| 1 |
Hi there, |
| 2 |
|
| 3 |
I felt, I have to add my own ideas about this topic. |
| 4 |
|
| 5 |
Before I start I want to thank for all Hardened Gentoo developers for |
| 6 |
their valuable efforts.Keep it on guys, it worth it. |
| 7 |
|
| 8 |
Ed Wildgoose said: |
| 9 |
> |
| 10 |
>>Again, thanks for the long and thoughtful reply. From it, I think I |
| 11 |
>>discovered a part of my problem and that part lies with semantics. |
| 12 |
>>What I mean is this: when I see someone say Hardened Gentoo Project I |
| 13 |
>>have been thinking that this implicitly involves the SELinux |
| 14 |
>>subproject (not as one-and-the-same, but as an implicitly included |
| 15 |
>>subproject). After all, SELinux is clearly one of the subprojects of |
| 16 |
>>the Hardened Project and apparently a rather major one. From your |
| 17 |
>>last post, I now see that one can have a Hardened Gentoo System with |
| 18 |
>>SELinux or a Hardened Gentoo system without SELinux. Or at least, I |
| 19 |
>>think that's right. Could you confirm that? Can one also have a |
| 20 |
>>non-Hardened Gentoo system with SELinux? Is that what one gets by |
| 21 |
>>strictly following the SELinux install guide (no mention of special |
| 22 |
>>compiler or linker flags in there)? |
| 23 |
I begin from the roots, so here I quote some parts of the Hardened Gentoo |
| 24 |
Project's introduction page: |
| 25 |
"Hardened Gentoo |
| 26 |
|
| 27 |
1. Project Description |
| 28 |
Hardened Gentoo is a project which oversees the research, implementation, |
| 29 |
and maintainence of security oriented projects for Gentoo Linux. We are a |
| 30 |
team of very competent individuals dedicated to bringing advanced security |
| 31 |
to Gentoo with a number of subprojects." |
| 32 |
"4. Subprojects |
| 33 |
|
| 34 |
a. SELinux |
| 35 |
- Chris PeBenito |
| 36 |
SELinux is a system of mandatory access controls. SELinux can enforce |
| 37 |
the security policy over all processes and objects in the system. |
| 38 |
b. Propolice |
| 39 |
- pappy,solar |
| 40 |
Propolice is gcc Stack Smashing Protection that was written by Hiroaki |
| 41 |
Etoh of IBM. |
| 42 |
c. PaX/Grsecurity |
| 43 |
- Ned Ludd |
| 44 |
Grsecurity is a complete security solution providing such features as a |
| 45 |
MAC or RBAC system, Chroot restrictions, address space modification |
| 46 |
protection (via PaX), auditing features, randomization features, |
| 47 |
linking restrictions to prevent file race conditions, ipc protections |
| 48 |
and so much more. The hardened project provides examples of 1.9.x |
| 49 |
example MAC policies. |
| 50 |
d. Hardened GCC |
| 51 |
- Alexander Gabert |
| 52 |
Transparent implementation of PaX address space layout randomizations |
| 53 |
and stack smashing protections using ELF shared objects as executables. |
| 54 |
e. Hardened-Sources |
| 55 |
- Andrea Luzzardi |
| 56 |
A kernel which provides patches for hardened subprojects, and |
| 57 |
stability/security oriented patches. Includes Grsecurity or SELinux |
| 58 |
depending on USE flags. |
| 59 |
f. Hardened Stages |
| 60 |
- John P. Davis |
| 61 |
Complete x86 Gentoo Linux installation stages, enhanced with |
| 62 |
transparent Position Independent Executables and Propolice Stack |
| 63 |
Smashing Protection to take full advantage when used with PaX/Address |
| 64 |
Space Randomization Layouts" |
| 65 |
Comments: |
| 66 |
|
| 67 |
1. So "Hardened Gentoo" refers to the whole project including all kinds of |
| 68 |
subprojects, which are trying to enhance the security features of the |
| 69 |
distro. |
| 70 |
4.a. SELinux is a NSA project providing kernel space and user space |
| 71 |
modificaions of the system. This subproject is heading toward a state, |
| 72 |
when it will offer a working implementation of this a kind of access |
| 73 |
control. |
| 74 |
4.b. This subproject is about the pie/ssp (featuring solar, known well |
| 75 |
since 2.0.x times) stuff. The aim here is to provide enforced binaries, |
| 76 |
immune to stack smashing. |
| 77 |
4.c. This is based on a kernel patch and some user space utilities. The |
| 78 |
patch incorporates an other type of access control implementation totally |
| 79 |
different from SELinux, the PaX patch for kernel level stack smashing |
| 80 |
protection and many other security enhancements missing from other patches |
| 81 |
(read features list).PaX is a separate software project about stack smashing protection at |
| 82 |
kernel level. One can compile all binaries with support for it to make it |
| 83 |
more effective. Grsecurity is designed to include this beside many other |
| 84 |
improvements. |
| 85 |
4.d. Started to provide compile time support for stack-smashing protection |
| 86 |
and layout randomisation.It is a product of 4.b. on one hand and in conjunction with 4.c. on the |
| 87 |
other. |
| 88 |
4.e. Offers patches depending on the USE flag set. |
| 89 |
|
| 90 |
4.f. SELinux stages are separate from pie-ssp stages now. |
| 91 |
|
| 92 |
Theoretically it can be possible to combine these two, but practically |
| 93 |
these two need to be worked out at least separately.I suppose there will be another subproject about RSBAC, which is even |
| 94 |
another type of access control system for the kernel. It also provides |
| 95 |
unique features (eg. virus scanning). Visit their homepage or |
| 96 |
adamantix.org (Debian RSBAC/pie/ssp implementation initiative). It |
| 97 |
collides with Grsec and SELinux on the access controll level. But it can |
| 98 |
be applied in combination with PaX. |
| 99 |
When I asked for an optimal flagset on this list, my question was related |
| 100 |
to the pie/ssp stages installation. There are some quite exotic flags I've |
| 101 |
never seen before. |
| 102 |
For the future: I think every OS is about to incorporate built in |
| 103 |
protection for well known types of security issues (OpenBSD, upcoming |
| 104 |
NetBSD). Even WinXP SP2 is told to be equipped with some kind of |
| 105 |
hardening. As we can conclude base don open source experiences: it's quite |
| 106 |
easy to specify, but difficult to implement. SP2 seems to be late... I |
| 107 |
suspect "hardened" will be a default flag some time. |
| 108 |
Hardened flag will solve a lot of headaches, when it will be ready for use. |
| 109 |
|
| 110 |
Regards, |
| 111 |
Dw. |
| 112 |
|
| 113 |
>> |
| 114 |
>> |
| 115 |
>> |
| 116 |
> Think about "Hardened" with a big "H" meaning the overall project. And |
| 117 |
> "hardened" with a little "h" meaning something you can do to your |
| 118 |
> binaries! |
| 119 |
> |
| 120 |
> SELinux is a set of kernel patches to enforce ACL's on files. You |
| 121 |
> probably want this + the hardened gcc (ie "hardened" with a little |
| 122 |
> "h"). The only complication is this flux between how the hardened gcc |
| 123 |
> is used |
| 124 |
> |
| 125 |
> Actually I wonder if it might be easier to start with grsecurity in the |
| 126 |
> kernel rather than selinux...? At least for us dumbo's who can't read |
| 127 |
> the docs properly? I wonder if it is possible to have grsecurity in |
| 128 |
> the kernel and also selinux...? (especially under 2.6?) |
| 129 |
> |
| 130 |
>>But now may I ask: should I use these flags for doing an SELinux |
| 131 |
>>install? They are not mentioned in the SELinux install guide. But |
| 132 |
>>I'm trying to make this system as secure as reasonably possible right |
| 133 |
>>now (without compromising on stability) and so maybe I want a Hardened |
| 134 |
>>Gentoo system with SELinux. If so, should I set up these flags in |
| 135 |
>>make.conf before I run the bootstrap.sh script? |
| 136 |
>> |
| 137 |
>> |
| 138 |
> |
| 139 |
> Forget about selinux. This is independent to your gcc flags. The |
| 140 |
> other hardened is all about gcc flags. The flags you refer too are |
| 141 |
> "aparently" the old way to do hardened without the hardened-gcc |
| 142 |
> compiler... (See a previous thread a few days back where it was |
| 143 |
> explained to *me*). |
| 144 |
> |
| 145 |
> The suggestion I got was to upgrade to the latest stable gcc (3.3.2) |
| 146 |
> and add -fstack-protector to your CFLAGS. Once some time has passed |
| 147 |
> and |
| 148 |
> >=gcc-3.3.3r2 is in stable then you can remove that CFLAG item and |
| 149 |
> replace it with USE="hardened" instead. You could even do that today |
| 150 |
> apparently, but beware some problems with the not fully tested |
| 151 |
> gcc-3.3.3 |
| 152 |
> |
| 153 |
> So hardened and selinux appear to be complementary. The former refers |
| 154 |
> to how you build your binaries. The later is a kernel patch. |
| 155 |
> |
| 156 |
> I'm going to have to stop there though because I am a beginner like |
| 157 |
> yourself, and probably starting to give bogus advice if I go any |
| 158 |
> further. |
| 159 |
> |
| 160 |
> Good luck |
| 161 |
> |
| 162 |
> Ed W |
| 163 |
> |
| 164 |
> -- |
| 165 |
> gentoo-hardened@g.o mailing list |
| 166 |
|
| 167 |
|
| 168 |
-- |
| 169 |
dr Tóth Attila, Radiológus Rezidens, 06-30-5962-962 |
| 170 |
Attila Toth MD, Radiology Resident, +36-30-5962-962 |
| 171 |
|
| 172 |
|
| 173 |
|
| 174 |
-- |
| 175 |
gentoo-hardened@g.o mailing list |
Archives