gentoo-hardened September 2009 archive

Re: [gentoo-hardened] "How hard" is Linux kernel-side hardening?

From: <atoth_at_nospam>
Date: Sat Sep 19 2009 - 17:30:21 GMT
To: gentoo-hardened@lists.gentoo.org


On Sat, September 19, 2009 18:13, Marco Venutti wrote:
> SELinux is included in the vanilla,
> this sounds good, but mastering
> SELinux is a long run
> (a lot of time to invest in it)

...
> AppArmor, recently included in the Ubuntu-family,
> seems to be something like SELinux, but more
> user-friendly. I mean both (SELinux and AppArmor)
> have the intention to limit damages coming from
> a compromised service. If I'm wrong feel free to
> clear my error.

Some security solutions you've mentioned above use LSM, which is included in vanilla. However, not all security solutions are keen on LSM:
http://www.grsecurity.net/lsm.php
http://www.rsbac.org/documentation/why_rsbac_does_not_use_lsm

> RSBAC seems to be hard on first approach,
> but much more flexible than GR-Security;
> on the other hand GR-Security has a good
> appeal if we're looking for an easy and fast way
> to lock down a desktop or a laptop, since it
> is "user-friendly ;-)" to install and set up
> and grants a good level of security.

User-friendliness depends on the level of security you want to implement. I use a rather lazy grsecurity policy, but I still have to update it approximately every two weeks, as new applications come by.

> If I've understood correctly GR-Security could
> be the best choice for desktop and RSBAC the
> best choice for server...isn't it?

I'm not deeply into RSBAC's magic, but I think the best choice is the tool you are more experienced in.

> What about overhead...I mean I see GRsec.
> has good performances, but I heard RSBAC
> is not so light...have you experienced this
> slowness or was it only present in early
> releases?

Running my machine PaX enabled while grsecurity policies are active has a definite impact on my machine's performance. I guess it depends on the architecture (if you have NX-bit) and maybe on how bulky your policy is. Mine is over 100k. Sometimes X doesn't like the PaX & low-latency preemption combo (X pointer freezes). If I switch off preemption, it also slows it down a bit.

You forgot to mention SSP (stack-smashing protection). It's an application-level protection and must be compiled in. It also has a performance impact. I prepare my presentations on my laptop, which runs an SSP-enabled OpenOffice. However, I prefer to use a non-hardened machine for the actual performance. Flipping from one slide to another is considerably slower on my hardened machine, but I don't want to force my audience to sleep. For personal use I would never use an ordinary office suite. But I don't care about the machine the organizers make available to me because I transfer my document only in one direction.

> Back to subject of my post:
> "How hard" is Linux...hardening?

It's not that easy and perhaps it depends on one's personal skills. However I think it's addictive.
My motto is: "If you go Hardened, you can't stop it."

> In the end, after long time tuning
> do these tools grant us a high level of security?

You'll never find perfect security.

> I mean:
> Grsecurity suffered from a return-into-libc exploit
> that bypassed its protection. Grsecurity also had
> a PaX-disabled bug in the past that exposed
> machines to risks.

Every software - even OBSD - has bugs.

> Recently I've read something about a 2.6.30 bug
> which makes useless, enforcement like SELinux,
> AppArmor and so on...

Watch out for 2.6.31 perf_counter 0day:
http://www.youtube.com/watch?v=ShoAOdx0K7I

> so I'm wondering if it is possible to harden Linux
> the way you can leave it online with, approximately,
> the same (high) probability, it won't be compromised
> as OpenBSD does.

Let me ask you just one thing. Please point me to an OBSD alternative of the wide variety of Linux hardening solutions (SELinux, RSBAC, AppArmor or grsecurity). Like TrustedBSD has FLASK/SEBSD implemented, analogous to SELinux. Solaris has trusted extensions.

> I'm sure there are many skilled people, reading
> this mailing list, so I'll appreciate if someone
> will be patient and will enlighten me, giving some
> impartial inputs on what to study in my spare time.

I'm not a security expert.

Every system must be maintained to keep it up-to-date. If you think that you don't have to spare time on it: that is a false sense of security. Sacrifices must be made according to the level of security you are targeting.

Hardened Gentoo offers several possibilities to choose between. It's fun!

Regards:
Dw.
--
Attila Toth MD, Radiologist, +36-20-825-8057, +36-30-5962-962