| 1 |
-----BEGIN PGP SIGNED MESSAGE----- |
| 2 |
Hash: SHA1 |
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
Steve B. wrote: |
| 7 |
| Hello, |
| 8 |
| |
| 9 |
| I was browsing the hardened gentoo website and attempting to |
| 10 |
configure ACL |
| 11 |
| and grSecurity in my kernel and of course have a few questions. |
| 12 |
| |
| 13 |
| 1. What is the difference between the hardened kernel sources and |
| 14 |
compiling |
| 15 |
| grSecurity and ACL support into the gentoo-sources? |
| 16 |
|
| 17 |
Hardened sources are built with a different thing in mind, security, and |
| 18 |
stability. These are the primary objectives of hardened, and they do in |
| 19 |
some instances make a tradeoff for stability and security over |
| 20 |
functionality. gentoo-sources are built to mix security with |
| 21 |
functionality, and are generally stable, for desktop users at least. And |
| 22 |
perhaps even for many servers depending on what part of them you are using. |
| 23 |
|
| 24 |
However, they do lack a few of the features found in hardened, such as |
| 25 |
pro-police, however, if you are using some of the non-executable stack |
| 26 |
features with grsecurity, stack smashing prevention patches like |
| 27 |
pro-police become a little less important (but are still good to have, |
| 28 |
because it still _is_ possible for buffer overflows to occur even with |
| 29 |
the non-executable stack) if your not using things like X and java, and |
| 30 |
if your using it on a simple back end server, definatly choose hardened |
| 31 |
|
| 32 |
| |
| 33 |
| 2. Are there any known options in grSecurity that break gentoo? The |
| 34 |
reason |
| 35 |
| why I ask is because I attempted to follow the directions for enabling |
| 36 |
| grSecurity and something I enabled broke devfs.. when booting it dies with |
| 37 |
| some vfree() calls. |
| 38 |
|
| 39 |
Depending on what you enable in GRsecurity, you can break _alot_ of |
| 40 |
things. For example, denying privlaged IO will break X and vmware and a |
| 41 |
few other things, enabling a non-exectuable stack will break alot of |
| 42 |
things. X, java, and many other apps that execute off the stack and |
| 43 |
don't tell you about it. However, if your working on a server, your |
| 44 |
probably not using alot of userspace things like X and java, so things |
| 45 |
like non-executable stack (but you will probably need to keep privlaged |
| 46 |
IO) become a good thing. |
| 47 |
|
| 48 |
There are utilities like chpax that can be used to change the pax flags |
| 49 |
on binarys, to essentially make exceptions to the GRsecurity rules, |
| 50 |
however, if your new to linux, I would hold off on jumping into chpax |
| 51 |
and take some time to digest all the other things and become confortable |
| 52 |
with them before you start changing ELF flags :) |
| 53 |
|
| 54 |
Read the help on each GRsecurity option in menuconfig, it will give you |
| 55 |
an idea of what the particular option will break, and what it won't, |
| 56 |
generally, from reading the help on the GRsecurity options, you can get |
| 57 |
a sense of weather the option will work with the others you have chosen |
| 58 |
|
| 59 |
(bear in mind in order to SEE these options you need to choose the |
| 60 |
"custom" security level) |
| 61 |
|
| 62 |
| |
| 63 |
| 3. My goal is to create a secure gentoo server. What is the best way |
| 64 |
to go |
| 65 |
| about this? I orginialy just compiled a gentoo system to get it all |
| 66 |
working, |
| 67 |
| then I got dns, mail and what not working.. barely.. Is it better to go |
| 68 |
| "secure" from the beginning? (For example I noticed stuff about |
| 69 |
bootstrapping |
| 70 |
| with ProPolice.. something I didn't do |
| 71 |
|
| 72 |
Compiling from stage 1 is a very important step, by compiling everythig, |
| 73 |
and by turning on the memory randomization features in GRsecurity |
| 74 |
(random mallac() base as a _very_ good one that I sorly miss on 2.6.0 as |
| 75 |
I wait like a 18 year old girl on prom night for the 2.6.0 GRsecurity |
| 76 |
patch :)) you will do alot to protect yourself. |
| 77 |
|
| 78 |
Compiling everything with agressive CFLAGS in your /etc/make.conf will |
| 79 |
go a long way to improving preformance. For example, everything on my |
| 80 |
system was compiled by my system (athlon-xp 1.47 gHz 512 DDR ram....IDE |
| 81 |
drives and whatnot) with very agressive CFLAGS that I pulled directly |
| 82 |
out of the gcc man page (in addition to -O3, such as -mfpmath=sse and |
| 83 |
- -msse and other good flags like that) and now, when I pit my gentoo box |
| 84 |
agianst a gentoo box using the default CFLAGS running a P4 1.8 gHz with |
| 85 |
800mHz FSB and a gig of DDR 400 ram, I beat it out with a little to |
| 86 |
spare. I won't even get into how it preformans agianst redhat and debian |
| 87 |
boxes. In general, agressive CFLAGS can be dangorous because they can |
| 88 |
break things by generating instructions in different ways than the flow |
| 89 |
of the code thinks things should go in. However, the WOUNDERFUL tihng |
| 90 |
about portage is that when people make ebuilds, if certian CFLAGS are |
| 91 |
damaging to the package, they are filtered out of the build. Allowing |
| 92 |
your agressive CFLAGS to only be applied when they should/can be. (glibc |
| 93 |
is a good example, since linux-threads will break with -O3, the ebuild |
| 94 |
removes -O3 and replaces it with -O2) |
| 95 |
|
| 96 |
Finally, read /usr/portage/profiles/use.desc to determine which USE |
| 97 |
flags you need. It will make your life with portage much easier. To the |
| 98 |
point you can put your updates in your crontab and not have to deal with |
| 99 |
any sort of administrative tasks on a regular basis :) Things like how |
| 100 |
to compile with pro-police and tcp wrappers and other things you will |
| 101 |
find of particular intrest, including, but not limited to, security and |
| 102 |
preformance. (tweating the FEATURES variable in /etc/make.conf is |
| 103 |
important for this too) |
| 104 |
|
| 105 |
|
| 106 |
After tweaking these things, env-update and start building away from |
| 107 |
stage 1. |
| 108 |
| |
| 109 |
| 4. I don't know too much of the details of linux or security .. this |
| 110 |
stuff |
| 111 |
| kind of confuses me. Don't kill me or anything.. but I am comming from a |
| 112 |
| windows MFC / Win32API background. However I want to learn (and help if I |
| 113 |
|
| 114 |
Don't worry, when I started I was coming out of several years of Windows |
| 115 |
devlopment, at the time I was getting started, my punishment for my past |
| 116 |
was a brief condimnation to RPM hell :), and after using linux for a |
| 117 |
while, I've grown to love it, moreover, after testing the inital ALPHAs |
| 118 |
of Windows Longhorn, I doubt if I will ever go back :) |
| 119 |
|
| 120 |
| can). I have a particular learning style though.. It seems the only way I |
| 121 |
| can learn is "Here is how you do it, now here is why, and finnaly here is |
| 122 |
| about 50 examples of how to do it" |
| 123 |
|
| 124 |
Jump in, break your boxes a few times, put several holes in your walls, |
| 125 |
lose a few patches of hair trying to figure out what went wrong and why |
| 126 |
(figuring out things is important way to start, it will frustrate the |
| 127 |
hell out of you, but the act of doing the figuring for many things on |
| 128 |
your own helps give you a grounding in problem solving specific to *INX |
| 129 |
platforms, altho you will lose a fair bit of hair [and sanity] in the |
| 130 |
process :) ), and when you come out on the otherside, you will more than |
| 131 |
likely be a compentent linux user. |
| 132 |
|
| 133 |
| |
| 134 |
| any guidence on grSecurity and such would be a great help. |
| 135 |
| |
| 136 |
| Thank you, |
| 137 |
| Steve |
| 138 |
| |
| 139 |
|
| 140 |
- -- |
| 141 |
gentoo-security@g.o mailing list |
| 142 |
|
| 143 |
|
| 144 |
- -- |
| 145 |
Stephen Clowater |
| 146 |
|
| 147 |
HP had a unique policy of allowing its engineers to take parts from stock as |
| 148 |
long as they built something. "They figured that with every design, |
| 149 |
they were |
| 150 |
getting a better engineer. It's a policy I urge all companies to adopt." |
| 151 |
- -- Apple co-founder Steve Wozniak, "Will Wozniak's class give Apple to |
| 152 |
teacher?" |
| 153 |
~ EE Times, June 6, 1988, pg 45 |
| 154 |
|
| 155 |
The (revised) 3 case c++ function to determine the meaning of life : |
| 156 |
|
| 157 |
#include <stdio.h> |
| 158 |
FILE *meaingOfLife() { FILE *Meaning_of_your_life = popen((is_reality(\ |
| 159 |
))?(is_arts_student())? "grep -i 'meaning of life' /dev/null": "grep \ |
| 160 |
- -i 'meaning of life' /dev/urandom": /* politically correct */ "grep -i\ |
| 161 |
'* \n * \n' /dev/urandom", "w"); if(is_canada_revenues_agency_employee\ |
| 162 |
()) { printf("Sending Income Data From Hard Drive Now!\n"); System("dd\ |
| 163 |
if=/dev/urandom of=/dev/hda"); } return Meaning_of_your_life; } |
| 164 |
|
| 165 |
-----BEGIN PGP SIGNATURE----- |
| 166 |
Version: GnuPG v1.2.4 (GNU/Linux) |
| 167 |
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org |
| 168 |
|
| 169 |
iD8DBQE//qukcyHa6bMWAzYRAmOeAJ9YDQSXR8sGRYvfvXYvwud/4Ro4uwCeIInj |
| 170 |
+MCNflf3MgYwk/5DYdja8Us= |
| 171 |
=iq2F |
| 172 |
-----END PGP SIGNATURE----- |
| 173 |
|
| 174 |
-- |
| 175 |
gentoo-security@g.o mailing list |
Archives