Re: [gentoo-dev] Secure Gentoo

From: Nic Desjardins <nic_spam@yahoo.ca>
To: gentoo-dev@gentoo.org
Subject: Re: [gentoo-dev] Secure Gentoo
Date: Wed, 6 Mar 2002 16:24:04 -0500	[thread overview]
Message-ID: <20020306162404.1ebb3670.nic_spam@yahoo.ca> (raw)
In-Reply-To: <20020306195312.15f84b15.peter@pcswebdesign.nl>

On Wed, 6 Mar 2002 19:53:12 +0100
P.Gnodde <peter@pcswebdesign.nl> wrote:

> Hi all,
> 
> It has not been long ago since I've installed Gentoo, but at the moment it's running on my desktop, laptop and 1 of my servers (the other 2 run openbsd and slackware and I do not plan at replacing them :). I really like this distribution and am still learning new things about linux because of it :).
> 
> Back to the topic at hand ... I am just starting to get interested in security issues with linux. The company I work for has some sensative data of customers, so I used the kerneli patch to create an encrypted filesystem. And I like it. I've also been reading up on other issues, like random filehandles and stuff like that. I'd really like to learn more about it, so perhaps I can help in some ways with this Secure Gentoo project if it's needed (testing of beta patches/packages, etc.) (btw, I'm a coder, but I do not have much experience in kernelhacking or security related projects)
> 
> > * Make a kernel patch, probably based on the Gentoo kernel, but with
> > GrSecurity, kerneli, a few netfilter patches etc.
> At the moment I have the gentoo kernel running with the kerneli patch. The GrSecurity patch had a few failed hunks, I'm integrating them now. If your interested I could send you a patch after I'm done. I also have a ready to install package of util-linux, with the kerneli patch. I don't yet know if the combination is stable :).
> 
> > Will the Gentoo kernel use Andrea Arcangeli's VM or Rik van Riel's (-aa
> > or rmap)?
> I think rmap is pretty stable now and most problems have been solved, it's been good for Rik van Riel to have a little freedom in developing the VM :). Although I do know that Rik used to work for a (network) security company here in Holland :).
> 
> > How will this be done practically? I'm thinking in particular about the
> > freeze, and the proposed unstable branch.
> Perhaps start a new branch, so we have a 'stable', 'unstable' and 'secure' branch.
> 
> > How paranoid should it be? My first plan was to create ACLs for each and
> > every binary and deny almost everything else, but that might be too
> > paranoid for most people. What do you think? How about three security
> > levels (no ACLs, normal ACLs and very strict ACls)?
> The levels idea sounds like a nice idea, but it should be documented really good, so users can choose a good security level for their purposes.
> 

I must make a note here, usually with security levels its too, how can I say this... 'generic', I mean you could look at how buggy a daemon has been in the past and have it marked level 4 security and other stuff too, but I usually think of security as something the user sets up himself. I like it this way.
The other thing is, the user installs/starts the servers he wants, so there is no real need for security levels since the user will really do whatever he wants.

Nic D.

> Regards,
> 
> Peter Gnodde
> PCS Webdesign BV
> http://www.pcswebdesign.nl/
> _______________________________________________
> gentoo-dev mailing list
> gentoo-dev@gentoo.org
> http://lists.gentoo.org/mailman/listinfo/gentoo-dev