thwint n00b

Joined: 15 May 2003 Posts: 53 Location: Biel, Switzerland
Posted: Fri Dec 12, 2003 10:16 am Post subject: Securing Linux
Hi all,
I recently downloaded the Securing & Optimizing Linux: The Ultimate Solution v2.0 guide.
In this guide the openwall kernel patches are mentioned.
Before applying these patches I just wanted to ask some questions.
Does anyone have some experience with these patches?
Is there an ebuild available?
Can I apply these patches on the gentoo-sources or do I need the vanilla sources?
_________________
Cheers,
Tom
jondkent Apprentice


Joined: 26 Jul 2002 Posts: 289 Location: London
Posted: Fri Dec 12, 2003 1:09 pm Post subject:
Before I answer some of your questions, what are you looking to achieve here? I think the openwall stuff may be OTT.
Jon
epretorious Apprentice

Joined: 04 Jul 2003 Posts: 191 Location: Truckee, CA
Posted: Sat Oct 16, 2004 1:01 am Post subject: Re: Securing Linux
thwint wrote:
> Has anyone some experience with these patches?
> Is there an ebuild available?
> Can I apply these patches on the gentoo-sources or do I need the vanilla sources
There doesn't appear to be much interest in Openwall on Gentoo.
I've asked the same question elsewhere in this forum. jonnevers seems to have had some success patching the vanilla-sources-2.4.24.
_________________
Eric P.
Sunnyvale, CA
tuxmin l33t


Joined: 24 Apr 2004 Posts: 838 Location: Heidelberg
Posted: Sat Oct 16, 2004 8:16 pm Post subject:
The document you mention is over 3 years (!) old. This is a long time regarding kernel security.
Most if not all Gentoo kernels have grsecurity support, which as far as I know addresses the same issues as openwall does. Openwall is currently not supported by the hardened herd.
And as jondkent mentioned: what do you want to achieve? Security is one point. Usability the other.
Alex!!
_________________
ALT-F4
epretorious Apprentice

Joined: 04 Jul 2003 Posts: 191 Location: Truckee, CA
Posted: Sun Oct 17, 2004 12:15 am Post subject:
tuxmin wrote:
> The document you mention is over 3 years (!) old. This is a long time regarding kernel security.
What document are you referring to specifically?
tuxmin wrote:
> Most if not all Gentoo kernels have grsecurity support which as far as I know addresses the same issues as openwall does.
Not AFAIK. E.g., if all of Gentoo's kernels were patched with grsecurity, what would be the purpose of the grsec-sources ebuild?
_________________
Eric P.
Sunnyvale, CA
tuxmin l33t


Joined: 24 Apr 2004 Posts: 838 Location: Heidelberg
Posted: Sun Oct 17, 2004 7:41 am Post subject:
Quote:
> What document are you referring to specifically?
Look at the link behind "Securing & Optimizing Linux: The Ultimate Solution v2.0" in the first post.
Quote:
> Not AFAIK. e.g., If all of Gentoo's kernels were patched with grsecurity, what would be the purpose of the grsec-sources ebuild?
Can't tell. I just know that if you emerge gentoo-sources, gentoo-dev-sources or hardened-sources the gr patch is included. I haven't compared all kernel ebuilds... maybe the grsec-sources are vanilla with the grsec patch only, while the gentoo-sources are patched with tons of other stuff?
Alex!!!
_________________
ALT-F4
epretorious Apprentice

Joined: 04 Jul 2003 Posts: 191 Location: Truckee, CA
Posted: Sun Oct 17, 2004 7:18 pm Post subject:
tuxmin wrote:
> Quote:
> > What document are you referring to specifically?
> Look at the link behind "Securing & Optimizing Linux: The Ultimate Solution v2.0" in the first post
Look at the date of the first post - the post itself is a year-and-a-half old! Are you trying to imply that Openwall is no longer an effective tool because it was referenced in an article three-and-a-half years ago?!
Anyhow, the question remains: What about Openwall?
_________________
Eric P.
Sunnyvale, CA
tuxmin l33t


Joined: 24 Apr 2004 Posts: 838 Location: Heidelberg
Posted: Sun Oct 17, 2004 8:37 pm Post subject:
Quote:
> Look at the date of the first post - The post itself is a year-and-a-half old! Are you trying to imply that Openwall is no longer an effective tool because it was referenced in an article three-and-a-half years ago?!
Nope, I would not dare. I have absolutely no first-hand experience with openwall... OK, I admit I missed the date, but I did state that there is no support for openwall in Gentoo. From what I've read so far about OpenWall on their homepage, Gentoo built from the hardened stages with -fstack-protector as a CFLAG and grsecurity in the kernel should be an equivalent replacement. And at least with that combination I have quite some experience. So if this might be interesting for you, feel free to ask.
Regards, Alex!!!
_________________
ALT-F4
epretorious Apprentice

Joined: 04 Jul 2003 Posts: 191 Location: Truckee, CA
Posted: Sun Oct 17, 2004 8:44 pm Post subject:
Quote:
> From what I've read so far about OpenWall on their homepage is that Gentoo built from the hardened stages with -fstack-protector as a CFLAG and grsecurity in kernel should be an equivalent replacement. And at least with that combination I have quite some experience. So if this might be interesting for you feel free to ask.
Thanks! I'll give hardened-sources (with the -fstack-protector CFLAG) a whirl.
_________________
Eric P.
Sunnyvale, CA
tuxmin l33t


Joined: 24 Apr 2004 Posts: 838 Location: Heidelberg
Posted: Sun Oct 17, 2004 9:13 pm Post subject:
That's not exactly what I meant, though it's a good starting point. But to take full advantage of the grsec features you have to use the hardened profile and the hardened stages -- the hardened-sources complement your setup.
You would do a stage1 install with -fstack-protector, and the result is what I find the best available compromise between security and usability.
If you want to have even more, you are encouraged to use the RSBAC system of grsec, which gives you the finest control over nearly any system resource.
Alex!!!
_________________
ALT-F4
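Added example, not from the thread or from Gentoo: a small POSIX sh audit of the three pieces tuxmin lists (hardened profile, -fstack-protector in CFLAGS, grsecurity in the kernel). It assumes the /etc/make.conf, /etc/make.profile symlink and /usr/src/linux/.config layout of 2004-era Gentoo and the CONFIG_GRKERNSEC kernel symbol; whether the stages themselves were built hardened cannot be checked after the fact beyond the profile link and the CFLAGS.

```shell
#!/bin/sh
# Audit for the hardened setup described above (added example, not from the
# thread). Paths are assumptions matching 2004-era Gentoo; pass your own as
# arguments to audit_hardened_setup if they differ.

# Exit 0 if the CFLAGS line of the given make.conf carries -fstack-protector.
cflags_have_stack_protector() {
    grep -E '^[[:space:]]*CFLAGS=' "$1" 2>/dev/null | grep -q -e '-fstack-protector'
}

# Exit 0 if the given kernel .config has grsecurity switched on.
kernel_has_grsec() {
    grep -q '^CONFIG_GRKERNSEC=y' "$1" 2>/dev/null
}

# Exit 0 if the profile symlink resolves to a hardened profile.
profile_is_hardened() {
    readlink "$1" 2>/dev/null | grep -q hardened
}

# Run all three checks, print one line each, return the number of failures.
audit_hardened_setup() {
    make_conf="${1:-/etc/make.conf}"
    kconfig="${2:-/usr/src/linux/.config}"
    profile="${3:-/etc/make.profile}"
    fails=0
    if cflags_have_stack_protector "$make_conf"; then
        echo "ok   $make_conf: CFLAGS include -fstack-protector"
    else
        echo "FAIL $make_conf: CFLAGS lack -fstack-protector (userland gets no canaries)"
        fails=$((fails + 1))
    fi
    if kernel_has_grsec "$kconfig"; then
        echo "ok   $kconfig: CONFIG_GRKERNSEC=y"
    else
        echo "FAIL $kconfig: grsecurity is not enabled in this kernel config"
        fails=$((fails + 1))
    fi
    if profile_is_hardened "$profile"; then
        echo "ok   $profile -> $(readlink "$profile")"
    else
        echo "FAIL $profile does not point at a hardened profile"
        fails=$((fails + 1))
    fi
    return "$fails"
}
```

Source the file and call `audit_hardened_setup` with no arguments on the box itself; a non-zero return is the count of missing pieces.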