Hi folks,


---Who I am:---

I'm a recent Linux user and I love it.

I dedicate a part of my spare time
to studying Unix-like OSes to increase
my comprehension of the IT world.


---Who I am not:---

I call myself a Linux user 'cause I'm:
-1- neither an I.T. professional,
-2- nor a seasoned "*Nix-like geek" (in the best sense of the term)


---Disclaimer:---

Since I'm not a security professional,
please forgive me if, sometimes, I
express myself in a rough way.

Since I'm not a native English speaker,
please be patient when my language
is poor.


---Question:---

It's a fact that OpenBSD is a secure OS so,
if we put an OBSD box online, we have
a good chance it won't be compromised, so
my question is the following:

"Is it possible to obtain, approximately,
a Linux box as secure as an OBSD box?"

I know about the intensive audit of OBSD and so on,
in fact I've written "approximately" and not "exactly".

My intention is, surely, not to provoke,
but to understand the actual state of the art
of Linux security.

SELinux is included in the vanilla kernel,
this sounds good, but mastering
SELinux is a long run
(a lot of time to invest in it).
Another issue is that if you are running a
non-Red-Hat derivative you won't find
any good tool for managing your own rules.
There are also pre-built policies, disciplining
the most common services, but like all all-purpose
stuff they don't fit our needs very well!
Writing policies with GNU/Emacs takes
too much time...this is an objective fact;
the subjective analysis is that it requires
much more time than I can spend,
considering my spare time.

AppArmor, recently included in the Ubuntu family,
seems to be something like SELinux, but more
user-friendly. I mean both (SELinux and AppArmor)
have the intention to limit the damage coming from
a compromised service. If I'm wrong feel free to
correct my error.

Since I like increased restrictions on /proc, /tmp and so on,
and I appreciate randomisation goodies, this leads me to
look at RSBAC and GR-Security, in fact both have these features.

RSBAC seems to be hard on first approach,
but much more flexible than GR-Security;
on the other hand GR-Security has a good
appeal if we're looking for an easy and fast way
to lock down a desktop or a laptop, since it
is "user-friendly ;-)" to install and set up
and grants a good level of security.
If I've understood correctly GR-Security could
be the best choice for a desktop and RSBAC the
best choice for a server...isn't it?

What about overhead...I mean I see GRsec.
has good performance, but I heard RSBAC
is not so light...have you experienced this
slowness, or was it only present in early
releases?

Back to the subject of my post:
"How hard" is Linux...hardening?

In the end, after a long time tuning,
do these tools grant us a high level of security?
I mean:
Grsecurity suffered from a return-into-libc exploit
that bypassed its protection. Grsecurity also had
a PaX-disabled bug in the past that exposed
machines to risks.

I heard RSBAC had problems with jail solidity etc.

Recently I've read something about a 2.6.30 bug
which makes enforcement like SELinux,
AppArmor and so on useless...

so I'm wondering if it is possible to harden Linux
in such a way that you can leave it online with, approximately,
the same (high) probability that it won't be compromised
as OpenBSD has.

I repeat, this post is not intended to be a provocation
or something similar, but it is intended to be didactic
in the sense that I've surfed the web, but there's no clear
response to this question and I'm confused about it.

I'm sure there are many skilled people reading
this mailing list, so I'd appreciate it if someone
would be patient and enlighten me, giving some
impartial input on what to study in my spare time.

Thank you in advance,

Good week-end ;-)
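As an added example that is not part of the original post, the script below audits the kernel knobs the question mentions (address-space randomisation, /tmp link protections, restricted /proc visibility and which mandatory access control LSM is active) so that a reader can see concretely what "hardening" looks like on a Linux box. The classification functions take the raw values as arguments so they can be checked offline; the live-system part reads the standard sysfs/procfs files and treats a missing file as "unknown". The hostname and paths in the constructed sample lines are assumptions, not from the post.

```shell
#!/bin/sh
# Added example (not from the original post): a small hardening audit of the
# Linux knobs discussed in the question. Each check is a function that takes
# the raw value, so the logic can be exercised offline on constructed input.

# kernel.randomize_va_space: 2 = full ASLR (stack, mmap, brk), 1 = partial, 0 = off.
aslr_ok() {
  [ "$1" = "2" ]
}

# fs.protected_symlinks / fs.protected_hardlinks (value 1 = enabled) block the
# classic symlink-race abuse of world-writable sticky directories such as /tmp.
protected_links_ok() {
  [ "$1" = "1" ] && [ "$2" = "1" ]
}

# Given the mount options of /proc (fourth field of /proc/mounts), report
# whether hidepid hides other users' process entries. Linux accepts the numeric
# forms hidepid=1/2 and, since 5.8, the names noaccess/invisible.
proc_hidepid_ok() {
  case ",$1," in
    *,hidepid=1,*|*,hidepid=2,*|*,hidepid=noaccess,*|*,hidepid=invisible,*) return 0 ;;
    *) return 1 ;;
  esac
}

# Given the comma-separated contents of /sys/kernel/security/lsm, print the
# mandatory access control framework that is active, or "none".
active_mac() {
  case ",$1," in
    *,selinux,*)  echo selinux ;;
    *,apparmor,*) echo apparmor ;;
    *,tomoyo,*)   echo tomoyo ;;
    *,smack,*)    echo smack ;;
    *)            echo none ;;
  esac
}

# Read a file if present, otherwise print nothing (so checks report "unknown").
read_or_empty() {
  if [ -r "$1" ]; then cat "$1" 2>/dev/null; else printf ''; fi
}

report() {  # report <label> <pass|fail|unknown>
  printf '%-28s %s\n' "$1" "$2"
}

verdict() {  # verdict <value> <check-function> [extra-args]
  v=$1; shift
  if [ -z "$v" ]; then echo unknown
  elif "$@"; then echo pass
  else echo fail
  fi
}

audit_live_system() {
  va=$(read_or_empty /proc/sys/kernel/randomize_va_space)
  ps=$(read_or_empty /proc/sys/fs/protected_symlinks)
  ph=$(read_or_empty /proc/sys/fs/protected_hardlinks)
  lsm=$(read_or_empty /sys/kernel/security/lsm)
  opts=$(awk '$2 == "/proc" { print $4; exit }' /proc/mounts 2>/dev/null)

  report "ASLR (randomize_va_space)" "$(verdict "$va" aslr_ok "$va")"
  report "protected sym/hardlinks"   "$(verdict "$ps$ph" protected_links_ok "$ps" "$ph")"
  report "/proc hidepid"             "$(verdict "$opts" proc_hidepid_ok "$opts")"
  report "active MAC LSM"            "$(active_mac "$lsm")"
}

# Constructed sample, labelled as such: what a hardened box would show.
demo_constructed() {
  report "ASLR (constructed)"     "$(verdict 2 aslr_ok 2)"
  report "links (constructed)"    "$(verdict 11 protected_links_ok 1 1)"
  report "hidepid (constructed)"  "$(verdict x proc_hidepid_ok "rw,nosuid,nodev,noexec,relatime,hidepid=2")"
  report "MAC LSM (constructed)"  "$(active_mac "lockdown,capability,yama,apparmor")"
}

demo_constructed
audit_live_system
```

Running it on a stock distribution usually shows "pass" for ASLR and link protection but "fail" for hidepid, which is exactly the kind of gap the question is asking about: these protections exist in the vanilla kernel, but they are not all switched on by default, and the MAC frameworks (SELinux, AppArmor) only limit damage once a policy is actually loaded and enforcing.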