Gentoo Forums
How really Hardened Gentoo is more secure than other Linux?
Forum: Networking & Security
vasili111 (n00b) posted Sat Mar 11, 2017 5:37 am:

How much more secure is Hardened Gentoo against 0-day vulnerabilities in the real world than other Linux distros?

As I understand it, Hardened Gentoo has many security-oriented enhancements that can theoretically protect from some 0-day vulnerabilities. But how well does that actually work in the real world? Here ( https://www.cvedetails.com/vendor/33/Linux.html ) I read that in 2016 there were 218 Linux vulnerabilities. How many times was a default Gentoo Hardened installation protected against 0-day vulnerabilities in 2016 while other Linux distros were not protected before the security patch for the vulnerability came out? What evidence do we have that Hardened Gentoo really protects better against 0-day vulnerabilities than other Linux distros?
NeddySeagoon (Administrator) posted Sat Mar 11, 2017 10:45 am:

vasili111,

Welcome to Gentoo.

That's not how security works. The idea is to make something harder for an attacker, not impossible, so that they find an easier target to attack.
Further, for an attacker to use your box, they need access, then they need to subvert something. That's two steps.

Hardened is something that makes both steps more difficult with some attacks - not all.

Even without hardened you can mount /tmp and /home with the noexec option, which denies ordinary users the ability to run arbitrary software, since they have no execute space.
This means that you need to set up your system with /tmp and /home on their own partitions.
Once an attacker has root, it's game over - they can do anything.

As always formulate your perceived threat model, then deploy defences against it.
Keep in mind too that there is a trade off between security and usability.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
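The noexec mounts suggested above, as an added example that is not part of the original post. The fstab fragment is constructed and the device names and tmpfs size are assumptions; the script checks that /tmp and /home carry noexec in that fragment and can run the same check against the live /proc/self/mounts, which has the same column layout.

```shell
#!/bin/sh
# Added example (not from the thread): verify that /tmp and /home are mounted
# noexec, first against a constructed fstab fragment, then against the running
# system. Device names and the tmpfs size are assumptions for illustration.

SAMPLE_FSTAB='# <fs>      <mountpoint>  <type>  <opts>                                  <dump> <pass>
/dev/sda2   /             ext4    defaults,noatime                        0      1
/dev/sda3   /home         ext4    defaults,nosuid,nodev,noexec            0      2
tmpfs       /tmp          tmpfs   defaults,nosuid,nodev,noexec,size=2G    0      0'

# mount_has_opt TABLE MOUNTPOINT OPTION
# TABLE is fstab-shaped text (/proc/self/mounts prints the same columns);
# exit 0 when the MOUNTPOINT line lists OPTION as one comma-separated option.
mount_has_opt() {
    printf '%s\n' "$1" | awk -v mp="$2" -v opt="$3" '
        $1 !~ /^#/ && $2 == mp {
            n = split($4, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == opt) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# report_noexec TABLE -> one line per directory, "ok" or "MISSING"
report_noexec() {
    for mp in /tmp /home; do
        if mount_has_opt "$1" "$mp" noexec; then
            printf '%s: noexec ok\n' "$mp"
        else
            printf '%s: noexec MISSING\n' "$mp"
        fi
    done
}

# check_live -> the same report against what is actually mounted right now
check_live() {
    [ -r /proc/self/mounts ] || { echo "no /proc/self/mounts" >&2; return 2; }
    report_noexec "$(cat /proc/self/mounts)"
}

report_noexec "$SAMPLE_FSTAB"
```

Run `check_live` on the target box to confirm the options took effect after a reboot; the fstab line alone does not prove it. One caveat worth keeping in mind: noexec stops the kernel from exec()ing files on those filesystems, but a script there can still be handed to an interpreter that lives on an exec-allowed filesystem (`sh /tmp/x.sh`), so treat it as one layer among the others in this thread, not a complete control.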
Syl20 (l33t) posted Mon Mar 13, 2017 9:50 am:

Moreover, that depends on your kernel configuration. The hardened kernel sources package provides lots of security features (selinux, grsec...), but you have to enable and configure them, and then deal with their restrictions.
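A quick way to see which of those features a kernel build actually enables, as an added example that is not part of the original post. The option names are the ones hardened-sources of that era used for grsecurity and PaX, plus the mainline SELinux LSM; the sample .config is constructed, and the live lookup reads /proc/config.gz or /boot/config-<release> when present.

```shell
#!/bin/sh
# Added example (not from the thread): report which hardening options a kernel
# .config really turns on. The sample .config below is constructed.

SAMPLE_CONFIG='#
# Automatically generated file; DO NOT EDIT.
#
CONFIG_SECURITY=y
# CONFIG_SECURITY_SELINUX is not set
CONFIG_GRKERNSEC=y
CONFIG_PAX=y
CONFIG_PAX_MPROTECT=y
CONFIG_PAX_NOEXEC=y'

# config_value CONFIG OPTION -> prints y, m or n
# "is not set" and an absent option both count as n.
config_value() {
    printf '%s\n' "$1" | awk -v opt="$2" '
        $0 == (opt "=y") { v = "y" }
        $0 == (opt "=m") { v = "m" }
        END { print (v == "" ? "n" : v) }'
}

# hardening_report CONFIG -> one OPTION=value line per option, fixed order
hardening_report() {
    for opt in CONFIG_GRKERNSEC CONFIG_PAX CONFIG_PAX_MPROTECT \
               CONFIG_PAX_NOEXEC CONFIG_SECURITY_SELINUX; do
        printf '%s=%s\n' "$opt" "$(config_value "$1" "$opt")"
    done
}

# live_config -> the running kernel's config text, if the kernel exposes one
live_config() {
    if [ -r /proc/config.gz ]; then
        zcat /proc/config.gz
    elif [ -r "/boot/config-$(uname -r)" ]; then
        cat "/boot/config-$(uname -r)"
    else
        echo "no kernel config found" >&2
        return 2
    fi
}

hardening_report "$SAMPLE_CONFIG"
```

`hardening_report "$(live_config)"` gives the same table for the running kernel. An option set to y is only the first half of the story, as the post says: grsecurity RBAC and SELinux still need a policy loaded before they restrict anything.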
vasili111 (n00b) posted Sat Mar 18, 2017 4:25 am:

NeddySeagoon wrote:
vasili111,

Welcome to Gentoo.

Thank you :D

NeddySeagoon wrote:
vasili111,

Welcome to Gentoo.

That's not how security works. The idea is to make something harder for an attacker, not impossible, so that they find an easier target to attack.
Further, for an attacker to use your box, they need access, then they need to subvert something. That's two steps.

Hardened is something that makes both steps more difficult with some attacks - not all.

Even without hardened you can mount /tmp and /home with the noexec option, which denies ordinary users the ability to run arbitrary software, since they have no execute space.
This means that you need to set up your system with /tmp and /home on their own partitions.
Once an attacker has root, it's game over - they can do anything.

As always formulate your perceived threat model, then deploy defences against it.
Keep in mind too that there is a trade off between security and usability.

Syl20 wrote:
Moreover, that depends on your kernel configuration. The hardened kernel sources package provides lots of security features (selinux, grsec...), but you have to enable and configure them, and then deal with their restrictions.

I understand that. But I am interested in whether anyone has personal experience that his system was secured against a 0-day exploit with a default or even well-configured Hardened Gentoo, with well-configured features that it provides, while at that time other Linux distributions were vulnerable to the same 0-day exploit. Does anyone have such personal experience?
ct85711 (Veteran) posted Sat Mar 18, 2017 6:33 am:

One thing you are not keeping in mind is that Linux is Linux; the software is the same for any distribution. You get the same package on Gentoo as you get on Debian, Ubuntu, Fedora and all of the others; we all share patches with each other (and of course with upstream too). The only main differences between the distributions are the package manager and graphical customization (i.e. logo, coloration, etc...).

Gentoo has one other difference in that we are a source-based distribution, and we try to have dependencies separate from the package. This allows patches to get applied to everything. A good case in point is Heartbleed (the big OpenSSL vulnerability). OpenSSL is very commonly included in several packages, and the part that made Heartbleed so bad is that so many packages included their own copy of OpenSSL (to aid in compiling against a known version). On Gentoo, we got the patch out for that issue right away, and most of our packages were protected; whereas with everyone else you have to hope the developers eventually got around to updating the attached copy of OpenSSL.

Now the disadvantages to this: Gentoo is NOT friendly when you don't update on a regular basis. Another disadvantage is that we may encounter breakage due to package updates (the devs are usually pretty good at catching these issues); and lastly there is the part of having to compile all/most of the packages.
NeddySeagoon (Administrator) posted Sat Mar 18, 2017 9:38 am:

vasili111,

It's not a distro by distro thing.

There are instances of hardened systems, using the grsecurity kernel patch set and the supporting userland changes, being proof against some exploits.
In Gentoo, you get these by starting with the hardened stage3 and hardened-sources.

These features are not unique to Gentoo. All distros can use them. Where distros vary is in the degree of difficulty in deploying these features.
e.g. In Gentoo you have to configure and build everything anyway. In binary distros, if you need to rebuild everything, it's not so easy, as binary distros are not made to make building your own packages easy.
The userland changes include building everything with a hardened toolchain.
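A way to check whether a given binary was actually built with the properties a hardened toolchain turns on by default (PIE, stack-protector, full RELRO), as an added example that is not part of the original post. It classifies a binary from readelf output; the readelf samples below are constructed and trimmed to the lines the check looks at, and `check_binary` runs the real readelf on a path.

```shell
#!/bin/sh
# Added example (not from the thread): a checksec-style classification of one
# ELF from readelf output. Sample readelf output below is constructed.

HARDENED_HDR='ELF Header:
  Class:                             ELF64
  Type:                              DYN (Position-Independent Executable file)'
HARDENED_PHDRS='Program Headers:
  Type           Offset   VirtAddr           PhysAddr
  LOAD           0x000000 0x0000000000000000 0x0000000000000000
  GNU_RELRO      0x002db8 0x0000000000003db8 0x0000000000003db8'
HARDENED_DYN='Dynamic section at offset 0x2dc8 contains 27 entries:
 0x000000000000001e (FLAGS)              BIND_NOW
 0x000000006ffffffb (FLAGS_1)            Flags: NOW PIE'
HARDENED_SYMS='Symbol table .dynsym contains 8 entries:
     3: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail@GLIBC_2.4 (2)'

PLAIN_HDR='ELF Header:
  Class:                             ELF64
  Type:                              EXEC (Executable file)'
PLAIN_PHDRS='Program Headers:
  Type           Offset   VirtAddr           PhysAddr
  LOAD           0x000000 0x0000000000400000 0x0000000000400000'
PLAIN_DYN='Dynamic section at offset 0xe28 contains 24 entries:
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]'
PLAIN_SYMS='Symbol table .dynsym contains 5 entries:
     1: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND printf@GLIBC_2.2.5 (2)'

# classify_elf HDR PHDRS DYN SYMS -> "pie=y|n relro=full|partial|none canary=y|n"
# HDR/PHDRS/DYN/SYMS are the outputs of readelf -h, -l, -d and -s.
classify_elf() {
    # An executable whose ELF type is DYN is position independent.
    if printf '%s\n' "$1" | grep -q '^ *Type: *DYN'; then pie=y; else pie=n; fi
    # GNU_RELRO alone is partial RELRO; BIND_NOW on top of it makes it full.
    relro=none
    if printf '%s\n' "$2" | grep -q '^ *GNU_RELRO'; then
        relro=partial
        if printf '%s\n' "$3" | grep -Eq 'BIND_NOW|Flags:.* NOW'; then relro=full; fi
    fi
    # Stack-protector code calls __stack_chk_fail when a canary is clobbered.
    if printf '%s\n' "$4" | grep -q '__stack_chk_fail'; then canary=y; else canary=n; fi
    printf 'pie=%s relro=%s canary=%s\n' "$pie" "$relro" "$canary"
}

# check_binary PATH -> the same classification for a real file via readelf
check_binary() {
    command -v readelf >/dev/null 2>&1 || { echo "readelf not found" >&2; return 2; }
    classify_elf "$(readelf -h "$1")" "$(readelf -l "$1")" \
                 "$(readelf -d "$1")" "$(readelf -s "$1")"
}

classify_elf "$HARDENED_HDR" "$HARDENED_PHDRS" "$HARDENED_DYN" "$HARDENED_SYMS"
classify_elf "$PLAIN_HDR" "$PLAIN_PHDRS" "$PLAIN_DYN" "$PLAIN_SYMS"
```

`check_binary /bin/ls` (or any binary you just rebuilt) shows what the toolchain really produced. Read canary=n with care: a binary that has no function with a protectable buffer never references `__stack_chk_fail`, so sample several binaries rather than judging the toolchain from one.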
The Doctor (Moderator) posted Sat Mar 18, 2017 6:37 pm:

Another feature that no one has pointed out yet is that Gentoo is tailored to you by design. You can't pick up malware from flash if you don't have flash, for example. When you design your own Gentoo it is much, much easier to exclude unnecessary bloat. Since some of the bloat is network aware it could be a vector. Note the weasel words. :)

The reason for the bloat control is Gentoo's use flag system. It makes it very easy to go *kit-less or other unusual configuration such as static /dev. Binary distros assume a standard base layout and include some pieces you may not need.

My two cents is that any well maintained distro should be about on par for security. Gentoo's advantage is that it is more configurable and more easily configured. On the other hand, Gentoo is very configurable and has a steep learning curve.
_________________
First things first, but not necessarily in that order.

Apologies if I take a while to respond. I'm currently working on the dematerialization circuit for my blue box.