List Archive: gentoo-hardened
Headers:
To: gentoo-hardened@g.o
From: Marco Venutti <veeenrg@...>
Subject: Re: "How hard" is Linux kernel-side hardening?
Date: Sat, 19 Sep 2009 22:25:37 +0200
--[cut]--
User-friendliness depends on the level of security you want to implement.
I use a rather lazy grsecurity policy, but I still have to update it
approximately every two weeks - as new applications come by.
--[cut]--

I don't expect miracles, on the other hand I can dedicate,
approximately, 4 hours a week, in tuning and updating,
I know it's not so much, but I have to face this boundary.

--[cut]--
> If I've understood correctly GR-Security could
> be the best choice for desktop and RSBAC the
> best choice for server...isn't it?
--[cut]--

I understand what you mean, but everything can be learned,
so if something, I'm not using now, has a less-long history-list
of exploitable bugs, I'll be happy to move to that solution!
At the moment I'm using Grsecurity, I believe (and hope)
it is decently affordable, in the sense of the shortest possible
history-list of serious breaches/holes, but I've not done a really
in-depth analysis, just some googling on these topics.

My first grsec configuration was set up on a "Gentoo Workstation"
profile then tuned to best fit my laptop needs.

--[cut]--
You forgot to mention SSP (stack-smashing protection).
--[cut]--

I didn't forget it, but I'd like to primarily focus on
RSBAC and GR-Sec. and I didn't want to be wordy,
more than I naturally am, so I had to make a selection
and I've excluded it, nothing personal, just the need
to be synthetic...in some way...
I know this exclusion is questionable...
I'm sorry if this hurt you, because you like SSP ;-)
I've mentioned SELinux, 'cause it is well-known,
it is inside the vanilla, so, in some way it is a must
including SELinux in a topic like this!
On AppArmor I've spent few words just because
it comes with Ubuntu that is one of the most spread
Linux distros.

--[cut]--
You'll never find perfect security.
--[cut]--

I totally agree with this statement! sadly :-(

--[cut]--
Every software - even OBSD - has bugs.
--[cut]--

I'd like to clear I'm not an OBSD super-fan,
it is only a term of comparison,
just an example, not propaganda
(that I personally dislike).

--[cut]--
Let me ask you just one thing. Please point me to an OBSD alternative of the wide variety of Linux hardening solutions (SELinux, RSBAC, AppArmor or grsecurity).
--[cut]--

OpenBSD had neither the hardware support,
nor the opportunity of choice that only Linux
can offer to us, that's why I love Linux and
that's why I'm looking for hardening Linux
rather than using OBSD, because I prefer Linux!!

I agree Linux has a lot of hardening solutions
and different approaches, I love it!

In a perfect world I would have time to perfectly
master every patch and then, consciously,
could choose the one that best suits my needs...

coming back to the real world, I've few hours a
week and I have to find out what to study...
I'd like to focus on 1 approach, hoping this will
lead me, in the future, to get a decent level
of knowledge.

Obviously I'm aware, with few hours I'll never
be up-to-date and seriously skilled, but I think
some hours are better than zero hours and I
hope I'll be, a bit more, cultured about security.

--[cut]--
Sacrifices must be made according to the level of security you are targeting.
--[cut]--

I have to start, not from the level of security I'd like to get,
rather from the time I can dedicate...

I mean: these are X hours I can dedicate,
inside this peremptory limit I can be free...
it's sad, but it's so...anyway I've faith!

Good evening ;-)
Replies:
Re: "How hard" is Linux kernel-side hardening?
-- Natanael Copa
References:
"How hard" is Linux kernel-side hardening?
-- Marco Venutti
Re: "How hard" is Linux kernel-side hardening?
-- atoth
Updated Nov 22, 2009