
AppArmor vs SELinux vs Grsecurity

AppArmor learns the behavior of applications through its established access controls (used for monitoring and reporting) and enforces per-application security policies.
Security-Enhanced Linux (SELinux) uses rule-based policy enforcement to restrict the functionality of users and services.
Grsecurity uses Linux Security Modules to enhance the security of the Linux kernel.

| Feature | AppArmor | SELinux | Grsecurity |
|---|---|---|---|
| Allow/Deny Policy | Yes | Yes | Yes |
| Hierarchical Domains | Yes | Yes | Yes |
| Object Types | Yes | Yes | Yes |
| Data Types | No | No | No |
| Account Management | No | Yes | Yes |
| Service Management | No | Yes | Yes |
| Network Management | No* | Yes | Yes |
| Access Control Lists | Yes | Yes | Yes |
| Role-Based Access Control | Yes | Yes | Yes |
| Security Context | No | Yes | No |
| Linux Kernel Module | Yes | Yes | Yes |
| Language | No | Yes | Yes |
| Unified Configuration | Yes | No | No |
| Doesn't Prohibit Other Applications & Tools | Yes | No | No |
| No Installation | No | No | No |
| Few Dependencies | Yes | No | Yes |
| Automated Execution | Yes | Yes | Yes |
| Learning Mode | Yes | No | Yes |
| Self-Managed (no framework, no user interaction) | Yes | No | No |
| Self-Healing (restorative, no user interaction) | No | No | No |
| Application Programming Interface | No | Yes | No |
| Remote Access Control | No | No | No |
| Intrusion Detection System | Yes | Yes | Yes |
| Logging | Yes | Yes | Yes |
| Report Generation | Yes | Yes | No |
| Intrusion Prevention System | Yes | No | No |
| Malware Protection | Yes | Yes+ | Yes+ |
| Updated Signature Scanning & Analysis | No | No | No |
| Deep Packet Inspection (DPI) | No | No | No |

+ Software supports only blacklisting.
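The Logging, Intrusion Detection System and Learning Mode rows above all rest on the same raw material: the audit records the kernel emits when a confined program trips its policy. An AppArmor profile in enforce mode logs `apparmor="DENIED"` and blocks the action, while a profile in complain mode logs `apparmor="ALLOWED"` and lets it through (this is what `aa-logprof` reads to propose profile rules); SELinux logs an `avc: denied` record with `permissive=0` when it blocked the action and `permissive=1` when the domain is merely being observed (the input `audit2allow` turns into policy). The parser below is an added example and not code from this blog or from either project; it normalizes both record formats into one event type and counts, per confined subject, how many hits were actually enforced versus only recorded. The log lines are constructed samples, not captured from a real host, and the `Event` fields are this example's own naming.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample audit records (not captured from a real system).
# Lines 1-2 are AppArmor: an enforce-mode denial, then a complain-mode (learning) hit.
# Lines 3-4 are SELinux: an enforcing denial, then a permissive-domain (learning) hit.
# Line 5 is a SYSCALL record that the parser must skip.
SAMPLE_LOG = """\
type=AVC msg=audit(1598893451.265:2351): apparmor="DENIED" operation="open" profile="/usr/sbin/nginx" name="/etc/shadow" pid=4242 comm="nginx" requested_mask="r" denied_mask="r" fsuid=33 ouid=0
type=AVC msg=audit(1598893451.300:2352): apparmor="ALLOWED" operation="open" profile="/usr/local/bin/myapp" name="/var/log/myapp.log" pid=4250 comm="myapp" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
type=AVC msg=audit(1598893452.101:2353): avc:  denied  { read } for  pid=4243 comm="httpd" name="shadow" dev="sda1" ino=131 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
type=AVC msg=audit(1598893452.150:2354): avc:  denied  { name_connect } for  pid=4243 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=1
type=SYSCALL msg=audit(1598893452.160:2354): arch=c000003e syscall=42 success=no exit=-13
"""

# key=value pairs, with or without double quotes around the value
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# the SELinux AVC header, capturing the requested permission(s) inside the braces
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s')


@dataclass(frozen=True)
class Event:
    lsm: str        # "apparmor" or "selinux"
    subject: str    # AppArmor profile name or SELinux source context
    operation: str  # AppArmor operation or SELinux permission(s) requested
    target: str     # object acted on (path, file name, port, ...)
    enforced: bool  # True if the kernel actually blocked the action


def _kv(line):
    """Turn the key=value tail of an audit record into a dict, unquoting values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def parse_audit_line(line):
    """Return an Event for an AppArmor or SELinux AVC record, else None."""
    if not line.startswith("type=AVC"):
        return None
    kv = _kv(line)
    if "apparmor" in kv:
        # Only DENIED means the action was blocked; ALLOWED/AUDIT are complain-mode hits.
        return Event("apparmor", kv.get("profile", "?"), kv.get("operation", "?"),
                     kv.get("name", "?"), kv["apparmor"] == "DENIED")
    m = AVC_RE.search(line)
    if m:
        target = kv.get("name") or kv.get("dest") or kv.get("path") or "?"
        target = f"{target} ({kv.get('tclass', '?')})"
        # permissive=1 means the domain is being observed, not enforced
        return Event("selinux", kv.get("scontext", "?"), m.group(1), target,
                     kv.get("permissive") == "0")
    return None


def parse_audit_log(text):
    """Parse every line of an audit log excerpt, skipping records we do not handle."""
    events = []
    for line in text.splitlines():
        ev = parse_audit_line(line)
        if ev is not None:
            events.append(ev)
    return events


def summarize(events):
    """Count hits per (lsm, subject, mode) so a reviewer sees which confined
    programs are tripping policy and whether the hits were blocked ("enforced")
    or merely recorded in complain/permissive mode ("learning")."""
    counts = Counter()
    for ev in events:
        mode = "enforced" if ev.enforced else "learning"
        counts[(ev.lsm, ev.subject, mode)] += 1
    return counts


if __name__ == "__main__":
    for key, n in sorted(summarize(parse_audit_log(SAMPLE_LOG)).items()):
        print(f"{key[0]:8} {key[2]:8} x{n}  {key[1]}")
```

The "learning" bucket is the one to review before flipping a profile or domain to enforcing: each entry is an action the policy would have blocked, so it is either a rule that still needs to be written or a behavior the program should not have. Real deployments read these records from `/var/log/audit/audit.log` (auditd) or the kernel log rather than from an inline string.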

Do you have a suggestion about how to improve this blog? Let's talk about it. Contact me at David.Brenner.Jr@Gmail.com or 720-584-5229.
