Hi Ed,

First, thank you very kindly for such a long and thoughtful reply. I
really appreciate it. But I'm still not quite clear on a couple of
things, so perhaps I can elaborate below?

On Friday 30 April 2004 05:15, Ed Wildgoose wrote:
> Hi Kevin,
>
> I'm just a beginner like you, but here is my take on things.
>
> >That last sentence describes me, so I go there...
> >
> >So I follow the _Gentoo Hardened_ link which points to
> >http://hardened.gentoo.org from which I get redirected to
> >http://www.gentoo.org/proj/en/hardened/
> >
> >Here I see a link: _SELinux x86 Install Guide_ which I followed.
>
> Yep, looking at the docs you came to a reasonable conclusion. However,
> the fact remains that if you re-read that page closely and read the
> couple of previous threads on this list (in the last few days), you can
> see that the "Hardened" project (capital H) covers a host of technologies.

Well, I saw that from the beginning. That page (above) lists all of those
different technologies (or maybe most of them) as the subprojects of the
Hardened Project. But knowing a little bit about how SELinux works, I
figured that it was a fundamental part of the Hardened Project and that
it needed to be integrated from the very beginning, during the install
process. Plus, with SELinux being the first Subproject listed in the
collection of Subprojects for Hardened, it lends credence to that
impression (IMO). And under "6. Resources" on that page, I see an
Install Guide for x86 architectures (the only install guide there), so I
used it, realizing that it was for only one subproject (SELinux) of the
Hardened Project, but thinking that I could add in the other subprojects
after getting a fully functional Gentoo box with SELinux support running.

In responding to my first post in this thread, you initially wrote:
On Thursday 29 April 2004 18:24, Ed Wildgoose wrote:
> >after untarring the stage1 tarball
> >(stage1-pentium4-pie-ssp-2004.0.tar.bz2), there is no
> >directory /mnt/gentoo/selinux to use as a mountpoint for an selinuxfs
> > (as
>
> I guess that is because you used the hardened stage 1, not the selinux
> stage 1! I think hardened doesn't need selinux? As in they are not
> equivalent (part of the same team though).

But...

The iso image that I downloaded in accordance with the Gentoo x86 SELinux
Installation Guide
(http://www.gentoo.org/proj/en/hardened/selinux/selinux-x86-install.xml)
and then burned onto a CD comes right out and says something along the
lines of: "Welcome to the Gentoo Hardened Project." I mean, I'm reading
docs for SELinux (an apparently major subproject of the Hardened Project)
which tell me to get an iso image, and after booting, I get a splash
screen that states: Hardened Gentoo (cap H).

So, if I understand correctly, I got a Hardened Gentoo iso image (or so it
calls itself), I got a Hardened stage 1 tarball (found in
http://gentoo.oregonstate.edu/releases/x86/2004.0/stages/x86/hardened/),
and I'm reading the SELinux install guide to do this. Where would I find
an SELinux iso image and an SELinux stage 1 tarball?

I seem to need three different items that were designed to be used with
each other: iso image, stage 1 tarball (docs say Hardened can only be
built this way, not via stage2 or 3), and some documentation. Which ones
do I use to do a Hardened install? Which ones do I use to just do an
SELinux install?

> Some are patches to gcc or the kernel to basically tackle "stack
> overflows" (see Ned Ludd's links for a better description); this means
> hardened-gcc + a PaX kernel, ie grsecurity. The other side of
> hardened is kernel level mandatory access controls, ie even root can't
> do everything (this brings linux up to the security levels of a *well*
> setup Windows machine, *dig, dig*) - this is the selinux part.
>
> So the hardened stages are compiled with a compiler that has added some
> extra code to watch for the stack being trampled. Selinux stages refer
> to using a kernel that has access controls *on every file*.
>
> Unfortunately you and I have arrived at a time when the gcc stuff is
> being migrated from an old style way of doing things to a much more
> gentoo and integrated way. In fact I get the impression that once this
> is sorted, then the whole of gentoo will likely get the "hardened"
> (little h) flag set by default...? However, right now, it's slightly
> broken I think?
>
> >Um... I'm trying to build a production server here. Should I stay
> > away from this stuff? It sounds like kinks and problems and
> > documentation are still being worked out. If I want a Gentoo server
> > and I want it to be providing public services on the Internet (albeit
> > through a firewall), what plan should I be using here (ie, what
> > combination of boot CD image, stage1 tarball, and documentation URL
> > should I be using?)?
>
> Tough call really... Let's look at it this way. I haven't tried Suse,
> but I am building my gentoo server to replace a Redhat webserver. I
> really like the way it just stays up to date, no fiddling round with
> packages and conf files every time you update. I have also never had a
> problem with updating to later versions of packages either, which is
> something that terrifies me on a production machine, and although I
> have read stories of other people getting caught, it is really easy to
> roll back to the older package if necessary!
>
> However, the hardened project is taking some really complex stuff and
> integrating it into the gentoo system so that you can just click a
> button and have it work. This will be really worth having, but since
> you are probably a busy sysadmin with little appetite to take risks on
> a system right now, then I would suggest that you be cautious about
> getting on the bleeding edge.

Exactly what is it that's bleeding edge right now? I see "bleeding edge"
and think, "not appropriate for production servers." Is that what you
mean? So what's bleeding edge? SELinux? All of the Hardened
subprojects? Just some of them? Which ones?

>
> Why not look to take the stage2-hardened build (if there is such a
> thing). And ignore the selinux stuff for the time being? I'm in pretty

From
http://www.gentoo.org/proj/en/hardened/selinux/selinux-x86-install.xml:
================================================
8. Stage tarballs and chroot

Selecting the desired stage tarball

Now, you need to decide which one you would like to use as a basis for the
install if you have not already.

Since we are compiling everything "from-scracth", as is currently required
by the Gentoo SELinux install...                  ^^^^^^^^^^^^^^^^^^^^^^^
================================================

> much the same situation, but having 2 gentoo servers already I have a
> bit more confidence. However, I am considering starting with a stage-x
> hardened, (and then pretty much following the normal gentoo install)
>
> You need some confirmation from the experts, but with the hardened
> builds, it is basically a normal install but with a different compiler,
> and choose a pax kernel as well. You need confirmation though as to
> whether:
>
> a) you stick with the hardened gcc ebuild which is now obsolete
> b) upgrade to gcc 3.3.2 which is stable, and add -fstack-protector to
> your CFLAGS
> c) upgrade to gcc 3.3.3-r2 and hope that none of the bugs bite (less
> likely with a stage-2 or stage-3 build...?), and add USE="hardened"
>
> b) is the safest for a production machine, and worst case you will have
> less protection than you wanted, but better than a standard build.
> Everything should compile ok.
>
> >I've already
> >uncovered a bug in the ebuild for the gs_sources kernel (involving the
> >Device Mapper patch) which is supposedly for production servers.
>
> Bad luck. gs_sources is slightly unstable I think? Well, remember

From the Gentoo Linux Kernel Guide
(http://www.gentoo.org/doc/en/gentoo-kernel.xml):
================================================
gs-sources

For users to whom desktop interactive performance comes as a secondary
priority to reliability and hardware support, we have the gs-sources. GS
stands for Gentoo Stable (creative, aren't we?). This patch set is tuned
and tested to provide the best support for the latest hardware and
ensures that your mission critical servers will be up when you need them.
================================================

> that it isn't a Linus kernel so it is going to be patches that haven't
> been merged into stable yet.... I think it was just bad luck though,
> you would presumably have the same problems if you took a stable kernel
> and added your own patches...

No, I recently patched a plain Linux kernel from kernel.org with the
Device Mapper patch (and some others) myself and built it and am running
it on one of my production servers in a SuSE distro.

> Personally I prefer the 2.6 kernels, try
> -MM for a bleeding edge that seems to be pretty stable.

Well, I need to use OpenAFS, for which there is currently no support in
the 2.6.x kernels.

>
> >I'm
> >starting to get the impression that Gentoo is just not ready (with or
> >without Hardened or SELinux) for production servers,
>
> Disagree, but in return for possibly finding a few bugs, you get a
> lovely distribution. Redhat and Suse have plenty of gremlins in my
> experience. You have been unfortunate to find a few in Gentoo.
>
> Personally, I found that all problems I ever found in gentoo were
> fairly easy to fix, and I wouldn't class myself as much of a linux
> expert. In contrast I can do a lot more with gentoo than with my
> redhat machines. Well worth it in my experience.
>
> >and almost certainly
> >not with Hardened or SELinux.
>
> Perhaps... I haven't used hardened enough to comment. But from what I
> have seen, this time next year all linux builds will be "hardened"
> (little h), and secure sites will use selinux. I can't see selinux
> becoming mainstream for a good few years yet though.
>
> Consider trying selinux only via user-mode linux for now...?
>
> >Could someone give me the skinny on this?
> >Am I barking up the wrong tree trying to use Gentoo to build a
> > production server? Though I'm no developer, I am a reasonably
> > sophisticated Linux geek with about 9 years doing sysadmin on Linux
> > boxen, and I'm having real problems here. Should I go back to SuSE?
>
> Nah. You will find gentoo a piece of cake.

Well, that's just it... About 2-3 months ago, I did my first Gentoo
installation on a non-critical workstation and really liked everything
about it. So, I am running Gentoo on a workstation I use frequently. I
really liked the install process, I really liked all the features of
portage... I mean, after doing that one Gentoo install, I think Gentoo is
the Cat's Meow in Linux distros, but I'm having real trouble doing even a
standard Gentoo install right now (2 months later) on this production
server. I first reported problems with the gs-sources kernel to the
gentoo-user and gentoo-dev lists about a week ago, and John Nilsson on
the dev list confirmed my problems with device mapper, and found a bug
report documenting the same problem (Bugzilla Bug 48973
gs-sources-2.4.25_pre7-gss-r3 compile error).

>
> The situation is as clear as this. Gentoo has a dead easy installer,
> but it is manual. ie you read the docs, type in all the commands in

I'll agree that it is very easy when there are no bugs. It's wonderful.
I have no problems with manual. Love it, in fact.

> sequence, and you get a build out the other end. After that it takes
> about 10 mins a month to keep it up and running. Other distros are
> easier to get going, but to be honest, after I built the first few
> machines I have absolutely no problem with the manual setup - agreed it
> looks annoying the first time (Actually I think a small shell script

Not really.

> would just do the whole lot and I wonder why there aren't more basic
> installers available..?)
>
> Suggest that if you have probs then just revert to a normal gentoo
> build. Follow the install, perhaps with a stage-2 or 3 the first time,

Well, see above... On my first install I did a stage1 and had no problems
whatsoever. Now, I can't get gentoo-sources or gs-sources to build in a
standard (normal) gentoo stage1 process.

> and play with the finished machine. Then try again with hardened or
> whatever.

As far as I can tell, there is no hardened install guide other than the
SELinux install guide.

> The point is it is pretty easy when you have done it once,
> and worth the effort

As I said, I think Gentoo is excellent. That's why I'm working so hard to
get it up on this server. But right now the effort is tremendous. I've
been working on this for more than a week and so far I haven't been
able to get past the kernel build step because of bugs.

What I really need is for someone with more experience than you or me to
either say, "Hey Kev, Hardened Gentoo with SELinux and the other
subprojects will work and this is how you do it: get this iso image, get
this stage1 tarball, and read these docs (for there are so many of each
of these three that it's quite difficult to figure out which are meant
for which) and you'll have a perfectly sound and stable system that is
fine for use in a production server." or... "Hey Kev, we're really still
hashing out problems in the Hardened Gentoo project and/or several of the
subprojects, so you might want to stay away from these subprojects for
now unless you want to help us test them."

Could some experienced Hardened Project folks say one or the other to me?
Please? I really think Gentoo is great, and I don't mind investing the
time to do it up front as long as I can feel somewhat confident that I
will have a system that is appropriate for a production server when I'm
done. I just need to know (a) if I am reasonable to have such
confidence, and (b) how to get there if so.

Ed, thanks again for the long reply. If this post sounds like a rant,
then I'm sorry. The bottom line is that I'm delighted with everything
Gentoo has to offer, and I don't mind putting up with minor bugs here and
there, but I would like to know how to proceed with setting up Hardened
or if I should even try doing so with a production server.

Thanks to all who read this and apologies if it sounds rantish.

--
-Kevin

--
gentoo-hardened@g.o mailing list