Bastille or SELinux?

If you had to choose between Bastille and SELinux, consider what you really need from a security program. A Linux expert explains the tradeoffs and benefits of each based on factors such as monitoring, ease of maintenance and range of coverage.

I've seen your answer regarding the difference between Bastille and SELinux. My question is: should you have to choose one or the other to secure a server, which one would you prefer?

This is a difficult question to answer because I don't know what your security requirements are or what you are trying to protect against. Bastille and SELinux perform two quite different functions. Bastille is a hardening tool that secures elements of Linux/Unix-based operating systems. It is generally run once or perhaps twice a month to ensure the hardening settings are maintained. As such it's a fairly low-maintenance control, but it only secures a limited set of configuration items.

Alternatively, SELinux is a mandatory access control tool that can monitor all processes on your host and block activities that are inappropriate, or outside a specified policy. It runs inside the kernel, and requires configuration and generally some ongoing management. It is a much more comprehensive and complex control with a correspondingly greater overhead. As a control, and if configured correctly, SELinux has the potential to be highly effective in blocking attackers' attempts to compromise your hosts.

So selecting which control to implement really depends on:

a) What your security requirements are, and
b) What capacity and capability you have to implement and manage security controls.
