1 |
On Tue, Jun 9, 2009 at 14:44, Jan Klod<janklodvan@×××××.com> wrote: |
2 |
> 1) how big are possible risks of hardened gentoo system compromise, if apache |
3 |
> is run normally, therefore a need of chrooting? |
4 |
|
5 |
Mildly less than that a non-hardened system. All the stack-smashing |
6 |
and memory protections in the world won't protect you against a |
7 |
poorly-configured system. A hardened system would reduce the |
8 |
probability of a remote Apache compromise, but does little to prevent |
9 |
damage once the compromise has been made. |
10 |
|
11 |
> 2) suppose I chroot Apache: what chances it still has to harm something in the |
12 |
> outside OS? My knowledge about various system capabilities, network etc is |
13 |
> too little, so enlighten me... And how big is an Apache chroot? |
14 |
|
15 |
Less chance if you've turned on the hardened kernel's chroot() |
16 |
protections (see http://www.grsecurity.net/features.php for the list). |
17 |
In a nutshell, said restrictions address the known set of jailbreak |
18 |
tricks, helping keep a chroot() really a chroot(). There's still the |
19 |
[very] outside chance that a kernel 0-day or previously unknown |
20 |
jailbreak may pop up, but your attack surface is definitely lessened. |
21 |
|
22 |
Size is variable - basically, you need the binary that's going to run, |
23 |
all its libraries, and the on-disk data it will need to access (static |
24 |
pages, etc.). I'm seeing 2.7M taken up by my basic apache-2.2.11 |
25 |
install, of which ~2.1M is the actual binaries, modules, etc. Add in |
26 |
the ~3.8M of objects the apache2 binary links against, various bits of |
27 |
configuration, and you're looking at roughly 6M for an unoptimized |
28 |
chroot. Look at one of the many chroot() preparation tools available |
29 |
in portage (emerge -S chroot) for easy ways to set up clean chroot() |
30 |
environments without any missing libraries. |
31 |
|
32 |
> And by the way, how big are the risks for sshd and ntpd to open up a way into |
33 |
> the hardened gentoo system? Can that recent ntp glsa be ignored, if its |
34 |
> hardened with memory protections? |
35 |
|
36 |
The NTP GLSA was a very specific one, addressing users that had not |
37 |
only compiled net-misc/ntp against OpenSSL, but had also configured |
38 |
the non-default 'autokey' authentication mechanism. I've not examined |
39 |
this particular compromise further to see whether the hardened stack |
40 |
would protect against it, but it has before in similar situations. |
41 |
SSH always increases your risk, but large portions of that may be |
42 |
mitigated with ACLs, strong authentication, and restrictive |
43 |
configurations. |
44 |
|
45 |
The suggestions of virtual machines are good, but are much more |
46 |
heavyweight solutions, resulting in good separation at the expense of |
47 |
resources. Even so, they cannot protect against poor configuration |
48 |
(nothing does) and may add complexity you're not willing to engage. |
49 |
|
50 |
SELinux (rather, a mandatory access control or MAC) is another option, |
51 |
but more augments chroot or virtualization mechanisms rather than |
52 |
replaces them. If you choose to pursue this route, I highly suggest |
53 |
at least looking at the grsecurity RBAC that is built into (and |
54 |
supported in) the hardened-sources kernel. |