OpenBSD vs. Hardened Gentoo

Sith_Happens
Veteran

Joined: 15 Dec 2004
Posts: 1807
Location: The University of Maryland at College Park

Posted: Mon May 09, 2005 7:48 pm    Post subject: OpenBSD vs. Hardened Gentoo

I've been wondering lately about the security offered by OpenBSD compared to the security offered by Hardened Gentoo. The two take very different approaches to security, so it is difficult to compare the two on a point by point basis. Hardened Gentoo seeks to layer security enhancements to prevent and contain compromises, such as PIE/SSP binaries, PAX, Mandatory Access Controls, etc. OpenBSD seems to focus more on the first line of defense, the security of the code itself, by carrying out extensive security auditing of code, combined with security enhancements such as integrated cryptography and pseudo randomization built into the default install.

So, on to my question, is OpenBSD's approach really any "better" than running a Hardened Gentoo system and just being smart about when you upgrade key packages, and how can I integrate some of the better features of OpenBSD into a Hardened Gentoo System? I'm certainly not trying to marginalize OpenBSD's security auditing, as its effectiveness is well established by that famous OpenBSD catchphrase which I won't bother to repeat here. However, the multiplicity of security options offered by Hardened Gentoo seem to provide a significant barrier even to the most insecure of code, and intelligent administration along with Gentoo's own security team can hopefully work to alleviate that threat as well. GRSecurity's chroot restrictions for example make it nearly impossible for even root to break out of a chroot jail, whereas with OpenBSD, a cracker with root access will eventually break out of any chroot. (I have to admit I'm parroting this statement, so please correct me if I'm wrong about this).

What about OpenBSD's integrated encryption? How can I as a Hardened Gentoo user integrate stronger encryption into my system? It would be nice if an encryption how-to could be written and added to the Hardened Gentoo Documentation, but some tips here would be helpful as well. As a Gentoo user I feel a strong sense of loyalty to this distro and to Linux in general, and I would like it if I could run a Linux server/firewall and have it be "as secure" as an OpenBSD server/firewall. Certainly Linux offers advantages when it comes to scalability, hardware support, etc... but to have those advantages while being less secure isn't a tradeoff I want to settle for. So what do you say guys, can you offer some constructive tips? (or flame me for my complete lack of security knowledge, whatever suits you :wink: )
_________________
"That question was less stupid; though you asked it in a profoundly stupid way."
I'm the brains behind Jackass! | Tutorials: Shorewall

Sith_Happens
Veteran

Joined: 15 Dec 2004
Posts: 1807
Location: The University of Maryland at College Park

Posted: Tue May 10, 2005 1:39 am

That's funny, I at least thought this thread would attract some attention. Oh well, I guess I'll just bump it up a notch and see where that gets me. :)

Sith_Happens
Veteran

Joined: 15 Dec 2004
Posts: 1807
Location: The University of Maryland at College Park

Posted: Tue May 10, 2005 2:30 am

Here is an interesting and informative comparison of GRSecurity's PaX vs OpenBSD's W^X. Its criticisms of OpenBSD's memory allocation model seem well thought out, and seem to support my claim that OpenBSD puts most, perhaps too much, emphasis on security auditing, and not enough in other areas.

esromneb
n00b

Joined: 20 Apr 2005
Posts: 37

Posted: Tue May 10, 2005 4:47 am

I thought your thread was interesting. I'm just too much of a noob to say anything.
-ben

Sith_Happens
Veteran

Joined: 15 Dec 2004
Posts: 1807
Location: The University of Maryland at College Park

Posted: Tue May 10, 2005 4:56 am

esromneb wrote:
I thought your thread was interesting. I'm just too much of a noob to say anything.
-ben
Me too. :wink:

pjp
Administrator

Joined: 16 Apr 2002
Posts: 16117
Location: Colorado

Posted: Tue May 10, 2005 4:59 am

Sith_Happens, meet the Edit button. Edit button, Sith_Happens. :P

Generally speaking, bumping threads sooner than 24 hours after your first post is considered "bad." Each of your posts has an edit button, which allows you to add information to a post.
_________________
lolgov. 'cause where we're going, you don't have civil liberties.

In Loving Memory
1787 - 2008

Jake
Veteran

Joined: 31 Jul 2003
Posts: 1129

Posted: Tue May 10, 2005 6:59 am

OpenBSD has far more security features than just W^X.

In general, I think any properly configured MAC system is more secure than default OpenBSD. Even Windows can be insanely secure with MAC lists. If you want the best of both worlds, you might try systrace on OpenBSD.

OpenBSD's vnd filesystem encryption isn't that great. I personally prefer Linux dm-crypt, NetBSD cgd, and FreeBSD gbde all to OpenBSD's vnd, which is kind of a hack and limited to Blowfish. There's been talk of porting cgd. OpenBSD's swap encryption is nice, however, requiring nothing more than setting a sysctl variable. The problem with filesystem encryption is that it's only as strong as the system it's running on. An attacker can crack the system and download all the data, gain physical access and use a local exploit if you happen to be logged in, or the most devious method, gain physical access, trojan the system, then download all the data later. Basically if you can't guarantee physical security, you have to either encrypt everything and boot from read-only media, or run a system like tripwire and store checksums to read-only media. Otherwise you should assume your system compromised if it ever loses power when you're not around. Of course this is all assuming you don't have any exploitable servers, which is why if you're paranoid enough to use filesystem encryption you need to be using MAC lists. EDIT: If you're trying to hide data from the US government, you should know that there's legal precedent for requiring the accused to give up their passwords.

Sith_Happens
Veteran

Joined: 15 Dec 2004
Posts: 1807
Location: The University of Maryland at College Park

Posted: Tue May 10, 2005 1:13 pm

pjp wrote:
Sith_Happens, meet the Edit button. Edit button, Sith_Happens. :P

Generally speaking, bumping threads sooner than 24 hours after your first post is considered "bad." Each of your posts has an edit button, which allows you to add information to a post.
:oops:
Jake wrote:
The problem with filesystem encryption is that it's only as strong as the system it's running on.
That's exactly what I'm saying. It seems that the various secure Linux projects go to further lengths to secure all possible points of exploitation in the kernel, as well as in userland utilities. It just seems to me that OpenBSD's security depends too heavily on their security auditing process, and not enough in providing a strong security policy in the kernel itself. Personally, I would rather assume that all the code I'm running has the potential to be insecure if I know that I have a truly hardened kernel, and a MAC system to prevent and contain any security breach. That's just my opinion though.

Jake
Veteran

Joined: 31 Jul 2003
Posts: 1129

Posted: Tue May 10, 2005 11:50 pm

I still think OpenBSD will be more secure by default than something like Hardened Gentoo. Since the GNU/Linux userland and kernel haven't been developed with security in mind, more things break as the system gets more secure. The defaults have to be set to a level such that the system is still generally usable while being as secure as possible. Both the OpenBSD kernel and userland have been developed with security in mind all along, so they can have more security without breaking things. When you start adding security to a hardened Linux distro, stuff breaks, but since it's probably a dedicated server, the only thing that needs to work is what you're serving. Systems like GRSecurity pull some nifty tricks, but OpenBSD can be secured in many of the same ways by tweaking sysctls like the security level. And as I mentioned before, both systems can be secured with MACs.

Now I'm curious why you would want FS encryption. I don't think it's worth using. Are you really worried about physical security perhaps?

Sith_Happens
Veteran

Joined: 15 Dec 2004
Posts: 1807
Location: The University of Maryland at College Park

Posted: Wed May 11, 2005 2:09 am

Jake wrote:
Now I'm curious why you would want FS encryption. I don't think it's worth using. Are you really worried about physical security perhaps?
Nope, I'm really just a hobbyist looking for some new toys to play with. I'd like to use some really strong encryption for passwords though, since that is a non paranoid (well, not irrationally paranoid, if there is such a thing) security measure. I'm thinking blowfish, taking from OpenBSD again. :wink:

I do understand what you're saying when it comes to OpenBSD's "secure by design" policy, and the merits it offers over tightening your system to the point of it being unusable. However, from a server standpoint, like you said it is simple to get a few server applications working under hardened gentoo. I also think that the developmental problems associated with hardened linux and userland applications will probably become less and less as time goes by, and applications move to adapt to a hardened environment rather than the other way around.

What I should probably do is just stop whining and order a copy of OpenBSD 3.7 when it comes out, and make a more educated decision. :) I just wanted to see what some people with OpenBSD and Hardened Gentoo experience thought about the comparison between the two, and your objective comments have given me what I was looking for. Thanks. :)

What do you think about the point for point comparison of GRSecurity's memory allocation system (PaX) vs OpenBSD's (W^X)? I understand that OpenBSD has more security features than simply W^X, but the relative security of the two methods is still worth comparing.

plbe
l33t

Joined: 01 May 2004
Posts: 661

Posted: Wed May 11, 2005 2:52 am

I say just give it a try and see for yourself, as a server it's great although I find freebsd to outperform obsd. IMHO this is irrelevant since obsd's goal is security which they do well. One thing I will say about obsd is they got some talented devs on their team.

mliesenf
n00b

Joined: 22 Jul 2003
Posts: 18
Location: University of Florida

Posted: Wed May 11, 2005 3:25 am    Post subject: filesystem encryption

I run hardened gentoo, I'm happy with it. I can't comment on Hardened vs. OpenBSD but I can add input on something else...

I'm really happy with this style hard drive encryption which uses a kernel cryptoloopback device and a symmetric 256bit AES cypher. I've used it on my laptop for some time now with absolutely no problems. It's totally invisible to userspace (except for / mounting from /dev/loopX). You should definitely check out this thread. They've done a wonderful job composing a great howto on the subject. Also reading the Loop-AES sourceforge page is a good idea.

https://forums.gentoo.org/viewtopic-t-108162-highlight-filesystem+encryption.html

FastTurtle
Guru

Joined: 03 Sep 2002
Posts: 409
Location: Shake & Bake

Posted: Wed May 11, 2005 4:40 am

The first thing to understand about the diffs between OpenBSD and the Hardened/SE-Linux projects is that OpenBSD does something very critical towards building a hardened system. That's the auditing of all source code they start from.

This audit that's done has several benefits.

1) it ensures that the source code is actually clean
2) it debugs the source code
3) it's the foundation for security, not security in itself

How they do this audit is pretty impressive. The first thing they do is ensure that all code follows strict compliance with ISO c/c++ standards such as all variables have to be unique. The next step is to debug the source code and clean up any unchecked buffer allocations, thus preventing most buffer overflow attacks and many additional steps.

Of course oBSD does make the claim to security by design. What they've done is reduced initial startup services to the minimum needed to boot the system, enforced strong passwords and forced general thinking about system security from the beginning. Does this ensure a secure system? No it doesn't. What it does is ensures a solid starting point for a secure system. By requiring you to explicitly start any additional services you want/need. Enforcing a good default password policy and by forcing you to determine exactly what the system is going to be used for.

The Hardened philosophy is different. What they're trying to do is make it idiot proof by increasing the fault tolerance and ensuring that buggy code doesn't screw the system up. It appears to be doing a better job than oBSD does but that's a misperception. What's being done is entirely different than oBSD's code audit.

In regards to SE-Linux, there's a significant difference. It enforces security throughout the entire context of the system by changing the paradigm. Instead of following the normal home use policies, no locked doors and little true privacy; they went with a more paranoid policy of need to know. Very different. If you don't have a need to know (MAC list) then you will never have access to it. This is pretty much what I've been able to determine from researching the difference.

Another difference between Hardened and SE is the fact that SE was not designed to lock down a general purpose workstation but instead a server running several different apps such as email, web server and maybe a messaging server. The Hardened project though is supposed to lock down a general purpose workstation.

The one thing that many folks don't know is that the Hardened and SE-Linux philosophies can be applied to any OS to improve the level of security. This will eventually result in what's known as Trusted Computing or as MS called it Paladin.

The big question to ask yourself is how much effort you're willing to put into securing your system and how much flexibility are you willing to lose?
_________________
AsRock Q87M with E3-1230 Xeon (Haswell)
16GB RAM - Geforce GT640 2GB
Crucial M500 120GB SSD (Windows Boot)
Seagate 250GB Barracuda (linux disk)- Samsung 1TB Spinpoint - WD 2TB Green - Seagate 3TB

Jake
Veteran

Joined: 31 Jul 2003
Posts: 1129

Posted: Wed May 11, 2005 4:50 am

I don't know enough of the technical details about W^X or PaX to compare the two, but your source seemed a bit out of date. For example, they mentioned that W^X isn't supported on i386, but I think it is now.

GRSecurity is definitely fun to play with. I remember some time ago, back when I used Slackware, I'd compile GRSecurity kernels on my desktop and see what broke. Usually I ended up doing more as root, so I don't know if it was even a net security gain.

You're right about the strength of OpenBSD's password hashing. I don't understand why Linux and the other BSDs don't use it. The Blowfish algorithm has a complicated key schedule that makes its use as a hash function take roughly an order of magnitude more CPU time than modern MD5-based systems.

I ran filesystem encryption once, but I don't think I'd bother with it again. I had about 100Gb encrypted with a 20 character computer-generated random password that wasn't written down anywhere. One time I had an uptime of a month or so and almost didn't remember my password when I rebooted. I used Twofish-256 (supposedly more secure than AES and now, it would seem, also Serpent, but without being too CPU-intensive). The hash algorithm was SHA-512, which as far as I know is probably still the best option even now that SHA-1 has been broken. My big problem was using cryptoloop. The format changed around 2.4.2[123], so I couldn't use new kernels without a hack that I didn't know existed at the time. Then when I learned that cryptoloop was fundamentally insecure, I decided to just give up on filesystem encryption. Loop-AES and new incarnations of cryptoloop might be secure, and I think dm-crypt is safe, but the lesson I learned is to do my homework before using filesystem-level crypto.

popcan
n00b

Joined: 27 Nov 2004
Posts: 33
Location: bath, ny

Posted: Wed May 11, 2005 5:14 am

i believe openbsd has an exceptional approach to security due to the auditing process. this is the same process an advanced blackhat would use to penetrate a running system, by going line by line through the code to find flaws and string together ways of exploiting them. with the openbsd team doing the same thing all along, it becomes that much more difficult for an exploitable flaw to be found in an application. they also use PIE/SSP on all their binaries and have been doing so for some time, eliminating most potentially destructive buffer overflows that the line by line audit has missed.

that said, i use gentoo hardened on my systems because i like it. i don't bother encrypting the hard drive (if you're not using a 2.6.10+ kernel with dm-crypt and multiple AES keys, it's an exploitable implementation anyway...) i use grsec/pax because i actually want to use X and am quite pleased overall with it. but certain things quite simply don't work with it, and have to be shut off (try using mplayer for example with all the pax security on, you can't). so some of the security is marginalized for a running system, and all of the security is done retroactively. pax doesn't protect from everything, but PIE and stack smashing account for the other common attack vectors. for my environment, hard disk encryption is overrated as if they manage to get in and steal my computers, i'm pretty screwed anyway...

i feel the openbsd model is a stronger system as it is more proactive. pax is a band aid (a very good band aid, which i like using, but still no substitute for well written code). but the basic point is, linux out of the box is very secure IF configured correctly. bad implementation will break the most secure system, and no amount of nonexecutable memory will help if someone just pulled a script kiddie apache exploit on you because you missed the file permissions on your stats directory or something trivial like that.

and i saw you make mention that grsec gives you a truly hardened kernel... there is no such thing my friend...

Sith_Happens
Veteran

Joined: 15 Dec 2004
Posts: 1807
Location: The University of Maryland at College Park

Posted: Wed May 11, 2005 1:46 pm

Just some thoughts:

FastTurtle wrote:
The first thing to understand about the diffs between OpenBSD and the Hardened/SE-Linux projects is that OpenBSD does something very critical towards building a hardened system. That's the auditing of all source code they start from.
I agree, the extensive code auditing OpenBSD undertakes is a wonderful advantage and provides a good measure of Security. They are able to do this because of the general BSD development style, and their strict rule of 6 month releases. Both of these are difficult to implement in a linux project, and thus OpenBSD will probably always have this security advantage over Linux. It comes at the cost of being less up to date than your average Linux distro, but this isn't really an issue from a security standpoint. However, looking over interviews with various OpenBSD developers, I think their evangelism when it comes to code auditing is equaled only by the hubris it instills in them. I just feel that from a standpoint of developer culture, they put too much confidence in their code auditing abilities and not enough in other areas of security.
FastTurtle wrote:
Of course oBSD does make the claim to security by design. What they've done is reduced initial startup services to the minimum needed to boot the system, enforced strong passwords and forced general thinking about system security from the beginning.
Couldn't some of this also be said of Hardened Gentoo to some degree? When you first install a Hardened Gentoo, there are no additional processes running at boot (this can be said of any Gentoo install). Although strong password encryption is not well integrated into the Hardened project (although I think it should be), security consciousness and general thinking about system security is certainly implied by installing a Hardened Gentoo system.
FastTurtle wrote:
In regards to SE-Linux, there's a significant difference. It enforces security throughout the entire context of the system by changing the paradigm. Instead of following the normal home use policies, no locked doors and little true privacy; they went with a more paranoid policy of need to know. Very different. If you don't have a need to know (MAC list) then you will never have access to it. This is pretty much what I've been able to determine from researching the difference.

Another difference between Hardened and SE is the fact that SE was not designed to lock down a general purpose workstation but instead a server running several different apps such as email, web server and maybe a messaging server. The Hardened project though is supposed to lock down a general purpose workstation.
I'm a little confused by your semantics here. When I say Hardened Gentoo, I'm referring to a Gentoo system employing any of the technologies that have been integrated into Gentoo as part of the Hardened project, including SELinux. However, in regards to your comments about SELinux, the benefits of a MAC system are not exclusive to SELinux. Although their particular methodology is unique, there are several other MAC systems worthy of note, including RBAC (GRSecurity) and RSBAC, both of which are included in the Hardened Project.
FastTurtle wrote:
The one thing that many folks don't know is that the Hardened and SE-Linux philosophies can be applied to any OS to improve the level of security. This will eventually result in what's known as Trusted Computing or as MS called it Paladin.
Are you talking about Palladium? Palladium sounds like a combination of an ill-defined MAC system with some vague hardware modifications that will create trusted and untrusted memory. An interesting concept, but the press release also states that the system will be designed by Microsoft to be backwards compatible and accessible to your average user, which probably means that most of the security benefit will go out the door the second that average user installs a "non-Palladium compliant" version of Kazaa on it. :wink: Then again I could be wrong, the information on the project is vague at best. The idea that Microsoft and the OS "nexus" decide what programs are "trusted" and not the user opens up a whole range of issues in itself. Although I suppose you could say that is akin to OpenBSD's development style. (kidding of course :wink: )
Jake wrote:
I don't know enough of the technical details about W^X or PaX to compare the two, but your source seemed a bit out of date. For example, they mentioned that W^X isn't supported on i386, but I think it is now.
They weren't saying that W^X isn't supported on i386, just that non-executable kernel pages weren't supported on 32 bit architectures. This sounds to me like some technical trickery, because in truth they aren't really "supported" by PaX either, but there are tricks that PaX and I believe OpenBSD uses as well (check this out, and this too) to squeeze around 32 bit limitations. I have seen other recent criticisms of W^X however that contain some of the same points.
popcan wrote:
For my environment, hard disk encryption is overrated as if they manage to get in and steal my computers, i'm pretty screwed anyway...
I think this is true of just about anybody's environment eh? :wink: Truth be told I'm not that interested in filesystem encryption either as a practical security measure. When I was referring to OpenBSD's use of strong encryption by default, I was talking more about password encryption than anything else.
popcan wrote:
i feel the openbsd model is a stronger system as it is more proactive. pax is a band aid (a very good band aid, which i like using, but still no substitute for well written code).
I absolutely agree. While I feel OpenBSD's auditing process makes them somewhat arrogant, I'm not saying they don't have reason to be proud. However, I think if they stopped thumbing their noses at other OSS projects for two seconds, they would see there is a great deal they could take from other projects that would improve the overall security of OpenBSD.

gohmdoree
Guru

Joined: 12 Oct 2004
Posts: 533

Posted: Fri Feb 22, 2008 5:07 pm

i'm still wrestling over this

mosburn
n00b

Joined: 27 Jul 2007
Posts: 22
Location: Denver

Posted: Fri Feb 22, 2008 7:49 pm

The biggest concern when trying to evaluate the differences is knowing beforehand what you want the system to do. Having a ridiculously secure system is great, until you need it to do something that isn't supported easily. Looking at OpenBSD the base system is secure and it requires the admin to add anything else they want to it. This is something that you need to really consider as ports by themselves are not secure, no matter what OS you have them installed on. Granted OpenBSD does try to secure the ports and the porters handbook states that it's best to clean up the code removing glaring security vulns, but that is about it. There are more important aspects to be working on in this realm than, say, making KDE completely secure.
From the OpenBSD handbook
Quote:
The ports & packages collection does NOT go through the thorough security audit that OpenBSD follows. Although we strive to keep the quality of the packages collection high, we just do not have enough human resources to ensure the same level of robustness and security.


Gentoo on the other hand has a hardened use flag that if the ebuild has been configured to use it will add some security patches. This allows for some security improvements that way. In fact the Gentoo wiki has several pages about security and the hardened docs are quite good, but calling it the end all be all to have a truly secure system is a joke. Just as installing OpenBSD and adding a bunch of crap applications into it is defeating the purpose of installing OpenBSD for its security. http://gentoo-wiki.com/Index:Security

This guide, while a bit outdated, still is really useful when it comes to achieving Linux security.
http://www.linuxsecurity.com/docs/SecurityAdminGuide/SecurityAdminGuide.html

IMHO -- as a former security consultant
Hardened Gentoo and OpenBSD still require something that neither project can guarantee, a competent administrator that maintains the system as well as tightly adhering to advanced security principles. When deciding which Operating System you want to decide on using you need to know and plan on what you will require of the system. After you have decided what you are going to be using then you need to develop several documents in order to make sure the system stays secure. Some of the documents that I keep on hand for every server that I am responsible for include,

  • update schedule
  • weekly checklist (cron jobs, audits, etc.)
  • monthly checks (usually more cron jobs)
  • How often are you going to sting the system? How are you going to do this? (aka pen test the system. Nessus scans {with updated plugins})
  • Incident response forms (In the event of something happening, what are you going to do).
  • Users and password policies


These just touch on the basics of the forms that I consider a must have before I bring a system from the test bed into production. Having these on hand has saved me several times when I find something happens. Security is not 100% preparation, your system WILL get poked and prodded if it is exposed to the world and you need to be able to respond appropriately. Just because you have a secure OS and Apache install does not mean that your web developer did not introduce flaws into your system by writing crap code. You need to be reactive.


Finally, your system has to remain usable. If the system in question is your personal desktop and you just want to secure it some, running iptables can be all you need. There is no need to keep your data in Fort Knox when a simple locked filing cabinet would be sufficient. If you lock the system down to unusable conditions, you will find yourself doing things out of necessity in order to use the system. Remember, security is not a one shot thing. It is an ongoing process.


I am going to stop now but if you need/want more information let me know and I can go on.

kernelOfTruth
Watchman

Joined: 20 Dec 2005
Posts: 5767
Location: Vienna, Austria; Germany; hello world :)

Posted: Sat Feb 23, 2008 12:08 pm

*subscribes*:

this thread somehow caresses the paranoid guarddog inside of me :lol: 8)

@mosburn:

could you please tell some more on this topic ? your post was very informative

thanks :)

in the past I've always considered trying openBSD, the problem however always was its lack of up-to-date drivers & drivers in general ...
_________________
https://github.com/kernelOfTruth/ZFS-for-SystemRescueCD/tree/ZFS-for-SysRescCD-4.3.0-r3
2.6.37.2_plus_v1: BFS, CFS,THP,compaction, zcache or TOI
Hardcore Linux user since 2004 :D
mosburn
n00b
n00b


Joined: 27 Jul 2007
Posts: 22
Location: Denver

PostPosted: Sun Feb 24, 2008 5:24 am    Post subject: Reply with quote

A lot of the generic policies that I use are based off the SANS Institute templates found at the bottom of the page here: http://www.sans.org/resources/policies/
The site has a lot of good information that can really help understand the security issues and responsibilities that you are taking on. In addition the NSA has a selection of good information to review on computer security.
http://www.nsa.gov/snac/

I use these sites and a few others (when I get back to work I can look those up if you need) to generate my policies. At a minimum they allow me to eliminate repetitive typing and reinventing the wheel.

@kernelOfTruth
When it comes to using OpenBSD, grab an old server/desktop and give it a shot. The only thing that you really are going to lose is a few hours. The drivers that OpenBSD lacks are mainly for new hardware and 3D devices. The tests that I would run in your situation are rather basic.

  • penetration testing
  • speed of data access (OpenBSD is going to run low here, IO is not the fastest based on certain kernel level checks)
  • ease of use
  • installing/updating software
  • whatever big application/show stopper you're going to be needing


After that you want to see how difficult it is to keep going with your primary purpose in mind. Do a kernel and system rebuild. Play around.

OpenBSD is not a one-shot solution, neither is the hardened flag. Each OS has its own benefits and flaws. It's the same when choosing your desktop OS. Personal beliefs and trade-offs brought you to Gentoo. There are even times when Windows has its uses. Granted, there are not many, but they do exist.

I use OpenBSD mainly for routers and proxies. I run Gentoo for web content (apache, email, etc.). My laptop has not had a distribution last more than 2 months at a time since I got it and probably never will. It changes whenever a big new project comes out.

The point is, without spending some time using both OpenBSD and Gentoo, a canned answer will never work for you. Because I happen to find pf really easy to configure and run correctly and have to spend some time with iptables does not mean that you are in the same position. After you get a feel for the other side, take some time and review the earlier linked documents.

The final step that will help you on your way is to get used to documentation. Document everything you do. This can be as simple as "edited make.conf on `date`" just so you can track what you do. Keeping track of what happens on the system is actually 50% of securing your system.

http://openbsd.org/faq/index.html
noobstate
n00b
n00b


Joined: 07 Oct 2007
Posts: 61

PostPosted: Sun Feb 24, 2008 9:37 am    Post subject: Reply with quote

without reading through everyone's comments, it all depends what u are more familiar with (me gentoo)

i find that using a SELinux profile with hardened kernel (pax) or any mandatory access control is more than enough security (selinux kills everything u don't specify in strict mode) although usability drops to nil other than a server

a package management system is key for security of a box - more tools to choose from - easier to take advantage of security through obscurity and the finer things in life - like hardening scripts (bastille)

just because BSD* has a small market share doesn't mean it's more secure than gentoo, it just means there ain't enough people finding flaws for it.

but in the end any system can be broken into, so what ur more comfortable with and has more resources and flavors in securing styles and are able to use clean efficiently once compromised is what should be in your mind


i find selinux targeted with a paranoid logging system and network sniffers (ips/ids) is good mix of things on the desktop

for servers selinux strict with minimal services and network logs is sufficient. just don't try and update it lol
dj_farid
l33t
l33t


Joined: 14 Jun 2004
Posts: 613

PostPosted: Sat Nov 29, 2008 10:32 pm    Post subject: Reply with quote

I have been a gentooer for several years. Before that I had OpenBSD running on my server, but it got boring.
I am in the situation right now of choosing an OS for a few servers at work (apache, freeradius, log server...).
Looking at how things have been with the Windows servers where I am now, no one has been taking care of them. No one has had the time to patch them nor audit the logs.

At first I was considering gentoo since it's the distro that I know. But then I realized that it needs way too much love and care.
I understand that any system needs some love every now and then in order to stay somewhat secure. But I think that OpenBSD would need a lot less attention than a gentoo system would.

Any thoughts on this?
FastTurtle
Guru
Guru


Joined: 03 Sep 2002
Posts: 409
Location: Shake & Bake

PostPosted: Mon Mar 09, 2009 6:35 am    Post subject: Reply with quote

Well I'm going to bump this thread:

Dark_Sith asked a question about the differences between Hardened Gentoo and SE-Linux, which I'm going to address.

The main difference between Gentoo-Hardened and SE-Linux is the purpose behind them. From the docs, the Gentoo project is to implement a more generic base for using various system security models while the SE-Linux Project follows a specific model (paradigm). This means that Gentoo-Hardened is closer to the OpenBSD idea of code auditing and running as few services at boot as needed to start the system.

Now we get into the meat of the issue and the 64K question: How much security do you need? Going back to one important element of SE-Linux, it's really not usable on a multipurpose system such as our desktops. It's designed around military needs of specialist systems that do one thing and one thing only. This is useful in a large corporate environment or a VM environment due to limiting the failure routes to very proscribed.

Gentoo-Hardened and OpenBSD have pretty much the same results though they get there by different routes. The primary difference is OpenBSD's heavy code auditing that blocks most exploits by fixing the bugs used to penetrate a system.

At this time, SE-Linux is not a viable Desktop option as either Hardened-Gentoo or OpenBSD are, because the level of security is very paranoid, though in the Server environment it's actually quite useful, especially if you use Virtualization to host an SE-Linux secured Server.

Now from a small business owner's perspective, I'm seriously considering OpenBSD as the OS of choice for my desktop systems due to increased stability (code audits and bug fixes) as it provides the flexibility needed while having the needed level of user restriction in place. Sorry but Gentoo-Hardened does not suit my business needs at this time.

On my personal desktop, I'm currently using Gentoo AMD64 in multi-lib mode as it offers the most flexibility along with my desired level of stability (unlike Windows which has the most flexibility because it's made from cheesecloth).

Simply put, the matter of system security revolves around how limited you can afford the system to be, because to get a high security setup, you will lose lots of flexibility.