On Sat, 2006-02-18 at 01:23 +0100, Maarten wrote:
> Eric Bliss wrote:
> > On Friday 17 February 2006 14:36, Rumen Yotov wrote:
> > 
> >>Hi,
> >>Please don't take this post as a signal for more battles.
> >>IMHO there are many true facts from both of you.
> > >>Just a few points, as I have some (limited) experience with hardened
> > >>systems.
> > >>1. For 2-3 years using portage-tree in /var/portage, no problems so far,
> > >>all it takes is a symlink in /usr & a change in the /etc/make.conf file.
> > >>So I can mount all /usr as 'noexec'.
> > 
> > 
> > Forgive me for asking, but how is this possible???  The last time I checked
> > (which was 2 minutes ago...), /usr is where almost all the executables on
> > my system are - /usr/bin, /usr/kde/3.x, /usr/libexec, /usr/sbin...
> 
> It is, therefore, logically not possible.
> I believe, in all the mess that this thread has developed into, that
> Rumen simply confused 'noexec' with 'ro'.  Shit happens... :-)
> This must be the explanation for sure. Or else, if /usr can be mounted
> noexec without trouble, I'll donate 7500000000 bogomips to the FSF.
> 
> Maarten
> 
> 
> P.S.:
> 
> The thread this derived from has to be the most lame discussion I have
> witnessed in ages, and I've seen a few. First and foremost because
> neither of you took the simple effort to run two trivial 'find' commands
> to try and prove the other guy wrong.  It is a shame, because at first,
> you both said some things that were 'insightful'[tm]...
> Most people would try to strengthen their positions by coming up with
> some proof, some good arguments, but that is SO totally absent here...
> No proof, nor examples, nor whatsoever...  All you two did manage to say
> was really just an endless loop of--
> 
> "Wrong"
> "Not wrong, right."
> "No, you're wrong"
> "I'm right, you are wrong"
> "You are a thousand times wrong"
> "No, it is you who are infinitely wrong"
> "You are wrong infinitely plus one"
> "I am right, have always been right, and you suck"
> "No YOU suck"
> "I may suck but that is because you know I'm right"
> "You suck AND you are wrong"
> "I do not suck. YOU suck!"
> "Do NOT!"
> "Do TOO!"
> "No you suck. And you are wrong..."
> 
> Now what age-group type conversation does that remind you of...?
Hi,
First I have to say it's *my* mistake - noexec != ro.
As soon as I posted this I went to bed, and just then remembered this
HUGE mistake.
You need 'exec' on /usr just to do anything, but I was thinking about
'ro' - so that nobody could change anything there. It could be remounted
only during installation of new packages, then closed again.
But now I need to explain more (because of this silly mistake).
1. While reading about filling up a partition, I remembered that I wanted
to write about 'quota' too (using this defense mechanism is easy).
Now back to 'hardened'.
2. grsec, generally speaking, uses three main lines of additional defense:
2.1. PaX - protects memory space from various attacks + makes data pages
non-executable; complemented by GCC with SSP, PIC, PIE code generation.
2.2. grsecurity kernel patch (which integrates the PaX patch from #2.1) -
which adds some additional chroot protections, hides many things/info
visible in '/proc', could protect/limit networking access (IIRC) and some
other things;
2.3. Uses RBAC (MAC - Mandatory Access Control) model (through ACLs) to
protect file-system data; could be done easily with 'learning mode'.
3. RSBAC (my favorite ;)
3.1. Has PaX too (plus hardened GCC);
3.2. Main protection is from RSBAC (Rule Set Based Access Control).
Generally speaking it's as if you have not one but two admin/root users:
the old classic 'root' user plus 'secoff' (Security Officer).
Secoff can limit *all* root privileges/access as he wants - on all types
of resources (root could look like a normal user, no problem to do it ;)
I have all /usr + subdirs (inherited property) as 'RO' even for 'root',
only on system update I remove this, then afterward apply it again.
The same could be done on /etc (minus mtab and some individual files which
change during boot). Still impressed with the power of this system.
3.3. A new feature (from some half a year ago) is the new 'user management'
code. All user account data is kept in kernel space (so
no /etc/passwd, /etc/shadow files).
One big drawback with this is the management issue, it's very difficult
to learn to manage such a system (still learning, and a lot to go).
3.4. Very strong "chroot" protection & features.
I think this info explains at least part of the story.
4. SELinux - I have no real experience here, just in theory.
4.1. This one is integrated into the kernel as an LSM;
4.2. Offers a level of protection similar to RSBAC (IMHO);
4.3. Also has a very strong Type/Domain controlled Access Control;
4.4. Easier to implement (than RSBAC) because there are many ready to be
used 'policies' (also in portage);
4.5. But managing it requires a deeper/enough understanding of its working
model;
4.6. Developed by NSA.
That's it. Again sorry for my mistake. Rumen

Attachment: smime.p7s
Description: S/MIME cryptographic signature
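
An added example, not part of the original post or thread: the noexec-versus-ro distinction the message corrects, checked mechanically over a mount table in /proc/mounts format. The sample table, the function names and the policy that treats /tmp and /home as data-only trees are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: audit ro/noexec per mount point, /proc/mounts format
# (fields: device mountpoint fstype options dump pass).

# Constructed sample table, not taken from a real host.
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw,errors=remount-ro 0 0
/dev/sda2 /usr ext3 ro,nodev 0 0
/dev/sda5 /tmp ext3 rw,nosuid,nodev,noexec 0 0
/dev/sda6 /home ext3 rw,nosuid,nodev 0 0'

# has_opt OPTIONS NAME: succeed only on an exact match of one option, so
# "ro" does not match inside "errors=remount-ro".
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_mounts: read mount lines on stdin, print "mountpoint ro|rw exec|noexec verdict".
audit_mounts() {
    while read -r _dev mp _fs opts _rest; do
        [ -n "$mp" ] || continue
        if has_opt "$opts" ro; then w=ro; else w=rw; fi
        if has_opt "$opts" noexec; then x=noexec; else x=exec; fi
        case "$mp" in
            /usr|/usr/*)
                # Binaries live here: noexec breaks the system, ro is the goal.
                if [ "$x" = noexec ]; then v=BROKEN-noexec-on-binaries
                elif [ "$w" = rw ]; then v=WARN-writable
                else v=OK; fi ;;
            /tmp|/home)
                # Assumed policy: data-only trees, nothing should execute from them.
                if [ "$x" = exec ]; then v=WARN-exec-on-data; else v=OK; fi ;;
            *) v=- ;;
        esac
        printf '%s %s %s %s\n' "$mp" "$w" "$x" "$v"
    done
}

# On a real host: audit_mounts < /proc/mounts
# Update window from the post (as root): mount -o remount,rw /usr, install
# packages, then mount -o remount,ro /usr.
printf '%s\n' "$SAMPLE_MOUNTS" | audit_mounts
```
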


