[gentoo-hardened] Profile switch: hardened to non-hardened?

[gentoo-hardened] Profile switch: hardened to non-hardened?

[Grant]

Can I switch my laptop's profile from a hardened one to a non-hardened
one?  I thought this was impossible without a complete reinstall but
folks on the gentoo-user list seem to think it's not a problem.

- Grant

Re: [gentoo-hardened] Profile switch: hardened to non-hardened?

[Ned Ludd]

On Tue, 2008-12-23 at 13:23 -0800, Grant wrote:
> Can I switch my laptop's profile from a hardened one to a non-hardened
> one?  I thought this was impossible without a complete reinstall but
> folks on the gentoo-user list seem to think it's not a problem.
> 
> - Grant
> 

yes

Re: [gentoo-hardened] Profile switch: hardened to non-hardened?

[Marc Lemaire]

[-- Attachment #1: Type: text/plain, Size: 720 bytes --]

I've been able to do so; basically I switched over to the standard 
profile, disabled selinux in the kernel, and re-emerged system for new 
use flags. There were some other details but overall the process was 
pretty painless, anyone ambitious enough to configure a hardened system 
can probably handle the switch without much problem. Not that I'm 
encouraging you to drop hardened (especially on a laptop that could be 
exposed to random wifi networks ;-)

Grant wrote, On 12/23/08 16:23:
> Can I switch my laptop's profile from a hardened one to a non-hardened
> one?  I thought this was impossible without a complete reinstall but
> folks on the gentoo-user list seem to think it's not a problem.
>
> - Grant
>
>   

[-- Attachment #2: S/MIME Cryptographic Signature --]
[-- Type: application/x-pkcs7-signature, Size: 3254 bytes --]

Re: [gentoo-hardened] Profile switch: hardened to non-hardened?

[Grant]

> I've been able to do so; basically I switched over to the standard profile,
> disabled selinux in the kernel, and re-emerged system for new use flags.
> There were some other details but overall the process was pretty painless,
> anyone ambitious enough to configure a hardened system can probably handle
> the switch without much problem. Not that I'm encouraging you to drop
> hardened (especially on a laptop that could be exposed to random wifi
> networks ;-)

I'd love to keep it hardened but I want to install programs like
skype, miro, and mplayer that don't seem to compile under a hardened
profile.

- Grant

>> Can I switch my laptop's profile from a hardened one to a non-hardened
>> one?  I thought this was impossible without a complete reinstall but
>> folks on the gentoo-user list seem to think it's not a problem.
>>
>> - Grant

Re: [gentoo-hardened] Profile switch: hardened to non-hardened?

[Vlad "SATtva" Miller]

Grant (24.12.2008 03:56):
>> I've been able to do so; basically I switched over to the standard profile,
>> disabled selinux in the kernel, and re-emerged system for new use flags.
>> There were some other details but overall the process was pretty painless,
>> anyone ambitious enough to configure a hardened system can probably handle
>> the switch without much problem. Not that I'm encouraging you to drop
>> hardened (especially on a laptop that could be exposed to random wifi
>> networks ;-)
> 
> I'd love to keep it hardened but I want to install programs like
> skype, miro, and mplayer that don't seem to compile under a hardened
> profile.

Vanilla GCC profile and paxctl are your friends.

> - Grant
> 
>>> Can I switch my laptop's profile from a hardened one to a non-hardened
>>> one?  I thought this was impossible without a complete reinstall but
>>> folks on the gentoo-user list seem to think it's not a problem.
>>>
>>> - Grant
> 
> 
> 


-- 
SATtva | security & privacy consulting
www.vladmiller.info | www.pgpru.com

Re: [gentoo-hardened] Profile switch: hardened to non-hardened?

[Grant]

> I've been able to do so; basically I switched over to the standard profile,
> disabled selinux in the kernel, and re-emerged system for new use flags.
> There were some other details but overall the process was pretty painless,
> anyone ambitious enough to configure a hardened system can probably handle
> the switch without much problem. Not that I'm encouraging you to drop
> hardened (especially on a laptop that could be exposed to random wifi
> networks ;-)

Does a properly configured hardened kernel on a non-hardened profile
help with that type of thing?

- Grant

>> Can I switch my laptop's profile from a hardened one to a non-hardened
>> one?  I thought this was impossible without a complete reinstall but
>> folks on the gentoo-user list seem to think it's not a problem.
>>
>> - Grant

Re: [gentoo-hardened] Profile switch: hardened to non-hardened?

[Cyprien Nicolas]

>> I'd love to keep it hardened but I want to install programs like
>> skype, miro, and mplayer that don't seem to compile under a hardened
>> profile.
>
> Vanilla GCC profile and paxctl are your friends.


For mplayer that's not true, I did it using selinux x86 hardened profile

I bought a shuttle to use it as a multimedia server, and I wasn't able
to compile mplayer with the default gcc profile, which is
i686-pc-linux-gnu-3.4.6.

I changed it with gcc-config to
i686-pc-linux-gnu-3.4.6-hardenednopiessp and mplayer compiles fine
(that was just a couple of hours ago).

Now mplayer looks well on my TV, and sounds good on my Hi-Fi.

For skype and miro, I didn't try.

--
Cyprien

[gentoo-hardened] Re: Profile switch: hardened to non-hardened?

[7v5w7go9ub0o]

Grant wrote:
>> I've been able to do so; basically I switched over to the standard profile,
>> disabled selinux in the kernel, and re-emerged system for new use flags.
>> There were some other details but overall the process was pretty painless,
>> anyone ambitious enough to configure a hardened system can probably handle
>> the switch without much problem. Not that I'm encouraging you to drop
>> hardened (especially on a laptop that could be exposed to random wifi
>> networks ;-)
> 
> I'd love to keep it hardened but I want to install programs like
> skype, miro, and mplayer that don't seem to compile under a hardened
> profile.
> 
> - Grant

IIUC, certain flags can be problematic on a very few ebuilds.

Don't know about miro and skype, but for mplayer I have the following in 
/etc/portage/package.use:

media-video/mplayer 3dnow 3dnowext X aac aalib alsa custom-cflags dga 
directfb dts dv dvd encode esd fbcon ftp gif -gtk gnome-mplayer iconv 
ipv6 jpeg live mad md5sum mmx mmxext mp2 mp3 nas opengl png pvr 
quicktime radio real rtc sdl sse sse2 svga theora truetype unicode v4l 
vorbis win32codecs x264 xanim xv xvid lame -a52 -altivec -amrnb -amrwb 
-arts -bidi -bindist -bl -cddb -cdio -cdparanoia cpudetection -debug 
-doc -dvb -enca -ggi -ivtv -jack -joystick -libcaca -lirc -livecd -lzo 
-musepack -nemesi -openal -oss -pnm -rar -samba -speex srt -ssse3 
-teletext -tga -tivo -v4l2 -vidix -xinerama -xvmc -zoran -ladspa 
-pulseaudio -ivtv -pvr

Re: [gentoo-hardened] Profile switch: hardened to non-hardened?

[Grant]

> I've been able to do so; basically I switched over to the standard profile,
> disabled selinux in the kernel, and re-emerged system for new use flags.
> There were some other details but overall the process was pretty painless,
> anyone ambitious enough to configure a hardened system can probably handle
> the switch without much problem. Not that I'm encouraging you to drop
> hardened (especially on a laptop that could be exposed to random wifi
> networks ;-)

Is there any difference between 1 and 8 here?  Should I switch to 8?

# eselect profile list
Available profile symlink targets:
  [1]   hardened/x86/2.6 *
  [2]   selinux/2007.0/x86
  [3]   selinux/2007.0/x86/hardened
  [4]   default/linux/x86/2008.0
  [5]   default/linux/x86/2008.0/desktop
  [6]   default/linux/x86/2008.0/developer
  [7]   default/linux/x86/2008.0/server
  [8]   hardened/linux/x86

- Grant

>>
>> Can I switch my laptop's profile from a hardened one to a non-hardened
>> one?  I thought this was impossible without a complete reinstall but
>> folks on the gentoo-user list seem to think it's not a problem.
>>
>> - Grant

Re: [gentoo-hardened] Profile switch: hardened to non-hardened?

[Gordon Malm]

Hardened profiles: Yes there's a difference, no you should not switch to 
hardened/linux/${ARCH} at this time.

You can get skype working by downloading or building gcc 4.1.x and pointing 
LD_LIBRARY_PATH at the shared object directory when starting skype.  skype 
won't be using hardened toolchain but since its closed source and you're 
willing to switch the whole machine to non-hardened I figure you probably 
don't mind. ;)

Example: 
1. Download 
http://tinderbox.dev.gentoo.org/default-linux/x86/sys-devel/gcc-4.1.2.tbz2
2. unpack the archive to ${HOME}/tinderbox-pkgs/sys-devel/gcc/
3. Run it: 
LD_LIBRARY_PATH="${HOME}/tinderbox-pkgs/sys-devel/gcc/usr/lib/gcc/i686-pc-linux-gnu/4.1.2/" 
skype

If you only require VoIP capability and not skype specifically you might be 
interested net-im/ekiga.

Gordon Malm (gengor)

On Wednesday, December 24, 2008 09:03:21 Grant wrote:
> > I've been able to do so; basically I switched over to the standard
> > profile, disabled selinux in the kernel, and re-emerged system for new
> > use flags. There were some other details but overall the process was
> > pretty painless, anyone ambitious enough to configure a hardened system
> > can probably handle the switch without much problem. Not that I'm
> > encouraging you to drop hardened (especially on a laptop that could be
> > exposed to random wifi networks ;-)
>
> Is there any difference between 1 and 8 here?  Should I switch to 8?
>
> # eselect profile list
> Available profile symlink targets:
>   [1]   hardened/x86/2.6 *
>   [2]   selinux/2007.0/x86
>   [3]   selinux/2007.0/x86/hardened
>   [4]   default/linux/x86/2008.0
>   [5]   default/linux/x86/2008.0/desktop
>   [6]   default/linux/x86/2008.0/developer
>   [7]   default/linux/x86/2008.0/server
>   [8]   hardened/linux/x86
>
> - Grant
>
> >> Can I switch my laptop's profile from a hardened one to a non-hardened
> >> one?  I thought this was impossible without a complete reinstall but
> >> folks on the gentoo-user list seem to think it's not a problem.
> >>
> >> - Grant

Re: [gentoo-hardened] Profile switch: hardened to non-hardened?

[Grant]

> Hardened profiles: Yes there's a difference, no you should not switch to
> hardened/linux/${ARCH} at this time.

Is hardened/x86/2.6 still available for new installations?  My other
systems are amd64 but none of them list hardened/amd64/2.6.

> You can get skype working by downloading or building gcc 4.1.x and pointing
> LD_LIBRARY_PATH at the shared object directory when starting skype.  skype
> won't be using hardened toolchain but since its closed source and you're
> willing to switch the whole machine to non-hardened I figure you probably
> don't mind. ;)
>
> Example:
> 1. Download
> http://tinderbox.dev.gentoo.org/default-linux/x86/sys-devel/gcc-4.1.2.tbz2
> 2. unpack the archive to ${HOME}/tinderbox-pkgs/sys-devel/gcc/
> 3. Run it:
> LD_LIBRARY_PATH="${HOME}/tinderbox-pkgs/sys-devel/gcc/usr/lib/gcc/i686-pc-linux-gnu/4.1.2/"
> skype
>
> If you only require VoIP capability and not skype specifically you might be
> interested net-im/ekiga.

Thank you very much for that, but I'm trying to simplify.  You see,
I'm only a fake sysadmin.  Does using a hardened kernel with a
non-hardened profile still offer good protection?

- Grant

>> > I've been able to do so; basically I switched over to the standard
>> > profile, disabled selinux in the kernel, and re-emerged system for new
>> > use flags. There were some other details but overall the process was
>> > pretty painless, anyone ambitious enough to configure a hardened system
>> > can probably handle the switch without much problem. Not that I'm
>> > encouraging you to drop hardened (especially on a laptop that could be
>> > exposed to random wifi networks ;-)
>>
>> Is there any difference between 1 and 8 here?  Should I switch to 8?
>>
>> # eselect profile list
>> Available profile symlink targets:
>>   [1]   hardened/x86/2.6 *
>>   [2]   selinux/2007.0/x86
>>   [3]   selinux/2007.0/x86/hardened
>>   [4]   default/linux/x86/2008.0
>>   [5]   default/linux/x86/2008.0/desktop
>>   [6]   default/linux/x86/2008.0/developer
>>   [7]   default/linux/x86/2008.0/server
>>   [8]   hardened/linux/x86
>>
>> - Grant
>>
>> >> Can I switch my laptop's profile from a hardened one to a non-hardened
>> >> one?  I thought this was impossible without a complete reinstall but
>> >> folks on the gentoo-user list seem to think it's not a problem.
>> >>
>> >> - Grant

Re: [gentoo-hardened] Profile switch: hardened to non-hardened?

[Javier J. Martínez Cabezón]

In terms of userland, non hardened profile doesn't protect you at all
against buffer overflows, you are removing one important security
layer. SSP protects you against buffer overflows in terms that the
vulnerable application gets killed when the canary is modified before
the execution of the arbitrary code. PIE protects you against return
into libc attacks that doesn't need an executable stack. PaX is not
perfect and needs them as complementary solutions. For example I think
that RANDEXEC was removed from PaX time ago, one buffer overflow that
uses return into libc attack could be succesfully against one
non-hardened binary. Since skype is a network oriented software...

2008/12/25 Grant <emailgrant@gmail.com>:
>> Hardened profiles: Yes there's a difference, no you should not switch to
>> hardened/linux/${ARCH} at this time.
>
> Is hardened/x86/2.6 still available for new installations?  My other
> systems are amd64 but none of them list hardened/amd64/2.6.
>
>> You can get skype working by downloading or building gcc 4.1.x and pointing
>> LD_LIBRARY_PATH at the shared object directory when starting skype.  skype
>> won't be using hardened toolchain but since its closed source and you're
>> willing to switch the whole machine to non-hardened I figure you probably
>> don't mind. ;)
>>
>> Example:
>> 1. Download
>> http://tinderbox.dev.gentoo.org/default-linux/x86/sys-devel/gcc-4.1.2.tbz2
>> 2. unpack the archive to ${HOME}/tinderbox-pkgs/sys-devel/gcc/
>> 3. Run it:
>> LD_LIBRARY_PATH="${HOME}/tinderbox-pkgs/sys-devel/gcc/usr/lib/gcc/i686-pc-linux-gnu/4.1.2/"
>> skype
>>
>> If you only require VoIP capability and not skype specifically you might be
>> interested net-im/ekiga.
>
> Thank you very much for that, but I'm trying to simplify.  You see,
> I'm only a fake sysadmin.  Does using a hardened kernel with a
> non-hardened profile still offer good protection?
>
> - Grant
>
>>> > I've been able to do so; basically I switched over to the standard
>>> > profile, disabled selinux in the kernel, and re-emerged system for new
>>> > use flags. There were some other details but overall the process was
>>> > pretty painless, anyone ambitious enough to configure a hardened system
>>> > can probably handle the switch without much problem. Not that I'm
>>> > encouraging you to drop hardened (especially on a laptop that could be
>>> > exposed to random wifi networks ;-)
>>>
>>> Is there any difference between 1 and 8 here?  Should I switch to 8?
>>>
>>> # eselect profile list
>>> Available profile symlink targets:
>>>   [1]   hardened/x86/2.6 *
>>>   [2]   selinux/2007.0/x86
>>>   [3]   selinux/2007.0/x86/hardened
>>>   [4]   default/linux/x86/2008.0
>>>   [5]   default/linux/x86/2008.0/desktop
>>>   [6]   default/linux/x86/2008.0/developer
>>>   [7]   default/linux/x86/2008.0/server
>>>   [8]   hardened/linux/x86
>>>
>>> - Grant
>>>
>>> >> Can I switch my laptop's profile from a hardened one to a non-hardened
>>> >> one?  I thought this was impossible without a complete reinstall but
>>> >> folks on the gentoo-user list seem to think it's not a problem.
>>> >>
>>> >> - Grant
>
>

Re: [gentoo-hardened] Profile switch: hardened to non-hardened?

[Grant]

> In terms of userland, non hardened profile doesn't protect you at all
> against buffer overflows, you are removing one important security
> layer. SSP protects you against buffer overflows in terms that the
> vulnerable application gets killed when the canary is modified before
> the execution of the arbitrary code. PIE protects you against return
> into libc attacks that doesn't need an executable stack. PaX is not
> perfect and needs them as complementary solutions. For example I think
> that RANDEXEC was removed from PaX time ago, one buffer overflow that
> uses return into libc attack could be succesfully against one
> non-hardened binary. Since skype is a network oriented software...

In what situations is a hardened kernel useful?

- Grant


>>> Hardened profiles: Yes there's a difference, no you should not switch to
>>> hardened/linux/${ARCH} at this time.
>>
>> Is hardened/x86/2.6 still available for new installations?  My other
>> systems are amd64 but none of them list hardened/amd64/2.6.
>>
>>> You can get skype working by downloading or building gcc 4.1.x and pointing
>>> LD_LIBRARY_PATH at the shared object directory when starting skype.  skype
>>> won't be using hardened toolchain but since its closed source and you're
>>> willing to switch the whole machine to non-hardened I figure you probably
>>> don't mind. ;)
>>>
>>> Example:
>>> 1. Download
>>> http://tinderbox.dev.gentoo.org/default-linux/x86/sys-devel/gcc-4.1.2.tbz2
>>> 2. unpack the archive to ${HOME}/tinderbox-pkgs/sys-devel/gcc/
>>> 3. Run it:
>>> LD_LIBRARY_PATH="${HOME}/tinderbox-pkgs/sys-devel/gcc/usr/lib/gcc/i686-pc-linux-gnu/4.1.2/"
>>> skype
>>>
>>> If you only require VoIP capability and not skype specifically you might be
>>> interested net-im/ekiga.
>>
>> Thank you very much for that, but I'm trying to simplify.  You see,
>> I'm only a fake sysadmin.  Does using a hardened kernel with a
>> non-hardened profile still offer good protection?
>>
>> - Grant
>>
>>>> > I've been able to do so; basically I switched over to the standard
>>>> > profile, disabled selinux in the kernel, and re-emerged system for new
>>>> > use flags. There were some other details but overall the process was
>>>> > pretty painless, anyone ambitious enough to configure a hardened system
>>>> > can probably handle the switch without much problem. Not that I'm
>>>> > encouraging you to drop hardened (especially on a laptop that could be
>>>> > exposed to random wifi networks ;-)
>>>>
>>>> Is there any difference between 1 and 8 here?  Should I switch to 8?
>>>>
>>>> # eselect profile list
>>>> Available profile symlink targets:
>>>>   [1]   hardened/x86/2.6 *
>>>>   [2]   selinux/2007.0/x86
>>>>   [3]   selinux/2007.0/x86/hardened
>>>>   [4]   default/linux/x86/2008.0
>>>>   [5]   default/linux/x86/2008.0/desktop
>>>>   [6]   default/linux/x86/2008.0/developer
>>>>   [7]   default/linux/x86/2008.0/server
>>>>   [8]   hardened/linux/x86
>>>>
>>>> - Grant
>>>>
>>>> >> Can I switch my laptop's profile from a hardened one to a non-hardened
>>>> >> one?  I thought this was impossible without a complete reinstall but
>>>> >> folks on the gentoo-user list seem to think it's not a problem.
>>>> >>
>>>> >> - Grant

Re: [gentoo-hardened] Profile switch: hardened to non-hardened?

[Javier J. Martínez Cabezón]

Without hardened userland only in access controls. You can implement
for example one Trusted Path Execution with LIDS, RSBAC, GRSEC or
SELinux. They could try to stop crackers that gain unpriviledge access
to the host (with a remote exploit for example) to execute exploits to
scale priviledges. They could give you one least priviledge approach
(as PaX does) and other useful things, as isolation of daemons,
resources controls. And a lot of more. With TPE however, untrusted
scripts (exploits) could be launched without execution rights, and
even restricting the use of perl and python, you must grant your users
the access to bash.

2008/12/26 Grant <emailgrant@gmail.com>:
>> In terms of userland, non hardened profile doesn't protect you at all
>> against buffer overflows, you are removing one important security
>> layer. SSP protects you against buffer overflows in terms that the
>> vulnerable application gets killed when the canary is modified before
>> the execution of the arbitrary code. PIE protects you against return
>> into libc attacks that doesn't need an executable stack. PaX is not
>> perfect and needs them as complementary solutions. For example I think
>> that RANDEXEC was removed from PaX time ago, one buffer overflow that
>> uses return into libc attack could be succesfully against one
>> non-hardened binary. Since skype is a network oriented software...
>
> In what situations is a hardened kernel useful?
>
> - Grant
>
>
>>>> Hardened profiles: Yes there's a difference, no you should not switch to
>>>> hardened/linux/${ARCH} at this time.
>>>
>>> Is hardened/x86/2.6 still available for new installations?  My other
>>> systems are amd64 but none of them list hardened/amd64/2.6.
>>>
>>>> You can get skype working by downloading or building gcc 4.1.x and pointing
>>>> LD_LIBRARY_PATH at the shared object directory when starting skype.  skype
>>>> won't be using hardened toolchain but since its closed source and you're
>>>> willing to switch the whole machine to non-hardened I figure you probably
>>>> don't mind. ;)
>>>>
>>>> Example:
>>>> 1. Download
>>>> http://tinderbox.dev.gentoo.org/default-linux/x86/sys-devel/gcc-4.1.2.tbz2
>>>> 2. unpack the archive to ${HOME}/tinderbox-pkgs/sys-devel/gcc/
>>>> 3. Run it:
>>>> LD_LIBRARY_PATH="${HOME}/tinderbox-pkgs/sys-devel/gcc/usr/lib/gcc/i686-pc-linux-gnu/4.1.2/"
>>>> skype
>>>>
>>>> If you only require VoIP capability and not skype specifically you might be
>>>> interested net-im/ekiga.
>>>
>>> Thank you very much for that, but I'm trying to simplify.  You see,
>>> I'm only a fake sysadmin.  Does using a hardened kernel with a
>>> non-hardened profile still offer good protection?
>>>
>>> - Grant
>>>
>>>>> > I've been able to do so; basically I switched over to the standard
>>>>> > profile, disabled selinux in the kernel, and re-emerged system for new
>>>>> > use flags. There were some other details but overall the process was
>>>>> > pretty painless, anyone ambitious enough to configure a hardened system
>>>>> > can probably handle the switch without much problem. Not that I'm
>>>>> > encouraging you to drop hardened (especially on a laptop that could be
>>>>> > exposed to random wifi networks ;-)
>>>>>
>>>>> Is there any difference between 1 and 8 here?  Should I switch to 8?
>>>>>
>>>>> # eselect profile list
>>>>> Available profile symlink targets:
>>>>>   [1]   hardened/x86/2.6 *
>>>>>   [2]   selinux/2007.0/x86
>>>>>   [3]   selinux/2007.0/x86/hardened
>>>>>   [4]   default/linux/x86/2008.0
>>>>>   [5]   default/linux/x86/2008.0/desktop
>>>>>   [6]   default/linux/x86/2008.0/developer
>>>>>   [7]   default/linux/x86/2008.0/server
>>>>>   [8]   hardened/linux/x86
>>>>>
>>>>> - Grant
>>>>>
>>>>> >> Can I switch my laptop's profile from a hardened one to a non-hardened
>>>>> >> one?  I thought this was impossible without a complete reinstall but
>>>>> >> folks on the gentoo-user list seem to think it's not a problem.
>>>>> >>
>>>>> >> - Grant
>
>

Re: [gentoo-hardened] Profile switch: hardened to non-hardened?

[Grant]

> Without hardened userland only in access controls. You can implement
> for example one Trusted Path Execution with LIDS, RSBAC, GRSEC or
> SELinux. They could try to stop crackers that gain unpriviledge access
> to the host (with a remote exploit for example) to execute exploits to
> scale priviledges. They could give you one least priviledge approach
> (as PaX does) and other useful things, as isolation of daemons,
> resources controls. And a lot of more. With TPE however, untrusted
> scripts (exploits) could be launched without execution rights, and
> even restricting the use of perl and python, you must grant your users
> the access to bash.

Thank you for taking the time to explain, but I'm afraid I don't
understand.  I'm looking for things I can implement that don't require
me to understand their inner workings.  This is not ideal, but I only
have so much time to devote to sysadmin duties since I'm not a real
sysadmin.  My server runs a hardened profile because it hasn't caused
any problems, but running a hardened profile on my desktops has proven
to be too difficult.  All of my systems run a hardened kernel but the
only hardened feature I've enabled in the kernel is Grsecurity set to
medium or low depending on the system.

Do the hardened profile and hardened kernels do me any good without
further configuration?

- Grant

>>> In terms of userland, non hardened profile doesn't protect you at all
>>> against buffer overflows, you are removing one important security
>>> layer. SSP protects you against buffer overflows in terms that the
>>> vulnerable application gets killed when the canary is modified before
>>> the execution of the arbitrary code. PIE protects you against return
>>> into libc attacks that doesn't need an executable stack. PaX is not
>>> perfect and needs them as complementary solutions. For example I think
>>> that RANDEXEC was removed from PaX time ago, one buffer overflow that
>>> uses return into libc attack could be succesfully against one
>>> non-hardened binary. Since skype is a network oriented software...
>>
>> In what situations is a hardened kernel useful?
>>
>> - Grant

Re: [gentoo-hardened] Profile switch: hardened to non-hardened?

[Javier J. Martínez Cabezón]

Why don't you tell what you didn't understand to us explain it
properly to you?. You can't assure nothing if you don't know what do
you need to assure.
You can't implement Mandatory Access Controls such as GRSEC rbac
without a bit of known. You need to make one policy for your system
and the kernel makes it enforcing their function.

If you are not a sysadmin, how did you keep servers running?, to keep
servers you need to know how does them work internaly (for example DNS
rfc for DNS servers etc.).

As bad is not getting one MAC system running (as the RBAC of
grsecurity) as get one incorrectly configured running, for example
granting all capabilities (CAP_SYS_RAWIO...) to the user running
skype. GRSEC has one TPE function in himself read about it.

Sorry but you have to read documentation (start for example with
gentoo hardened docs).

2008/12/26 Grant <emailgrant@gmail.com>:
>> Without hardened userland only in access controls. You can implement
>> for example one Trusted Path Execution with LIDS, RSBAC, GRSEC or
>> SELinux. They could try to stop crackers that gain unpriviledge access
>> to the host (with a remote exploit for example) to execute exploits to
>> scale priviledges. They could give you one least priviledge approach
>> (as PaX does) and other useful things, as isolation of daemons,
>> resources controls. And a lot of more. With TPE however, untrusted
>> scripts (exploits) could be launched without execution rights, and
>> even restricting the use of perl and python, you must grant your users
>> the access to bash.
>
> Thank you for taking the time to explain, but I'm afraid I don't
> understand.  I'm looking for things I can implement that don't require
> me to understand their inner workings.  This is not ideal, but I only
> have so much time to devote to sysadmin duties since I'm not a real
> sysadmin.  My server runs a hardened profile because it hasn't caused
> any problems, but running a hardened profile on my desktops has proven
> to be too difficult.  All of my systems run a hardened kernel but the
> only hardened feature I've enabled in the kernel is Grsecurity set to
> medium or low depending on the system.
>
> Do the hardened profile and hardened kernels do me any good without
> further configuration?
>
> - Grant
>
>>>> In terms of userland, non hardened profile doesn't protect you at all
>>>> against buffer overflows, you are removing one important security
>>>> layer. SSP protects you against buffer overflows in terms that the
>>>> vulnerable application gets killed when the canary is modified before
>>>> the execution of the arbitrary code. PIE protects you against return
>>>> into libc attacks that doesn't need an executable stack. PaX is not
>>>> perfect and needs them as complementary solutions. For example I think
>>>> that RANDEXEC was removed from PaX time ago, one buffer overflow that
>>>> uses return into libc attack could be succesfully against one
>>>> non-hardened binary. Since skype is a network oriented software...
>>>
>>> In what situations is a hardened kernel useful?
>>>
>>> - Grant
>
>

Re: [gentoo-hardened] Profile switch: hardened to non-hardened?

[Grant]

> Why don't you tell what you didn't understand to us explain it
> properly to you?. You can't assure nothing if you don't know what do
> you need to assure.
> You can't implement Mandatory Access Controls such as GRSEC rbac
> without a bit of known. You need to make one policy for your system
> and the kernel makes it enforcing their function.
>
> If you are not a sysadmin, how did you keep servers running?, to keep
> servers you need to know how does them work internaly (for example DNS
> rfc for DNS servers etc.).

When I say I'm not a real sysadmin, I mean I have many duties and I'm
not able to dive all the way in with sysadmin stuff.  This is due to
time constraints.

> As bad is not getting one MAC system running (as the RBAC of
> grsecurity) as get one incorrectly configured running, for example
> granting all capabilities (CAP_SYS_RAWIO...) to the user running
> skype. GRSEC has one TPE function in himself read about it.
>
> Sorry but you have to read documentation (start for example with
> gentoo hardened docs).

You're right.  I thought that I was hardening my system just by
running a hardened profile and a hardened kernel at the "Medium"
Grsecurity setting.  Does that provide no extra security if I don't
configure it beyond that?

- Grant


>>> Without hardened userland only in access controls. You can implement
>>> for example one Trusted Path Execution with LIDS, RSBAC, GRSEC or
>>> SELinux. They could try to stop crackers that gain unpriviledge access
>>> to the host (with a remote exploit for example) to execute exploits to
>>> scale priviledges. They could give you one least priviledge approach
>>> (as PaX does) and other useful things, as isolation of daemons,
>>> resources controls. And a lot of more. With TPE however, untrusted
>>> scripts (exploits) could be launched without execution rights, and
>>> even restricting the use of perl and python, you must grant your users
>>> the access to bash.
>>
>> Thank you for taking the time to explain, but I'm afraid I don't
>> understand.  I'm looking for things I can implement that don't require
>> me to understand their inner workings.  This is not ideal, but I only
>> have so much time to devote to sysadmin duties since I'm not a real
>> sysadmin.  My server runs a hardened profile because it hasn't caused
>> any problems, but running a hardened profile on my desktops has proven
>> to be too difficult.  All of my systems run a hardened kernel but the
>> only hardened feature I've enabled in the kernel is Grsecurity set to
>> medium or low depending on the system.
>>
>> Do the hardened profile and hardened kernels do me any good without
>> further configuration?
>>
>> - Grant
>>
>>>>> In terms of userland, non hardened profile doesn't protect you at all
>>>>> against buffer overflows, you are removing one important security
>>>>> layer. SSP protects you against buffer overflows in terms that the
>>>>> vulnerable application gets killed when the canary is modified before
>>>>> the execution of the arbitrary code. PIE protects you against return
>>>>> into libc attacks that doesn't need an executable stack. PaX is not
>>>>> perfect and needs them as complementary solutions. For example I think
>>>>> that RANDEXEC was removed from PaX time ago, one buffer overflow that
>>>>> uses return into libc attack could be succesfully against one
>>>>> non-hardened binary. Since skype is a network oriented software...
>>>>
>>>> In what situations is a hardened kernel useful?
>>>>
>>>> - Grant

Re: [gentoo-hardened] Profile switch: hardened to non-hardened?

[Javier J. Martínez Cabezón]

Low grsecurity level:

linking restrictions
fifo restrictions
random pids
enforcing nproc on execve()
restricted dmesg
random ip ids
enforced chdir("/") on chroot

Medium grsecurity level (include low grsec level)

random tcp source ports
failed fork logging
time change logging
signal logging
deny mounts in chroot
deny double chrooting
deny sysctl writes in chroot
deny mknod in chroot
deny access to abstract AF_UNIX sockets out of chroot
deny pivot_root in chroot
denied writes of /dev/kmem, /dev/mem, and /dev/port
/proc restrictions with special gid set to 10 (generalmente wheel)
address space layout randomization
removal of addresses from /proc//[maps|stat]

high grsecurity level (include low and medium):

additional /proc restrictions
chmod restrictions in chroot
no signals, ptrace, or viewing processes outside of chroot
capability restrictions in chroot
deny fchdir out of chroot
priority restrictions in chroot
segmentation-based implementation of PaX
mprotect restrictions
kernel stack randomization
mount/unmount/remount logging
kernel symbol hiding

I took this from the grsecurity-hacktimes-v1.0.pdf. Let's see.

Low level: it enforces the chroot creation a bit and protect against
linking attacks. Protects against a few D.O.S. Is a very low low low
low level of security (this and nothing is something like the same.

Medium level: This introduces two things interesting, it protects
memory devices from alteration (rootkits could do this). It harden the
chroots creation closing some doors that could make people escape from
it. I think it has not sense that ASLR appears here since the stack
probably stays executable and so is not needed one return into libc
attack to get success. The same for the restrictions to
/proc/self/maps.

High level: It enforces the no executable stack and heap and the
mprotect restrictions to make it useful (so no memory could be
simultaneously writeable and executable. Now is needed the ASLR
approach and the hiding of address to make it useful against buffer
overflows.

It would be useful to activate Trusted Path Execution by default
(maybe could appears in custom level?).

2008/12/27 Grant <emailgrant@gmail.com>:
>> Why don't you tell what you didn't understand to us explain it
>> properly to you?. You can't assure nothing if you don't know what do
>> you need to assure.
>> You can't implement Mandatory Access Controls such as GRSEC rbac
>> without a bit of known. You need to make one policy for your system
>> and the kernel makes it enforcing their function.
>>
>> If you are not a sysadmin, how did you keep servers running?, to keep
>> servers you need to know how does them work internaly (for example DNS
>> rfc for DNS servers etc.).
>
> When I say I'm not a real sysadmin, I mean I have many duties and I'm
> not able to dive all the way in with sysadmin stuff.  This is due to
> time constraints.
>
>> As bad is not getting one MAC system running (as the RBAC of
>> grsecurity) as get one incorrectly configured running, for example
>> granting all capabilities (CAP_SYS_RAWIO...) to the user running
>> skype. GRSEC has one TPE function in himself read about it.
>>
>> Sorry but you have to read documentation (start for example with
>> gentoo hardened docs).
>
> You're right.  I thought that I was hardening my system just by
> running a hardened profile and a hardened kernel at the "Medium"
> Grsecurity setting.  Does that provide no extra security if I don't
> configure it beyond that?
>
> - Grant
>
>
>>>> Without hardened userland only in access controls. You can implement
>>>> for example one Trusted Path Execution with LIDS, RSBAC, GRSEC or
>>>> SELinux. They could try to stop crackers that gain unpriviledge access
>>>> to the host (with a remote exploit for example) to execute exploits to
>>>> scale priviledges. They could give you one least priviledge approach
>>>> (as PaX does) and other useful things, as isolation of daemons,
>>>> resources controls. And a lot of more. With TPE however, untrusted
>>>> scripts (exploits) could be launched without execution rights, and
>>>> even restricting the use of perl and python, you must grant your users
>>>> the access to bash.
>>>
>>> Thank you for taking the time to explain, but I'm afraid I don't
>>> understand.  I'm looking for things I can implement that don't require
>>> me to understand their inner workings.  This is not ideal, but I only
>>> have so much time to devote to sysadmin duties since I'm not a real
>>> sysadmin.  My server runs a hardened profile because it hasn't caused
>>> any problems, but running a hardened profile on my desktops has proven
>>> to be too difficult.  All of my systems run a hardened kernel but the
>>> only hardened feature I've enabled in the kernel is Grsecurity set to
>>> medium or low depending on the system.
>>>
>>> Do the hardened profile and hardened kernels do me any good without
>>> further configuration?
>>>
>>> - Grant
>>>
>>>>>> In terms of userland, non hardened profile doesn't protect you at all
>>>>>> against buffer overflows, you are removing one important security
>>>>>> layer. SSP protects you against buffer overflows in terms that the
>>>>>> vulnerable application gets killed when the canary is modified before
>>>>>> the execution of the arbitrary code. PIE protects you against return
>>>>>> into libc attacks that doesn't need an executable stack. PaX is not
>>>>>> perfect and needs them as complementary solutions. For example I think
>>>>>> that RANDEXEC was removed from PaX time ago, one buffer overflow that
>>>>>> uses return into libc attack could be succesfully against one
>>>>>> non-hardened binary. Since skype is a network oriented software...
>>>>>
>>>>> In what situations is a hardened kernel useful?
>>>>>
>>>>> - Grant
>
>

Re: [gentoo-hardened] Profile switch: hardened to non-hardened?

[Grant]

> Low grsecurity level:
>
> linking restrictions
> fifo restrictions
> random pids
> enforcing nproc on execve()
> restricted dmesg
> random ip ids
> enforced chdir("/") on chroot
>
> Medium grsecurity level (include low grsec level)
>
> random tcp source ports
> failed fork logging
> time change logging
> signal logging
> deny mounts in chroot
> deny double chrooting
> deny sysctl writes in chroot
> deny mknod in chroot
> deny access to abstract AF_UNIX sockets out of chroot
> deny pivot_root in chroot
> denied writes of /dev/kmem, /dev/mem, and /dev/port
> /proc restrictions with special gid set to 10 (generalmente wheel)
> address space layout randomization
> removal of addresses from /proc//[maps|stat]
>
> high grsecurity level (include low and medium):
>
> additional /proc restrictions
> chmod restrictions in chroot
> no signals, ptrace, or viewing processes outside of chroot
> capability restrictions in chroot
> deny fchdir out of chroot
> priority restrictions in chroot
> segmentation-based implementation of PaX
> mprotect restrictions
> kernel stack randomization
> mount/unmount/remount logging
> kernel symbol hiding
>
> I took this from the grsecurity-hacktimes-v1.0.pdf. Let's see.
>
> Low level: it enforces the chroot creation a bit and protect against
> linking attacks. Protects against a few D.O.S. Is a very low low low
> low level of security (this and nothing is something like the same.
>
> Medium level: This introduces two things interesting, it protects
> memory devices from alteration (rootkits could do this). It harden the
> chroots creation closing some doors that could make people escape from
> it. I think it has not sense that ASLR appears here since the stack
> probably stays executable and so is not needed one return into libc
> attack to get success. The same for the restrictions to
> /proc/self/maps.
>
> High level: It enforces the no executable stack and heap and the
> mprotect restrictions to make it useful (so no memory could be
> simultaneously writeable and executable. Now is needed the ASLR
> approach and the hiding of address to make it useful against buffer
> overflows.
>
> It would be useful to activate Trusted Path Execution by default
> (maybe could appears in custom level?).

Thank you for that.  What I'm looking for is one or more easy methods
for hardening my Gentoo systems.  I have two desktops, a laptop, and a
remote server.  The desktops and laptop run a hardened kernel with
grsecurity "Low" and the server runs a hardened profile and a hardened
kernel with grsecurity "Medium".   I don't run a hardened profile or
grsecurity "Medium" on the desktops or laptops because problems pop up
with Xorg apps and I don't have time to delve into them.  I need
something easy like enabling "Low", "Medium", or "High" and
recompiling the kernel.

What else would you recommend for me?

- Grant


>>> Why don't you tell what you didn't understand to us explain it
>>> properly to you?. You can't assure nothing if you don't know what do
>>> you need to assure.
>>> You can't implement Mandatory Access Controls such as GRSEC rbac
>>> without a bit of known. You need to make one policy for your system
>>> and the kernel makes it enforcing their function.
>>>
>>> If you are not a sysadmin, how did you keep servers running?, to keep
>>> servers you need to know how does them work internaly (for example DNS
>>> rfc for DNS servers etc.).
>>
>> When I say I'm not a real sysadmin, I mean I have many duties and I'm
>> not able to dive all the way in with sysadmin stuff.  This is due to
>> time constraints.
>>
>>> As bad is not getting one MAC system running (as the RBAC of
>>> grsecurity) as get one incorrectly configured running, for example
>>> granting all capabilities (CAP_SYS_RAWIO...) to the user running
>>> skype. GRSEC has one TPE function in himself read about it.
>>>
>>> Sorry but you have to read documentation (start for example with
>>> gentoo hardened docs).
>>
>> You're right.  I thought that I was hardening my system just by
>> running a hardened profile and a hardened kernel at the "Medium"
>> Grsecurity setting.  Does that provide no extra security if I don't
>> configure it beyond that?
>>
>> - Grant
>>
>>
>>>>> Without hardened userland only in access controls. You can implement
>>>>> for example one Trusted Path Execution with LIDS, RSBAC, GRSEC or
>>>>> SELinux. They could try to stop crackers that gain unpriviledge access
>>>>> to the host (with a remote exploit for example) to execute exploits to
>>>>> scale priviledges. They could give you one least priviledge approach
>>>>> (as PaX does) and other useful things, as isolation of daemons,
>>>>> resources controls. And a lot of more. With TPE however, untrusted
>>>>> scripts (exploits) could be launched without execution rights, and
>>>>> even restricting the use of perl and python, you must grant your users
>>>>> the access to bash.
>>>>
>>>> Thank you for taking the time to explain, but I'm afraid I don't
>>>> understand.  I'm looking for things I can implement that don't require
>>>> me to understand their inner workings.  This is not ideal, but I only
>>>> have so much time to devote to sysadmin duties since I'm not a real
>>>> sysadmin.  My server runs a hardened profile because it hasn't caused
>>>> any problems, but running a hardened profile on my desktops has proven
>>>> to be too difficult.  All of my systems run a hardened kernel but the
>>>> only hardened feature I've enabled in the kernel is Grsecurity set to
>>>> medium or low depending on the system.
>>>>
>>>> Do the hardened profile and hardened kernels do me any good without
>>>> further configuration?
>>>>
>>>> - Grant
>>>>
>>>>>>> In terms of userland, non hardened profile doesn't protect you at all
>>>>>>> against buffer overflows, you are removing one important security
>>>>>>> layer. SSP protects you against buffer overflows in terms that the
>>>>>>> vulnerable application gets killed when the canary is modified before
>>>>>>> the execution of the arbitrary code. PIE protects you against return
>>>>>>> into libc attacks that doesn't need an executable stack. PaX is not
>>>>>>> perfect and needs them as complementary solutions. For example I think
>>>>>>> that RANDEXEC was removed from PaX time ago, one buffer overflow that
>>>>>>> uses return into libc attack could be succesfully against one
>>>>>>> non-hardened binary. Since skype is a network oriented software...
>>>>>>
>>>>>> In what situations is a hardened kernel useful?
>>>>>>
>>>>>> - Grant

Re: [gentoo-hardened] Profile switch: hardened to non-hardened?

[Ned Ludd]

[snip]
> What else would you recommend for me?

I'd suggest to completely ignore the grsec (low/med/high) options and
use the Hardened Gentoo level in the hardened-sources all the time.

Xorg should not cause problems unless you are stuck using 3rd party
binary drivers. Most of us are using a hardened X setup.

Re: [gentoo-hardened] Profile switch: hardened to non-hardened?

[Grant]

>> What else would you recommend for me?
>
> I'd suggest to completely ignore the grsec (low/med/high) options and
> use the Hardened Gentoo level in the hardened-sources all the time.
>
> Xorg should not cause problems unless you are stuck using 3rd party
> binary drivers. Most of us are using a hardened X setup.

Excellent, thank you.  You think the "Hardened Gentoo (workstation)"
and "Hardened Gentoo (server)" grsecurity setups are adequate
low-maintenance solutions?

What does a hardened profile do for my server?

- Grant

Re: [gentoo-hardened] Profile switch: hardened to non-hardened?

[Ned Ludd]

On Mon, 2008-12-29 at 17:05 -0800, Grant wrote:
> >> What else would you recommend for me?
> >
> > I'd suggest to completely ignore the grsec (low/med/high) options and
> > use the Hardened Gentoo level in the hardened-sources all the time.
> >
> > Xorg should not cause problems unless you are stuck using 3rd party
> > binary drivers. Most of us are using a hardened X setup.
> 
> Excellent, thank you.  You think the "Hardened Gentoo (workstation)"
> and "Hardened Gentoo (server)" grsecurity setups are adequate
> low-maintenance solutions?


Re: "low maintenance" 
I'm not sure we can dumb down the hardening efforts anymore than we
already have. It's all pretty transparent and seems mostly like a normal
install of anything else. The ELF's are just smarter.

> What does a hardened profile do for my server?

Enables things to match the kernel options/blocks things that conflict.

Re: [gentoo-hardened] Profile switch: hardened to non-hardened?

[Grant]

>> >> What else would you recommend for me?
>> >
>> > I'd suggest to completely ignore the grsec (low/med/high) options and
>> > use the Hardened Gentoo level in the hardened-sources all the time.
>> >
>> > Xorg should not cause problems unless you are stuck using 3rd party
>> > binary drivers. Most of us are using a hardened X setup.
>>
>> Excellent, thank you.  You think the "Hardened Gentoo (workstation)"
>> and "Hardened Gentoo (server)" grsecurity setups are adequate
>> low-maintenance solutions?
>
>
> Re: "low maintenance"
> I'm not sure we can dumb down the hardening efforts anymore than we
> already have. It's all pretty transparent and seems mostly like a normal
> install of anything else. The ELF's are just smarter.

Low maintenance definitely.  Is the security OK?

>> What does a hardened profile do for my server?
>
> Enables things to match the kernel options/blocks things that conflict.

Is the grsecurity "Hardened Gentoo (workstation)" setting useful
without the hardened profile?

- Grant

Re: [gentoo-hardened] Profile switch: hardened to non-hardened?

[Ned Ludd]

On Tue, 2008-12-30 at 12:31 -0800, Grant wrote:
> >> >> What else would you recommend for me?
> >> >
> >> > I'd suggest to completely ignore the grsec (low/med/high) options and
> >> > use the Hardened Gentoo level in the hardened-sources all the time.
> >> >
> >> > Xorg should not cause problems unless you are stuck using 3rd party
> >> > binary drivers. Most of us are using a hardened X setup.
> >>
> >> Excellent, thank you.  You think the "Hardened Gentoo (workstation)"
> >> and "Hardened Gentoo (server)" grsecurity setups are adequate
> >> low-maintenance solutions?
> >
> >
> > Re: "low maintenance"
> > I'm not sure we can dumb down the hardening efforts anymore than we
> > already have. It's all pretty transparent and seems mostly like a normal
> > install of anything else. The ELF's are just smarter.
> 
> Low maintenance definitely.  Is the security OK?

Please think before you type and hit send.

Pretend you have 0 extra security now. Then you take an entire project
that devotes itself to proactive security measures. It enables features
that are security based. So 0 vs 1... 

> >> What does a hardened profile do for my server?
> >
> > Enables things to match the kernel options/blocks things that conflict.
> 
> Is the grsecurity "Hardened Gentoo (workstation)" setting useful
> without the hardened profile?

Of course it is. Is your make menuconfig (read help) broken?

We are also getting way off topic here and this thread is going on for a
week. the orig question was answered with a simple "yes". If you have
lots of interactive new questions, jump on irc where you can learn more
in an hour than you can in two months of playing ping/pong on the list.

Re: [gentoo-hardened] Profile switch: hardened to non-hardened?

[Grant]

>> >> >> What else would you recommend for me?
>> >> >
>> >> > I'd suggest to completely ignore the grsec (low/med/high) options and
>> >> > use the Hardened Gentoo level in the hardened-sources all the time.
>> >> >
>> >> > Xorg should not cause problems unless you are stuck using 3rd party
>> >> > binary drivers. Most of us are using a hardened X setup.
>> >>
>> >> Excellent, thank you.  You think the "Hardened Gentoo (workstation)"
>> >> and "Hardened Gentoo (server)" grsecurity setups are adequate
>> >> low-maintenance solutions?
>> >
>> >
>> > Re: "low maintenance"
>> > I'm not sure we can dumb down the hardening efforts anymore than we
>> > already have. It's all pretty transparent and seems mostly like a normal
>> > install of anything else. The ELF's are just smarter.
>>
>> Low maintenance definitely.  Is the security OK?
>
> Please think before you type and hit send.
>
> Pretend you have 0 extra security now. Then you take an entire project
> that devotes itself to proactive security measures. It enables features
> that are security based. So 0 vs 1...
>
>> >> What does a hardened profile do for my server?
>> >
>> > Enables things to match the kernel options/blocks things that conflict.
>>
>> Is the grsecurity "Hardened Gentoo (workstation)" setting useful
>> without the hardened profile?
>
> Of course it is. Is your make menuconfig (read help) broken?
>
> We are also getting way off topic here and this thread is going on for a
> week. the orig question was answered with a simple "yes". If you have
> lots of interactive new questions, jump on irc where you can learn more
> in an hour than you can in two months of playing ping/pong on the list.

Fair enough, thanks to everyone for their help.

- Grant