Gentoo Archives: gentoo-hardened

From: Marco Venutti <veeenrg@×××××.com>
To: gentoo-hardened@l.g.o
Subject: Re: [gentoo-hardened] "How hard" is Linux kernel-side hardening?
Date: Sat, 19 Sep 2009 20:25:41
Message-Id: 478d5e250909191325p559a9f2bkdfb638c1664b1e66@mail.gmail.com
In Reply to: Re: [gentoo-hardened] "How hard" is Linux kernel-side hardening? by atoth@atoth.sote.hu
--[cut]--
User-friendliness depends on the level of security you want to implement.
I use a rather lazy grsecurity policy, but I still have to update it
approximately every two weeks - as new applications come by.
--[cut]--

I don't expect miracles; on the other hand, I can dedicate approximately
4 hours a week to tuning and updating. I know it's not much, but I have
to face this boundary.

--[cut]--
> If I've understood correctly GR-Security could
> be the best choice for desktop and RSBAC the
> best choice for server...isn't it?
--[cut]--

I understand what you mean, but everything can be learned, so if something I'm not using now has a shorter history of exploitable bugs, I'll be happy to move to that solution! At the moment I'm using grsecurity; I believe (and hope) it is decently affordable, in the sense of the shortest possible history of serious breaches/holes, but I've not done a really in-depth analysis, just some googling on these topics. My first grsec configuration was set up on a "Gentoo Workstation" profile, then tuned to best fit my laptop's needs.

--[cut]--
You forgot to mention SSP (stack-smashing protection).
--[cut]--

I didn't forget it, but I'd like to primarily focus on RSBAC and GR-Sec, and I didn't want to be wordier than I naturally am, so I had to make a selection and I excluded it. Nothing personal, just the need to be synthetic... in some way... I know this exclusion is questionable... I'm sorry if this hurt you, because you like SSP ;-) I mentioned SELinux 'cause it is well known and it is inside the vanilla kernel, so in some way including SELinux is a must in a topic like this! On AppArmor I spent a few words just because it comes with Ubuntu, which is one of the most widespread Linux distros.

--[cut]--
You'll never find perfect security.
--[cut]--

I totally agree with this statement! Sadly :-(

--[cut]--
Every software - even OBSD - has bugs.
--[cut]--

I'd like to make clear I'm not an OBSD super-fan; it is only a term of comparison, just an example, not propaganda (which I personally dislike).

--[cut]--
Let me ask you just one thing. Please point me to an OBSD alternative of the wide variety of Linux hardening solutions (SELinux, RSBAC, AppArmor or grsecurity).
--[cut]--

OpenBSD has neither the hardware support nor the opportunity of choice that only Linux can offer us; that's why I love Linux and that's why I'm looking at hardening Linux rather than using OBSD, because I prefer Linux!!
I agree Linux has a lot of hardening solutions and different approaches, I love it! In a perfect world I would have time to perfectly master every patch and then consciously choose the one that best suits my needs... Coming back to the real world, I have few hours a week and I have to find out what to study... I'd like to focus on one approach, hoping this will lead me, in the future, to a decent level of knowledge. Obviously I'm aware that with few hours I'll never be up-to-date and seriously skilled, but I think some hours are better than zero hours, and I hope I'll be a bit more cultured about security.

--[cut]--
Sacrifices must be made according to the level of security you are targeting.
--[cut]--

I have to start not from the level of security I'd like to get, but from the time I can dedicate... I mean: these are the X hours I can dedicate; inside this peremptory limit I can be free... It's sad, but it's so... Anyway, I have faith! Good evening ;-)

Replies

Subject Author
Re: [gentoo-hardened] "How hard" is Linux kernel-side hardening? Natanael Copa <natanael.copa@×××××.com>