On Wed, 2006-01-25 at 12:09 +0200, Jean Blignaut wrote:

> I have often considered and even tried a couple of times to set up a
> hardened box, however I get confused between all the different options
> and all the different implications. What with SELinux, grsecurity 1/2,
> RSBAC, PIE etc. etc.

Each implementation solves a different subset of all "security"
problems.

PIE and SSP try to stop buffer overflows and code insertion attacks.
They are "invasive" as they change how memory allocation and other low
level things work and may break applications in quite interesting ways.
Enabling them is easy.

SELinux is a security policy framework; it doesn't care about buffer
overflows, but manages what applications can do. You can lock down
filesystem access, network access, ... per application.
It's a lot more complicated to set up, but still manageable. The most
problematic step is, as far as I can tell, teaching the access rules.
Takes time and patience, but no black magic :-)

grsecurity is somewhere in between; it may be the most useful for
"normal" users, but I don't have enough experience with all of those to
really comment on that.

> Also the kernel patching concerns me a bit, I would much rather not
> have to search around and battle to patch kernels myself if at all
> possible.
sys-kernel/* might have what you want - rsbac-sources and
hardened-sources should be a good starting point. No need to reinvent
the wheel ...

> I don't get to upgrade the kernel on my production servers very often
> since company policy is 0 downtime.
>
> Also, because these are production servers in use by 1000s of customers,
> I would have to find a hardened kernel (or whatever) that would have
> as small an impact on the current workings and config of the systems
> involved.
You'd have to test on a spare box anyway :-)
http://www.gentoo.org/proj/en/infrastructure/server-standards.xml might
be a good starting point for the kernel settings, then you'll have to
test until you can be reasonably sure that nothing fails.

> I have all my partitions formatted (and kernels built) with support
> for security labels, but that's as far as I've gotten. Also the idea
> of splitting up root's permissions into roles is an interesting
> prospect but I've yet to find decent documentation on how to
> implement/use POSIX ROLES
There are many ways of increasing security - I've been using vserver for
some time, it helps a lot in service separation. The hardened profile is a
nice starting point, but as I've had too many problems using it on ~x86 on
a desktop box I've reverted to the default profile and a vanilla kernel.
The problems were mostly toolchain / compilation bugs, no "unstable"
problems. It's recommendable for server usage.

Hope that helps,

Patrick  
-- 
Stand still, and let the rest of the universe move
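On the PIE/SSP point in Patrick's reply above ("Enabling them is easy"): the check a practitioner wants after rebuilding with the hardened toolchain is whether a given binary actually came out as a PIE and with the stack protector linked in. The script below is an added example, not code from the thread or from Gentoo; it reads the ELF header and program headers directly (no readelf needed) and applies the same `__stack_chk_fail` heuristic that checksec-style scripts use. The sample ELF images it builds for offline testing are constructed here and are not loadable binaries; the script name `elfcheck.py` in the usage note is an assumption.

```python
import struct

ELF_MAGIC = b"\x7fELF"
ET_EXEC = 2        # executable linked at a fixed address (not PIE)
ET_DYN = 3         # position-independent code: a PIE executable or a shared object
PT_LOAD = 1
PT_INTERP = 3      # program header naming the dynamic loader; only executables carry it
SSP_SYMBOL = b"__stack_chk_fail"   # canary-failure handler referenced by -fstack-protector code


def parse_elf(data: bytes) -> dict:
    """Read class, byte order, e_type and the program-header types of an ELF image."""
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("unsupported ELF class or byte order")
    end = "<" if ei_data == 1 else ">"
    (e_type,) = struct.unpack_from(end + "H", data, 16)
    if ei_class == 2:                                   # ELF64 header layout
        (e_phoff,) = struct.unpack_from(end + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
    else:                                               # ELF32 header layout
        (e_phoff,) = struct.unpack_from(end + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)
    phdr_types = []
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + 4 > len(data):
            raise ValueError("truncated program header table")
        (p_type,) = struct.unpack_from(end + "I", data, off)
        phdr_types.append(p_type)
    return {"class": 64 if ei_class == 2 else 32, "type": e_type, "phdr_types": phdr_types}


def hardening_report(data: bytes) -> dict:
    """Classify the image and report PIE and stack-protector (SSP) indicators."""
    elf = parse_elf(data)
    has_interp = PT_INTERP in elf["phdr_types"]
    if elf["type"] == ET_EXEC:
        kind = "executable"
    elif elf["type"] == ET_DYN and has_interp:
        kind = "pie executable"
    elif elf["type"] == ET_DYN:
        kind = "shared object"      # a static PIE also lands here: it has no PT_INTERP
    else:
        kind = "other"
    # Heuristic shared with checksec-style scripts: code built with -fstack-protector*
    # calls __stack_chk_fail, and that name stays in .dynstr even after stripping.
    # A statically linked and stripped binary can hide it, so treat False as "unknown".
    ssp = SSP_SYMBOL in data
    return {"kind": kind, "pie": kind == "pie executable", "ssp": ssp}


def build_sample_elf(e_type: int, with_interp: bool, with_ssp: bool) -> bytes:
    """Constructed ELF64 little-endian image for offline testing (not loadable)."""
    ehdr = struct.pack("<4sBBBBB7x", ELF_MAGIC, 2, 1, 1, 0, 0)      # e_ident: ELF64, LE, v1, SysV ABI
    ehdr += struct.pack("<HHIQQQIHHHHHH",
                        e_type, 62, 1, 0,        # e_type, e_machine (x86-64), e_version, e_entry
                        64, 0, 0,                # e_phoff (right after the header), e_shoff, e_flags
                        64, 56, 1,               # e_ehsize, e_phentsize, e_phnum
                        64, 0, 0)                # e_shentsize, e_shnum, e_shstrndx
    phdr = struct.pack("<IIQQQQQQ", PT_INTERP if with_interp else PT_LOAD, 4, 0, 0, 0, 0, 0, 0)
    dynstr = b"\0libc.so.6\0" + (SSP_SYMBOL + b"\0" if with_ssp else b"printf\0")
    return ehdr + phdr + dynstr


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                       # real binary given on the command line
        with open(sys.argv[1], "rb") as f:
            data = f.read()
    else:                                       # fall back to the constructed sample
        data = build_sample_elf(ET_DYN, True, True)
    print(hardening_report(data))
```

Run it as `python3 elfcheck.py /usr/bin/ssh` (or any binary from the rebuilt system) and expect `kind: pie executable, pie: True, ssp: True`; a non-PIE build reports `executable`, which is the same distinction `readelf -h` shows as `Type: DYN` versus `Type: EXEC`, and the SSP flag corresponds to `__stack_chk_fail` appearing in `readelf -s` output. Because the SSP check is a string search, it proves only that the canary failure path is referenced somewhere, not that every function in the binary is protected.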
