Proposed changes to predefined Hardened Gentoo WORKSTATION and SERVER settings
Hi hardened users,
Currently, when configuring the hardened kernel, the user is presented with some predefined Security Levels. (Security options -> Grsecuirty -> Security Level). Four of these are set by Gentoo Hardened Gentoo [server] Hardened Gentoo [server no rbac] Hardened Gentoo [workstation] Hardened Gentoo [workstation no rbac] These are defined so as to maximize security while minimizing breakage with Gentoo software. I'm proposing to change this to Hardened Gentoo [server] Hardened Gentoo [workstation or virtualization host] One change will be to remove the "no rbac" option which is easily turned on/off at Security options -> Grsecuirty -> Role Based Access Control Options -> Disable RBAC system. The default will be on (ie do not disable rbac). Even if the users doesn't want to use RBAC and still enables it, there is no harm done since RBAC simply be available but not used unless turned on by gradm. The other change will be to add a "virtualization host" option. Currently these settings are identical to the workstation and so are coalesced, but may change. I am trying to make the hardened kernel compatible with VirtualBox and kvm, but there are some security settings which will most likely *always* break virtualization and will need to be turned off. This is work in progress and testing is appreciated. The ebuilds are on my overlay. -- Anthony G. Basile, Ph.D. Gentoo Developer |
Proposed changes to predefined Hardened Gentoo WORKSTATION and SERVER settings
Am 25.01.2011 13:26, schrieb Anthony G. Basile:
> Hi hardened users, > > Currently, when configuring the hardened kernel, the user is presented > with some predefined Security Levels. (Security options -> Grsecuirty > -> Security Level). Four of these are set by Gentoo > > Hardened Gentoo [server] > Hardened Gentoo [server no rbac] > Hardened Gentoo [workstation] > Hardened Gentoo [workstation no rbac] > > These are defined so as to maximize security while minimizing breakage > with Gentoo software. I'm proposing to change this to > > Hardened Gentoo [server] > Hardened Gentoo [workstation or virtualization host] > > One change will be to remove the "no rbac" option which is easily turned > on/off at Security options -> Grsecuirty -> Role Based Access Control > Options -> Disable RBAC system. The default will be on (ie do not > disable rbac). Even if the users doesn't want to use RBAC and still > enables it, there is no harm done since RBAC simply be available but not > used unless turned on by gradm. > > The other change will be to add a "virtualization host" option. > Currently these settings are identical to the workstation and so are > coalesced, but may change. I am trying to make the hardened kernel > compatible with VirtualBox and kvm, but there are some security settings > which will most likely *always* break virtualization and will need to be > turned off. > > This is work in progress and testing is appreciated. The ebuilds are on > my overlay. > > My suggestion, as talked about in IRC: server profile with UDEREF and KERNEXEC forced on workstation profile with UDEREF and KERNEXEC default enabled virtualization profile with UDEREF and KERNEXEC default disabled While virtualbox and kvm currently have issues with both options, this may change in the future. To be able to easily test it, those options should not be forced off, but default disabled. Since most other apps for workstations should work with both options, they should be default enabled. Since there might be some special issue with some specific desktop app, it should be able to disable those options, so not forced on for them. -- Thomas Sachau Gentoo Linux Developer |
Proposed changes to predefined Hardened Gentoo WORKSTATION and SERVER settings
25.01.2011 21:19, Thomas Sachau пишет:
> virtualization profile with UDEREF and KERNEXEC default disabled KVM works fine on x86 with both UDEREF and KERNEXEC enabled, and I've been explicitly told by some people that they run KVM host with KERNEXEC enabled on x86_64 without any slowdown. Seems like issues are CPU arch/vendor dependant here. |
Proposed changes to predefined Hardened Gentoo WORKSTATION and SERVER settings
25.01.2011 22:14, Pavel Labushev пишет:
> KVM works fine on x86 with both UDEREF and KERNEXEC enabled, and I've been Forgot to add: on AMD CPUs. I didn't test Intel's. |
Proposed changes to predefined Hardened Gentoo WORKSTATION and SERVER settings
Hi!
On Tuesday 25 January 2011 15:19:55 Thomas Sachau wrote: > Am 25.01.2011 13:26, schrieb Anthony G. Basile: > server profile with UDEREF and KERNEXEC forced on > workstation profile with UDEREF and KERNEXEC default enabled > virtualization profile with UDEREF and KERNEXEC default disabled > > While virtualbox and kvm currently have issues with both options, this may > change in the future. To be able to easily test it, those options should > not be forced off, but default disabled. Is this also true for XEN-based PV hosts? Thanks, Marcel |
Proposed changes to predefined Hardened Gentoo WORKSTATION and SERVER settings
On Tue, Jan 25, 2011 at 9:20 PM, Marcel Meyer <meyerm@fs.tum.de> wrote:
> Is this also true for XEN-based PV hosts? Here is the link to related bug: http://bugs.gentoo.org/show_bug.cgi?id=279795 I have a XEN VPS with hardened gentoo. Kernel doesn`t boot with KERNEXEC enabled. |
Proposed changes to predefined Hardened Gentoo WORKSTATION and SERVER settings
On 01/25/2011 09:19 AM, Thomas Sachau wrote:
> Am 25.01.2011 13:26, schrieb Anthony G. Basile: >> Hi hardened users, >> >> Currently, when configuring the hardened kernel, the user is presented >> with some predefined Security Levels. (Security options -> Grsecuirty >> -> Security Level). Four of these are set by Gentoo >> >> Hardened Gentoo [server] >> Hardened Gentoo [server no rbac] >> Hardened Gentoo [workstation] >> Hardened Gentoo [workstation no rbac] >> >> These are defined so as to maximize security while minimizing breakage >> with Gentoo software. I'm proposing to change this to >> >> Hardened Gentoo [server] >> Hardened Gentoo [workstation or virtualization host] >> >> One change will be to remove the "no rbac" option which is easily turned >> on/off at Security options -> Grsecuirty -> Role Based Access Control >> Options -> Disable RBAC system. The default will be on (ie do not >> disable rbac). Even if the users doesn't want to use RBAC and still >> enables it, there is no harm done since RBAC simply be available but not >> used unless turned on by gradm. >> >> The other change will be to add a "virtualization host" option. >> Currently these settings are identical to the workstation and so are >> coalesced, but may change. I am trying to make the hardened kernel >> compatible with VirtualBox and kvm, but there are some security settings >> which will most likely *always* break virtualization and will need to be >> turned off. >> >> This is work in progress and testing is appreciated. The ebuilds are on >> my overlay. >> >> > > My suggestion, as talked about in IRC: > > server profile with UDEREF and KERNEXEC forced on > workstation profile with UDEREF and KERNEXEC default enabled > virtualization profile with UDEREF and KERNEXEC default disabled > > While virtualbox and kvm currently have issues with both options, this may change in the future. To > be able to easily test it, those options should not be forced off, but default disabled. > > Since most other apps for workstations should work with both options, they should be default > enabled. Since there might be some special issue with some specific desktop app, it should be able > to disable those options, so not forced on for them. > Hi everyone, its been a while since I visited this issue, but I've finally made the change. Its still experimental, but preliminary testing shows that nothing is broken. Hopefully it will also be useful. Currently, the following ebuilds have the same codebase hardened-sources-2.6.37-r2 <-> hardened-sources-2.6.37-r3 hardened-sources-2.6.32-r37 <-> hardened-sources-2.6.32-r38 The only difference is the higher rev number has the new predefined GRSEC/PaX settings. Please test and let me know. -- Anthony G. Basile, Ph.D. Gentoo Developer |
| All times are GMT. The time now is 02:00 AM. |
VBulletin, Copyright ©2000 - 2013, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.