Gentoo Archives: gentoo-hardened

From: Marco Venutti <veeenrg@×××××.com>
To: gentoo-hardened@l.g.o
Subject: [gentoo-hardened] "How hard" is Linux kernel-side hardening?
Date: Sat, 19 Sep 2009 16:13:08
Message-Id: 478d5e250909190913l57b39c6cwe27570c73fdb0a4b@mail.gmail.com
1 Hi folks,
2
3
4 ---Who I am:---
5
6 I'm a recent-Linux-user and I love it.
7
8 I dedicate, a part, of my spare time
9 to study Unix-like O.S.es for increasing
10 my comprehension of the IT world.
11
12
13 ---Who I am not:---
14
15 I call myself Linux-user 'cause I'm:
16 -1- neither an I.T. professional,
17 -2- nor a seasoned "*Nix-like geek" (in the best sense of the term)
18
19
20 ---Disclaimer:---
21
22 Since I'm not a security professional,
23 please forgive me if , sometime, I
24 express myself in a rough way.
25
26 Since I'm not mother tongue English,
27 please be patient when my language
28 is poor.
29
30
31 ---Question:---
32
33 It's a fact OpenBSD is a secure OS so,
34 if we put a OBSD-box online, we have
35 good chance it won't compromised, so
36 my question is the following:
37
38 "Is it possible to obtain, approximately,
39 a Linux-box secure as an OBSD-box?"
40
41 I know the intensive audit of OBSD and so on,
42 in fact I've written "approximately" and not "exactely".
43
44 My intention is, surely, not to provocate,
45 but to understand the actual state-of-art
46 of Linux security.
47
48 SELinux is included in the vanilla,
49 this sounds good, but mastering
50 SELinux is a long run
51 (a lot of time to invest in it)
52 Another issue is that if you are running a
53 non-Red-Hat-derivative you won't find
54 any good tool for managing your own rules.
55 There are also pre-built policies, disciplining
56 most common services, but as every all-purpose
57 stuff it fits not very good our needs!
58 Writing policies with GNU/Emacs takes
59 too much time...this is an objective fact;
60 the subjective analisys is that it requires
61 much more time than I can spend,
62 considering my spare time.
63
64 AppArmor, recently included in the Ubuntu-family,
65 seems to be something like SELinux, but more
66 user-friendly. I mean both (SELinux and AppArmor)
67 have the intention to limitate damages coming from
68 a compromised service. If I'm wrong feel free to
69 clear my error.
70
71 Since I like increased restriction to /proc /tmp and so on,
72 and I appreciate randomisation goodies, this leads me to
73 look at RSBAC and GR-Security, in fact both have these features.
74
75 RSBAC seems to be hard on first approach,
76 but much more flexible than GR-Security;
77 on the other hand GR-Security has a good
78 appeal if we're looking for an easy and fast way
79 to lock down a desktop or a laptop, since it
80 is "user-friendly ;-)" to install and set up
81 and grants a good level of security.
82 If I've understood correctly GR-Security could
83 be the best choice for desktop and RSBAC the
84 best choice for server...isn't it?
85
86 What about overhead...I mean I see GRsec.
87 has good performances, but I heard RSBAC
88 is not so-light...have you experienced this
89 slowlyness or it was, only present, in early
90 releases?
91
92 Back to subject of my post:
93 "How hard" is Linux...hardening?
94
95 In the end, after long time tuning
96 do, these tools, grant us an high level security?
97 I mean:
98 Grsecurity had suffered of a return into libc exploit
99 that bypassed its protection. Grsecurity had also
100 a PaX-disabled bug in the past that expose
101 machines to risks.
102
103 I heard RSBAC had problem with the jail solidity etc.
104
105 Recently I've read something about a 2.6.30 bug
106 which makes useless, enforcement like SELinux,
107 AppArmor and so on...
108
109 so I'm wondering if it is possible to harden Linux
110 the way you can leave it online with, approximately,
111 the same (high) probability, it won't be compromised
112 as OpenBSD does.
113
114 I repeat this post is not intended to be a provocation
115 or something similar, but it is intended to be didactic
116 in the sense I've surfed the web, but there's no clear
117 response to this question and I'm confused about it.
118
119 I'm sure there are many skilled people, reading
120 this mailing list, so I'll appreciate if someone
121 will be patient and will enlighten me, giving some
122 impartial inputs on what to study in my spare time.
123
124 Thank you in advance,
125
126 Good week-end ;-)

Replies

Subject Author
Re: [gentoo-hardened] "How hard" is Linux kernel-side hardening? atoth@××××××××××.hu
Re: [gentoo-hardened] "How hard" is Linux kernel-side hardening? "Javier J. Martínez Cabezón" <tazok.id0@×××××.com>
Re: [gentoo-hardened] "How hard" is Linux kernel-side hardening? Pavel Labushev <p.labushev@×××××.com>