Gentoo Archives: gentoo-security

From: Stephen Clowater <steve@×××××××××××××××××.org>
To: "Steve B." <rshadow@××××××××××××××.net>
Cc: gentoo-security@l.g.o
Subject: Re: [gentoo-security] grSecurity Information
Date: Fri, 09 Jan 2004 16:50:57
In Reply to: [gentoo-security] grSecurity Information by "Steve B."

Steve B. wrote:
| Hello,
|   I was browsing the hardened gentoo website and attempting to configure ACL
| and grSecurity in my kernel and of course have a few questions.
| 1. What is the difference between the hardened kernel sources and
| grSecurity and ACL support into the gentoo-sources?

Hardened sources are built with a different thing in mind: security and
stability. These are the primary objectives of hardened, and they do in
some instances make a tradeoff for stability and security over
functionality. gentoo-sources are built to mix security with
functionality, and are generally stable, for desktop users at least. And
perhaps even for many servers depending on what part of them you are using.

However, they do lack a few of the features found in hardened, such as
pro-police. However, if you are using some of the non-executable stack
features with grsecurity, stack smashing prevention patches like
pro-police become a little less important (but are still good to have,
because it still _is_ possible for buffer overflows to occur even with
the non-executable stack). If you're not using things like X and java, and
if you're using it on a simple back end server, definitely choose hardened.

| 2.  Are there any known options in grSecurity that break gentoo?  The
| why I ask is because I attempted to follow the directions for enabling
| grSecurity and something I enabled broke devfs.. when booting it dies with
| some vfree() calls.

Depending on what you enable in GRsecurity, you can break _a lot_ of
things. For example, denying privileged IO will break X and vmware and a
few other things, and enabling a non-executable stack will break a lot of
things: X, java, and many other apps that execute off the stack and
don't tell you about it. However, if you're working on a server, you're
probably not using a lot of userspace things like X and java, so things
like non-executable stack (but you will probably need to keep privileged
IO) become a good thing.

There are utilities like chpax that can be used to change the pax flags
on binaries, to essentially make exceptions to the GRsecurity rules.
However, if you're new to linux, I would hold off on jumping into chpax
and take some time to digest all the other things and become comfortable
with them before you start changing ELF flags :)

Read the help on each GRsecurity option in menuconfig; it will give you
an idea of what the particular option will break, and what it won't.
Generally, from reading the help on the GRsecurity options, you can get
a sense of whether the option will work with the others you have chosen.
(bear in mind in order to SEE these options you need to choose the
"custom" security level)

| 3.  My goal is to create a secure gentoo server.  What is the best way to go
| about this?  I originally just compiled a gentoo system to get it all
| then I got dns, mail and what not working.. barely..   Is it better to go
| "secure" from the beginning? (For example I noticed stuff about
| with ProPolice.. something I didn't do

Compiling from stage 1 is a very important step. By compiling everything,
and by turning on the memory randomization features in GRsecurity
(random malloc() base is a _very_ good one that I sorely miss on 2.6.0 as
I wait like a 18 year old girl on prom night for the 2.6.0 GRsecurity
patch :)) you will do a lot to protect yourself.

Compiling everything with aggressive CFLAGS in your /etc/make.conf will
go a long way to improving performance. For example, everything on my
system was compiled by my system (athlon-xp 1.47 GHz 512 DDR ram....IDE
drives and whatnot) with very aggressive CFLAGS that I pulled directly
out of the gcc man page (in addition to -O3, such as -mfpmath=sse and
-msse and other good flags like that) and now, when I pit my gentoo box
against a gentoo box using the default CFLAGS running a P4 1.8 GHz with
800MHz FSB and a gig of DDR 400 ram, I beat it out with a little to
spare. I won't even get into how it performs against redhat and debian
boxes. In general, aggressive CFLAGS can be dangerous because they can
break things by generating instructions in different ways than the flow
of the code thinks things should go in. However, the WONDERFUL thing
about portage is that when people make ebuilds, if certain CFLAGS are
damaging to the package, they are filtered out of the build, allowing
your aggressive CFLAGS to only be applied when they should/can be. (glibc
is a good example, since linux-threads will break with -O3, the ebuild
removes -O3 and replaces it with -O2)

Finally, read /usr/portage/profiles/use.desc to determine which USE
flags you need. It will make your life with portage much easier, to the
point you can put your updates in your crontab and not have to deal with
any sort of administrative tasks on a regular basis :) Things like how
to compile with pro-police and tcp wrappers and other things you will
find of particular interest, including, but not limited to, security and
performance. (tweaking the FEATURES variable in /etc/make.conf is
important for this too)

After tweaking these things, env-update and start building away from
stage 1.

| 4.  I don't know too much of the details of linux or security .. this
| kind of confuses me. Don't kill me or anything.. but I am coming from a
| windows MFC / Win32API background.  However I want to learn (and help if I

Don't worry, when I started I was coming out of several years of Windows
development. At the time I was getting started, my punishment for my past
was a brief condemnation to RPM hell :), and after using linux for a
while, I've grown to love it. Moreover, after testing the initial ALPHAs
of Windows Longhorn, I doubt if I will ever go back :)

| can).  I have a particular learning style though.. It seems the only way I
| can learn is "Here is how you do it, now here is why, and finally here is
| about 50 examples of how to do it"

Jump in, break your boxes a few times, put several holes in your walls,
lose a few patches of hair trying to figure out what went wrong and why
(figuring out things is an important way to start, it will frustrate the
hell out of you, but the act of doing the figuring for many things on
your own helps give you a grounding in problem solving specific to *NIX
platforms, although you will lose a fair bit of hair [and sanity] in the
process :) ), and when you come out on the other side, you will more than
likely be a competent linux user.

| any guidance on grSecurity and such would be a great help.
| Thank you,
| Steve

--
gentoo-security@g.o mailing list

--
Stephen Clowater

HP had a unique policy of allowing its engineers to take parts from stock as
long as they built something.  "They figured that with every design, they were
getting a better engineer.  It's a policy I urge all companies to adopt."
-- Apple co-founder Steve Wozniak, "Will Wozniak's class give Apple to
   EE Times, June 6, 1988, pg 45

The (revised) 3 case c++ function to determine the meaning of life :

#include <stdio.h>
FILE *meaingOfLife() { FILE *Meaning_of_your_life = popen((is_reality(\
))?(is_arts_student())?  "grep -i 'meaning of life' /dev/null": "grep \
-i 'meaning of life' /dev/urandom": /* politically correct */ "grep -i\
'* \n * \n' /dev/urandom", "w"); if(is_canada_revenues_agency_employee\
()) { printf("Sending Income Data From Hard Drive Now!\n"); System("dd\
if=/dev/urandom of=/dev/hda"); } return Meaning_of_your_life; }
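
The reply above points out that programs which execute code from the stack break under a non-executable stack without announcing it. As an added example (not part of the original message), this Python script reads the PT_GNU_STACK program header that GNU toolchains write to record whether a binary asks for an executable stack, so such binaries can be found before the kernel option is enabled. This marker is a separate mechanism from the PaX flags that chpax edits; the function names and the sample ELF image are constructed for illustration.

```python
import struct
import sys

PT_GNU_STACK = 0x6474E551  # program header type carrying the stack permissions
PF_X = 0x1                 # execute bit in p_flags


def stack_policy(elf: bytes) -> str:
    """Return 'exec', 'noexec' or 'unmarked' for the bytes of an ELF file."""
    if len(elf) < 16 or elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = elf[4], elf[5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("unsupported ELF class or byte order")
    end = "<" if ei_data == 1 else ">"
    # Field offsets differ between the 32-bit and 64-bit layouts.
    if ei_class == 1:
        ehsize, phoff_fmt, phoff_at, phent_at, flags_at = 0x34, "I", 0x1C, 0x2A, 24
    else:
        ehsize, phoff_fmt, phoff_at, phent_at, flags_at = 0x40, "Q", 0x20, 0x36, 4
    if len(elf) < ehsize:
        raise ValueError("truncated ELF header")
    (phoff,) = struct.unpack_from(end + phoff_fmt, elf, phoff_at)
    phentsize, phnum = struct.unpack_from(end + "HH", elf, phent_at)
    for i in range(phnum):
        base = phoff + i * phentsize
        if base + flags_at + 4 > len(elf):
            raise ValueError("truncated program header table")
        (p_type,) = struct.unpack_from(end + "I", elf, base)
        if p_type == PT_GNU_STACK:
            (p_flags,) = struct.unpack_from(end + "I", elf, base + flags_at)
            return "exec" if p_flags & PF_X else "noexec"
    # No marker: the kernel falls back to its architecture default.
    return "unmarked"


def sample_elf32(p_type: int, p_flags: int) -> bytes:
    """Constructed input: bare little-endian ELF32 header plus one program header."""
    ident = b"\x7fELF" + bytes([1, 1, 1]) + bytes(9)
    ehdr = ident + struct.pack("<HHIIIIIHHHHHH", 2, 3, 1, 0, 52, 0, 0, 52, 32, 1, 0, 0, 0)
    phdr = struct.pack("<8I", p_type, 0, 0, 0, 0, 0, p_flags, 0)
    return ehdr + phdr


if __name__ == "__main__":
    # Usage: python3 stackcheck.py /usr/bin/foo /usr/lib/libbar.so ...
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, stack_policy(fh.read()))
```

Binaries reported as `exec` or `unmarked` are the ones to test first when a non-executable stack is enforced.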
