Re: [gentoo-hardened] New Server, considering hardened, need pointers to tfm...

[Kevin Chadwick <ma1l1ists@yahoo.co.uk>]

On Mon, 12 Dec 2011 18:38:28 +0100
Javier Juan Martínez Cabezón wrote:

> Now please tell me how under this circunstances could root to make nothing.

What are you asking?

The heart of the OS is the kernel. The OpenBSD kernel is more secure
and always will be full stop because that is their main aim. Think about
the exploits in the Linux kernel for all those years whilst they were
present someone could have been exploiting them and still untill the
next one is added and/or found, one of them can likely bypass RBAC.
Restrictions upon root on OpenBSD have been shown to be bypassable
locally on Pentium >2s via cpu management mode by a root user, it's
still difficult. Therefore I try to use certain hardware and will still
use chflags sappnd etc..

Your example about execution can be controlled via file permissions, if
someone allows arbitrary running as root, RBAC or not that is dumb.
Your daemons should be chrooted as normal users so for servers rbac
means very little to me but I would use it if I ran Linux servers and
am planning to use it on my Linux desktops and OpenBSD would likely code
it if they had many more developers and got lots of the other stuff they
want done and couldn't find any more bugs. They certainly wouldn't
refuse a working and well written patch. For desktops or more
exploitable systems rbac gains some weight, so does systrace but all
these tools are good things (don't mention the races in systrace
because I'm not interested and it's still useful) and RAWIO is off by
default on OpenBSD.

Perl can only execute binaries on the system that are there and some
will on a large install contain local exploits or bugs which can be
reduced and fixed but not those introduced by users which could be far
more easily exploited and you can't even hope to prevent that. If you
can exploit the system through perl then that is a perl bug. If perl
scripts are a problem chmod it 750 and/or systrace it or rbac it. Next
you'll be telling me about physical security and bios batteries, well
physical security can exist and lets stop now as it is all irrelevent
and I'm sure everyone here is bored to death of the OpenBSD vs RBAC or
PAX topic.

All of this comes down to more is better and noexec mounts are one of
those blanket tools possibly with effective grsec logging. Exec logging
is usually too much to handle.

Also many exploits only do one particular thing, so dismissal like this
is simply wrong and part of the problem. In fact I remember Linux being
criticised for execution on downloads, the best answer was noexec should
be used. There is also the possibility of users loading up limewire
etc..