* [gentoo-hardened] ACL implementations
From: Joshua Brindle @ 2003-03-22 7:49 UTC
To: gentoo-hardened
While we are pretty much set to use selinux for our MAC implementation we
still need a lighter weight, less intrusive ACL implementation.
natey has worked on systrace some, and we have a couple guys interested
in grsecurity.
The problem is that we have limited resources and should really focus on having
1 really good ACL implementation (by this I mean concentrating on writing policies,
maintaining, documenting and recommending a particular implementation.) This does
_not_ prohibit any number of ACL systems being available in portage, but resources
mandate that we pursue only one as a full blown subproject. The question is
which one. I was somewhat excited about systrace due to its usability before I found
out that it is not possible to apply system wide ACLs with it. grsecurity can do this
but isn't nearly as easy. Are there others? Does anyone have experience with
any particular implementation, and have opinions on how easy to use, effective
and stable it is? Please share that information.
note: please, please, for the sake of all the people on this list don't reply
if you don't have experience with acl implementations or just want to
hear yourself talk, it doesn't help anything. Thanks everyone
Cheers
Joshua Brindle
* Re: [gentoo-hardened] ACL implementations
From: Nate Underwood @ 2003-03-22 8:30 UTC
To: Joshua Brindle; +Cc: gentoo-hardened
On Sat, 22 Mar 2003 at 01:49:52 -0600, Joshua Brindle wrote:
> While we are pretty much set to use selinux for our MAC implementation we
> still need a lighter weight, less intrusive ACL implementation.
>
> natey has worked on systrace some, and we have a couple guys interested
> in grsecurity.
>
> The problem is that we have limited resources and should really focus on having
> 1 really good ACL implementation (by this I mean concentrating on writing policies,
> maintaining, documenting and recommending a particular implementation.) This does
> _not_ prohibit any number of ACL systems being available in portage, but resources
> mandate that we pursue only one as a full blown subproject. The question is
> which one. I was somewhat excited about systrace due to its usability before I found
> out that it is not possible to apply system wide ACLs with it. grsecurity can do this
> but isn't nearly as easy. Are there others? Does anyone have experience with
> any particular implementation, and have opinions on how easy to use, effective
> and stable it is? Please share that information.
Although I have been working on implementing systrace on Gentoo, and may
be a little biased, I do agree that one ACL subproject would better suit
the overall needs of the hardened-gentoo project.
For those who are unfamiliar with systrace, please see:
http://www.citi.umich.edu/u/provos/systrace/
Stability:
Systrace is currently integrated into both NetBSD and OpenBSD...which
implies that the *BSD version of the systrace code is stable enough to
meet the demands of those in the *BSD camp. While the Linux code
is still in development, it is seemingly quite stable when kernel
patches are applied to a vanilla 2.4.20 kernel. With the few problems
that we have found thus far, the systrace authors have been receptive
and fairly responsive. I believe that the systrace Linux code stability
will improve dramatically the more we test it and break it.
Usability:
Systrace is fairly easy to use...maybe not for the average user at
first, but with the gtk interactive policy frontend defining new
policies on the fly, it is relatively easy.
The concern that systrace is not enforceable system wide is one
that can be conquered in my opinion. Currently any systrace'd program
must be started as "systrace -a /path/to/binary" ...the workaround is
to create wrapper scripts/programs for systrace on a system scale, i.e. a
wrapper for eliminating the need for suid/sgid binaries through
systrace priv elevation.
Additional arguments could be built into rc-update to start a systrace'd
daemon or listener, i.e. "rc-update add sshd default -S"
Seamless and transparent integration of systrace *is* possible...but it
will require development time and energy to make it work as an
integrated part of the system.
Effectiveness:
Some of the possibilities with systrace are:
Application sandboxing/Virtual chroot'ing
Lightweight HIDS...policy violations are logged
Defined policies are enforced without user interaction...any system
calls not covered by a policy are denied and logged.
Privilege Elevation...enables nifty things like getting rid of suid/sgid
binary reliance
Systrace is still fairly new...but the ease of use and effectiveness of
the program (IMHO) are worth pursuing. The problem of system wide
deployment is a developer specific issue (on Gentoo)...and advances we
make here can likely be offered up to the systrace authors for possible
inclusion and enhancement.
My $0.02,
~Nate
>
> note: please, please, for the sake of all the people on this list don't reply
> if you don't have experience with acl implementations or just want to
> hear yourself talk, it doesn't help anything. Thanks everyone
>
> Cheers
>
> Joshua Brindle
--
gentoo-hardened@gentoo.org mailing list
* Re: [gentoo-hardened] ACL implementations
From: Gavin Vess @ 2003-03-23 6:11 UTC
To: gentoo-hardened
Project "VITALITY" (~popularity) of leading projects relating to Linux ACL
======================================================
(Hit counts from Google for search terms below.)
24,300 selinux
23,000 LIDS Linux
21,100 LSM linux security [I added 'security' since lsm matched many unrelated things]
8,090 grsecurity linux
4,770 systrace linux
3,590 WOLK linux [already in the portage tree under kernel sources]
2,790 linsec linux
Bulleted executive summaries for the above: http://www.rstack.org/oudot/rmll/slides/3/ksec_lsm.pdf (page 43+).
Popularity is obviously not direct evidence of quality, *appropriateness* for the Gentoo community, usability, etc., but might be correlated with these factors. Younger projects might also be on the rise (not reflected above). These products differ dramatically in features and purpose.
One-line summaries, with URLs: http://www.linuxsecurity.com/feature_stories/feature_story-134.html#5
From a security conference:
http://216.239.33.100/search?q=cache:qLhr5OQLg_8C:www.rstack.org/oudot/rmll/+grsecurity+systrace+lids+se+selinux&hl=en&ie=UTF-8
(No highlighting: http://www.rstack.org/oudot/rmll/)
Cheers,
Gavin
More Comparisons
=================
systrace vs. LSM
- http://lwn.net/Articles/17170/
- rumors of a systrace module for LSM
grsecurity vs. lids:
- http://www.der-keiler.de/Mailing-Lists/linuxsecurity/2002-12/0032.html
- http://www.spinics.net/lists/security/msg01099.html
openwall
- excluded from this comparison since only a test release exists for 2.4 kernel
many more via Google
* Re: [gentoo-hardened] ACL implementations
From: Justin Heesemann @ 2003-03-23 17:53 UTC
To: gentoo-hardened
On Saturday 22 March 2003 09:30, Nate Underwood wrote:
> Effectiveness:
>
> Some of the possibilities with systrace are:
>
> Application sandboxing/Virtual chroot'ing
> Lightweight HIDS...policy violations are logged
> Defined policies are enforced without user interaction...any system
> calls not covered by a policy are denied and logged.
> Privilege Elevation...enables nifty things like getting rid of suid/sgid
> binary reliance
>
> Systrace is still fairly new...but the ease of use and effectiveness of
> the program (IMHO) are worth pursuing. The problem of system wide
> deployment is a developer specific issue (on Gentoo)...and advances we
> make here can likely be offered up to the systrace authors for possible
> inclusion and enhancement.
Yes, I really like seeing other people being impressed by systrace too.
By now I have a virtual chrooted login shell (bash) which lets my users
execute various programs (which I can define), access their home directory
almost unrestricted (well, they can't execute anything in it) and virtual
chrooted sftp.
I've also systrace wrapped all cgi scripts (using a patched modiwrap, which is
a suexec replacement).
Policy: /usr/bin/stcgiwrap, Emulation: linux
[some general stuff with reading /lib/ libraries + most basic system calls]
linux-fsread: filename eq "/usr/lib/perl5/site_perl/5.6.1" then permit
linux-fsread: filename match "$HOME/cgi-bin/*" then permit
linux-execve: filename match "$HOME/cgi-bin/*" then permit[inherit]
linux-fsread: filename eq "/proc/self/exe" then permit
linux-fsread: filename eq "/etc/localtime" then permit
linux-execve: filename eq "/usr/sbin/sendmail" then permit
Its config files are really easy to understand _and_ generate, as you can
simply start any programm with systrace -A /usr/bin/programm_i_want_to_test
and you end with a "minimum" policy file in
~/.systrace/usr_bin_programm_i_want_to_test
which you can copy to /etc/systrace (and chmod it 644).
It is also very easy to give different rights to different users (which is
almost impossible with the current grsecurity acls, but is said to change in
grsec 2.0, which will be role based)
But I agree: I don't think it is meant as a system default and according to
the docs it isn't that speedy (also I'd love to see some real-world
benchmarks, maybe systraced apache vs. normal). As the policies aren't
compiled in any way but are parsed each time you run the program, I at
least expect a startup penalty, which might be avoided with some sort of
systrace daemon.
IMHO the best way would be a combination of grsecurity acls for daemons and
systrace (wrappers) for userland.
Blurb: The one time I tried SELinux (which isn't meant to be the last time) I
found it extremely difficult, complex and by no means comfortable. But I'm
sure some of you got better results than I did.
--
Mit internetten Grüßen / Best Regards
---------------------------------------------------------------------------
Justin Heesemann ionium Technologies
jh@ionium.org www.ionium.org
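To make the policy semantics discussed above concrete (Nate's point that any system call not covered by a policy is denied and logged, and Justin's cgi wrapper policy with "eq" exact matches, "match" globs, $HOME expansion and permit[inherit]), here is a small evaluator for systrace-style policy lines. It is an added example, not systrace's own parser; the sample policy, the home directory and the file names are constructed.

```python
"""Minimal evaluator for systrace-style policy lines (added example, not
systrace's own code). Models the semantics described in the thread: each
rule names a syscall alias (e.g. linux-fsread), a filename predicate
("eq" exact match or "match" shell glob), and a verdict with an optional
flag such as [inherit]; any call no rule covers is denied and logged.
$HOME is expanded before matching, as in the quoted cgi wrapper policy."""
import fnmatch
import re

RULE_RE = re.compile(
    r'^(?P<call>[\w-]+):\s+filename\s+(?P<op>eq|match)\s+"(?P<pat>[^"]*)"'
    r'\s+then\s+(?P<verdict>permit|deny)(?:\[(?P<flag>\w+)\])?$')

# Constructed policy modelled on the cgi wrapper policy quoted in the thread.
SAMPLE_POLICY = """\
Policy: /usr/bin/stcgiwrap, Emulation: linux
linux-fsread: filename eq "/usr/lib/perl5/site_perl/5.6.1" then permit
linux-fsread: filename match "$HOME/cgi-bin/*" then permit
linux-execve: filename match "$HOME/cgi-bin/*" then permit[inherit]
linux-fsread: filename eq "/etc/localtime" then permit
linux-execve: filename eq "/usr/sbin/sendmail" then permit
"""

def parse_policy(text):
    """Return (header line, list of rule dicts); blank and comment lines skipped."""
    header, rules = None, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("Policy:"):
            header = line
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unparsable rule: %r" % line)
        rules.append(m.groupdict())
    return header, rules

def evaluate(rules, call, filename, home, log):
    """First matching rule for this call wins. No match means deny, and the
    denial is appended to log (the 'lightweight HIDS' behaviour Nate
    describes). Returns (verdict, flag)."""
    for r in rules:
        if r["call"] != call:
            continue
        pat = r["pat"].replace("$HOME", home)
        hit = filename == pat if r["op"] == "eq" else fnmatch.fnmatchcase(filename, pat)
        if hit:
            return r["verdict"], r["flag"]
    log.append("%s: filename %s: no matching rule, denied" % (call, filename))
    return "deny", None

if __name__ == "__main__":
    _, rules = parse_policy(SAMPLE_POLICY)
    log = []
    for call, fn in [("linux-execve", "/home/alice/cgi-bin/form.pl"),
                     ("linux-execve", "/bin/sh")]:
        print(call, fn, evaluate(rules, call, fn, "/home/alice", log))
    print("\n".join(log))
```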
* Re: [gentoo-hardened] ACL implementations
From: Joachim Blaabjerg @ 2003-03-23 21:20 UTC
To: gentoo-hardened
On Saturday 22 March 2003 08:49, Joshua Brindle wrote:
> While we are pretty much set to use selinux for our MAC implementation we
> still need a lighter weight, less intrusive ACL implementation.
Indeed. Unfortunately, I haven't got enough experience with selinux to say
how intrusive and hard it is to use, so my statements here might be
invalid. After some experience with systrace, I've found it very stable and
easy to use (the stability point might be invalid, as I've only used it on
OpenBSD). Bottom line: It's a simple concept that works, and I like it.
Still, I don't think it will be very good for system wide operation through
wrappers and such. Wrappers are dirty, and shouldn't (IMO) be used or
supported to a large extent by a major Linux distribution. A nicer solution
would be to either ask someone central in systrace development (Niels or
Marius, for instance) how hard it would be to enforce systrace on a
system-wide basis natively in the kernel (and if they're willing to pursue
such an idea... there might be a valid reason why they designed it this way
in the first place).
However, as Nate demonstrates, systrace works quite well when invoked through
rc scripts. IMO, it would be very nice to provide default ACLs and a
possibility to enforce systrace on daemons started through the rc scripts.
I do agree that selinux should be the main concern for developers in the
startup phase, but setting up a framework for systrace in the rc scripts
shouldn't be too demanding, and could probably be done without losing more
than a couple of days worth of selinux work. Some people (including myself)
would appreciate something lighter than selinux mostly for daemons. Light
paranoia and security awareness vs. full paranoia, kind of :)
Regards,
--
Joachim Blaabjerg
Gentoo Linux Security Developer
GPG key @ http://cvs.gentoo.org/~styx
* [gentoo-hardened] ACL, WOLK, systrace, grsecurity
From: Gavin Vess @ 2003-03-23 21:47 UTC
To: gentoo-hardened
Justin wrote:
> Blurb: The one time I tried SELinux (which isn't meant to be the last time) I
> found it extremely difficult, complex and by no means comfortable. But I'm
> sure some of you got better results than I did.
Hmm .. I've seen similar opinions posted in various places on the web .. easy to find using Google.
Anyway, the WOLK kernel (also in the Gentoo portage tree) has integrated grsecurity, systrace, and several other interesting packages. Are we duplicating effort?
http://sourceforge.net/forum/forum.php?forum_id=238622
http://stable.gentoo.org/browse?type=versions&category=sys-kernel&package=wolk-sources
David Nielsen (January 3, 2003 7:40 PM CET) wrote:
> General request for updated wolk ebuilds, for 3.8.1 and the 4.0 pre series.
> WOLK seems to be an ideal fit for Gentoo, if only we could enforce the special use flags like ALSA
> on this kernel it would be ideal... but since alsa is in kernel here, it might pose a problem..
> In fact the whole USE flags used to affect the kernel patches might be bad because it makes it hard
> to change to a non-gentoo-source kernel.
-Gavin
* Re: [gentoo-hardened] ACL, WOLK, systrace, grsecurity
From: Joshua Brindle @ 2003-03-24 1:47 UTC
To: gentoo-hardened, Vess, Gavin
>Justin wrote:
>> Blurb: The one time I tried SELinux (which isn't meant to be the last time) I
>> found it extremely difficult, complex and by no means comfortable. But I'm
>> sure some of you got better results than I did.
>
>Hmm .. I've seen similar opinions posted in various places on the web .. easy to find using Google.
True, selinux has a tough learning curve; similarly, gentoo is not a linux distribution for newbies.
However, please recognise that we are putting forth a concerted effort to make this easy
to use for those who want to. We are providing policies for the base gentoo system, and
policies for hopefully a large part of the ebuilds in portage; we are writing stuff to deploy policies
when you install a particular app; we will have selinux GUI policy editors in portage, et al.
The opinions you've seen on the web are from people trying to do this basically from scratch
on a system which does not provide this functionality natively like we are. Additionally we'll
be putting together documentation for users to understand roles and using them effectively.
>
>Anyway, the WOLK kernel (also in the Gentoo portage tree) has integrated grsecurity, systrace, and several other interesting packages. Are we duplicating effort?
Not at all. I understand that wolk contains many (if not all) of the patches that we will provide. However, since wolk is a giant collection of patches, and since many patches don't show up in later releases after being in prior ones, I am not going to rely on them to provide all the patches that we need.
However, for those users who prefer the enhancements available in WOLK it will certainly still be available. For example, whoever wants to use selinux can choose between selinux-sources, hardened-sources and wolk-(server)-sources.
Joshua Brindle
* Re: [gentoo-hardened] ACL, WOLK, systrace, grsecurity
From: Justin Heesemann @ 2003-03-24 11:40 UTC
To: gentoo-hardened
On Sunday 23 March 2003 22:47, Gavin Vess wrote:
> Justin wrote:
> > Blurb: The one time I tried SELinux (which isn't meant to be the last
> > time) I found it extremely difficult, complex and by no means comfortable.
> > But I'm sure some of you got better results than I did.
>
> Hmm .. I've seen similar opinions posted in various places on the web ..
> easy to find using Google.
>
> Anyway, the WOLK kernel (also in the Gentoo portage tree) has integrated
> grsecurity, systrace, and several other interesting packages. Are we
> duplicating effort? http://sourceforge.net/forum/forum.php?forum_id=238622
> http://stable.gentoo.org/browse?type=versions&category=sys-kernel&package=wolk-sources
>
I am using WOLK and I'm really happy with it. It's actively developed by a
small community (and I sent a patch to mcp for systrace 1.1, as WOLK up to
4.0s-rc3 only supported systrace 1.0).
--
Mit internetten Grüßen / Best Regards
---------------------------------------------------------------------------
Justin Heesemann ionium Technologies
jh@ionium.org www.ionium.org