this post was submitted on 20 Jul 2024
160 points (98.8% liked)

Asklemmy

43903 readers
1028 users here now

A loosely moderated place to ask open-ended questions

Search asklemmy 🔍

If your post meets the following criteria, it's welcome here!

  1. Open-ended question
  2. Not offensive: at this point, we do not have the bandwidth to moderate overtly political discussions. Assume best intent and be excellent to each other.
  3. Not regarding using or support for Lemmy: context, see the list of support communities and tools for finding communities below
  4. Not ad nauseam inducing: please make sure it is a question that would be new to most members
  5. An actual topic of discussion

Looking for support?

Looking for a community?

~Icon~ ~by~ ~@Double_[email protected]~

founded 5 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 0 points 4 months ago (1 children)

The problem with SELinux/nftables/cgroups is that they don't come with a centralised log aggregator, and they don't do much blocking beyond the defaults for 99% of deployments.

You must not have heard of (r)syslog.

Also, SELinux is a massive pain to set up (even compared to AppArmor), and setting it up correctly is even worse.

I beg to differ, I find SELinux easy to setup. But your mileage may vary, depending on one’s experience.

CrowdStrike does a lot of what SELinux does but it's easier to configure, works on every operating system, and comes with tools to roll out configuration across an organisation. There's nothing close to that in the open source world. Even if you set up something yourself, you'll need to continuously tweak your setup not to get in the way of employees and to prevent alert fatigue from all of the false positives. Apparently, recent events show it doesn’t work on every OS… 😜

When talking about ease of use… Configuration is configuration. If you do not take the time to learn how to use your product, the product you know will always be better than the one you don’t. I’ve used Crowdstrike. I’ve battled them to get their kernel modules signing certificate to be signed by RedHat. I’ve battled them to have the possibility to have the auto update disabled. So no, I am not impressed by the quality of their product. I’ll bet any day a vanilla RHEL with the correct security related software and the latest updates outperforms and outclasses Crowdstrike.

I think a preconfigured solution like Security Onion combined with tons of group policy and Ansible can form an open source alternative, but that only monitors, whereas CrowdStrike also blocks. To block behaviour, you'll need to write code for most platforms, and that's just as likely to take down your org as an auto update from CrowdStrike. I can’t speak of MS products, as I have not managed them for 20 years, but all of this is not needed on a decent Linux distro.