From: Javier J. Martínez Cabezón <tazok.id0@gmail.com>
To: gentoo-hardened@lists.gentoo.org
Subject: Re: [gentoo-hardened] Profile switch: hardened to non-hardened?
Date: Sat, 27 Dec 2008 09:49:20 +0100
Message-ID: <897813410812270049x661a7a3el7913d39fe4fbd108@mail.gmail.com>
In-Reply-To: <49bf44f10812261247l2997a51axe9a3b5a581994f0b@mail.gmail.com>

Why don't you tell us what you didn't understand, so we can explain it properly to you? You can't assure anything if you don't know what you need to assure. You can't implement Mandatory Access Controls such as GRSEC RBAC without a bit of knowledge. You need to write a policy for your system, and the kernel enforces it. If you are not a sysadmin, how did you keep servers running? To keep servers running you need to know how they work internally (for example the DNS RFCs for DNS servers, etc.).
Not getting a MAC system running (such as grsecurity's RBAC) is as bad as getting one running incorrectly configured, for example granting all capabilities (CAP_SYS_RAWIO...) to the user running skype. GRSEC has a TPE function built in; read about it. Sorry, but you have to read the documentation (start for example with the Gentoo Hardened docs).

2008/12/26 Grant <emailgrant@gmail.com>:
>> Without hardened userland only in access controls. You can implement
>> for example one Trusted Path Execution with LIDS, RSBAC, GRSEC or
>> SELinux. They could try to stop crackers that gain unprivileged access
>> to the host (with a remote exploit for example) to execute exploits to
>> escalate privileges. They could give you one least privilege approach
>> (as PaX does) and other useful things, as isolation of daemons,
>> resource controls. And a lot more. With TPE however, untrusted
>> scripts (exploits) could be launched without execution rights, and
>> even restricting the use of perl and python, you must grant your users
>> access to bash.
>
> Thank you for taking the time to explain, but I'm afraid I don't
> understand. I'm looking for things I can implement that don't require
> me to understand their inner workings. This is not ideal, but I only
> have so much time to devote to sysadmin duties since I'm not a real
> sysadmin. My server runs a hardened profile because it hasn't caused
> any problems, but running a hardened profile on my desktops has proven
> to be too difficult. All of my systems run a hardened kernel but the
> only hardened feature I've enabled in the kernel is Grsecurity set to
> medium or low depending on the system.
>
> Do the hardened profile and hardened kernels do me any good without
> further configuration?
>
> - Grant
>
>>>> In terms of userland, a non-hardened profile doesn't protect you at all
>>>> against buffer overflows; you are removing one important security
>>>> layer. SSP protects you against buffer overflows in the sense that the
>>>> vulnerable application gets killed when the canary is modified, before
>>>> the execution of the arbitrary code. PIE protects you against return
>>>> into libc attacks that don't need an executable stack. PaX is not
>>>> perfect and needs them as complementary solutions. For example I think
>>>> that RANDEXEC was removed from PaX some time ago; one buffer overflow that
>>>> uses a return into libc attack could be successful against a
>>>> non-hardened binary. Since skype is network oriented software...
>>>
>>> In what situations is a hardened kernel useful?
>>>
>>> - Grant
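An added check, not code from the thread or from Gentoo, for the practical question raised above (does the hardened userland actually do anything without further configuration): it inspects a binary for the two toolchain properties the quoted text relies on, PIE (ET_DYN rather than ET_EXEC) and SSP (an import of `__stack_chk_fail`). It assumes file paths are passed on the command line and that scanning the first 1 MiB of each file is enough.

```c
/* Added example, not from the thread: report whether an ELF file is
 * position-independent (e_type ET_DYN, not ET_EXEC) and whether it imports
 * __stack_chk_fail, which SSP-built code calls when a canary is overwritten.
 * Simplified from scanelf/checksec: a PIE and a shared object both show as
 * ET_DYN here, and only the first 1 MiB of each file is scanned. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { ELF_BAD = -1, ELF_EXEC = 2, ELF_DYN = 3 };

/* e_type of a raw ELF image (ET_EXEC = 2, ET_DYN = 3, ...), or ELF_BAD. */
int elf_type(const uint8_t *img, size_t len) {
    if (len < 18 || memcmp(img, "\x7f" "ELF", 4) != 0)
        return ELF_BAD;
    if (img[5] == 1)                           /* EI_DATA: little-endian */
        return img[16] | (img[17] << 8);
    if (img[5] == 2)                           /* EI_DATA: big-endian */
        return (img[16] << 8) | img[17];
    return ELF_BAD;
}

/* 1 if the image contains the symbol name SSP-instrumented code imports. */
int has_stack_chk(const uint8_t *img, size_t len) {
    static const char sym[] = "__stack_chk_fail";
    size_t n = sizeof sym - 1;
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(img + i, sym, n) == 0)
            return 1;
    return 0;
}

/* Print a one-line verdict for one file; returns 0 on success. */
int report(const char *path) {
    static uint8_t buf[1 << 20];
    FILE *f = fopen(path, "rb");
    if (!f) { perror(path); return 1; }
    size_t len = fread(buf, 1, sizeof buf, f);
    fclose(f);
    int t = elf_type(buf, len);
    printf("%s: %s, SSP %s\n", path,
           t == ELF_DYN ? "ET_DYN (PIE or shared object)"
           : t == ELF_EXEC ? "ET_EXEC (not PIE)" : "not ELF",
           has_stack_chk(buf, len) ? "yes" : "no");
    return 0;
}

int main(int argc, char **argv) {
    for (int i = 1; i < argc; i++) report(argv[i]);
    return 0;
}
```

Run it as `./elfcheck /usr/bin/*` after building; an ET_EXEC result on a hardened profile means that package was built without PIE (typically via a pie-disabling flag or ebuild) and is worth a second look.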