From: Grant
To: gentoo-hardened@lists.gentoo.org
Date: Sat, 27 Dec 2008 07:47:15 -0800
Subject: Re: [gentoo-hardened] Profile switch: hardened to non-hardened?
Message-ID: <49bf44f10812270747y9f5bee3jb192efa6e911b999@mail.gmail.com>
In-Reply-To: <897813410812270049x661a7a3el7913d39fe4fbd108@mail.gmail.com>

> Why don't you tell what you didn't understand to us explain it
> properly to you?. You can't assure nothing if you don't know what do
> you need to assure.
> You can't implement Mandatory Access Controls such as GRSEC rbac
> without a bit of known. You need to make one policy for your system
> and the kernel makes it enforcing their function.
>
> If you are not a sysadmin, how did you keep servers running?, to keep
> servers you need to know how does them work internally (for example DNS
> rfc for DNS servers etc.).

When I say I'm not a real sysadmin, I mean I have many duties and I'm
not able to dive all the way in with sysadmin stuff. This is due to
time constraints.

> As bad is not getting one MAC system running (as the RBAC of
> grsecurity) as get one incorrectly configured running, for example
> granting all capabilities (CAP_SYS_RAWIO...) to the user running
> skype. GRSEC has one TPE function in himself read about it.
>
> Sorry but you have to read documentation (start for example with
> gentoo hardened docs).

You're right. I thought that I was hardening my system just by
running a hardened profile and a hardened kernel at the "Medium"
Grsecurity setting. Does that provide no extra security if I don't
configure it beyond that?

- Grant

>>> Without hardened userland only in access controls. You can implement
>>> for example one Trusted Path Execution with LIDS, RSBAC, GRSEC or
>>> SELinux. They could try to stop crackers that gain unprivileged access
>>> to the host (with a remote exploit for example) to execute exploits to
>>> scale privileges. They could give you one least privilege approach
>>> (as PaX does) and other useful things, as isolation of daemons,
>>> resources controls. And a lot of more. With TPE however, untrusted
>>> scripts (exploits) could be launched without execution rights, and
>>> even restricting the use of perl and python, you must grant your users
>>> the access to bash.
>>
>> Thank you for taking the time to explain, but I'm afraid I don't
>> understand. I'm looking for things I can implement that don't require
>> me to understand their inner workings. This is not ideal, but I only
>> have so much time to devote to sysadmin duties since I'm not a real
>> sysadmin. My server runs a hardened profile because it hasn't caused
>> any problems, but running a hardened profile on my desktops has proven
>> to be too difficult. All of my systems run a hardened kernel but the
>> only hardened feature I've enabled in the kernel is Grsecurity set to
>> medium or low depending on the system.
>>
>> Do the hardened profile and hardened kernels do me any good without
>> further configuration?
>>
>> - Grant
>>
>>>>> In terms of userland, non hardened profile doesn't protect you at all
>>>>> against buffer overflows, you are removing one important security
>>>>> layer. SSP protects you against buffer overflows in terms that the
>>>>> vulnerable application gets killed when the canary is modified before
>>>>> the execution of the arbitrary code. PIE protects you against return
>>>>> into libc attacks that doesn't need an executable stack. PaX is not
>>>>> perfect and needs them as complementary solutions. For example I think
>>>>> that RANDEXEC was removed from PaX time ago, one buffer overflow that
>>>>> uses return into libc attack could be successfully against one
>>>>> non-hardened binary. Since skype is a network oriented software...
>>>>
>>>> In what situations is a hardened kernel useful?
>>>>
>>>> - Grant
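
Added example, not part of the original thread: the SSP and PIE protections described in the quoted messages are properties of each compiled binary, so they can be checked per file without configuring any policy. The sketch below assumes a 64-bit little-endian ELF file; the names audit_elf and make_sample are hypothetical, and the sample images are constructed for the demonstration.

```python
import struct

PT_GNU_STACK = 0x6474E551  # program header that declares stack permissions
PF_X = 0x1                 # "executable" permission bit in p_flags
ET_DYN = 3                 # position-independent object (PIE or shared library)

def audit_elf(data: bytes) -> dict:
    """Report PIE, non-executable-stack and SSP markers for an ELF64 LE image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("expected a 64-bit little-endian ELF file")
    e_type, = struct.unpack_from("<H", data, 16)
    e_phoff, = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    nx_stack = False  # stays False when no PT_GNU_STACK header declares the stack
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            nx_stack = not (p_flags & PF_X)
    return {
        # ET_DYN also matches shared libraries, so read this as "relocatable image".
        "pie": e_type == ET_DYN,
        "nx_stack": nx_stack,
        # Heuristic: SSP-instrumented code references this libc symbol by name.
        "ssp": b"__stack_chk_fail" in data,
    }

def make_sample(e_type: int, stack_flags: int, ssp: bool) -> bytes:
    """Constructed sample: ELF64 header plus a single PT_GNU_STACK program header."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH",
                               e_type, 62, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    return ehdr + phdr + (b"__stack_chk_fail\x00" if ssp else b"")

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:  # optionally audit real binaries given as arguments
        with open(path, "rb") as f:
            print(path, audit_elf(f.read()))
    print("hardened-style sample:", audit_elf(make_sample(3, 6, True)))
    print("plain sample:         ", audit_elf(make_sample(2, 7, False)))
```

The SSP check is a string heuristic and can miss statically linked or stripped binaries; PaX and Grsecurity kernel settings are not visible in this way.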