[gentoo-hardened] What's been done so far?
From: Matt Rickard @ 2003-03-18 8:03 UTC
To: gentoo-hardened

Just saw this list in the weekly newsletter, and I'm curious as to what has been done (or what is being planned) so far?

I've implemented ProPolice in Gentoo <http://frogger974.homelinux.org/gentoo_propolice.html> and I've created a chrooted apache script (not yet in ebuild form... will be there when I get time).

I see that the newsletter mentions an SELinux kernel in this hardened Gentoo. SELinux is something that I've had a bit of a look at, but haven't actually used yet. Currently I'm using a GRSec patched kernel.

I'm curious as to what the rest of you feel regarding using either GRSec or SELinux? They both seem similar in their goals and their features.

I really like the chroot restrictions GRSec offers -- does SELinux provide similar functionality? Chrooted daemons plus these restrictions provide for very secure services.

Just trying to get a feel for where this project is headed. Any input is appreciated.

-Matt

--
gentoo-hardened@gentoo.org mailing list
Re: [gentoo-hardened] What's been done so far?
From: Sven Vermeulen @ 2003-03-18 17:21 UTC
To: gentoo-hardened

On Tue, Mar 18, 2003 at 03:03:05AM -0500, Matt Rickard wrote:
> I'm curious as to what the rest of you feel regarding using either GRSec
> or SELinux? They both seem similar in their goals and their features.
>
> I really like the chroot restrictions GRSec offers -- does SELinux provide
> similar functionality? Chrooted daemons plus these restrictions provides
> for very secure services.

When we talk about Mandatory Access Control, SELinux is much more advanced than GRSecurity. IIRC GRSecurity uses a process-based, single select (not very flexible) MAC implementation. SELinux is much more flexible (but also more difficult). SELinux has policy-driven control over:

- Processes
- Files
- Sockets

However, GRSecurity has other patches that aren't included in SELinux, maybe because SELinux is developed with MAC in mind, and GRSecurity more with the OpenBSD kernel in mind... Well, that's what I've heard of it :)

Wkr,
Sven Vermeulen

--
Fighting for peace is like fucking for virginity.
Re: [gentoo-hardened] What's been done so far?
From: nick anderson @ 2003-03-18 17:44 UTC
To: gentoo-hardened

What about the LIDS project?
Re: [gentoo-hardened] What's been done so far?
From: Sven Vermeulen @ 2003-03-18 17:53 UTC
To: gentoo-hardened

On Tue, Mar 18, 2003 at 11:44:32AM -0600, nick anderson wrote:
> what about the lids project?

Hmmm, from their website:

"""
2.4 series development version LIDS 1.0.9 for 2.4.5 is out.
Fri Jun 1 09:31:52 CST 2001
"""

So it's not very actively developed. Furthermore I think that LIDS is more of a kernel patch to integrate easier with the daemons that the project provides, and it is, as the name says, an Intrusion Detection System.

But don't forget what gentoo-hardened is all about: it's not solely implementing SELinux in Gentoo, it's all about security, so having LIDS-support (and others) isn't out of the question.

Wkr,
Sven Vermeulen

--
Fighting for peace is like fucking for virginity.
Re: [gentoo-hardened] What's been done so far?
From: nick anderson @ 2003-03-18 17:59 UTC
To: gentoo-hardened

Does this project have a homepage? I'm wondering if this will be a fork or just set a USE flag to enable the extra security features.
Re: [gentoo-hardened] What's been done so far?
From: Sven Vermeulen @ 2003-03-18 18:04 UTC
To: nick anderson
Cc: gentoo-hardened

On Tue, Mar 18, 2003 at 11:59:13AM -0600, nick anderson wrote:
> does this project have a homepage?

cvs.gentoo.org/~method

BTW, my LIDS-quote is based on an outdated mirror, LIDS is alive and kicking, so my apologies...

Wkr,
Sven Vermeulen

--
Fighting for peace is like fucking for virginity.
Re: [gentoo-hardened] What's been done so far?
From: Joachim Blaabjerg @ 2003-03-18 18:03 UTC
To: Sven Vermeulen
Cc: gentoo-hardened

On Tuesday 18 March 2003 18:53, Sven Vermeulen wrote:
> On Tue, Mar 18, 2003 at 11:44:32AM -0600, nick anderson wrote:
> > what about the lids project?
>
> Hmmm, from their website:
>
> """
> 2.4 series development version LIDS 1.0.9 for 2.4.5 is out.
> Fri Jun 1 09:31:52 CST 2001
> """
>
> So it's not very actively developed. Furthermore I think that LIDS is
> more of a kernelpatch to integrate easier with the daemons that the
> project provides, and it is, as the name sais, an Intrusion Detection
> System.

I'd have to disagree. First of all - the latest news isn't at the bottom of the page ;) Second - which daemons are you talking about? I've been working pretty closely with the LIDS devels for a while, and the last time I checked it was a MAC system which didn't ship with any daemons. Are you sure you aren't thinking of a different project?

My biggest concern with LIDS is its design. It's still inode based, right? IMO, systrace and grsecurity ACLs solve the same problems as LIDS in a much more elegant fashion.

> But don't forget what gentoo-hardened is all about: it's not solely
> implementing SELinux in Gentoo, it's all about security, so having
> LIDS-support (and others) isn't out of the question.

Indeed, if someone's willing to do the hard work :)

--
Joachim Blaabjerg
Gentoo Linux Security Developer
GPG key @ http://cvs.gentoo.org/~styx