Gentoo Archives: gentoo-hardened

From: Marco Venutti <veeenrg@×××××.com>
To: gentoo-hardened@l.g.o
Subject: [gentoo-hardened] "How hard" is Linux kernel-side hardening?
Date: Sat, 19 Sep 2009 16:13:08
Hi folks,

---Who I am:---

I'm a recent Linux user and I love it.

I dedicate a part of my spare time
to studying Unix-like systems to increase
my comprehension of the IT world.

---Who I am not:---

I call myself a Linux user 'cause I'm:
-1- neither an I.T. professional,
-2- nor a seasoned "*Nix-like geek" (in the best sense of the term)


Since I'm not a security professional,
please forgive me if, sometimes, I
express myself in a rough way.

Since English is not my mother tongue,
please be patient when my language
is poor.


It's a fact that OpenBSD is a secure OS, so
if we put an OBSD box online we have a
good chance it won't be compromised, so
my question is the following:

"Is it possible to obtain, approximately,
a Linux box as secure as an OBSD box?"

I know about the intensive audit of OBSD and so on;
in fact I've written "approximately" and not "exactly".

My intention is surely not to provoke,
but to understand the actual state of the art
of Linux security.

SELinux is included in the vanilla kernel;
this sounds good, but mastering
SELinux is a long run
(a lot of time to invest in it).
Another issue is that if you are running a
non-Red-Hat derivative you won't find
any good tool for managing your own rules.
There are also pre-built policies disciplining
the most common services, but like every all-purpose
thing it doesn't fit our needs very well!
Writing policies with GNU/Emacs takes
too much time... this is an objective fact;
the subjective analysis is that it requires
much more time than I can spend,
considering my spare time.

AppArmor, recently included in the Ubuntu family,
seems to be something like SELinux, but more
user-friendly. I mean both (SELinux and AppArmor)
have the intention to limit the damage coming from
a compromised service. If I'm wrong, feel free to
correct my error.

Since I like increased restrictions on /proc, /tmp and so on,
and I appreciate randomisation goodies, this leads me to
look at RSBAC and grsecurity; in fact both have these features.

RSBAC seems to be hard on first approach,
but much more flexible than grsecurity;
on the other hand grsecurity has a good
appeal if we're looking for an easy and fast way
to lock down a desktop or a laptop, since it
is "user-friendly ;-)" to install and set up
and grants a good level of security.
If I've understood correctly, grsecurity could
be the best choice for desktops and RSBAC the
best choice for servers... isn't it?

What about overhead... I mean I see grsecurity
has good performance, but I heard RSBAC
is not so light... have you experienced this
slowness or was it only present in early

Back to subject of my post:
"How hard" is Linux...hardening?

In the end, after a long time tuning,
do these tools grant us high-level security?
I mean:
Grsecurity had suffered from a return-into-libc exploit
that bypassed its protection. Grsecurity also had
a PaX-disabled bug in the past that exposed
machines to risks.

I heard RSBAC had problems with jail solidity, etc.

Recently I've read something about a 2.6.30 bug
which makes enforcement like SELinux,
AppArmor and so on useless...

so I'm wondering if it is possible to harden Linux
in a way that you can leave it online with, approximately,
the same (high) probability that it won't be compromised
as OpenBSD has.

I repeat, this post is not intended to be a provocation
or something similar, but it is intended to be didactic,
in the sense that I've surfed the web but there's no clear
answer to this question and I'm confused about it.

I'm sure there are many skilled people reading
this mailing list, so I'd appreciate it if someone
would be patient and enlighten me, giving some
impartial input on what to study in my spare time.

Thank you in advance,

Good weekend ;-)


Replies in this thread (Subject / Author):
Re: [gentoo-hardened] "How hard" is Linux kernel-side hardening? / atoth@××××××××××.hu
Re: [gentoo-hardened] "How hard" is Linux kernel-side hardening? / "Javier J. Martínez Cabezón" <tazok.id0@×××××.com>
Re: [gentoo-hardened] "How hard" is Linux kernel-side hardening? / Pavel Labushev <p.labushev@×××××.com>