Gentoo Archives: gentoo-hardened

From: "Javier J. Martínez Cabezón" <tazok.id0@×××××.com>
To: gentoo-hardened@l.g.o
Subject: Re: [gentoo-hardened] "How hard" is Linux kernel-side hardening?
Date: Sun, 20 Sep 2009 15:14:19
In Reply to: Re: [gentoo-hardened] "How hard" is Linux kernel-side hardening? by Marco Venutti
1 There is not a complete reference if not a lot of tips to close little
2 doors instead, for example, you can implement a trusted path execution
3 and forbid execution to nothing more that the common binaries and
4 libraries (/bin /sbin /usr/bin /lib etc) to avoid exploits, you could
5 restrict the interpretation of scripts (in the way of "perl
6", forbidding people to use perl to avoid the
7 TPE). You could restrict the missuse of TIOCSTI call to avoid fake
8 instructions insertion in "an privilege user tty" by a compromised
9 root (I don't know if this could be done in grsecurity).
11 Another question that I think grsec lacks is the control of which
12 SETUID binary could change to which uid (for example, permit only
13 login to change to the uid 1000 and not 80), or forbid setuid if the
14 user does not authenticate itself against the kernel (with a password
15 in for example sshd, so remote exploits which affect priviledge parts
16 of sshd only could change to uid 22 and not to root or those which
17 affect login could be controlated)
19 However there is a lot of questions to control a few documentation to it.
22 2009/9/20, Marco Venutti <veeenrg@×××××.com>:
23 > Hi,
24 >
25 > --[cut]--
26 > The jail bug were corrected long ago, and was limited to this module
27 > only (in rsbac petitions pass to all modules that are stacked, not
28 > only this one, and if only one module deny the request, is denied
29 > forever though jail don't work properly).
30 > --[cut]--
31 >
32 > Since I'm a recent Linux user and I'm not a security cultured,
33 > I've chosen GR-Security, as starting point,
34 > because of its user-friendliness, in fact you can enforce,
35 > the bare kernel, also if you are not deeply experienced
36 > in Linux security...
37 > this is my case, so I appreciate this opportunity!
38 >
39 > I've started from the "Gentoo Hardened Workstation"
40 > profile and, then, I've done some gradm experiments...
41 > these facts in the near past.
42 >
43 > I consider myself illiterate, in matter of security,
44 > but I'd like to load, a little-little-bit, my lacunas,
45 > just for the intellectual pleasure, I feel in satisfy
46 > my curiousity.
47 >
48 > I'm not a professional, thus I don't have
49 > servers to manage, just a couple of workstations,
50 > so my needs are, probably, easier to fit...
51 > no special high security enforcements are required;
52 > this should also be good because gives me
53 > the chance to start little, 'cause, in effect I've
54 > little needs!
55 >
56 > Today is Sunday and I can read some docs,
57 > I'm interested in RSBAC and I'm starting to read
58 > RSBAC handbook, but at the moment I'm
59 > using, yet, GR-Security beacuse of the previous
60 > concept.
61 >
62 > I'll be glad if there's anybody willing
63 > to indicate me any non-official-but-good how-to
64 > and/or any sort of tip useful to get done
65 > to "lock-down" my workstation about RSBAC,
66 > but I'll appreciate GR-Sec.'s.
67 > This section is intended to be a request of
68 > a little help and does not mean:
69 > "Is there anybody does my task, plese?"
70 > I've specified the sense of the statement,
71 > just to clear every possible ambiguity.
72 >
73 >
74 > I wish you a good sunday afternoon ;-)
75 >


Subject Author
Re: [gentoo-hardened] "How hard" is Linux kernel-side hardening? "Javier J. Martínez Cabezón" <tazok.id0@×××××.com>
Re: [gentoo-hardened] "How hard" is Linux kernel-side hardening? Marco Venutti <veeenrg@×××××.com>