Someone compile and setup to box 2.4.27-grsec with "High" mode and say me that i can use it for productions system without enabling RBAC.
Can anyone give me short describe what we will loss when we not enable RBAC? We will have 10% of security or 50% or 90%
?
We use Grsec for hosting server , so i think we need very wide acl rules which can work with mysql, posgress, apache and many other scripts, application.
If enabling RBAC really needed for above case, what is the stragegy with generating rules we must select? I think that just using full learn mode not help to us. Any ACL system need in good architecure of its' stucture and this is impossible by robot.
BTW. Per quick start guide usual practic for creating ACL is begin with rule deny ALL and then open required process, objects and etc. But, what about reverse order? When i need disallow only few processes may be will more easy - allow ALL and then denied only process which i really need denied?