Hi folks,<br><br><br>---Who I am:---<br><br>I'm a recent-Linux-user and I love it.<br><br>I dedicate a part of my spare time <br>to studying Unix-like O.S.es to increase<br>my comprehension of the IT world.<br>
<br><br>
---Who I am not:---<br><br>I call myself Linux-user 'cause I'm:<br>-1- neither an I.T. professional,<br>-2- nor a seasoned "*Nix-like geek" (in the best sense of the term)<br><br><br>---Disclaimer:---<br>
<br>Since I'm not a security professional, <br>please forgive me if, sometimes, I <br>express myself in a rough way.<br><br>Since English is not my mother tongue,<br>please be patient when my language<br>is poor.<br>
<br><br>---Question:---<br><br>It's a fact OpenBSD is a secure OS so,<br>if we put an OBSD-box online, we have <br>a good chance it won't be compromised, so<br>my question is the following:<br><br>"Is it possible to obtain, approximately,<br>
a Linux-box as secure as an OBSD-box?"<br><br>I know the intensive audit of OBSD and so on,<br>in fact I've written "approximately" and not "exactly".<br><br>My intention is, surely, not to provoke, <br>
but to understand the actual state of the art<br>of Linux security.<br><br>SELinux is included in the vanilla,<br>this sounds good, but mastering <br>SELinux is a long run <br>(a lot of time to invest in it).<br>Another issue is that if you are running a <br>
non-Red-Hat-derivative you won't find<br>any good tool for managing your own rules.<br>There are also pre-built policies, disciplining <br>most common services, but like all all-purpose <br>stuff they don't fit our needs very well!<br>
Writing policies with GNU/Emacs takes <br>too much time...this is an objective fact;<br>the subjective analysis is that it requires <br>much more time than I can spend, <br>considering my spare time. <br><br>AppArmor, recently included in the Ubuntu-family,<br>
seems to be something like SELinux, but more<br>user-friendly. I mean both (SELinux and AppArmor)<br>have the intention to limit damage coming from<br>a compromised service. If I'm wrong, feel free to <br>correct my error.<br>
<br>Since I like increased restriction to /proc /tmp and so on,<br>and I appreciate randomisation goodies, this leads me to <br>look at RSBAC and GR-Security, in fact both have these features.<br><br>RSBAC seems to be hard on first approach,<br>
but much more flexible than GR-Security;<br>on the other hand GR-Security has a good<br>appeal if we're looking for an easy and fast way<br>to lock down a desktop or a laptop, since it<br>is "user-friendly ;-)" to install and set up<br>
and grants a good level of security.<br>If I've understood correctly GR-Security could<br>be the best choice for desktop and RSBAC the<br>best choice for server...isn't it?<br><br>What about overhead...I mean I see GRsec.<br>
has good performance, but I heard RSBAC<br>is not so light...have you experienced this<br>slowness or was it only present in early<br>releases?<br><br>Back to the subject of my post:<br>"How hard" is Linux...hardening?<br>
<br>In the end, after a long time tuning,<br>do these tools grant us a high level of security?<br>I mean:<br>Grsecurity had suffered from a return-into-libc exploit<br>that bypassed its protection. Grsecurity had also <br>a PaX-disabled bug in the past that exposed <br>
machines to risks.<br><br>I heard RSBAC had problems with jail solidity etc.<br><br>Recently I've read something about a 2.6.30 bug <br>which makes enforcement like SELinux,<br>AppArmor and so on useless...<br><br>
so I'm wondering if it is possible to harden Linux<br>in such a way that you can leave it online with approximately<br>the same (high) probability that it won't be compromised<br>as OpenBSD.<br><br>I repeat this post is not intended to be a provocation<br>
or something similar, but it is intended to be didactic<br>in the sense I've surfed the web, but there's no clear <br>response to this question and I'm confused about it.<br><br>I'm sure there are many skilled people, reading<br>
this mailing list, so I'd appreciate it if someone <br>would be patient and enlighten me, giving some <br>impartial input on what to study in my spare time.<br><br>Thank you in advance,<br><br>Good week-end ;-)<br>