Old 12-10-2011, 07:07 PM
Matthew Finkel
 
New Server, considering hardened, need pointers to tfm...

On Sat, Dec 10, 2011 at 12:45 PM, Tanstaafl <tanstaafl@libertytrek.org> wrote:

> Hello all,
>
> I'm considering rolling out a new server with gentoo, but wanted to base it on the hardened profile, but the docs I've read so far all seem to be a bit vague about all the details.
>
> I've been using gentoo for a while on my hobby server, but I installed it about 8 years ago, and chose the 'server' profile, and I must say it has been a real pleasure to maintain, and the only real hiccup I ever experienced was the mailman update that moved the directories for the lists without telling me what to do about it (the fix was simple, and the devs swiftly fixed the lack of post-install docs).
>
> Does anyone know of a good How-To that covers *all* of the bases? Ie, which model is best - grsecurity, PAX, SeLinux - and how best to implement it?
>
> Thanks...

You may be able to get a better response from the -hardened list, but I built a hardened server a few months ago without much difficulty. As far as I know, the correct model to use depends on what you want to do with the server/what security you are looking to implement. When I went hardened, I used PaX and grsec [1] because it offered the security I was looking for but didn't restrict userland usability on a server on which I was the only user. My understanding is that this restriction would be a consequence of using SeLinux.

[1] http://www.gentoo.org/proj/en/hardened/grsecurity.xml

As for a solid comparison of the different models and tutorials for them, I don't know of any. I just used [1] as well as the PaX page to install and configure them and I didn't run into any problems.

hope that helps a bit (and I hopefully didn't describe anything incorrectly).

- Matt
 
Old 12-10-2011, 07:14 PM
Tanstaafl
 
New Server, considering hardened, need pointers to tfm...

On 2011-12-10 3:07 PM, Matthew Finkel <matthew.finkel@gmail.com> wrote:
> You may be able to get a better response from the -hardened list,

Dang, I had forgotten gentoo has a bunch of other lists... thanks, just
subscribed...

> but I built a hardened server a few months ago without much
> difficulty. As far as I know, the correct model to use depends on
> what you want to do with the server/what security you are looking to
> implement. When I went hardened, I used PaX and grsec [1] because it
> offered the security I was looking for but didn't restrict userland
> usability on a server on which I was the only user. My understanding
> is that this restriction would be a consequence of using SeLinux.

Yeah, I was leaning toward avoiding SeLinux already from what I've been
reading, thanks...

> [1] http://www.gentoo.org/proj/en/hardened/grsecurity.xml
>
> As for a solid comparison of the different models and tutorials for
> them, I don't know of any. I just used [1] as well as the PaX page to
> install and configure them and I didn't run into any problems.

Good to know, and thanks again...
 
Old 12-10-2011, 07:17 PM
Tanstaafl
 
New Server, considering hardened, need pointers to tfm...

Hello all,

I'm considering rolling out a new server with gentoo, but wanted to base
it on the hardened profile, but the gentoo docs I've read so far all
seem to be a bit vague about all the details.


I've been using gentoo for a while on my hobby server, but I installed
it about 8 years ago, and chose the 'server' profile, and I must say it
has been a real pleasure to maintain, with the only real hiccup I ever
experienced being the mailman update that moved the directories for the
lists without telling me what to do about it (the fix was simple, and
the devs swiftly fixed the lack of post-install docs).


Does anyone know of a good How-To that covers *all* of the bases? Ie,
which model is best - grsecurity, PAX, SeLinux - and how best to
implement it?


The purpose of this server will be as a mail server (dovecot, postfix,
amavisd-new/spamassassin, mailman), and hosting a few small websites.


Thanks...
 
Old 12-10-2011, 07:52 PM
Matthew Thode (prometheanfire)
 
New Server, considering hardened, need pointers to tfm...

On Sat, 10 Dec 2011 15:17:47 -0500
Tanstaafl <tanstaafl@libertytrek.org> wrote:

> Hello all,
>
> I'm considering rolling out a new server with gentoo, but wanted to
> base it on the hardened profile, but the gentoo docs I've read so far
> all seem to be a bit vague about all the details.
>
> I've been using gentoo for a while on my hobby server, but I
> installed it about 8 years ago, and chose the 'server' profile, and I
> must say it has been a real pleasure to maintain, with the only real
> hiccup I ever experienced being the mailman update that moved the
> directories for the lists without telling me what to do about it (the
> fix was simple, and the devs swiftly fixed the lack of post-install
> docs).
>
> Does anyone know of a good How-To that covers *all* of the bases? Ie,
> which model is best - grsecurity, PAX, SeLinux - and how best to
> implement it?
>
> The purpose of this server will be as a mail server (dovecot,
> postfix, amavisd-new/spamassassin, mailman), and hosting a few small
> websites.
>
> Thanks...
>

As with most things gentoo, 'best' is a matter of opinion. I personally
use grsec (includes pax) for hardening and selinux for policies. To
convert you generally do the following.

profile-config set 12 (this sets to nomultilib selinux)
emerge system
emerge world

Since I'm paranoid revdep-rebuild too.

--
Matthew Thode (prometheanfire)
 
Old 12-10-2011, 11:16 PM
Pandu Poluan
 
New Server, considering hardened, need pointers to tfm...

On Dec 11, 2011 3:17 AM, "Tanstaafl" <tanstaafl@libertytrek.org> wrote:
>
> On 2011-12-10 3:07 PM, Matthew Finkel <matthew.finkel@gmail.com> wrote:
>>
>> You may be able to get a better response from the -hardened list,
>
> Dang, I had forgotten gentoo has a bunch of other lists... thanks, just subscribed...
>

Don't forget gentoo-server! It's full of people who deploy and manage servers daily :-)

>> but I built a hardened server a few months ago without much
>> difficulty. As far as I know, the correct model to use depends on
>> what you want to do with the server/what security you are looking to
>> implement. When I went hardened, I used PaX and grsec [1] because it
>> offered the security I was looking for but didn't restrict userland
>> usability on a server on which I was the only user. My understanding
>> is that this restriction would be a consequence of using SeLinux.
>
> Yeah, I was leaning toward avoiding SeLinux already from what I've been reading, thanks...
>

Nothing beats the security of SELinux. But along with that, there will be a HUGE learning curve and management complexity.

GrSec + PaX are enough for me.

>> [1] http://www.gentoo.org/proj/en/hardened/grsecurity.xml
>>
>> As for a solid comparison of the different models and tutorials for
>> them, I don't know of any. I just used [1] as well as the PaX page to
>> install and configure them and I didn't run into any problems.
>
> Good to know, and thanks again...
>

If you decide to deploy PaX, do read the help pages for PaX options; there are settings that might be severely detrimental for certain hardware combinations.


Rgds,
 
Old 12-10-2011, 11:41 PM
Pandu Poluan
 
New Server, considering hardened, need pointers to tfm...

On Dec 11, 2011 12:48 AM, "Tanstaafl" <tanstaafl@libertytrek.org> wrote:
>
> Hello all,
>
> I'm considering rolling out a new server with gentoo, but wanted to base it on the hardened profile, but the docs I've read so far all seem to be a bit vague about all the details.
>
> I've been using gentoo for a while on my hobby server, but I installed it about 8 years ago, and chose the 'server' profile, and I must say it has been a real pleasure to maintain, and the only real hiccup I ever experienced was the mailman update that moved the directories for the lists without telling me what to do about it (the fix was simple, and the devs swiftly fixed the lack of post-install docs).
>
> Does anyone know of a good How-To that covers *all* of the bases? Ie, which model is best - grsecurity, PAX, SeLinux - and how best to implement it?
>
> Thanks...
>


Oh, one more thing:


If you don't need to milk your hardware for every last bit of performance, consider running the server inside a VM like XenServer. You gain the benefit of branchable snapshots, ease of migrating to a different physical box (as long as you don't use -march=native), and simpler menuconfig. Plus, if somehow your VM lost all connectivity, you don't need to visit the server; you can still manage it through XenServer's virtual console.



I have been deploying my servers on top of XenServers, including one gateway/firewall that used to oversee 5 internet links + 1 LAN with an aggregate Internet bandwidth of 35 Mbps. Albeit running on an elderly Pentium 4 box, I have no performance problems at all, even when the gatewall does some very exotic iptables magic (my list of iptables rules is already longer than 100 lines).



Rgds,
 
Old 12-11-2011, 09:18 AM
Sven Vermeulen
 
New Server, considering hardened, need pointers to tfm...

On Sat, Dec 10, 2011 at 02:52:04PM -0600, Matthew Thode wrote:
> As with most things gentoo, 'best' is a mater of opinion. I personally
> use grsec (includes pax) for hardening and selinux for policies. To
> convert you generally do the following.
>
> profile-config set 12 (this sets to nomultilib selinux)
> emerge system
> emerge world
>
> Since I'm paranoid revdep-rebuild too.

If you're considering SELinux, please follow the instructions at
http://hardened.gentoo.org/selinux/selinux-handbook.xml?part=2&chap=1

There's a little more to it than emerge system/world:
- Your /tmp might need a specific mount option (in /etc/fstab)
- If you use LVM or XFS, you need to take specific measures if you want your
system to bootup properly
- You need to build a SELinux-aware kernel as well
- You need to install SELinux utilities
- You need to relabel the system
etc.

That said, my opinion on a server is the same as with Matthew: use hardened
with the options given (grsec, selinux) and perhaps even TPE (trusted path
execution).

Also consider hardening your system settings-wise. I would appreciate if you
take a look at
http://dev.gentoo.org/~swift/docs/previews/oval/gentoo-xccdf-guide.html.
With the instructions given, you can even have your system validated (as far
as possible) automatically.

Wkr,
Sven Vermeulen
 
Old 12-11-2011, 11:20 AM
Alex Efros
 
New Server, considering hardened, need pointers to tfm...

Hi!

On Sun, Dec 11, 2011 at 10:18:51AM +0000, Sven Vermeulen wrote:
> Also consider hardening your system settings-wise. I would appreciate if you
> take a look at
> http://dev.gentoo.org/~swift/docs/previews/oval/gentoo-xccdf-guide.html.

Some points in that guide look strange to me. For example:

1) How can
4.2.4.1. Root Logon Through SSH Is Not Allowed
increase security, if we're already using
4.2.4.2. Public Key Authentication Only
Disabling root may make sense with password auth, but with keys it is
just a useless inconvenience.

2) How can
4.2.4.6. Listen on Management Interface
increase security? Moreover, on multihomed systems listening on all
interfaces may help you a lot in case one of the network links is broken.

3) In my experience,
4.4.2.2. Enable Source Route Verification
often conflicts with net-misc/openvpn based VPN interfaces. I didn't
investigate this issue in depth, just googled for the issue and found a
solution, which was to disable source route verification, and it works.
Maybe there exists a better way to solve this issue, not sure.

4) Nowadays, in addition to
4.8.2. Limit Setuid and Setgid File and Directory Usage
we also have to check for SECURITY_FILE_CAPABILITIES and `getcap`.

5) In my experience, while
4.8.5. Review File Integrity Regularly
looks like a good idea, it's nearly impossible to use in Gentoo because
of daily updates which change a lot of system files, so it's too hard
to review aide-like tool reports and quickly detect suspicious file
changes. If anyone has a good recipe how to work around this I'll be
glad to learn it.

--
WBR, Alex.
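Alex's fourth point, as a worked example added here (my code, not from the thread or from the guide): a sweep that lists setuid and setgid files and, next to them, files carrying Linux file capabilities. The capability half reads the security.capability extended attribute, which is what getcap(8) reads, so a binary that was given CAP_NET_BIND_SERVICE instead of a setuid bit still shows up. The sample directory tree is constructed inside the script; names like bin/passwd are illustrative and say nothing about any real host.

```python
"""List privileged executables: setuid/setgid bits plus file capabilities.

Added example, not from the thread. A plain ``find / -perm /6000`` sweep
misses binaries whose privilege comes from a file capability; the kernel
stores those in the "security.capability" xattr, so checking for that
attribute covers what getcap(8) would report.
"""
import os
import shutil
import stat
import tempfile


def has_file_capability(path):
    """True if the file carries a security.capability xattr."""
    getxattr = getattr(os, "getxattr", None)
    if getxattr is None:          # non-Linux platform without the xattr API
        return False
    try:
        getxattr(path, "security.capability", follow_symlinks=False)
        return True
    except OSError:               # ENODATA: no capability set; ENOTSUP: no xattrs
        return False


def privileged_files(root):
    """Walk *root*; return {path: [markers]} for every regular file that is
    setuid, setgid, or capability-bearing. Symlinks are never followed."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            markers = []
            if st.st_mode & stat.S_ISUID:
                markers.append("setuid")
            if st.st_mode & stat.S_ISGID:
                markers.append("setgid")
            if has_file_capability(path):
                markers.append("capability")
            if markers:
                found[path] = markers
    return found


def demo():
    """Constructed sample tree: one plain file, one setuid, one setgid.
    Returns the findings keyed by path relative to the temp root."""
    root = tempfile.mkdtemp(prefix="privaudit-")
    try:
        def make(rel, mode):
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as fh:
                fh.write("#!/bin/sh\n")
            os.chmod(full, mode)
        make("bin/ls", 0o755)          # ordinary executable
        make("bin/passwd", 0o4755)     # setuid root in real life
        make("usr/bin/wall", 0o2755)   # setgid (tty group in real life)
        return {os.path.relpath(p, root): m
                for p, m in privileged_files(root).items()}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for path, markers in sorted(demo().items()):
        print(path, ",".join(markers))
```

The shell equivalents of the two halves are `find / -xdev -type f -perm /6000` and `getcap -r / 2>/dev/null`; the second is the one a setuid-only audit forgets. Setting a capability on a test file needs CAP_SETFCAP, so the constructed sample only exercises the mode-bit path; on a real root filesystem the xattr check does the rest.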
 
Old 12-11-2011, 01:25 PM
Sven Vermeulen
 
New Server, considering hardened, need pointers to tfm...

On Sun, Dec 11, 2011 at 02:20:43PM +0200, Alex Efros wrote:
> On Sun, Dec 11, 2011 at 10:18:51AM +0000, Sven Vermeulen wrote:
> > Also consider hardening your system settings-wise. I would appreciate if you
> > take a look at
> > http://dev.gentoo.org/~swift/docs/previews/oval/gentoo-xccdf-guide.html.
>
> Some points in that guide look strange to me. For example:
>
> 1) How can
> 4.2.4.1. Root Logon Through SSH Is Not Allowed
> increase security, if we're already using
> 4.2.4.2. Public Key Authentication Only
> Disabling root may make sense with password auth, but with keys it is
> just a useless inconvenience.

I read somewhere that security is about making things more inconvenient for
malicious people than for authorized ones.

For me, immediately logging in as root is not done. I want to limit root
access through the regular accounts on the system (with su(do)). I never had
the need to log on as root immediately myself.

> 2) How can
> 4.2.4.6. Listen on Management Interface
> increase security? Moreover, on multihomed systems listening on all
> interfaces may help you a lot in case one of the network links is broken.

True, but by only allowing management activities on the management interface
and not on a more public facing network, you reduce the likelihood that this
service is abused for malicious reasons.

Personally, I don't limit this on my systems because I don't really have a
multi-homed setup and I am not (yet) considering creating one. Just like
most hardening guides, it is meant to provide some insight in what can be
done - there are always reasons why a setting isn't good for your situation.

> 3) In my experience,
> 4.4.2.2. Enable Source Route Verification
> often conflicts with net-misc/openvpn based VPN interfaces. I didn't
> investigate this issue in depth, just googled for the issue and found a
> solution, which was to disable source route verification, and it works.
> Maybe there exists a better way to solve this issue, not sure.

Ah, didn't realise that. I'll look into this and if necessary, mention that
OpenVPN might require that this is disabled.

> 4) Nowadays, in addition to
> 4.8.2. Limit Setuid and Setgid File and Directory Usage
> we also have to check for SECURITY_FILE_CAPABILITIES and `getcap`.

I still need to look into capabilities. I know Anthony was considering
updating Gentoo/Portage to have this support elevated.

> 5) In my experience, while
> 4.8.5. Review File Integrity Regularly
> looks like a good idea, it's nearly impossible to use in Gentoo because
> of daily updates which change a lot of system files, so it's too hard
> to review aide-like tool reports and quickly detect suspicious file
> changes. If anyone has a good recipe how to work around this I'll be
> glad to learn it.

It of course depends on how you manage your system. I can imagine that you
do not want to pull in daily updates on a server, but instead rely on other
hardening measures, glsa-check, cvechecker and the like to mitigate risks of
vulnerabilities.

Thanks a lot for the feedback though, really appreciated!

Wkr,
Sven Vermeulen
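Sven's answers to points 1 and 2 come down to what sshd is actually configured to do, so here is an added example (my code, not from the thread, the guide, or OpenSSH) that audits an sshd_config text for the three related items: PermitRootLogin, key-only authentication, and ListenAddress. It encodes the sshd_config(5) rules a grep-based check gets wrong: keywords are case-insensitive, the first occurrence of a keyword wins (ListenAddress is the exception and accumulates), and directives under a Match block are conditional. The two configurations and the 192.0.2.10 management address are constructed samples.

```python
"""Audit sshd_config for root login, key-only auth and listen address.

Added example; not from the thread, the guide, or OpenSSH. sshd_config(5)
rules that matter for any checker: for each keyword the FIRST occurrence
wins, so a "hardening" line appended at the bottom of the file is ignored
if the keyword already appears above it; ListenAddress may repeat and
every occurrence is honoured; directives under a Match block apply only
to matching connections, so this parser stops there and audits the
global section.
"""
import re

# A ListenAddress host in this set means "every interface".
_WILDCARD_LISTEN = {"", "*", "0.0.0.0", "::"}


def parse_sshd_config(text):
    """{keyword_lower: value} for the global section, first occurrence wins;
    'listenaddress' maps to a list of every occurrence."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^(\S+?)(?:\s*=\s*|\s+)(.*)$", line)  # "Key val" or "Key=val"
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        if key == "listenaddress":
            cfg.setdefault(key, []).append(value)
        else:
            cfg.setdefault(key, value)
    return cfg


def _listen_host(value):
    """Strip an optional port: '[::1]:22' -> '::1', '192.0.2.10:22' -> '192.0.2.10'."""
    if value.startswith("[") and "]" in value:
        return value[1:value.index("]")]
    if value.count(":") == 1:
        return value.split(":", 1)[0]
    return value


def audit_sshd(text):
    """Return a list of findings; an empty list passes every checked item."""
    cfg = parse_sshd_config(text)
    findings = []
    # 4.2.4.1: no direct root logins. The keyword defaulted to "yes" before
    # OpenSSH 7.0, so only an explicit "no" passes.
    if cfg.get("permitrootlogin", "yes").lower() != "no":
        findings.append("PermitRootLogin is not 'no'")
    # 4.2.4.2: key-only means password auth AND keyboard-interactive (PAM)
    # are both off; "PasswordAuthentication no" alone still lets PAM prompt.
    if cfg.get("passwordauthentication", "yes").lower() != "no":
        findings.append("PasswordAuthentication is not 'no'")
    kbd = cfg.get("kbdinteractiveauthentication",
                  cfg.get("challengeresponseauthentication", "yes"))
    if kbd.lower() != "no":
        findings.append("keyboard-interactive (PAM) authentication still enabled")
    if cfg.get("pubkeyauthentication", "yes").lower() != "yes":
        findings.append("PubkeyAuthentication is disabled")
    # 4.2.4.6: bind the management address only; the default is all interfaces.
    for addr in cfg.get("listenaddress", [""]):
        if _listen_host(addr) in _WILDCARD_LISTEN:
            where = "ListenAddress %r" % addr if addr else "ListenAddress unset"
            findings.append(where + " binds every interface")
    return findings


# Constructed sample: the two appended "fix" lines never take effect.
WEAK_CONFIG = """\
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
# appended later in the hope of hardening it; sshd ignores both duplicates
PermitRootLogin no
PasswordAuthentication no
"""

# Constructed sample that passes; 192.0.2.10 stands in for a management IP.
HARDENED_CONFIG = """\
ListenAddress 192.0.2.10
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
Match User backup
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd(text) or ["ok"])
```

On a live host, `sshd -T` prints the effective global configuration after this first-wins resolution (in lowercase, which the parser accepts), and `sshd -T -C user=root,host=...,addr=...` resolves Match blocks for one connection, so feeding its output to audit_sshd is more reliable than reading the file.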
 
Old 12-11-2011, 01:53 PM
Alex Efros
 
New Server, considering hardened, need pointers to tfm...

Hi!

On Sun, Dec 11, 2011 at 02:25:19PM +0000, Sven Vermeulen wrote:
> > 1) How can
> > 4.2.4.1. Root Logon Through SSH Is Not Allowed
> > increase security, if we're already using
> > 4.2.4.2. Public Key Authentication Only
> > Disabling root may make sense with password auth, but with keys it is
> > just a useless inconvenience.
>
> I read somewhere that security is about making things more inconvenient for
> malicious people than for authorized ones.
>
> For me, immediately logging in as root is not done. I want to limit root
> access through the regular accounts on the system (with su(do)). I never had
> the need to log on as root immediately myself.

Understood. But I still don't see how this can increase security.

> hardening measures, glsa-check, cvechecker and the like to mitigate risks of

Been there, done that, it doesn't work: on average, after 1-1.5 years of
security-only updates we end up with the next security update, which depends
on a few other packages, which in turn pull in 80% of the other @world updates.
So we have to emerge world anyway every ~1.5 years, but such delayed
updates weren't tested by anyone and usually give a lot of trouble,
resulting in the server being offline for several days. Daily world updates are much
easier to manage, even with the need to check these updates on test servers
first, before updating production servers. (And daily updates are usually easy
to roll back and debug in case of unexpected troubles.) Because of this I
don't think Gentoo is capable of acting as an LTS release with security-only
updates like some other distributions.

--
WBR, Alex.
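Alex's fifth point, and the exchange with Sven about update cadence, as an added example (my code, not from the thread, AIDE or Portage): instead of eyeballing an integrity report after each emerge world, reconcile every changed file against what Portage itself recorded installing. Portage writes one CONTENTS file per installed package under /var/db/pkg/<category>/<package-version>/, with lines of the form `obj <path> <md5> <mtime>` for regular files; a changed file whose current MD5 matches its CONTENTS entry was put there by a package, and anything else is what deserves a human look. The directory tree, the "update", the "attacker" and the CONTENTS text below are all constructed inside the script.

```python
"""Reconcile a file-integrity delta with Portage's installed-package records.

Added example, not from the thread. Portage records the MD5 of every
regular file it installs in /var/db/pkg/<cat>/<pkg-ver>/CONTENTS:
    obj /usr/bin/foo <md5> <mtime>
So a file that changed since the last integrity run is "explained" when
its current hash equals what Portage says it installed, and "suspicious"
when it differs or no package owns the path at all.
"""
import hashlib
import os
import shutil
import tempfile


def md5_file(path):
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_contents(text):
    """Map path -> md5 for the 'obj' records of one or more CONTENTS files.
    The md5 and mtime are always the last two fields, so paths containing
    spaces are reassembled from the middle."""
    owned = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0] == "obj":
            owned[" ".join(parts[1:-2])] = parts[-2]
    return owned


def snapshot(root):
    """{absolute-style path: md5} for every regular file under root; this is
    what an AIDE-like tool stores as its database."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                snap["/" + os.path.relpath(full, root)] = md5_file(full)
    return snap


def triage(before, after, owned):
    """Split the before/after delta into (explained, suspicious) path lists."""
    explained, suspicious = [], []
    for path in sorted(set(before) | set(after)):
        if before.get(path) == after.get(path):
            continue                                  # unchanged
        if path not in after:                         # deleted
            (explained if path not in owned else suspicious).append(path)
        elif owned.get(path) == after[path]:
            explained.append(path)                    # Portage installed exactly this
        else:
            suspicious.append(path)                   # modified, or no package owns it
    return explained, suspicious


def demo():
    """Constructed scenario: an update replaces /bin/ls, an unmerge removes
    /bin/old, and an attacker swaps /bin/login. Returns triage()'s result."""
    root = tempfile.mkdtemp(prefix="fim-")
    try:
        def write(rel, data):
            full = os.path.join(root, rel.lstrip("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
        write("/bin/ls", b"ls v1")
        write("/bin/login", b"login v1")
        write("/bin/old", b"old")
        before = snapshot(root)                       # yesterday's database
        write("/bin/ls", b"ls v2")                    # emerge world: new coreutils
        os.remove(os.path.join(root, "bin/old"))      # emerge --unmerge old
        write("/bin/login", b"login backdoored")      # not Portage's doing
        after = snapshot(root)                        # today's scan
        # Constructed post-update CONTENTS records for the two owning packages.
        contents = "dir /bin\nobj /bin/ls %s 1323561600\nobj /bin/login %s 1323561600\n" % (
            hashlib.md5(b"ls v2").hexdigest(), hashlib.md5(b"login v1").hexdigest())
        return triage(before, after, parse_contents(contents))
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    explained, suspicious = demo()
    print("explained by packages:", explained)
    print("needs a look:", suspicious)
```

On a real box, concatenate /var/db/pkg/*/*/CONTENTS into parse_contents and feed the two snapshot dicts exported from your integrity tool; qcheck from app-portage/portage-utils does the same comparison against CONTENTS for a package or the whole system. The caveat is the trust chain: an attacker with root can rewrite CONTENTS as easily as the binary, so the integrity database, and ideally a copy of /var/db/pkg, has to live off the host or on read-only media between runs.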