Gentoo Archives: gentoo-hardened

From: "Javier J. Martínez Cabezón" <tazok.id0@×××××.com>
To: gentoo-hardened@l.g.o
Subject: Re: [gentoo-hardened] "How hard" is Linux kernel-side hardening?
Date: Sun, 20 Sep 2009 11:24:44
In Reply to: [gentoo-hardened] "How hard" is Linux kernel-side hardening? by Marco Venutti
2009/9/19, Marco Venutti <veeenrg@×××××.com>:

> ---Question:---
>
> It's a fact OpenBSD is a secure OS so,
> if we put an OBSD-box online, we have
> a good chance it won't be compromised, so
> my question is the following:
It's a fact that OpenBSD is a C2-capable security system (Orange Book), that is, it is not a trusted OS because it lacks MAC solutions.
> "Is it possible to obtain, approximately,
> a Linux-box as secure as an OBSD-box?"
>
> I know about the intensive audit of OBSD and so on,
> in fact I've written "approximately" and not "exactly".
It's possible to obtain a B1 (Orange Book) system under GNU/Linux, that is, a trusted OS.
> SELinux is included in the vanilla,
> this sounds good, but mastering
> SELinux is a long run
> (a lot of time to invest in it)
I think (maybe I'm wrong) Brad Spender published a bug that disabled SELinux because of the LSM weakness.
> Another issue is that if you are running a
> non-Red-Hat derivative you won't find
> any good tool for managing your own rules.
> There are also pre-built policies, disciplining
> most common services, but like every all-purpose
> thing they don't fit our needs very well!
> Writing policies with GNU/Emacs takes
> too much time...this is an objective fact;
> the subjective analysis is that it requires
> much more time than I can spend,
> considering my spare time.
Well, this is the true problem: making policies is a "do it yourself" matter, there are too many things to control, and the problem is that not everybody knows what to control.
> AppArmor, recently included in the Ubuntu family,
> seems to be something like SELinux, but more
> user-friendly. I mean both (SELinux and AppArmor)
> have the intention to limit damage coming from
> a compromised service. If I'm wrong feel free to
> correct my error.
Both work under LSM.
> Since I like increased restriction to /proc /tmp and so on,
> and I appreciate randomisation goodies, this leads me to
> look at RSBAC and GR-Security, in fact both have these features.
>
> RSBAC seems to be hard on first approach,
> but much more flexible than GR-Security;
> on the other hand GR-Security has a good
> appeal if we're looking for an easy and fast way
> to lock down a desktop or a laptop, since it
> is "user-friendly ;-)" to install and set up
> and grants a good level of security.
> If I've understood correctly GR-Security could
> be the best choice for desktop and RSBAC the
> best choice for server...isn't it?
I agree with these.
> What about overhead...I mean I see GRsec.
> has good performance, but I heard RSBAC
> is not so light...have you experienced this
> slowness or was it only present in early
> releases?
Overhead depends on what you control. RSBAC is light too for me; the problem is that if you want to log all READ_OPEN calls (for example to log all open(O_RDONLY) calls) the overhead would be high.
> Back to the subject of my post:
> "How hard" is Linux...hardening?
>
> In the end, after a long time tuning,
> do these tools grant us high-level security?
> I mean:
> Grsecurity suffered a return-into-libc exploit
> that bypassed its protection. Grsecurity also had
> a PaX-disabled bug in the past that exposed
> machines to risks.
I think the main problem (I could be wrong) is that PaX flags are marked in binaries (in userspace) in grsecurity.
> I heard RSBAC had problems with the jail solidity etc.
>
> Recently I've read something about a 2.6.30 bug
> which makes enforcement like SELinux,
> AppArmor and so on useless...
>
> so I'm wondering if it is possible to harden Linux
> in a way that you can leave it online with, approximately,
> the same (high) probability that it won't be compromised
> as OpenBSD has.
The jail bug was corrected long ago, and was limited to this module only (in RSBAC requests pass through all the stacked modules, not only this one, and if even one module denies the request it is denied, even if jail doesn't work properly).
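The point about PaX flags being "marked in binaries (in userspace)" refers to the PT_PAX_FLAGS program header that PaX reads from the ELF file itself. The following C program is an added example, not code from the thread or from the PaX/grsecurity project: it builds a minimal ELF64 image in memory (constructed for the demo, no file is read), locates the PT_PAX_FLAGS header, decodes the per-feature marking, and then shows that anyone with write access to the binary can rewrite that header to turn the protections off, which is exactly what a legitimate tool like paxctl does and what makes an in-file marking weaker than a kernel-side policy. The PT_PAX_FLAGS value and PF_* bits are the ones used by PaX and pax-utils; the `marking()` convention (+1/-1/0) and the helper names are this example's own.

```c
/* Added example (not from the thread or from PaX itself): PaX per-binary
 * markings live inside the ELF file as a PT_PAX_FLAGS program header. Anyone
 * who can rewrite that header can disable the protections for that binary
 * without touching the kernel. The ELF64 image below is constructed in
 * memory for the demo. Constants follow PaX / pax-utils (paxelf.h). */
#include <elf.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#ifndef PT_PAX_FLAGS
#define PT_PAX_FLAGS 0x65041580u      /* PT_LOOS + 0x5041580 */
#endif
#define PF_PAGEEXEC   (1u << 4)       /* enable / disable bit pairs */
#define PF_NOPAGEEXEC (1u << 5)
#define PF_SEGMEXEC   (1u << 6)
#define PF_NOSEGMEXEC (1u << 7)
#define PF_MPROTECT   (1u << 8)
#define PF_NOMPROTECT (1u << 9)
#define PF_RANDMMAP   (1u << 14)
#define PF_NORANDMMAP (1u << 15)
#define PHNUM 2

/* Build a minimal ELF64 image: ELF header + PT_LOAD + PT_PAX_FLAGS.
 * Returns the image length, or 0 if the buffer is too small. */
size_t build_image(uint8_t *buf, size_t cap, Elf64_Word pax_flags) {
    size_t need = sizeof(Elf64_Ehdr) + PHNUM * sizeof(Elf64_Phdr);
    if (cap < need) return 0;
    Elf64_Ehdr eh; memset(&eh, 0, sizeof eh);
    memcpy(eh.e_ident, ELFMAG, SELFMAG);
    eh.e_ident[EI_CLASS] = ELFCLASS64;
    eh.e_ident[EI_DATA] = ELFDATA2LSB;
    eh.e_ident[EI_VERSION] = EV_CURRENT;
    eh.e_type = ET_EXEC; eh.e_machine = EM_X86_64; eh.e_version = EV_CURRENT;
    eh.e_phoff = sizeof(Elf64_Ehdr); eh.e_ehsize = sizeof(Elf64_Ehdr);
    eh.e_phentsize = sizeof(Elf64_Phdr); eh.e_phnum = PHNUM;
    Elf64_Phdr ph[PHNUM]; memset(ph, 0, sizeof ph);
    ph[0].p_type = PT_LOAD; ph[0].p_flags = PF_R | PF_X; ph[0].p_align = 0x1000;
    ph[1].p_type = PT_PAX_FLAGS; ph[1].p_flags = pax_flags;
    memcpy(buf, &eh, sizeof eh);
    memcpy(buf + sizeof eh, ph, sizeof ph);
    return need;
}

/* Locate the p_flags word of the PT_PAX_FLAGS header. memcpy instead of
 * pointer casts keeps this alignment-safe; truncated images are rejected. */
static int pax_flags_offset(const uint8_t *img, size_t len, size_t *off) {
    Elf64_Ehdr eh;
    if (len < sizeof eh) return 0;
    memcpy(&eh, img, sizeof eh);
    if (memcmp(eh.e_ident, ELFMAG, SELFMAG) != 0 ||
        eh.e_ident[EI_CLASS] != ELFCLASS64 ||
        eh.e_phentsize != sizeof(Elf64_Phdr)) return 0;
    for (unsigned i = 0; i < eh.e_phnum; i++) {
        size_t o = eh.e_phoff + (size_t)i * sizeof(Elf64_Phdr);
        Elf64_Phdr ph;
        if (o + sizeof ph > len) return 0;       /* phdr table cut short */
        memcpy(&ph, img + o, sizeof ph);
        if (ph.p_type == PT_PAX_FLAGS) { *off = o + offsetof(Elf64_Phdr, p_flags); return 1; }
    }
    return 0;                                    /* no PaX marking present */
}

Elf64_Word get_pax_flags(const uint8_t *img, size_t len) {
    size_t off; Elf64_Word f = 0;
    if (pax_flags_offset(img, len, &off)) memcpy(&f, img + off, sizeof f);
    return f;
}

int set_pax_flags(uint8_t *img, size_t len, Elf64_Word f) {
    size_t off;
    if (!pax_flags_offset(img, len, &off)) return 0;
    memcpy(img + off, &f, sizeof f);
    return 1;
}

/* Explicit marking of one feature (this example's convention): +1 enabled,
 * -1 disabled, 0 when neither bit is set (or both), i.e. kernel default. */
int marking(Elf64_Word f, Elf64_Word on, Elf64_Word off) {
    int en = !!(f & on), dis = !!(f & off);
    return en == dis ? 0 : (en ? 1 : -1);
}

/* What anyone with write access to the file can do (paxctl does the same,
 * legitimately): flip every protection to its explicit "disabled" marking. */
int strip_protections(uint8_t *img, size_t len) {
    Elf64_Word f = get_pax_flags(img, len);
    f &= ~(PF_PAGEEXEC | PF_SEGMEXEC | PF_MPROTECT | PF_RANDMMAP);
    f |= PF_NOPAGEEXEC | PF_NOSEGMEXEC | PF_NOMPROTECT | PF_NORANDMMAP;
    return set_pax_flags(img, len, f);
}

int main(void) {
    uint8_t img[256];
    size_t n = build_image(img, sizeof img, PF_PAGEEXEC | PF_MPROTECT | PF_RANDMMAP);
    printf("MPROTECT before: %+d\n", marking(get_pax_flags(img, n), PF_MPROTECT, PF_NOMPROTECT));
    strip_protections(img, n);
    printf("MPROTECT after:  %+d\n", marking(get_pax_flags(img, n), PF_MPROTECT, PF_NOMPROTECT));
    return 0;
}
```

Two caveats a practitioner will want: whether an unset marking means "on" or "off" is decided kernel-side (PaX soft mode enables a feature only when its PF_* bit is set; hard mode enables it unless the PF_NO* bit is set), and a grsecurity kernel can be configured to ignore PT_PAX_FLAGS altogether in favour of xattr markings or a fixed policy, which is the mitigation for the weakness this example demonstrates. The image here is hand-built; on a real binary the same header is read and written by `paxctl -v` / `paxctl -m`.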

