| 1 |
Hi Kevin, |
| 2 |
|
| 3 |
I'm just a beginner like you, but here is my take on things |
| 4 |
|
| 5 |
>That last sentence describes me, so I go there... |
| 6 |
> |
| 7 |
>So I follow the _Gentoo Hardened_ link which points to |
| 8 |
>http://hardened.gentoo.org from which I get redirected to |
| 9 |
>http://www.gentoo.org/proj/en/hardened/ |
| 10 |
> |
| 11 |
>Here I see a link: _SELinux x86 Install Guide_ which I followed. |
| 12 |
> |
| 13 |
> |
| 14 |
|
| 15 |
Yep, looking at the docs you came to reasonable conclusion. However, |
| 16 |
the fact remains if you re-read that page closely and read the couple of |
| 17 |
previous threads on this list (in the last few days). You can see that |
| 18 |
the "Hardened" project (capital H) covers a host of technologies. Some |
| 19 |
are patches to gcc or the kernel to basically tackle "stack overflows" |
| 20 |
(See Ned Ludd's links for a better description"), this means |
| 21 |
hardened-gcc + a PaX kernel, ie grsecurity). The other side of hardened |
| 22 |
is kernel level mandatory access controls, ie even root can't do |
| 23 |
everything (this bring linux up to the security levels of a *well* setup |
| 24 |
Windows machine, *dig, dig*) - this is the selinux part. |
| 25 |
|
| 26 |
So the hardened stages are compiled with a compiler that has added some |
| 27 |
extra code to watch for the stack being trampled. Selinux stages refer |
| 28 |
to using a kernel that has access controls *on every file*. |
| 29 |
|
| 30 |
Unfortunately you and I have arrived at a time when the gcc stuff is |
| 31 |
being migrated from an old style way of doing things to a much more |
| 32 |
gentoo and integrated way. In fact I get the impression that once this |
| 33 |
is sorted, then the whole of gentoo will likely get the "hardened" |
| 34 |
(little h) flag set by default...? However, right now, it's slightly |
| 35 |
broken I think? |
| 36 |
|
| 37 |
|
| 38 |
>Um... I'm trying to build a production server here. Should I stay away |
| 39 |
>from this stuff? It sounds like kinks and problems and documentation are |
| 40 |
>still being worked out. If I want a Gentoo server and I want it to be |
| 41 |
>providing public services on the Internet (albeit through a firewall), |
| 42 |
>what plan should I be using here (ie, what combination of boot CD image, |
| 43 |
>stage1 tarball, and documentation URL should I be using?)? |
| 44 |
> |
| 45 |
|
| 46 |
Tough call really... Lets look at it this way. I haven't tried Suse, |
| 47 |
but I am building my gentoo server to replace a Redhat webserver. I |
| 48 |
really like the way it just stays up to date, no fiddling round with |
| 49 |
packages and conf files every time you update. I have also never had a |
| 50 |
problem with updating to later versions of packages either, which is |
| 51 |
something that terrifies me on a production machine, and although I have |
| 52 |
read stories of other people getting caught, it is really easy to roll |
| 53 |
back to the older package if neccessary! |
| 54 |
|
| 55 |
However, the hardened project is taking some really complex stuff and |
| 56 |
integrating it into the gentoo system so that you can just click a |
| 57 |
button and have it work. This will be really worth having, but since |
| 58 |
you are probably a busy sysadmin with little appetite to take risks on a |
| 59 |
system right now, then I would suggest that you be cautious about |
| 60 |
getting on the bleeding edge. |
| 61 |
|
| 62 |
Why not look to take the stage2-hardened build (if there is such a |
| 63 |
thing). And ignore the selinux stuff for the time being? I'm in pretty |
| 64 |
much the same situation, but having 2 gentoo servers already I have a |
| 65 |
bit more confidence. However, I am considering starting with a stage-x |
| 66 |
hardened, (and then pretty much following the normal gentoo install) |
| 67 |
|
| 68 |
You need some confirmation from the experts, but with the hardened |
| 69 |
builds, it is basically a normal install but with a different compiler, |
| 70 |
and choose a pax kernel as well. You need confirmation though as to |
| 71 |
whether: |
| 72 |
|
| 73 |
a) you stick with the hardened gcc ebuild which is now obselete |
| 74 |
b) upgrade to gcc 3.3.2 which is stable, and add -fstack-protector to |
| 75 |
your CFLAGS |
| 76 |
c) Upgrade to gcc 3.3.3-r2 and how that none of the bugs bite (less |
| 77 |
likely with a stage-2 or stage-3 build...?), and add USE="hardened" |
| 78 |
|
| 79 |
b) is the safest for a production machine, and worst case you will have |
| 80 |
less protection that you wanted, but better than a standard build. |
| 81 |
Everything should compile ok. |
| 82 |
|
| 83 |
>I've already |
| 84 |
>uncovered a bug in the ebuild for the gs_sources kernel (involving the |
| 85 |
>Device Mapper patch) which is supposedly for production servers. |
| 86 |
> |
| 87 |
|
| 88 |
Bad luck. gs_sources is slightly unstable I think? Well, remember that |
| 89 |
it isn't a Linus kernel so it is going to be patches that haven't been |
| 90 |
merged into stable yet.... I think it was just bad luck though, you |
| 91 |
would presumably have the same problems if you took a stable kernel and |
| 92 |
added your own patches... Personally I prefer the 2.6 kernels, try -MM |
| 93 |
for a bleeding edge that seems to be pretty stable. |
| 94 |
|
| 95 |
>I'm |
| 96 |
>starting to get the impression that Gentoo is just not ready (with or |
| 97 |
>without Hardened or SELinux) for production servers, |
| 98 |
> |
| 99 |
|
| 100 |
Disagree, but in return for possibly finding a few bugs, you get a |
| 101 |
lovely distribution. Redhat and Suse have plenty of gremlins in my |
| 102 |
experience. You have been unfortunate to find a few in Gentoo. |
| 103 |
|
| 104 |
Personally, I found that all problems I ever found in gentoo were fairly |
| 105 |
easy to fix, and I wouldn't class myself as much of a linux expert. In |
| 106 |
contrast I can do a lot more with gentoo than with my redhat machines. |
| 107 |
Well worth it in my experience. |
| 108 |
|
| 109 |
>and almost certainly |
| 110 |
>not with Hardened or SELinux. |
| 111 |
> |
| 112 |
|
| 113 |
Perhaps... I haven't used hardened enough to comment. But from what I |
| 114 |
have seen, this time next year all linux builds will be "hardened" |
| 115 |
(little h), and secure sites will use selinux. I can't see selinux |
| 116 |
becoming mainstream for a good few years yet though. |
| 117 |
|
| 118 |
Consider trying selinux only via user-mode linux for now...? |
| 119 |
|
| 120 |
>Could someone give me the skinny on this? |
| 121 |
>Am I barking up the wrong tree trying to use Gentoo to build a production |
| 122 |
>server? Though I'm no developer, I am a reasonably sophisticated Linux |
| 123 |
>geek with about 9 years doing sysadmin on Linux boxen, and I'm having |
| 124 |
>real problems here. Should I go back to SuSE? |
| 125 |
> |
| 126 |
|
| 127 |
Nah. You will find gentoo a piece of cake. |
| 128 |
|
| 129 |
The situation is as clear as this. Gentoo has a dead easy installer, |
| 130 |
but it is manual. ie you read the docs, type in all the commands in |
| 131 |
sequence, and you get a build out the other end. After that it takes |
| 132 |
about 10 mins a month to keep it up and running. Other distros are |
| 133 |
easier to get going, but to be honest, after I built the first few |
| 134 |
machines I have absolutely no problem with the manual setup - agreed it |
| 135 |
looks annoying the first time (Actually I think a small shell script |
| 136 |
would just do the whole lot and I wonder why there aren't more basic |
| 137 |
installers available..?) |
| 138 |
|
| 139 |
Suggest that if you have probs then just revert to a normal gentoo |
| 140 |
build. Follow the install, perhaps with a stage-2 or 3 the first time, |
| 141 |
and play with the finished machine. Then try again with hardened or |
| 142 |
whatever. The point is it is pretty easy when you have done it once, |
| 143 |
and worth the effort |
| 144 |
|
| 145 |
Ed W |
| 146 |
|
| 147 |
-- |
| 148 |
gentoo-hardened@g.o mailing list |
Archives