On Sat, September 19, 2009 18:13, Marco Venutti wrote:
> SELinux is included in the vanilla,
> this sounds good, but mastering
> SELinux is a long run
> (a lot of time to invest in it)
...
> AppArmor, recently included in the Ubuntu-family,
> seems to be something like SELinux, but more
> user-friendly. I mean both (SELinux and AppArmor)
> have the intention to limit damages coming from
> a compromised service. If I'm wrong feel free to
> clear my error.

Some security solutions you've mentioned above use LSM included in
vanilla. However not all security solutions are keen on LSM:
http://www.grsecurity.net/lsm.php
http://www.rsbac.org/documentation/why_rsbac_does_not_use_lsm
|
> RSBAC seems to be hard on first approach,
> but much more flexible than GR-Security;
> on the other hand GR-Security has a good
> appeal if we're looking for an easy and fast way
> to lock down a desktop or a laptop, since it
> is "user-friendly ;-)" to install and set up
> and grants a good level of security.
|
User-friendliness depends on the level of security you want to implement.
I use a rather lazy grsecurity policy, but I still have to update it
approximately every two weeks - as new applications come by.
|
> If I've understood correctly GR-Security could
> be the best choice for desktop and RSBAC the
> best choice for server...isn't it?
|
I'm not deeply into RSBAC's magic, but I think the best choice is the tool
you are more experienced in.
|
> What about overhead...I mean I see GRsec.
> has good performances, but I heard RSBAC
> is not so-light...have you experienced this
> slowness or it was, only present, in early
> releases?
|
Running my machine PaX enabled while grsecurity policies are active has a
definite impact on my machine's performance. I guess it depends on the
architecture (if you have NX-bit) and maybe on how bulky your policy is.
Mine is over 100k. Sometimes X doesn't like the PaX & low-latency preemption
combo (X pointer freezes). If I switch off preemption, it also slows it
down a bit.
|
You forgot to mention SSP (stack-smashing protection). It's an application
level protection, must be compiled in. It also has a performance impact.
I prepare my presentations on my laptop, which runs an SSP-enabled
OpenOffice. However I prefer to use a non-hardened machine for the actual
performance. Flipping from one slide to another is considerably slower on
my hardened machine, but I don't want to force my audience to sleep. For
personal use I would never use an ordinary office suite. But I don't care
about the machine the organizers make available to me because I transfer my
document only in one direction.
|
> Back to subject of my post:
> "How hard" is Linux...hardening?
|
It's not that easy and perhaps it depends on one's personal skills.
However I think it's addictive.
My motto is: "If you go Hardened, you can't stop it."
|
> In the end, after long time tuning
> do, these tools, grant us a high level security?
|
You'll never find perfect security.
|
> I mean:
> Grsecurity had suffered from a return into libc exploit
> that bypassed its protection. Grsecurity had also
> a PaX-disabled bug in the past that exposed
> machines to risks.
|
Every software - even OBSD - has bugs.
|
> Recently I've read something about a 2.6.30 bug
> which makes useless, enforcement like SELinux,
> AppArmor and so on...
|
Watch out for 2.6.31 perf_counter 0day:
http://www.youtube.com/watch?v=ShoAOdx0K7I
|
> so I'm wondering if it is possible to harden Linux
> the way you can leave it online with, approximately,
> the same (high) probability, it won't be compromised
> as OpenBSD does.
|
Let me ask you just one thing. Please point me to an OBSD alternative of
the wide variety of Linux hardening solutions (SELinux, RSBAC, AppArmor or
grsecurity). Like TrustedBSD has FLASK/SEBSD implemented, analogous to
SELinux. Solaris has trusted extensions.
|
> I'm sure there are many skilled people, reading
> this mailing list, so I'll appreciate if someone
> will be patient and will enlighten me, giving some
> impartial inputs on what to study in my spare time.
|
I'm not a security expert.
|
Every system must be maintained to keep it up-to-date. If you think that
you don't have to spare time on it: that is a false sense of security.
Sacrifices must be made according to the level of security you are
targeting.
|
Hardened Gentoo offers several possibilities to choose between. It's fun!
|
Regards:
Dw.
--
dr Tóth Attila, Radiológus, 06-20-825-8057, 06-30-5962-962
Attila Toth MD, Radiologist, +36-20-825-8057, +36-30-5962-962 |