| 1 |
On Tue, Jun 9, 2009 at 14:44, Jan Klod<janklodvan@×××××.com> wrote: |
| 2 |
> 1) how big are possible risks of hardened gentoo system compromise, if apache |
| 3 |
> is run normally, therefore a need of chrooting? |
| 4 |
|
| 5 |
Mildly less than that a non-hardened system. All the stack-smashing |
| 6 |
and memory protections in the world won't protect you against a |
| 7 |
poorly-configured system. A hardened system would reduce the |
| 8 |
probability of a remote Apache compromise, but does little to prevent |
| 9 |
damage once the compromise has been made. |
| 10 |
|
| 11 |
> 2) suppose I chroot Apache: what chances it still has to harm something in the |
| 12 |
> outside OS? My knowledge about various system capabilities, network etc is |
| 13 |
> too little, so enlighten me... And how big is an Apache chroot? |
| 14 |
|
| 15 |
Less chance if you've turned on the hardened kernel's chroot() |
| 16 |
protections (see http://www.grsecurity.net/features.php for the list). |
| 17 |
In a nutshell, said restrictions address the known set of jailbreak |
| 18 |
tricks, helping keep a chroot() really a chroot(). There's still the |
| 19 |
[very] outside chance that a kernel 0-day or previously unknown |
| 20 |
jailbreak may pop up, but your attack surface is definitely lessened. |
| 21 |
|
| 22 |
Size is variable - basically, you need the binary that's going to run, |
| 23 |
all its libraries, and the on-disk data it will need to access (static |
| 24 |
pages, etc.). I'm seeing 2.7M taken up by my basic apache-2.2.11 |
| 25 |
install, of which ~2.1M is the actual binaries, modules, etc. Add in |
| 26 |
the ~3.8M of objects the apache2 binary links against, various bits of |
| 27 |
configuration, and you're looking at roughly 6M for an unoptimized |
| 28 |
chroot. Look at one of the many chroot() preparation tools available |
| 29 |
in portage (emerge -S chroot) for easy ways to set up clean chroot() |
| 30 |
environments without any missing libraries. |
| 31 |
|
| 32 |
> And by the way, how big are the risks for sshd and ntpd to open up a way into |
| 33 |
> the hardened gentoo system? Can that recent ntp glsa be ignored, if its |
| 34 |
> hardened with memory protections? |
| 35 |
|
| 36 |
The NTP GLSA was a very specific one, addressing users that had not |
| 37 |
only compiled net-misc/ntp against OpenSSL, but had also configured |
| 38 |
the non-default 'autokey' authentication mechanism. I've not examined |
| 39 |
this particular compromise further to see whether the hardened stack |
| 40 |
would protect against it, but it has before in similar situations. |
| 41 |
SSH always increases your risk, but large portions of that may be |
| 42 |
mitigated with ACLs, strong authentication, and restrictive |
| 43 |
configurations. |
| 44 |
|
| 45 |
The suggestions of virtual machines are good, but are much more |
| 46 |
heavyweight solutions, resulting in good separation at the expense of |
| 47 |
resources. Even so, they cannot protect against poor configuration |
| 48 |
(nothing does) and may add complexity you're not willing to engage. |
| 49 |
|
| 50 |
SELinux (rather, a mandatory access control or MAC) is another option, |
| 51 |
but more augments chroot or virtualization mechanisms rather than |
| 52 |
replaces them. If you choose to pursue this route, I highly suggest |
| 53 |
at least looking at the grsecurity RBAC that is built into (and |
| 54 |
supported in) the hardened-sources kernel. |
Archives