public inbox for gentoo-dev@lists.gentoo.org

* [gentoo-dev] Secure Gentoo
From: Joachim Blaabjerg @ 2002-03-06 17:43 UTC
  To: gentoo-dev

Hi again, people,

If you don't have any further ideas/thoughts/objections/whatever, I'll
finally start working on Secure Gentoo (or whatever the name is) now.
I've had a few time problems lately, so I'm sorry I haven't got started
earlier.

What I'm going to do:
* Make a profile with a small (minimal) set of apps, and slowly expand
it as I get more packages done/patched.
* Make a kernel patch, probably based on the Gentoo kernel, but with
GrSecurity, kerneli, a few netfilter patches etc.
* Patch packages with patches from the Owl GNU/*/Linux project (of which
I am lucky to be a currently idling developer), and make ACLs for each
app.

My original intent was to use LIDS, but I've somewhat changed my mind.
The ACL system in grsec has matured greatly lately, and I'm trying it
out as we speak. Have any of you got any experiences or thoughts on this
you want to share?

I've got a few questions, too:
Will the Gentoo kernel use Andrea Arcangeli's VM or Rik van Riel's (-aa
or rmap)?
How will this be done practically? I'm thinking in particular about the
freeze, and the proposed unstable branch.
How paranoid should it be? My first plan was to create ACLs for each and
every binary and deny almost everything else, but that might be too
paranoid for most people. What do you think? How about three security
levels (no ACLs, normal ACLs and very strict ACLs)?

Any other thoughts and ideas will be greatly appreciated :)

-- 
Joachim Blaabjerg
styx@SuxOS.org
www.SuxOS.org



* Re: [gentoo-dev] Secure Gentoo
From: Daniel Robbins @ 2002-03-06 18:04 UTC
  To: gentoo-dev

On Wed, 2002-03-06 at 10:43, Joachim Blaabjerg wrote:

> I've got a few questions, too:
> Will the Gentoo kernel use Andrea Arcangeli's VM or Rik van Riel's (-aa
> or rmap)?

We tried an -aa kernel (2.4.18) and we didn't get good desktop
performance out of it.  We're planning to stick to -ac which includes
rmap.

-- 
Daniel Robbins                                  <drobbins@gentoo.org>
Chief Architect/President                       http://www.gentoo.org 
Gentoo Technologies, Inc.



* Re: [gentoo-dev] Secure Gentoo
From: P.Gnodde @ 2002-03-06 18:53 UTC
  To: gentoo-dev; +Cc: styx

Hi all,

It has not been long since I installed Gentoo, but at the moment it's running on my desktop, laptop and 1 of my servers (the other 2 run OpenBSD and Slackware and I do not plan on replacing them :). I really like this distribution and am still learning new things about Linux because of it :).

Back to the topic at hand ... I am just starting to get interested in security issues with Linux. The company I work for has some sensitive data of customers, so I used the kerneli patch to create an encrypted filesystem. And I like it. I've also been reading up on other issues, like random filehandles and stuff like that. I'd really like to learn more about it, so perhaps I can help in some ways with this Secure Gentoo project if it's needed (testing of beta patches/packages, etc.) (btw, I'm a coder, but I do not have much experience in kernel hacking or security related projects)

> * Make a kernel patch, probably based on the Gentoo kernel, but with
> GrSecurity, kerneli, a few netfilter patches etc.
At the moment I have the Gentoo kernel running with the kerneli patch. The GrSecurity patch had a few failed hunks, I'm integrating them now. If you're interested I could send you a patch after I'm done. I also have a ready-to-install package of util-linux, with the kerneli patch. I don't yet know if the combination is stable :).

> Will the Gentoo kernel use Andrea Arcangeli's VM or Rik van Riel's (-aa
> or rmap)?
I think rmap is pretty stable now and most problems have been solved, it's been good for Rik van Riel to have a little freedom in developing the VM :). Although I do know that Rik used to work for a (network) security company here in Holland :).

> How will this be done practically? I'm thinking in particular about the
> freeze, and the proposed unstable branch.
Perhaps start a new branch, so we have a 'stable', 'unstable' and 'secure' branch.

> How paranoid should it be? My first plan was to create ACLs for each and
> every binary and deny almost everything else, but that might be too
> paranoid for most people. What do you think? How about three security
> levels (no ACLs, normal ACLs and very strict ACLs)?
The levels idea sounds like a nice idea, but it should be documented really well, so users can choose a good security level for their purposes.

Regards,

Peter Gnodde
PCS Webdesign BV
http://www.pcswebdesign.nl/


* Re: [gentoo-dev] Secure Gentoo
From: Sebastian Werner @ 2002-03-06 18:53 UTC
  To: gentoo-dev

This is great, really great. I don't really have much time to play with this. But I
could help you with parts of the to-do work. Contact me and we could do it.

I think it's enough to create ACLs for the base system and some special
server apps. All these KDE and GNOME apps must not be installed on a real
server I think - so you need no ACLs here.

Greetings

Sebastian

* Re: [gentoo-dev] Secure Gentoo
From: Joachim Blaabjerg @ 2002-03-06 20:50 UTC
  To: gentoo-dev

On Wed, 2002-03-06 at 22:24, Nic Desjardins wrote:

> > > How paranoid should it be? My first plan was to create ACLs for each and
> > > every binary and deny almost everything else, but that might be too
> > > paranoid for most people. What do you think? How about three security
> > > levels (no ACLs, normal ACLs and very strict ACLs)?
> > The levels idea sounds like a nice idea, but it should be documented really well, so users can choose a good security level for their purposes.
> > 
> 
> I must make a note here, usually with security levels it's too, how can I say this... 'generic', I mean you could look at how buggy a daemon has been in the past and have it marked level 4 security and other stuff too, but I usually think of security as something the user sets up himself. I like it this way.
> The other thing is, the user installs/starts the servers he wants, so there is no real need for security levels since the user will really do whatever he wants.

Well, I tend to agree, but most users would want to have a starting
point somewhat close to what they're trying to achieve. The security
levels I'm speaking of are simply levels of strictness (or 'security',
if you will) in the ACLs, not in the entire system. Writing those ACLs is
a tedious process, and it involves a lot of debugging and strace'ing that
a normal user in need of security simply wouldn't want to get into.

-- 
Joachim Blaabjerg
styx@SuxOS.org
www.SuxOS.org
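Joachim's point above, that per-binary ACLs come out of a lot of debugging and strace'ing, is the part most worth automating. The following is an added example, not code from this thread, from grsecurity or from the Owl project: a small Python script that reduces a trace into the files a program executed, read and wrote, the ports it bound or connected to, and the accesses it attempted but was denied, which is the starting point for a strict per-program policy. The strace lines are constructed, the daemon name and paths are hypothetical, and the output is a generic summary rather than grsecurity's own policy syntax.

```python
"""Reduce strace output to a least-privilege summary for one program.

Added example, not code from the gentoo-dev thread, grsecurity or Owl.
The trace below is constructed and the output format is a generic
summary, not any ACL system's policy language.
"""
import re

# Constructed sample (assumption: resembles `strace -f -e trace=file,network`
# output for a small hypothetical daemon).
SAMPLE_STRACE = """\
execve("/usr/sbin/mydaemon", ["mydaemon", "-f"], [/* 12 vars */]) = 0
open("/etc/ld.so.cache", O_RDONLY) = 3
open("/lib/libc.so.6", O_RDONLY) = 3
open("/etc/mydaemon.conf", O_RDONLY) = 4
open("/var/log/mydaemon.log", O_WRONLY|O_APPEND|O_CREAT, 0644) = 5
open("/etc/shadow", O_RDONLY) = -1 EACCES (Permission denied)
socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 6
bind(6, {sa_family=AF_INET, sin_port=htons(8080), sin_addr=inet_addr("0.0.0.0")}, 16) = 0
[pid  1234] openat(AT_FDCWD, "/var/run/mydaemon.pid", O_WRONLY|O_CREAT|O_TRUNC, 0644) = 7
[pid  1234] unlink("/var/run/mydaemon.pid") = 0
"""

# One strace line: optional "[pid N]" prefix, syscall name, argument list,
# numeric return value (negative on failure).
SYSCALL_RE = re.compile(r'^(?:\[pid\s+\d+\]\s+)?(\w+)\((.*)\)\s*=\s*(-?\d+)')
QUOTED_RE = re.compile(r'"([^"]*)"')           # first quoted string = the path
PORT_RE = re.compile(r'sin6?_port=htons\((\d+)\)')

WRITE_FLAGS = ("O_WRONLY", "O_RDWR", "O_APPEND", "O_CREAT", "O_TRUNC")
OPEN_LIKE_CALLS = {"open", "openat", "stat", "lstat", "access", "readlink"}
MUTATING_CALLS = {"unlink", "rename", "chmod", "chown", "mkdir", "rmdir"}
NET_CALLS = {"bind", "connect"}


def parse_strace(text):
    """Return a dict of sets: exec, read, write, net and denied.

    Failed calls go to 'denied' only: the trace records what the program
    tried, not what it needs, so a probe that was refused must not become
    a grant in the resulting policy.
    """
    policy = {k: set() for k in ("exec", "read", "write", "net", "denied")}
    for raw in text.splitlines():
        m = SYSCALL_RE.match(raw.strip())
        if not m:
            continue                      # signals, resumed lines, exit status
        call, args, ret = m.group(1), m.group(2), int(m.group(3))
        if call in NET_CALLS:
            port = PORT_RE.search(args)
            if port and ret >= 0:
                policy["net"].add(f"{call}:{port.group(1)}")
            continue
        path = QUOTED_RE.search(args)     # rename() has two paths; first only
        if not path:
            continue
        path = path.group(1)
        if ret < 0:
            policy["denied"].add(path)
        elif call == "execve":
            policy["exec"].add(path)
        elif call in MUTATING_CALLS or (
            call in OPEN_LIKE_CALLS and any(f in args for f in WRITE_FLAGS)
        ):
            policy["write"].add(path)
        elif call in OPEN_LIKE_CALLS:
            policy["read"].add(path)
    return policy


def render_summary(policy):
    """Human-readable summary; a policy author turns this into real ACLs."""
    lines = []
    for kind in ("exec", "read", "write", "net"):
        lines.extend(f"{kind:<6}{item}" for item in sorted(policy[kind]))
    lines.extend(f"# attempted and denied, do not grant: {item}"
                 for item in sorted(policy["denied"]))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_summary(parse_strace(SAMPLE_STRACE)))
```

The separate "denied" list is the point of the exercise: a trace taken on a loosely configured box records every access the program attempted, and the one refused access (here the hypothetical daemon probing /etc/shadow) is exactly the one a strict policy should keep refusing.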



* Re: [gentoo-dev] Secure Gentoo
From: Nic Desjardins @ 2002-03-06 21:24 UTC
  To: gentoo-dev


On Wed, 6 Mar 2002 19:53:12 +0100
P.Gnodde <peter@pcswebdesign.nl> wrote:

> Hi all,
> 
> It has not been long since I installed Gentoo, but at the moment it's running on my desktop, laptop and 1 of my servers (the other 2 run OpenBSD and Slackware and I do not plan on replacing them :). I really like this distribution and am still learning new things about Linux because of it :).
> 
> Back to the topic at hand ... I am just starting to get interested in security issues with Linux. The company I work for has some sensitive data of customers, so I used the kerneli patch to create an encrypted filesystem. And I like it. I've also been reading up on other issues, like random filehandles and stuff like that. I'd really like to learn more about it, so perhaps I can help in some ways with this Secure Gentoo project if it's needed (testing of beta patches/packages, etc.) (btw, I'm a coder, but I do not have much experience in kernel hacking or security related projects)
> 
> > * Make a kernel patch, probably based on the Gentoo kernel, but with
> > GrSecurity, kerneli, a few netfilter patches etc.
> At the moment I have the Gentoo kernel running with the kerneli patch. The GrSecurity patch had a few failed hunks, I'm integrating them now. If you're interested I could send you a patch after I'm done. I also have a ready-to-install package of util-linux, with the kerneli patch. I don't yet know if the combination is stable :).
> 
> > Will the Gentoo kernel use Andrea Arcangeli's VM or Rik van Riel's (-aa
> > or rmap)?
> I think rmap is pretty stable now and most problems have been solved, it's been good for Rik van Riel to have a little freedom in developing the VM :). Although I do know that Rik used to work for a (network) security company here in Holland :).
> 
> > How will this be done practically? I'm thinking in particular about the
> > freeze, and the proposed unstable branch.
> Perhaps start a new branch, so we have a 'stable', 'unstable' and 'secure' branch.
> 
> > How paranoid should it be? My first plan was to create ACLs for each and
> > every binary and deny almost everything else, but that might be too
> > paranoid for most people. What do you think? How about three security
> > > levels (no ACLs, normal ACLs and very strict ACLs)?
> The levels idea sounds like a nice idea, but it should be documented really well, so users can choose a good security level for their purposes.
> 

I must make a note here, usually with security levels it's too, how can I say this... 'generic', I mean you could look at how buggy a daemon has been in the past and have it marked level 4 security and other stuff too, but I usually think of security as something the user sets up himself. I like it this way.
The other thing is, the user installs/starts the servers he wants, so there is no real need for security levels since the user will really do whatever he wants.

Nic D.


* Re: [gentoo-dev] Secure Gentoo
From: Karl Trygve Kalleberg @ 2002-03-07 20:08 UTC
  To: gentoo-dev

I just have to throw in my "me too" post here. I think this is an
excellent idea.

It would be very nice if as you point out, one could merge a "secure"
profile that is reasonably bugfree and secure, where it was easy to
customize which services you want to run, with what kind of privilege,
etc.

Would a "sandboxing"/"playpen"/"virtual machine" feature where you could
put users into groups where users inside one group can see each other (w,
ps, who, id..) but not outside the group be possible? I've noticed they
have something akin to that on login.sf.net and that grsecurity tries to
solve some of these problems.



Kind regards,

Karl T


* Re: [gentoo-dev] Secure Gentoo
From: mbutcher @ 2002-03-07 21:26 UTC
  To: gentoo-dev

Can someone explain to me the difference between kerneli and the 
International Crypto API kernel modules? I'd really like to be able to use 
encrypted filesystems that use something a little stronger than DES.

Thanks,

Matt

* Re: [gentoo-dev] Secure Gentoo
From: Joachim Blaabjerg @ 2002-03-08 11:11 UTC
  To: gentoo-dev

On Thu, 2002-03-07 at 21:08, Karl Trygve Kalleberg wrote:

> Would a "sandboxing"/"playpen"/"virtual machine" feature where you could
> put users into groups where users inside one group can see each other (w,
> ps, who, id..) but not outside the group be possible ? I've noticed they
> have something akin to that on login.sf.net and that grsecurity tries to
> solve some of these problems.

I know grsecurity has some /proc restrictions, which are very nice.
Other than that, I'm not sure.

-- 
Joachim Blaabjerg
styx@SuxOS.org
www.SuxOS.org



* Re: [gentoo-dev] Secure Gentoo
From: Joachim Blaabjerg @ 2002-03-08 11:12 UTC
  To: gentoo-dev

On Wed, 2002-03-06 at 19:53, Sebastian Werner wrote:
> This is great, really great. I don't really have much time to play with this. But I
> could help you with parts of the to-do work. Contact me and we could do it.

Great, I need all the help I can get :)

> I think it's enough to create ACLs for the base system and some special
> server apps. All these KDE and GNOME apps must not be installed on a real
> server I think - so you need no ACLs here.

My thoughts exactly.

-- 
Joachim Blaabjerg
styx@SuxOS.org
www.SuxOS.org


