Gentoo Forums
Alternative to grsecurity
Networking & Security
Fulgurance
Posted: Thu Jul 19, 2018 4:53 pm    Post subject: Alternative to grsecurity

Hello, I have just one question. Now grsecurity has stopped giving out its hardened kernel. Is there an alternative, with a patch for the Linux kernel?
krinn
Posted: Thu Jul 19, 2018 5:09 pm

There's just none. grsecurity was used in Hardened Gentoo, but grsecurity is not hardened; grsecurity is grsecurity.
fedeliallalinea
Posted: Thu Jul 19, 2018 5:47 pm

https://blogs.gentoo.org/ago/2017/08/21/sys-kernel-grsecurity-sources-available/
toralf
Posted: Thu Jul 19, 2018 5:50 pm    Post subject: Re: Alternative to grsecurity

Fulgurance wrote:
Hello, I have just one question. Now grsecurity has stopped giving out its hardened kernel. Is there an alternative, with a patch for the Linux kernel?
Yes. Just always use the latest stable vanilla kernel; it has matured a lot in the meantime.
mirekm
Posted: Thu Jul 19, 2018 6:35 pm

There is a patch for the latest 4.9 kernel.
You can find it at:
https://github.com/dapperlinux/dapper-secure-kernel-patchset-stable/releases

This patch contains 2 parts. Before making an ebuild you have to split these parts, because otherwise the ebuild will not work.
Unfortunately, this patch is not compatible with the Meltdown and Spectre fixes.
depontius
Posted: Thu Jul 19, 2018 7:12 pm

Kernel developer Kees Cook has been working at getting security assists into the mainline kernel. Some of this has been from GRSecurity, some not. He has kernel configuration recommendations for the mainline vanilla sources (applies to gentoo-sources as well) here: https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings

It's not everything in GRSecurity, but it's better than default, and it's a work-in-progress.
Fulgurance
Posted: Fri Jul 20, 2018 3:59 pm

Vanilla sources??? Why? I think it's just the Linux kernel without any patches? Is it dangerous for security to use the testing package?
Ant P.
Posted: Sat Jul 21, 2018 12:36 am

If you don't trust the mainline kernel how can you trust a distro-patched one? Gentoo-Sources doesn't magically make the system more secure, it only adds non-security features, and it'd be a hugely irresponsible thing if it did apply security patches without upstreaming them.
depontius
Posted: Sat Jul 21, 2018 1:21 am

GRSecurity is another layer, and should be considered one of several/many, not THE security layer.
abduct
Posted: Tue Jul 24, 2018 1:43 am

depontius wrote:
Kernel developer Kees Cook has been working at getting security assists into the mainline kernel. Some of this has been from GRSecurity, some not. He has kernel configuration recommendations for the mainline vanilla sources (applies to gentoo-sources as well) here: https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings

It's not everything in GRSecurity, but it's better than default, and it's a work-in-progress.

Are these settings relatively safe, or will they hamper the daily use of a system in a way that it becomes a chore to use? Back when I was using the hardened sources in 3.xx it seemed as if I had to fight the system to do basic things. Most of those troubles went away after starting fresh with the latest gentoo-sources. Not sure if they were specifically the kernel's fault or not.

Also, how bad is the performance impact? For a few of these there are warnings that they could affect system performance.

I have quite a few of the common ones enabled, but things like the kernel hacking debugs and slub/slab/page poisoning I don't.
ct85711
Posted: Tue Jul 24, 2018 4:33 am

Quote:
Are these settings relatively safe, or will they hamper the daily use of a system in a way that it becomes a chore to use?

This is the key issue that any admin has to decide: what level of security vs usability is acceptable. As you increase the level of security, the more of a chore using the system becomes; and vice versa. All security choices are going to have a cost on usability, some may not be as visible. Take a firewall for an example: having a firewall by itself adds some latency on your network (may not be noticeable right away, but it is there). Now a firewall has an additional cost depending on how restrictive the rules set up on the firewall are (i.e. additional latency cost, possible restrictions on network communication, etc). When you get around to the mitigations for the Meltdown hassle, it is much easier to see the cost (noticeable to significant performance loss).

In the end, you are going to need to sit down and go over what threats are applicable/important to you. For example, I consider the threat of a virus on my machine to be minimal, so I am not worried about having an anti-virus. Most of the Meltdown stuff is only minor (as my primary threat is through the network; if it got through the firewalls, then the network and systems are compromised anyway). It is only me that has physical access, so no threat that I need to be concerned about on that side. I've heard others have a different threat analysis, to the point where they air-gap their machine completely.
depontius
Posted: Tue Jul 24, 2018 10:13 am

abduct wrote:
depontius wrote:
Kernel developer Kees Cook has been working at getting security assists into the mainline kernel. Some of this has been from GRSecurity, some not. He has kernel configuration recommendations for the mainline vanilla sources (applies to gentoo-sources as well) here: https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings

It's not everything in GRSecurity, but it's better than default, and it's a work-in-progress.


Are these settings relatively safe, or will they hamper the daily use of a system in a way that it becomes a chore to use? Back when I was using the hardened sources in 3.xx it seemed as if I had to fight the system to do basic things. Most of those troubles went away after starting fresh with the latest gentoo-sources. Not sure if they were specifically the kernel's fault or not.

Also, how bad is the performance impact? For a few of these there are warnings that they could affect system performance.

I have quite a few of the common ones enabled, but things like the kernel hacking debugs and slub/slab/page poisoning I don't.

I've been running this way for some time now, and don't notice any problems. I'm not a gamer, though.
abduct
Posted: Tue Jul 24, 2018 11:30 pm

@depontius:

Have you had any issues with virtual machines (qemu) or the like with these settings? Also do you use the GCC plugins portion as well?

I think I might backup my config and try out all the suggested settings on 4.17.9, but I am not sure if I want to use the GCC plugins settings. I would imagine I would have to emerge @world and rebuild every package for them to take effect anyways.

Also what do you suggest for sysctl tuning. Is local.d proper or should sysctl.conf be used instead? I imagine they are more or less the same thing.

Edit: Also, how do you tell if your system needs loadable module support? I've always compiled everything into the kernel (never selecting <M>), so I figure it's safe to turn it off.

Unless it's needed for some kind of intel display drivers or something.
depontius
Posted: Tue Jul 24, 2018 11:45 pm

I don't use virtual machines, so I wouldn't know about issues.

I do enable the gcc plugins. I first started using these recommendations some time ago, and since then I've done several gcc upgrades. Particularly after gcc-7.3 went stable I wanted to do a complete rebuild to get the Spectre mitigations into my system. So I'm covered on that one.

When I posted the link I looked, and it appears that the sysctl changes have changed since I did mine. When I did it, the sysctl stuff looked like alternatives to some of the kernel config options, which I'd already done. I need to reexamine this.

I have loadable modules. Once upon a time Gentoo had better module support than it does now, and included a way to automate module parms. That also let you unload and tweak the parms, for testing without rebooting. Of course my audio has been stable for a while, so I haven't had to do that in ages. Everything is a risk; I haven't gotten to the level of doing away with modules. On the other hand, I have the kernel build sign my modules, and require that signature. What's more, immediately after the kernel build I "rm certs/signing_key.*", so after the kernel build no new module can ever be built for that kernel ever again. I locked the kernel and threw away the key.
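An added example, not from the thread or any poster, of checking the setup depontius describes: a small POSIX shell audit of a kernel .config for forced module signing plus the poisoning and GCC plugin options the thread asks about, and a check that the build-time signing key was removed from the source tree. The CONFIG_ symbols are real Kconfig names; the sample .config is constructed for illustration.

```shell
# Audit a kernel .config for the hardening options discussed in the thread.
# State of one Kconfig symbol in .config text: y, m, n ("is not set") or absent.
kconfig_state() {   # $1 = .config contents, $2 = CONFIG_ symbol
    if printf '%s\n' "$1" | grep -q "^$2=y\$"; then echo y
    elif printf '%s\n' "$1" | grep -q "^$2=m\$"; then echo m
    elif printf '%s\n' "$1" | grep -q "^# $2 is not set\$"; then echo n
    else echo absent
    fi
}

# Compare .config text against "SYMBOL state" lines: mismatches go to stderr,
# the mismatch count to stdout (0 means every listed option is as wanted).
kconfig_audit() {   # $1 = .config contents, $2 = expected "SYMBOL state" lines
    _bad=0
    while read -r _sym _want; do
        [ -n "$_sym" ] || continue
        _have=$(kconfig_state "$1" "$_sym")
        if [ "$_have" != "$_want" ]; then
            echo "MISMATCH $_sym: want $_want, have $_have" >&2
            _bad=$((_bad + 1))
        fi
    done <<EOF
$2
EOF
    echo "$_bad"
}

# Modules stay enabled (desktop use) but only signed ones may load; poisoning
# and the GCC plugins are the options the thread asked about.
WANT='CONFIG_MODULES y
CONFIG_MODULE_SIG y
CONFIG_MODULE_SIG_FORCE y
CONFIG_PAGE_POISONING y
CONFIG_GCC_PLUGINS y'

# Constructed sample .config (not from a real system) with two weak settings.
SAMPLE_CONFIG='CONFIG_MODULES=y
CONFIG_MODULE_SIG=y
# CONFIG_MODULE_SIG_FORCE is not set
# CONFIG_PAGE_POISONING is not set
CONFIG_GCC_PLUGINS=y'
# "present" if certs/signing_key.* still exists in the source tree, so a new
# module could still be signed for this kernel; "gone" after rm certs/signing_key.*
signing_key_state() {   # $1 = kernel source tree
    for _f in "$1"/certs/signing_key.*; do
        [ -e "$_f" ] && { echo present; return 0; }
    done
    echo gone
}
```

Run `kconfig_audit "$(cat /usr/src/linux/.config)" "$WANT"` against a real tree to see which of the listed options differ, and `signing_key_state /usr/src/linux` after the build to confirm the key is gone.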
krinn
Posted: Wed Jul 25, 2018 12:28 am

Security also depends on what you are securing.

It makes sense to disable module loading on a server where, for security, you are not supposed to plug in something like that; hence you don't need modules, because you are not supposed to handle new hardware that would randomly be added.
But for a desktop computer, it makes sense to use modules and makes sense to plug in random hardware at will (USB disk, USB wifi cards or whatever).

Just like it makes sense to encrypt your desktop partition where you store your documents, it makes less sense to encrypt a server that holds nothing personal.
But strictly speaking about security, you can only claim encryption should be used. This doesn't mean all users have to encrypt their server.

You should have had a shop with mustard gas to really see that security must be balanced, because the first time you were not fully awake and you entered your shop and got the gas in your face and all your goods were lost because the smell will never come off; you realise that stupid ringing bell security was really doing a better job; but yes, on paper, that mustard gas cannot be better, you even almost died to see that they didn't lie, nobody not equipped with a mask could steal from you, and even with one, nobody could use or sell anything with such a smell on it, but this includes you.
abduct
Posted: Wed Jul 25, 2018 12:31 am

Hmm, I guess I will need to test this out on actual hardware. Most of the changes besides the GCC plugins are easily reversible, so maybe I will set aside some time and test it out.

How did you end up doing a full system rebuild by the way? I don't think I've ever done one since upgrading GCC. Would be nice to know after I enable the plugins later on.
depontius
Posted: Wed Jul 25, 2018 12:38 am

"emerge -e @system" followed by "emerge -e @world". That was after the regular gcc upgrade, including "emerge -1 libtool". Yes, there were multiple rebuilds of multiple packages, but I was off in the real world while my computer was chugging away at its rebuilds.

I really need to read Kees Cook's guide again. I know the sysctl stuff has changed, but I don't know what else might have.
depontius
Posted: Wed Jul 25, 2018 12:41 am

krinn wrote:
Security also depends on what you are securing.

My server is in my basement. If someone evil gains physical access to my server, I've got a way bigger problem than my computer - I've got an intruder in my house. Prioritize your problems.