Gentoo Forums
gentoo = better security?
fusionx86
n00b

Joined: 14 Dec 2003
Posts: 36

Posted: Wed Feb 04, 2004 5:54 am    Post subject: gentoo = better security?

I have a few simple questions, but first some background...

I work at a financial institution and we are required to have security scans of all devices on our internal network as well as anything sitting on the internet. These scans are performed by an outside company.

I used to use redhat for the longest time. Whenever we'd have our network scanned, my redhat box would always show up with some vulnerabilities. I'd patch them sometimes, but I got lazy once and used redhat network to download and install some patches. Needless to say my system was unusable afterwards. :cry:

About two months back however, I switched to Gentoo. I have two Gentoo boxes at home and now one at work. A couple weeks ago another security scan was run on all internal devices and my gentoo box didn't even show up with one security hole. Of course the results also depend on how good the company is at vulnerability assessment. They seem to be pretty good though. I do remember running nmap against my Gentoo box right after installing it and found all ports were closed though. How nice! :mrgreen:

Ok, the questions now...

1. I really only have redhat to compare to, but am I correct in thinking that Gentoo's default installation produces a more secure os than most other distros' default installation?

2. The following commands would keep my systems pretty well patched up correct?
Code:
 emerge sync

Code:
 emerge -uvD world

Code:
 etc-update


That is how I've been updating my computers. Man I love Gentoo! I know that there are other procedures that would be taken to make Gentoo a truly 'hardened' os, but for most purposes just using the above steps would be sufficient for use on a private lan right?

3. How does SELinux work with Gentoo? Is SELinux a set of packages that are installed with Gentoo or is it something more? I've been meaning to read up on it, but haven't gotten around to it yet. :oops:

These are just my observations from a limited time of Gentoo use, but I wanted to get some other opinions. Thanks!
plasmagunman
l33t

Joined: 07 Jun 2002
Posts: 604
Location: berlin

Posted: Wed Feb 04, 2004 8:09 am    Post subject: Re: gentoo = better security?

fusionx86 wrote:
1. I really only have redhat to compare to, but am I correct in thinking that Gentoo's default installation produces a more secure os than most other distros' default installation?

regarding open ports: yes, it is.

Quote:
2. The following commands would keep my systems pretty well patched up correct?
Code:
 emerge sync

Code:
 emerge -uvD world

Code:
 etc-update

this will keep your system up-to-date, so all security-patches will be applied. gentoo's quite fast with fixing security-holes. but it will also install all new versions of programs, which can introduce new flaws. no gentoo-package is as heavily tested as the ones from debian.

Quote:
3. How does SELinux work with Gentoo? Is SELinux a set of packages that are installed with Gentoo or is it something more? I've been meaning to read up on it, but haven't gotten around to it yet. :oops:

there's a gentoo-selinux-installation-guide somewhere... sorry, cannot help here.
EDIT: here it is: http://www.gentoo.org/proj/en/hardened/selinux/selinux-x86-install.xml
_________________
please, feel free to correct my english. - por favor, corrige mi español.
trapperjohn
Apprentice

Joined: 11 Nov 2003
Posts: 242
Location: Bremen/Germany

Posted: Wed Feb 04, 2004 10:55 am    Post subject: Re: gentoo = better security?

fusionx86 wrote:
1. I really only have redhat to compare to, but am I correct in thinking that Gentoo's default installation produces a more secure os than most other distros' default installation?


Not really. If you install all the software that RedHat does on a default install, it will have the same level of security (more or less ..). The problem is that most "security scans" are just too simple. An open port does not always mean a hole in security - and some open ports are "bigger holes" than others.

As an example: If RedHat installs (and starts) the sshd and Gentoo doesn't - is RedHat insecure?
fusionx86
n00b

Joined: 14 Dec 2003
Posts: 36

Posted: Wed Feb 04, 2004 7:00 pm

Hey guys,

Quote:
regarding open ports: yes, it is.

Thanks
Quote:
this will keep your system up-to-date, so all security-patches will be applied. gentoo's quite fast with fixing security-holes. but it will also install all new versions of programs, which can introduce new flaws. no gentoo-package is as heavily tested as the ones from debian.

Thanks again. That is what I was wondering. Makes sense too that new programs can introduce new vulnerabilities. Wonder if gentoo will eventually be tested as heavily as debian.

Quote:
there's a gentoo-selinux-installation-guide somewhere... sorry, cannot help here.
EDIT: here it is: http://www.gentoo.org/proj/en/hardened/selinux/selinux-x86-install.xml

This actually looks really cool. I did some searching on it and it uses mandatory access control. We use a sidewinder firewall here and it uses type enforcement which is the same thing basically. The idea is really great.

Quote:
Not really. If you install all the software that RedHat does on a default install, it will have the same level of security (more or less ..). The problem is that most "security scans" are just too simple. An open port does not always mean a hole in security - and some open ports are "bigger holes" than others.

My first question probably wasn't a good one or wasn't worded correctly. I know that if both are installed or configured the same they would have the same strengths and weaknesses. I guess my point was that by default gentoo seems to install less or rather it gives the user control over everything that gets installed which resulted in a system for me that had everything turned off. Also being able to get the latest packages during the install definitely helped. I'm sure redhat has the ability to somehow get and install up-to-date packages during the install, but I just never experienced that. I guess it comes down to how easy it is to keep the system updated which is where gentoo shines. From what I've read Debian is great as well.

Quote:
As an example: If RedHat installs (and starts) the sshd and Gentoo doesn't - is RedHat insecure?

Well in theory any listening service adds at least a little more risk to the security of a system, but sshd isn't one that I would normally worry about.
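
The thread's point that a listening port matters only in relation to where it is bound and whether it is meant to be reachable can be checked on the host itself. The following is an added example, not part of any post in the thread: it assumes iproute2's `ss -H -tln` output format, and the function names, the port allowlist and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage listening TCP sockets from `ss -H -tln` output.
# Field 4 of each line is the local "address:port" pair.

# Constructed sample input (not captured from any real host).
sample_ss_output() {
cat <<'EOF'
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 127.0.0.1:631 0.0.0.0:*
LISTEN 0 100 [::1]:25 [::]:*
LISTEN 0 511 [::]:8080 [::]:*
LISTEN 0 128 192.168.1.10:111 0.0.0.0:*
EOF
}

# classify_listeners: reads ss lines on stdin, prints "scope port address".
# scope is "local" for loopback binds and "exposed" for everything else.
classify_listeners() {
    awk '$1 == "LISTEN" {
        port = $4; sub(/.*:/, "", port)        # text after the last colon
        addr = $4; sub(/:[^:]*$/, "", addr)    # text before the last colon
        gsub(/\[/, "", addr); gsub(/\]/, "", addr)   # drop IPv6 brackets
        scope = (addr ~ /^127\./ || addr == "::1") ? "local" : "exposed"
        print scope, port, addr
    }'
}

# unexpected_listeners "22 443": prints "port address" for every exposed
# listener whose port is not in the space-separated allowlist.
unexpected_listeners() {
    classify_listeners | awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "exposed" && !($2 in ok) { print $2, $3 }'
}

# On a live host: ss -H -tln | unexpected_listeners "22"
sample_ss_output | unexpected_listeners "22"
```

An empty result means every network-reachable listener is one that was intended; anything printed is a service to justify, rebind to loopback, or stop.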