Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
How really Hardened Gentoo is more secure than other Linux?
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
vasili111
n00b
n00b


Joined: 11 Mar 2017
Posts: 2

PostPosted: Sat Mar 11, 2017 5:37 am    Post subject: How really Hardened Gentoo is more secure than other Linux? Reply with quote

How more secure is Hardened Gentoo against 0-day vulnerabilities in the real world than other Linux distros?

As I understand, Hardened Gentoo has many security oriented enhancements that theoretically can protect from some 0-day vulnerabilities. But how good that actually works in the real world? Here ( https://www.cvedetails.com/vendor/33/Linux.html ) I read that in 2016 there were 218 Linux vulnerabilities. How many times default Gentoo Hardened installation was protected against 0-day vulnerabilities in 2016 and other Linux distros were not protected before security patch for vulnerability came out? What evidence we have that Hardened Gentoo really better protects against 0-day vulnerabilities than other Linux distros?
Back to top
View user's profile Send private message
NeddySeagoon
Administrator
Administrator


Joined: 05 Jul 2003
Posts: 43985
Location: 56N 3W

PostPosted: Sat Mar 11, 2017 10:45 am    Post subject: Reply with quote

vasili111,

Welcome to Gentoo.

That's not how security works. The idea is to make something harder for an attacker, not impossible, so that they find an easier target to attack.
Further, for an attacker to use your box, they need access, then they need to subvert something. That's two steps.

Hardened is something that makes both steps more difficult with some attacks - not all.

Even without hardened you can mount /tmp and /home with the noexec option, which denies ordinary users the ability to run arbitrary software, since the have no execute space.
This means that you need to set up your system with /tmp and /home on their own partitions.
Once an attacker has root, its game over - they can do anything.

As always formulate your perceived threat model, then deploy defences against it.
Keep in mind too that there is a trade off between security and usability.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
Back to top
View user's profile Send private message
Syl20
Guru
Guru


Joined: 04 Aug 2005
Posts: 564
Location: France

PostPosted: Mon Mar 13, 2017 9:50 am    Post subject: Reply with quote

Moreover, that depends on your kernel configuration. The hardened kernel sources package provides lots of security features (selinux, grsec...), but you have to enable and configure them, and then deal with their restrictions.
Back to top
View user's profile Send private message
vasili111
n00b
n00b


Joined: 11 Mar 2017
Posts: 2

PostPosted: Sat Mar 18, 2017 4:25 am    Post subject: Reply with quote

NeddySeagoon wrote:
vasili111,

Welcome to Gentoo.



Thank you :D

NeddySeagoon wrote:
vasili111,

Welcome to Gentoo.

That's not how security works. The idea is to make something harder for an attacker, not impossible, so that they find an easier target to attack.
Further, for an attacker to use your box, they need access, then they need to subvert something. That's two steps.

Hardened is something that makes both steps more difficult with some attacks - not all.

Even without hardened you can mount /tmp and /home with the noexec option, which denies ordinary users the ability to run arbitrary software, since the have no execute space.
This means that you need to set up your system with /tmp and /home on their own partitions.
Once an attacker has root, its game over - they can do anything.

As always formulate your perceived threat model, then deploy defences against it.
Keep in mind too that there is a trade off between security and usability.


Syl20 wrote:
Moreover, that depends on your kernel configuration. The hardened kernel sources package provides lots of security features (selinux, grsec...), but you have to enable and configure them, and then deal with their restrictions.


I understand that. But I am interested if anyone has personal experience that his system was secured against 0-day exploit with default or even well-configured Hardened Gentoo with well-configured features that it provides, but in that time other Linux distributions were vulnerable for same 0-day exploit. Does anyone have such personal experience?
Back to top
View user's profile Send private message
ct85711
Veteran
Veteran


Joined: 27 Sep 2005
Posts: 1715

PostPosted: Sat Mar 18, 2017 6:33 am    Post subject: Reply with quote

One thing you are not keeping in mind, is that linux is linux; the software is the same for any distribution. You get the same package on Gentoo as you get on debian, ubuntu, fedora and all of the others; we all share patches between each other (and of course to upstream too). The only main differences between the distributions is the package manager and graphical customization (i.e. logo, coloration, etc...). Gentoo has one other difference in that we are a source based distribution, and we try have dependencies separate from the package. This allows patches get applied to everything. A good case in point is heartbleed (the big openssl vulnerability). Openssl is very commonly included in several packages, and the part that made heartbleed so bad is that so many packages included their own copy of openssl (to aid on compiling against an known version). On Gentoo, we got the patch out for that issue right away, and most of our packages was protected; where as everyone else you have to hope the developers eventually got around to updating the attached copy of openssl. Now the disadvantages to this, is that Gentoo is NOT friendly when you don't update on a regular basis. Another disadvantage is that we may encounter breakage due to package updates (the devs are usually pretty good of catching these issues); and lastly the part of having to compile all/most of the packages.
Back to top
View user's profile Send private message
NeddySeagoon
Administrator
Administrator


Joined: 05 Jul 2003
Posts: 43985
Location: 56N 3W

PostPosted: Sat Mar 18, 2017 9:38 am    Post subject: Reply with quote

vasili111,

Its not a distro by distro thing.

There are instances of hardened systems, using the GRE Security kernel patch set and the supporting userland changes being proof against some exploits.
In Gentoo, you get these by starting with the hardened stage3 and hardened-sources.

These features are not unique to Gentoo. All distros can use them. Where distros vary is in the degree of difficulty in deploying these features.
e.g. In Gentoo you have to configure and build everything anyway. In binary distros, if you need to rebuild everything, its not so easy as binary distros are not made to make building your own packages easy.
The userland changes including building everything with a hardened toolchain.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
Back to top
View user's profile Send private message
The Doctor
Moderator
Moderator


Joined: 27 Jul 2010
Posts: 2600

PostPosted: Sat Mar 18, 2017 6:37 pm    Post subject: Reply with quote

Another feature that no one has pointed out yet is that Gentoo is tailored to you by design. You can't pick up malware from flash if you don't have flash, for example. When you design your own Gentoo it is much, much easier to exclude unnecessary bloat. Since some of the bloat is network aware it could be a vector. Note the weasel words. :)

The reason for the bloat control is Gentoo's use flag system. It makes it very easy to go *kit-less or other unusual configuration such as static /dev. Binary distros assume a standard base layout and include some pieces you may not need.

My two cents is that any well maintained distro should be about on par for security. Gentoo's advantage is that it is more configurable and more easily configured. On the other hand, Gentoo is very configurable and has a steep learning curve.
_________________
First things first, but not necessarily in that order.

Apologies if I take a while to respond. I'm currently working on the dematerialization circuit for my blue box.
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum