Hi there,

I felt I have to add my own ideas about this topic.

Before I start I want to thank all Hardened Gentoo developers for
their valuable efforts. Keep it on guys, it's worth it.

Ed Wildgoose said:
>
>>Again, thanks for the long and thoughtful reply. From it, I think I
>>discovered a part of my problem and that part lies with semantics.
>>What I mean is this: when I see someone say Hardened Gentoo Project I
>>have been thinking that this implicitly involves the SELinux
>>subproject (not as one-and-the-same, but as an implicitly included
>>subproject). After all, SELinux is clearly one of the subprojects of
>>the Hardened Project and apparently a rather major one. From your
>>last post, I now see that one can have a Hardened Gentoo System with
>>SELinux or a Hardened Gentoo system without SELinux. Or at least, I
>>think that's right. Could you confirm that? Can one also have a
>>non-Hardened Gentoo system with SELinux? Is that what one gets by
>>strictly following the SELinux install guide (no mention of special
>>compiler or linker flags in there)?
I begin from the roots, so here I quote some parts of the Hardened Gentoo
Project's introduction page:
"Hardened Gentoo

1. Project Description
Hardened Gentoo is a project which oversees the research, implementation,
and maintenance of security oriented projects for Gentoo Linux. We are a
team of very competent individuals dedicated to bringing advanced security
to Gentoo with a number of subprojects."
"4. Subprojects

a. SELinux
- Chris PeBenito
SELinux is a system of mandatory access controls. SELinux can enforce
the security policy over all processes and objects in the system.
b. Propolice
- pappy, solar
Propolice is gcc Stack Smashing Protection that was written by Hiroaki
Etoh of IBM.
c. PaX/Grsecurity
- Ned Ludd
Grsecurity is a complete security solution providing such features as a
MAC or RBAC system, Chroot restrictions, address space modification
protection (via PaX), auditing features, randomization features,
linking restrictions to prevent file race conditions, ipc protections
and so much more. The hardened project provides examples of 1.9.x
example MAC policies.
d. Hardened GCC
- Alexander Gabert
Transparent implementation of PaX address space layout randomizations
and stack smashing protections using ELF shared objects as executables.
e. Hardened-Sources
- Andrea Luzzardi
A kernel which provides patches for hardened subprojects, and
stability/security oriented patches. Includes Grsecurity or SELinux
depending on USE flags.
f. Hardened Stages
- John P. Davis
Complete x86 Gentoo Linux installation stages, enhanced with
transparent Position Independent Executables and Propolice Stack
Smashing Protection to take full advantage when used with PaX/Address
Space Randomization Layouts"
Comments:

1. So "Hardened Gentoo" refers to the whole project including all kinds of
subprojects, which are trying to enhance the security features of the
distro.
4.a. SELinux is an NSA project providing kernel space and user space
modifications of the system. This subproject is heading toward a state
when it will offer a working implementation of this kind of access
control.
4.b. This subproject is about the pie/ssp (featuring solar, known well
since 2.0.x times) stuff. The aim here is to provide enforced binaries,
immune to stack smashing.
4.c. This is based on a kernel patch and some user space utilities. The
patch incorporates another type of access control implementation totally
different from SELinux, the PaX patch for kernel level stack smashing
protection and many other security enhancements missing from other patches
(read features list). PaX is a separate software project about stack
smashing protection at kernel level. One can compile all binaries with
support for it to make it more effective. Grsecurity is designed to
include this beside many other improvements.
4.d. Started to provide compile time support for stack-smashing protection
and layout randomisation. It is a product of 4.b. on one hand and in
conjunction with 4.c. on the other.
4.e. Offers patches depending on the USE flag set.

4.f. SELinux stages are separate from pie-ssp stages now.

Theoretically it can be possible to combine these two, but practically
these two need to be worked out at least separately. I suppose there will
be another subproject about RSBAC, which is even another type of access
control system for the kernel. It also provides unique features (e.g.
virus scanning). Visit their homepage or adamantix.org (Debian
RSBAC/pie/ssp implementation initiative). It collides with Grsec and
SELinux on the access control level. But it can be applied in
combination with PaX.
When I asked for an optimal flagset on this list, my question was related
to the pie/ssp stages installation. There are some quite exotic flags I've
never seen before.
For the future: I think every OS is about to incorporate built in
protection for well known types of security issues (OpenBSD, upcoming
NetBSD). Even WinXP SP2 is told to be equipped with some kind of
hardening. As we can conclude based on open source experiences: it's quite
easy to specify, but difficult to implement. SP2 seems to be late... I
suspect "hardened" will be a default flag some time.
Hardened flag will solve a lot of headaches, when it will be ready for use.

Regards,
Dw.

>>
>
> Think about "Hardened" with a big "H" meaning the overall project. And
> "hardened" with a little "h" meaning something you can do to your
> binaries!
>
> SELinux is a set of kernel patches to enforce ACL's on files. You
> probably want this + the hardened gcc (ie "hardened" with a little
> "h"). The only complication is this flux between how the hardened gcc
> is used
>
> Actually I wonder if it might be easier to start with grsecurity in the
> kernel rather than selinux...? At least for us dumbos who can't read
> the docs properly? I wonder if it is possible to have grsecurity in
> the kernel and also selinux...? (especially under 2.6?)
>
>>But now may I ask: should I use these flags for doing an SELinux
>>install? They are not mentioned in the SELinux install guide. But
>>I'm trying to make this system as secure as reasonably possible right
>>now (without compromising on stability) and so maybe I want a Hardened
>>Gentoo system with SELinux. If so, should I set up these flags in
>>make.conf before I run the bootstrap.sh script?
>>
>
> Forget about selinux. This is independent of your gcc flags. The
> other hardened is all about gcc flags. The flags you refer to are
> "apparently" the old way to do hardened without the hardened-gcc
> compiler... (See a previous thread a few days back where it was
> explained to *me*).
>
> The suggestion I got was to upgrade to the latest stable gcc (3.3.2)
> and add -fstack-protector to your CFLAGS. Once some time has passed
> and >=gcc-3.3.3r2 is in stable then you can remove that CFLAG item and
> replace it with USE="hardened" instead. You could even do that today
> apparently, but beware some problems with the not fully tested
> gcc-3.3.3
>
> So hardened and selinux appear to be complementary. The former refers
> to how you build your binaries. The latter is a kernel patch.
>
> I'm going to have to stop there though because I am a beginner like
> yourself, and probably starting to give bogus advice if I go any
> further.
>
> Good luck
>
> Ed W
>
> --
> gentoo-hardened@g.o mailing list


--
Dr. Attila Tóth, Radiology Resident, 06-30-5962-962
Attila Toth MD, Radiology Resident, +36-30-5962-962



--
gentoo-hardened@g.o mailing list
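The thread above turns on two build-time properties of a binary: whether it was built as a Position Independent Executable (the "pie" half of the pie/ssp stages) and whether it carries ProPolice/SSP stack-smashing protection (the `-fstack-protector` CFLAG or `USE="hardened"`). The script below is an added example, not code from the original post or from any Gentoo tool, showing how a defender can verify both on an ELF file after a hardened build. It reads the ELF header's `e_type` (PIE binaries are `ET_DYN`, fixed-address ones `ET_EXEC`) and searches the file for the SSP runtime symbol names: `__stack_smash_handler` for the gcc 3.x ProPolice patch discussed in the thread and `__stack_chk_fail` for later gcc. The byte search is a simplification assumed for this example (a complete check would walk the dynamic symbol table), and the sample headers are constructed inline so the script runs without a real binary.

```python
"""Report PIE and SSP status of an ELF file from its header and symbol names.

Added example for the gentoo-hardened thread; the ELF samples built by
make_sample() are constructed for demonstration and are not loadable binaries.
"""
import struct
import sys

ET_EXEC = 2  # fixed-address executable: cannot be relocated, so not PIE
ET_DYN = 3   # shared object / position-independent executable

# Runtime symbol the compiler emits when SSP instruments a function:
# ProPolice on gcc 3.x used __stack_smash_handler, gcc 4.1+ uses __stack_chk_fail.
SSP_SYMBOLS = (b"__stack_smash_handler", b"__stack_chk_fail")


def elf_type(data: bytes) -> int:
    """Return e_type from the ELF header, honouring the file's class and byte order."""
    if len(data) < 52 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class = data[4]  # 1 = ELF32, 2 = ELF64
    ei_data = data[5]   # 1 = little-endian, 2 = big-endian
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("unsupported ELF class or data encoding")
    endian = "<" if ei_data == 1 else ">"
    # e_type is the 16-bit field immediately after the 16-byte e_ident block
    return struct.unpack(endian + "H", data[16:18])[0]


def is_pie(data: bytes) -> bool:
    """A PIE is linked as a shared object (ET_DYN) so the kernel can randomize its base."""
    return elf_type(data) == ET_DYN


def has_ssp(data: bytes) -> bool:
    """True if an SSP runtime symbol name occurs anywhere in the file.

    Simplification assumed for this example: a plain byte search over the file
    instead of parsing .dynsym/.dynstr. A static binary that links the handler
    itself is also reported as protected.
    """
    return any(sym in data for sym in SSP_SYMBOLS)


def report(data: bytes) -> dict:
    """Summarize the two hardening properties the thread talks about."""
    return {"pie": is_pie(data), "ssp": has_ssp(data)}


def make_sample(e_type: int, extra: bytes = b"") -> bytes:
    """Construct a minimal ELF64 little-endian x86-64 header followed by extra bytes.

    Constructed test data only: enough header for elf_type(), no program headers.
    """
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    # e_type, e_machine (62 = x86-64), e_version, e_entry, e_phoff, e_shoff,
    # e_flags, e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    header = ident + struct.pack(
        "<HHIQQQIHHHHHH", e_type, 62, 1, 0, 0, 0, 0, 64, 56, 0, 64, 0, 0
    )
    return header + extra


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Real use: python check_hardened.py /path/to/binary ...
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                print(path, report(fh.read()))
    else:
        # Demo on constructed samples: one "hardened" and one plain build.
        hardened = make_sample(ET_DYN, b"\x00__stack_chk_fail\x00")
        plain = make_sample(ET_EXEC)
        print("hardened sample:", report(hardened))
        print("plain sample:   ", report(plain))
```

Run it against a few binaries from a pie/ssp stage and from a non-hardened box to see the difference; on Gentoo, pax-utils' `scanelf` does the same inspection properly by parsing the ELF structures rather than scanning bytes.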