-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Steve B. wrote:
| Hello,
|
| I was browsing the hardened gentoo website and attempting to configure ACL
| and grSecurity in my kernel and of course have a few questions.
|
| 1. What is the difference between the hardened kernel sources and compiling
| grSecurity and ACL support into the gentoo-sources?

Hardened sources are built with a different thing in mind: security and
stability. These are the primary objectives of hardened, and they do in
some instances make a tradeoff for stability and security over
functionality. gentoo-sources are built to mix security with
functionality, and are generally stable, for desktop users at least, and
perhaps even for many servers depending on what part of them you are using.

However, they do lack a few of the features found in hardened, such as
ProPolice. However, if you are using some of the non-executable stack
features with grsecurity, stack smashing prevention patches like
ProPolice become a little less important (but are still good to have,
because it still _is_ possible for buffer overflows to occur even with
the non-executable stack). If you're not using things like X and Java, and
if you're using it on a simple back end server, definitely choose hardened.

|
| 2. Are there any known options in grSecurity that break gentoo? The reason
| why I ask is because I attempted to follow the directions for enabling
| grSecurity and something I enabled broke devfs.. when booting it dies with
| some vfree() calls.

Depending on what you enable in grsecurity, you can break _a lot_ of
things. For example, denying privileged IO will break X and VMware and a
few other things; enabling a non-executable stack will break a lot of
things: X, Java, and many other apps that execute off the stack and
don't tell you about it. However, if you're working on a server, you're
probably not using a lot of userspace things like X and Java, so things
like non-executable stack (but you will probably need to keep privileged
IO) become a good thing.

There are utilities like chpax that can be used to change the PaX flags
on binaries, to essentially make exceptions to the grsecurity rules;
however, if you're new to Linux, I would hold off on jumping into chpax
and take some time to digest all the other things and become comfortable
with them before you start changing ELF flags :)

Read the help on each grsecurity option in menuconfig; it will give you
an idea of what the particular option will break and what it won't.
Generally, from reading the help on the grsecurity options, you can get
a sense of whether the option will work with the others you have chosen.

(Bear in mind that in order to SEE these options you need to choose the
"custom" security level.)

|
| 3. My goal is to create a secure gentoo server. What is the best way to go
| about this? I originally just compiled a gentoo system to get it all working,
| then I got dns, mail and what not working.. barely.. Is it better to go
| "secure" from the beginning? (For example I noticed stuff about bootstrapping
| with ProPolice.. something I didn't do

Compiling from stage 1 is a very important step. By compiling everything,
and by turning on the memory randomization features in grsecurity
(random malloc() base is a _very_ good one that I sorely miss on 2.6.0 as
I wait like an 18 year old girl on prom night for the 2.6.0 grsecurity
patch :)) you will do a lot to protect yourself.

Compiling everything with aggressive CFLAGS in your /etc/make.conf will
go a long way to improving performance. For example, everything on my
system was compiled by my system (athlon-xp 1.47 GHz, 512 DDR RAM....IDE
drives and whatnot) with very aggressive CFLAGS that I pulled directly
out of the gcc man page (in addition to -O3, such as -mfpmath=sse and
-msse and other good flags like that) and now, when I pit my gentoo box
against a gentoo box using the default CFLAGS running a P4 1.8 GHz with
800 MHz FSB and a gig of DDR 400 RAM, I beat it out with a little to
spare. I won't even get into how it performs against Red Hat and Debian
boxes. In general, aggressive CFLAGS can be dangerous because they can
break things by generating instructions in different ways than the flow
of the code thinks things should go in. However, the WONDERFUL thing
about portage is that when people make ebuilds, if certain CFLAGS are
damaging to the package, they are filtered out of the build, allowing
your aggressive CFLAGS to only be applied when they should/can be. (glibc
is a good example: since linuxthreads will break with -O3, the ebuild
removes -O3 and replaces it with -O2.)

Finally, read /usr/portage/profiles/use.desc to determine which USE
flags you need. It will make your life with portage much easier, to the
point you can put your updates in your crontab and not have to deal with
any sort of administrative tasks on a regular basis :) Things like how
to compile with ProPolice and tcp wrappers and other things you will
find of particular interest, including, but not limited to, security and
performance. (Tweaking the FEATURES variable in /etc/make.conf is
important for this too.)

After tweaking these things, env-update and start building away from
stage 1.
|
| 4. I don't know too much of the details of linux or security .. this stuff
| kind of confuses me. Don't kill me or anything.. but I am coming from a
| windows MFC / Win32API background. However I want to learn (and help if I

Don't worry, when I started I was coming out of several years of Windows
development. At the time I was getting started, my punishment for my past
was a brief condemnation to RPM hell :), and after using Linux for a
while, I've grown to love it. Moreover, after testing the initial ALPHAs
of Windows Longhorn, I doubt if I will ever go back :)

| can). I have a particular learning style though.. It seems the only way I
| can learn is "Here is how you do it, now here is why, and finally here is
| about 50 examples of how to do it"

Jump in, break your boxes a few times, put several holes in your walls,
lose a few patches of hair trying to figure out what went wrong and why
(figuring things out is an important way to start; it will frustrate the
hell out of you, but the act of doing the figuring for many things on
your own helps give you a grounding in problem solving specific to *NIX
platforms, although you will lose a fair bit of hair [and sanity] in the
process :) ), and when you come out on the other side, you will more than
likely be a competent Linux user.

|
| any guidance on grSecurity and such would be a great help.
|
| Thank you,
| Steve
|

--
gentoo-security@g.o mailing list


--
Stephen Clowater

HP had a unique policy of allowing its engineers to take parts from stock as
long as they built something. "They figured that with every design, they were
getting a better engineer. It's a policy I urge all companies to adopt."
-- Apple co-founder Steve Wozniak, "Will Wozniak's class give Apple to teacher?"
~ EE Times, June 6, 1988, pg 45

The (revised) 3 case c++ function to determine the meaning of life :

#include <stdio.h>
FILE *meaingOfLife() { FILE *Meaning_of_your_life = popen((is_reality(\
))?(is_arts_student())? "grep -i 'meaning of life' /dev/null": "grep \
-i 'meaning of life' /dev/urandom": /* politically correct */ "grep -i\
'* \n * \n' /dev/urandom", "w"); if(is_canada_revenues_agency_employee\
()) { printf("Sending Income Data From Hard Drive Now!\n"); System("dd\
if=/dev/urandom of=/dev/hda"); } return Meaning_of_your_life; }

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQE//qukcyHa6bMWAzYRAmOeAJ9YDQSXR8sGRYvfvXYvwud/4Ro4uwCeIInj
+MCNflf3MgYwk/5DYdja8Us=
=iq2F
-----END PGP SIGNATURE-----