes, but if you use the linux-grsec kernel, RBAC is available. More details here and here. I haven't tried it yet but I'm going to play with it today to see how it goes ;)
     
  3. tlu

    tlu Guest

    Just started to try RBAC but failed :oops:

    When I entered

    Code:
    gradm -P admin
    or

    Code:
    gradm -F -L /etc/grsec/learning.log
    as root I got:

    @0strodamus: Did you have the same problem?
     
  4. 0strodamus

    0strodamus Registered Member

    Joined:
    Aug 23, 2009
    Posts:
    1,058
    Location:
    United Surveillance States
    Sorry, but I don't recall. Because I have to compile to get TOMOYO back, I've been spending time learning how to optimize the kernel for my system. I'll post back when I find time to try grsecurity again.
     
  5. tlu

    tlu Guest

    I must correct myself. gradm works now - I simply had forgotten to execute

    sudo grub-mkconfig -o /boot/grub/grub.cfg

    I'm getting senile ... :'(
     
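    As an added example (not from tlu's post or from any Arch or grsecurity project code), a small POSIX shell check for the failure mode described above: gradm can only work once a grsec kernel is actually booted, and that kernel is not offered at boot until grub.cfg has been regenerated. It assumes the vmlinuz-linux-grsec image name and the /proc/sys/kernel/grsecurity sysctl tree that the Arch linux-grsec package provided; the kernel release strings and grub.cfg lines used for testing are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumptions: Arch's linux-grsec
# package installs /boot/vmlinuz-linux-grsec and a booted grsec kernel
# exposes /proc/sys/kernel/grsecurity (CONFIG_GRKERNSEC_SYSCTL).

# Return 0 if a kernel release string (as printed by uname -r) is a grsec build.
is_grsec_kernel() {
    case "$1" in
        *grsec*) return 0 ;;
        *)       return 1 ;;
    esac
}

# Return 0 if the given grub.cfg contains an entry that boots the grsec image.
grub_offers_grsec() {
    grep -q 'vmlinuz-linux-grsec' "$1" 2>/dev/null
}

# Classify the state for kernel release $1 and grub.cfg path $2:
#   0 = grsec kernel is running (gradm can be used)
#   1 = grub.cfg has no grsec entry (grub-mkconfig was not run, tlu's case)
#   2 = grub.cfg offers grsec but a different kernel was booted
grsec_status() {
    if is_grsec_kernel "$1"; then
        echo "running grsec kernel: $1"
        return 0
    fi
    if ! grub_offers_grsec "$2"; then
        echo "no grsec entry in $2; run: grub-mkconfig -o /boot/grub/grub.cfg"
        return 1
    fi
    echo "$2 offers grsec but $1 is running; reboot into the grsec entry"
    return 2
}

# Live check of the current system, only when explicitly requested.
if [ "${GRSEC_CHECK_LIVE:-0}" = 1 ]; then
    grsec_status "$(uname -r)" /boot/grub/grub.cfg
    if [ -d /proc/sys/kernel/grsecurity ]; then
        echo "grsecurity sysctl tree present; gradm -P admin can now be run"
    fi
fi
```

Run it with `GRSEC_CHECK_LIVE=1 sh grsec-check.sh` on the machine itself; without that variable it only defines the functions.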
  6. tlu

    tlu Guest

    I would just like to inform you that I ditched Kubuntu and have been running Arch for about 3 weeks. I didn't install it with Fu-rch but with the help of the excellent Beginner's Guide in the Arch wiki without big problems. I chose KDE as my DE, of course :)

    Everything is running very well so far, including, e.g., Virtualbox, Wine and dnscrypt-proxy (with dnsmasq). The system is lean and fast.

    What else? Ah yes - AppArmor is missing. I've installed the linux-grsec kernel instead but, unfortunately, can't use it as I'm unable to start any Virtualbox VM nor a specific application in Wine. (That's why I haven't even tried RBAC.) Oh well - I like AppArmor and it's always been nice to have but I think my system is safe enough without it (besides, it's broken in Ubuntu 14.04, too).

    In short, I think I will stay with Arch - unless something goes terribly wrong ... ;)
     
  7. 0strodamus

    0strodamus Registered Member

    Joined:
    Aug 23, 2009
    Posts:
    1,058
    Location:
    United Surveillance States
    AppArmor was disabled in the default Arch kernel a short time ago. You'll need to compile a custom kernel to get it back. Another option is to use the linux-lts kernel. I opted to do the custom kernel to re-enable TOMOYO and remove a bunch of stuff I don't need.
     
    Last edited: May 22, 2014
  8. tlu

    tlu Guest

    I know. But I don't want to do this - too time-consuming.

    Yes, but the reasoning for dropping AppArmor, SELinux, Tomoyo support was that "we don't support the userspace for any of those." So I'm not sure if using the lts kernel makes really sense if the userspace tools are not properly maintained.
     
  9. 0strodamus

    0strodamus Registered Member

    Joined:
    Aug 23, 2009
    Posts:
    1,058
    Location:
    United Surveillance States
    I can't blame you. It is time-consuming - especially at the beginning. Now that I've done it enough times to think I know what I'm doing it's not too bad. About 10 minutes to gather and update the official package files with my changes, then about another 10 minutes to compile. For me, that's time well-spent to be able to continue using my favorite Linux security tool.
    The TOMOYO 2.x userspace tool was being well maintained in the AUR. The AUR maintainer immediately updated the userspace package after it was broken by the kernel change - that's how I learned why TOMOYO had stopped working on my system. I don't know how well AppArmor was being maintained though because I never used it.

    I wish the Arch devs had decided to officially support the userspace tools, instead of dropping everything.
     
  10. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
  11. tlu

    tlu Guest

    Thanks, I had already noticed that. I will look into it. Although linux-grsec with RBAC is probably the better solution - if it only would work with Virtualbox ... :'(
     
  12. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,065
    Location:
    Canada
    It's now called Evolution, and I used it earlier today to install Arch over a network connection. What an incredibly painless and time-saving way to install Arch :thumb:
     
  13. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    741
    Location:
    United States
    I'm not sure what I did wrong but this came with no installed browser and some of the settings were grayed out. Probably something I missed in the install.
     
  14. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,065
    Location:
    Canada
    Are you referring to the lution-AIS installer itself or the Arch version you installed from it?
     
  15. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    741
    Location:
    United States
    The Arch I installed from it. I must have missed something for it to be like that.
     
  16. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,065
    Location:
    Canada
    Maybe, although Arch is generally a very lean installation upon completion, especially depending on the desktop environment you chose. I went with xfce + Extras but I still needed to add quite a few packages to get it tailored for my needs. Why some settings were grayed out for you, I don't know. I take it you have sudo rights? BTW, I had the online guide open and followed it during installation. It helped me a lot.
     
  17. linuxforall

    linuxforall Registered Member

    Joined:
    Feb 6, 2010
    Posts:
    2,137

    AppArmor, PIE and many other out-of-the-box protections in Ubuntu, along with stable packages which are backported as per needs, are the hallmark of Ubuntu. I use both Ubuntu and Arch, but for my mass deployment machines and work machines it's strictly Ubuntu LTS; I don't bother with the other Ubuntu releases either. You can see many of the newer kernel features dealing with hardware and other enhancements backported from upstream, same with files. AppArmor has some features from version 3.0 in LTS Ubuntu. https://wiki.ubuntu.com/Security/Features Also AUR is not the same as PPA, which gets matched packages for a particular version of the distro, which prevents library errors. Also developers put up their own PPAs, unlike AUR, which is ported by some user; therefore the dev and Ubuntu team PPAs are way more secure, safer and stable.
     
  18. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
  19. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    There is also the Arch DeveloperWiki:Security page which explains which security features are implemented in Arch. I haven't looked into the details very deeply so I don't really know how it compares with Ubuntu. Regarding AppArmor, it's a pity that the Arch kernel no longer supports it. If you compile your own kernel the AUR apparmor package works very well. However, I don't use it anymore but I have sandboxed many critical applications with Firejail.

    But aside from this, there are other security aspects if you compare different distros. I haven't tried Ubuntu for a long time but am running Debian Jessie in a VM. Now most people would argue, Debian Stable means old packages but no worry - you'll get security updates/patches for them. However, this is only partially true. I installed the debian-security-support package (which isn't installed by default - why not?) and executed check-support-status. I got this list of packages which don't receive security updates anymore:

    I guess that Ubuntu will also be affected. And you can never be sure that all the (possibly security-relevant) packages you're using from universe will be maintained till the end of life of your LTS version. You certainly won't run into such a problem with Arch.

    The first argument is not really relevant, IMHO, as there is no "particular version" of Arch (aside from different DEs and default and LTS kernel). Your second argument is also dubious: Many or even most PPAs are not put up by developers, and most users are not aware of this. On the other hand, the PKGBUILD file for an AUR package is more transparent so every user can see what the AUR packager is doing.
     
  20. linuxforall

    linuxforall Registered Member

    Joined:
    Feb 6, 2010
    Posts:
    2,137
    LWN tested Arch and found that it was slow on certain security patches and also that some security patches were dependent on the availability of new packages. Since you have not read the security wiki of Ubuntu in detail, many of the features built in need total reprogramming of entire binaries from Arch to implement them. All those can only be done on Gentoo but with full knowledge, so not for regular folks. As for your argument, I guess Ubuntu and Red Hat, which are deployed in mission critical scenarios like CERN, Tianhe-2 et al., are under risk? Unless Arch gets funding, it's not just possible for a thirty member team to keep up with masses of package testing, regressions and security. Allan McRae, when confronted years back with the lack of Arch package signing, made an irresponsible statement in which he claimed that he can't be responsible for it as he would need $1000 an hour to work full time with Arch for security work. So that's the attitude here: if **** happens, we never told you to use Arch.

    Secondly, all major program PPAs like Libreoffice, VLC, Open Shot, Blender, WINE, Graphics drivers from nvidia, Transmission and many more are DEVELOPER ones. Show me one such developer doing AUR?

    Again, it's not Arch vs Ubuntu, it's all about Linux, your priorities, your preference and of course the freedom of choice, and that's why we do LINUX. I enjoy both Ubuntu LTS and cutting edge Arch.
     