Hi Kevin,

I'm just a beginner like you, but here is my take on things.

>That last sentence describes me, so I go there...
>
>So I follow the _Gentoo Hardened_ link which points to
>http://hardened.gentoo.org from which I get redirected to
>http://www.gentoo.org/proj/en/hardened/
>
>Here I see a link: _SELinux x86 Install Guide_ which I followed.
>
>

Yep, looking at the docs you came to a reasonable conclusion. However,
the fact remains, if you re-read that page closely and read the couple of
previous threads on this list (in the last few days), you can see that
the "Hardened" project (capital H) covers a host of technologies. Some
are patches to gcc or the kernel to basically tackle "stack overflows"
(see Ned Ludd's links for a better description); this means
hardened-gcc + a PaX kernel, i.e. grsecurity. The other side of hardened
is kernel level mandatory access controls, i.e. even root can't do
everything (this brings linux up to the security levels of a *well* set up
Windows machine, *dig, dig*) - this is the selinux part.

So the hardened stages are compiled with a compiler that has added some
extra code to watch for the stack being trampled. SELinux stages refer
to using a kernel that has access controls *on every file*.

Unfortunately you and I have arrived at a time when the gcc stuff is
being migrated from an old style way of doing things to a much more
gentoo and integrated way. In fact I get the impression that once this
is sorted, then the whole of gentoo will likely get the "hardened"
(little h) flag set by default...? However, right now, it's slightly
broken I think?


>Um... I'm trying to build a production server here. Should I stay away
>from this stuff? It sounds like kinks and problems and documentation are
>still being worked out. If I want a Gentoo server and I want it to be
>providing public services on the Internet (albeit through a firewall),
>what plan should I be using here (ie, what combination of boot CD image,
>stage1 tarball, and documentation URL should I be using?)?
>

Tough call really... Let's look at it this way. I haven't tried Suse,
but I am building my gentoo server to replace a Redhat webserver. I
really like the way it just stays up to date, no fiddling round with
packages and conf files every time you update. I have also never had a
problem with updating to later versions of packages either, which is
something that terrifies me on a production machine, and although I have
read stories of other people getting caught, it is really easy to roll
back to the older package if necessary!

However, the hardened project is taking some really complex stuff and
integrating it into the gentoo system so that you can just click a
button and have it work. This will be really worth having, but since
you are probably a busy sysadmin with little appetite to take risks on a
system right now, then I would suggest that you be cautious about
getting on the bleeding edge.

Why not look to take the stage2-hardened build (if there is such a
thing), and ignore the selinux stuff for the time being? I'm in pretty
much the same situation, but having 2 gentoo servers already I have a
bit more confidence. However, I am considering starting with a stage-x
hardened (and then pretty much following the normal gentoo install).

You need some confirmation from the experts, but with the hardened
builds, it is basically a normal install but with a different compiler,
and choose a PaX kernel as well. You need confirmation though as to
whether:

a) you stick with the hardened gcc ebuild which is now obsolete
b) upgrade to gcc 3.3.2 which is stable, and add -fstack-protector to
your CFLAGS
c) upgrade to gcc 3.3.3-r2 and hope that none of the bugs bite (less
likely with a stage-2 or stage-3 build...?), and add USE="hardened"

b) is the safest for a production machine, and worst case you will have
less protection than you wanted, but better than a standard build.
Everything should compile ok.

>I've already
>uncovered a bug in the ebuild for the gs_sources kernel (involving the
>Device Mapper patch) which is supposedly for production servers.
>

Bad luck. gs_sources is slightly unstable I think? Well, remember that
it isn't a Linus kernel so it is going to be patches that haven't been
merged into stable yet.... I think it was just bad luck though, you
would presumably have the same problems if you took a stable kernel and
added your own patches... Personally I prefer the 2.6 kernels, try -mm
for a bleeding edge that seems to be pretty stable.

>I'm
>starting to get the impression that Gentoo is just not ready (with or
>without Hardened or SELinux) for production servers,
>

Disagree, but in return for possibly finding a few bugs, you get a
lovely distribution. Redhat and Suse have plenty of gremlins in my
experience. You have been unfortunate to find a few in Gentoo.

Personally, I found that all problems I ever found in gentoo were fairly
easy to fix, and I wouldn't class myself as much of a linux expert. In
contrast I can do a lot more with gentoo than with my redhat machines.
Well worth it in my experience.

>and almost certainly
>not with Hardened or SELinux.
>

Perhaps... I haven't used hardened enough to comment. But from what I
have seen, this time next year all linux builds will be "hardened"
(little h), and secure sites will use selinux. I can't see selinux
becoming mainstream for a good few years yet though.

Consider trying selinux only via user-mode linux for now...?

>Could someone give me the skinny on this?
>Am I barking up the wrong tree trying to use Gentoo to build a production
>server? Though I'm no developer, I am a reasonably sophisticated Linux
>geek with about 9 years doing sysadmin on Linux boxen, and I'm having
>real problems here. Should I go back to SuSE?
>

Nah. You will find gentoo a piece of cake.

The situation is as clear as this. Gentoo has a dead easy installer,
but it is manual, i.e. you read the docs, type in all the commands in
sequence, and you get a build out the other end. After that it takes
about 10 mins a month to keep it up and running. Other distros are
easier to get going, but to be honest, after I built the first few
machines I have absolutely no problem with the manual setup - agreed it
looks annoying the first time (actually I think a small shell script
would just do the whole lot and I wonder why there aren't more basic
installers available..?)

Suggest that if you have probs then just revert to a normal gentoo
build. Follow the install, perhaps with a stage-2 or 3 the first time,
and play with the finished machine. Then try again with hardened or
whatever. The point is it is pretty easy when you have done it once,
and worth the effort.

Ed W

-- 
gentoo-hardened@g.o mailing list
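Editor's added illustration (not part of Ed's mail, and not code from the Gentoo Hardened project or gcc) of what the "extra code to watch for the stack being trampled" in the hardened-gcc / -fstack-protector option above actually does. The frame layout, the fixed guard value `CANARY_VALUE` and the function names are constructed for this toy model: the compiler places a guard word between a function's local buffers and its saved control data at entry, and checks it before returning, so an overlong copy that runs off the end of the buffer is detected before the corrupted frame is used.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of a protected stack frame. The layout and the fixed guard
 * value are constructed for this illustration; gcc lays out real frames
 * differently and picks the canary at random at process start. */
struct frame {
    char     buf[16];    /* local buffer that an overlong copy tramples */
    uint64_t canary;     /* guard placed between the buffer and control data */
    uint64_t saved_ret;  /* stand-in for the saved return address */
};

#define CANARY_VALUE UINT64_C(0x5a5a5a5a5a5a5a5a)  /* constructed, not random */

/* "Prologue": the code the compiler inserts at function entry. */
static void frame_enter(struct frame *f)
{
    memset(f->buf, 0, sizeof f->buf);
    f->canary = CANARY_VALUE;
    f->saved_ret = UINT64_C(0xdeadbeef);  /* placeholder return address */
}

/* An unchecked copy into buf: the kind of bug the guard is meant to catch.
 * Writes go through a byte pointer and are clamped to the frame size so the
 * demo never leaves the object it owns. */
static void unchecked_copy(struct frame *f, const char *src, size_t n)
{
    unsigned char *dst = (unsigned char *)f;
    if (n > sizeof *f)
        n = sizeof *f;
    for (size_t i = 0; i < n; i++)
        dst[i] = (unsigned char)src[i];
}

/* "Epilogue": the check emitted before return. With -fstack-protector a
 * mismatch calls __stack_chk_fail() and aborts the process rather than
 * returning through corrupted control data. Returns 1 if intact, 0 if not. */
static int frame_leave(const struct frame *f)
{
    return f->canary == CANARY_VALUE;
}

/* Copy n bytes of src into the protected frame and report whether the
 * epilogue check would have allowed a normal return. */
int protected_copy_ok(const char *src, size_t n)
{
    struct frame f;
    frame_enter(&f);
    unchecked_copy(&f, src, n);
    return frame_leave(&f);
}

int main(void)
{
    /* constructed input: 32 'A' bytes, longer than the 16-byte buffer */
    const char *input = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
    printf("16 bytes: %s\n", protected_copy_ok(input, 16) ? "ok" : "smashed");
    printf("20 bytes: %s\n", protected_copy_ok(input, 20) ? "ok" : "smashed");
    return 0;
}
```

The 20-byte copy corrupts the guard without reaching `saved_ret`, which is the point of placing the canary first: the check fires on any overrun of the buffer, not only on one that reaches the return address. With the real flag nothing in the source changes; gcc emits the prologue and epilogue itself for functions that hold character arrays. After rebuilding with the new CFLAGS, a quick way to confirm the protection was actually compiled in is to look for the protector's failure handler in the binary's symbol table (current gcc emits a reference to `__stack_chk_fail`).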