| 1 |
On Szo, Szeptember 19, 2009 18:13, Marco Venutti wrote: |
| 2 |
> SELinux is included in the vanilla, |
| 3 |
> this sounds good, but mastering |
| 4 |
> SELinux is a long run |
| 5 |
> (a lot of time to invest in it) |
| 6 |
... |
| 7 |
> AppArmor, recently included in the Ubuntu-family, |
| 8 |
> seems to be something like SELinux, but more |
| 9 |
> user-friendly. I mean both (SELinux and AppArmor) |
| 10 |
> have the intention to limitate damages coming from |
| 11 |
> a compromised service. If I'm wrong feel free to |
| 12 |
> clear my error. |
| 13 |
|
| 14 |
Some security solutions you've mentioned above use LSM included in |
| 15 |
vanilla. However not all security solutions keen on LSM: |
| 16 |
http://www.grsecurity.net/lsm.php |
| 17 |
http://www.rsbac.org/documentation/why_rsbac_does_not_use_lsm |
| 18 |
|
| 19 |
> RSBAC seems to be hard on first approach, |
| 20 |
> but much more flexible than GR-Security; |
| 21 |
> on the other hand GR-Security has a good |
| 22 |
> appeal if we're looking for an easy and fast way |
| 23 |
> to lock down a desktop or a laptop, since it |
| 24 |
> is "user-friendly ;-)" to install and set up |
| 25 |
> and grants a good level of security. |
| 26 |
|
| 27 |
User-friendlyness depends on the level of security you want to implement. |
| 28 |
I use a rather lazy grsecurity policy, but I still have to update it |
| 29 |
approximately every two weeks - as new applications come by. |
| 30 |
|
| 31 |
> If I've understood correctly GR-Security could |
| 32 |
> be the best choice for desktop and RSBAC the |
| 33 |
> best choice for server...isn't it? |
| 34 |
|
| 35 |
I'm not deeply into RSBAC's magic, but I think the best choice is the tool |
| 36 |
you are more experienced in. |
| 37 |
|
| 38 |
> What about overhead...I mean I see GRsec. |
| 39 |
> has good performances, but I heard RSBAC |
| 40 |
> is not so-light...have you experienced this |
| 41 |
> slowlyness or it was, only present, in early |
| 42 |
> releases? |
| 43 |
|
| 44 |
Running my machine PaX enabled while grsecurity policies are active have a |
| 45 |
definite impact on my machine's performance. I guess it depends on the |
| 46 |
architecture (if you have NX-bit) and may be on how bulky your policy is. |
| 47 |
Mine is over 100k. Sometimes X don't like PaX & low-latency preemption |
| 48 |
combo (X pointer freezes). If I switch off preemption, it also slows it |
| 49 |
down a bit. |
| 50 |
|
| 51 |
You forgot to mention SSP (stack-smashing protection). It's an application |
| 52 |
level protection, must be compiled in. It also has a performance impact. |
| 53 |
I prepare my presentations on my laptop, which runs an SSP-enabled |
| 54 |
OpenOffice. However I prefer to use a non-hardened machine for the actual |
| 55 |
performance. Flipping form one slide to another is considerably slower on |
| 56 |
my hardened machine, but I don't want to force my audience to sleep. For |
| 57 |
personal use I would never use an ordinary office suite. But I don't care |
| 58 |
about the machine the organizers make me available because I transfer my |
| 59 |
document only in one direction. |
| 60 |
|
| 61 |
> Back to subject of my post: |
| 62 |
> "How hard" is Linux...hardening? |
| 63 |
|
| 64 |
It's not that easy and perhaps it depends on one's personal skills. |
| 65 |
However I think it's addictive. |
| 66 |
My motto is: "If you go Hardened, you cant stop it." |
| 67 |
|
| 68 |
> In the end, after long time tuning |
| 69 |
> do, these tools, grant us an high level security? |
| 70 |
|
| 71 |
You'll never find perfect security. |
| 72 |
|
| 73 |
> I mean: |
| 74 |
> Grsecurity had suffered of a return into libc exploit |
| 75 |
> that bypassed its protection. Grsecurity had also |
| 76 |
> a PaX-disabled bug in the past that expose |
| 77 |
> machines to risks. |
| 78 |
|
| 79 |
Every software - even OBSD - has bugs. |
| 80 |
|
| 81 |
> Recently I've read something about a 2.6.30 bug |
| 82 |
> which makes useless, enforcement like SELinux, |
| 83 |
> AppArmor and so on... |
| 84 |
|
| 85 |
Watch out for 2.6.31 perf_counter 0day: |
| 86 |
http://www.youtube.com/watch?v=ShoAOdx0K7I |
| 87 |
|
| 88 |
> so I'm wondering if it is possible to harden Linux |
| 89 |
> the way you can leave it online with, approximately, |
| 90 |
> the same (high) probability, it won't be compromised |
| 91 |
> as OpenBSD does. |
| 92 |
|
| 93 |
Let me ask you just one thing. Please point me to an OBSD alternative of |
| 94 |
the wide variety of Linux hardening solutions (SELinux, RSBAC, AppArmor or |
| 95 |
grsecurity). Like TrustedBSD has FLASK/SEBSD implemented, analogous to |
| 96 |
SELinux. Solaris has trusted extensions. |
| 97 |
|
| 98 |
> I'm sure there are many skilled people, reading |
| 99 |
> this mailing list, so I'll appreciate if someone |
| 100 |
> will be patient and will enlighten me, giving some |
| 101 |
> impartial inputs on what to study in my spare time. |
| 102 |
|
| 103 |
I'm not a security expert. |
| 104 |
|
| 105 |
Every system must be maintained to keep it up-to-date. If you think that |
| 106 |
you don't have to spare time on it: that is a false sense of security. |
| 107 |
Sacrifices must be made according to the level of security you are |
| 108 |
targeting. |
| 109 |
|
| 110 |
Hardened Gentoo offers several possibilities to choose between. It's fun! |
| 111 |
|
| 112 |
Regards: |
| 113 |
Dw. |
| 114 |
-- |
| 115 |
dr Tóth Attila, Radiológus, 06-20-825-8057, 06-30-5962-962 |
| 116 |
Attila Toth MD, Radiologist, +36-20-825-8057, +36-30-5962-962 |
Archives