Slashdot Mirror

← Back to Stories (view on slashdot.org)

Additional Security in the Linux Kernel?

Posted by Cliff on from the going-beyond-ugo dept.

nyx asks: "Recently, I was looking for some way to improve security on my linux boxes. I found few linux patches like grsecurity, LIDS (now also as Linux Security Module), Medusa DS9. I'm testing grsecurity (and it's ACLs) now and I'm quite satisfied with it, but I wonder, what are pros and cons of other solutions. Anybody tried them and can share his experience with us?"

25 of 300 comments (clear)

  1. GRSecurity by ClickWir · · Score: 1, Informative

    I've been useing the grsecurity patch on the medium level. Seems to help out a bit, haven't had any problems. Performance does not seem to be affected.

  2. I suggest vserver by WetCat · · Score: 5, Informative

    http://www.solucorp.qc.ca
    You can create virtual servers on your machine, tailored for specific tasks.
    For example, you can create virtual server where you'll work on your project, virtual server which will run apache, virtual server in which you'll browse web and read mail.
    You then can put them on different IP addresses (or no addresses at all) and make them indepedent, changing information only by means YOU approve (shared directory, TCP sockets under firewall, etc).
    It's a kernel patch and some user-mode programs.
    Virtual servers can share binaries for saving disk space.

    1. Re:I suggest vserver by jelle · · Score: 3, Informative

      Actually, I run Debian (woody) and I've been running a pristine RedHat7.2 install in a vserver on it for a couple of weeks now. I'm running two distributions in parallel. No more upgrading of distributions, just install new ones additionally. I can always still use the old version (as long as they all accept a common 2.4 kernel)

      howto? Simple, install redhat7.2 on an empty disk, and copy all the files including permissions to /vservers/01 (or mount the disk there).

      The vserver sources are easy to deb-make (man deb-make) (tip: "RPM_BUILD_ROOT=$(DESTDIR)" in the Makefile).

      "vserver 01 start" to boot rh72, and "vserver 01 enter" to enter it as root. edit the ListenAddress in /etc/ssh/sshd_config of your debian to only bind to one IP instead of 0.0.0.0, and then you can start an ssh in the rh72 vserver and there you are, as if you had an extra computer running rh72.

      (did I mention the whole thing is diskless remote boot too?)

      --
      --- Hindsight is 20/20, but walking backwards is not the answer.
  3. nsa linux (selinux) by Anonymous Coward · · Score: 1, Informative

    http://www.nsa.gov/selinux/

    adds some intresting security features, but doesnt support x so i didnt install it on my workcomputer.

    Also adds the question do we trust the NSA even if the source is avalible

  4. Current Project with PF_KEY by mrphish697 · · Score: 2, Informative

    I'm currently using OpenBSD in a work-related project. It's quite good, if not well documented.

    --
    You can't ride two horses with one ass
    1. Re:Current Project with PF_KEY by CoolVibe · · Score: 3, Informative

      Also, if you're condemned to Solaris, like me, then Pappillon is another option.

  5. LSM has been included in 2.5.27 by daserver · · Score: 5, Informative

    The Linux Security Model has been included in the upcomming 2.6

    1. Re:LSM has been included in 2.5.27 by RTFA+Man · · Score: 0, Informative

      Try the Openwall kernel patches too. They make the stack non-executable, preventing a whole class of buffer overrun attacks. The general page has more info, too.

  6. Small thing... by Jetifi · · Score: 3, Informative

    Linux Security module is what adds hooks into the kernel for security. LIDS uses the LSM hooks, and so does SELinux, and (I think?) others. But LIDS != LSM.

    1. Re:Small thing... by kylus · · Score: 5, Informative

      Yeah there are other components that use the LSM hooks aside from SELinux and LIDS. There's Domain Type Enforcement (I believe).

      Back to the original question I've used LIDS, SELinux, and GRSecurity and I've found them all to have their strengths and their weaknesses. The common problem with all of them is there is usually something you forget to configure properly the first time which can really be a pain to fix. SELinux and GRSecurity both solved this by adding a toggle mode and a /proc entry respectively to change the enforcement of their code.

      With SELinux, the major advantage is that you gain a VERY flexible architecture you can use to create nearly any type of Mandatory Access policy you need. The specifications of the system make it able to use policies based on Type Enforcement (putting the bitchy SCC patent issues aside for the moment...), Role-Based Access Control, or Multi-Level Security and likely a host of other things. The drawback is that creating a policy that covers the whole system is not a trivial thing...look at the example security policy included with the distribution (http://www.nsa.gov/selinux) and you'll see what I mean.

      GRSecurity is not exactly related to SELinux; they do different things. I like GRSecurity because most of its options do not require a lot of extra configuration, they don't break any existing applications (those that do are clearly marked), and they add a lot of small protections without a great deal of overhead to the vanilla kernel. Plus their ACL system is quite well-developed and extremely secure.

      Ultimately I think it comes down to figuring out what you need for your box and then going with the option that will provide it to you with the least amount of interference (unless you like fixing things, of course ;) ).

      --
      --Kylus
      Idiot-proof something, and Life will build a better Idiot.
  7. Re:Bastille - No Kernel Patches by RadioheadKid · · Score: 5, Informative

    Bastille Linux is user space hardening (e.g. changing file permissions, disabling telnet and other vulnerable services, setting up IPTables and various other security features), no kernel patches as far as I remember.

    --
    "Karma can only be portioned out by the cosmos." -Homer Simpson
  8. Snort by Quantum+Singularity · · Score: 2, Informative

    There's a program called Snort that does packet sniffing and intrusion detection, among other things. It's at snort.org.
    That and good ol' P.G.P.

    --
    We're Doomed
  9. If you don't mind proprietary stuff... by MajorBurrito · · Score: 2, Informative

    ... you can try PitBull from Argus Systems. It's a very good product and free for non-commercial use (I think). If you can live without the source to their module.

  10. Re:User Mode Linux by WetCat · · Score: 2, Informative

    I tried that - that solution gives more isolation between your virtual machine and main machine, but it's much slower than vserver patch.
    I tried to use vserver patch for Mandrake 8.2 on
    P1-200MMX with Apache, DNS, Mozilla, X and it worked perfectly.

  11. use only trusted code by Pegasus · · Score: 3, Informative
    Bandaids like lsm, grsecurity & co will only help you cover to some extent the holes already there. I don't feel like this is the ideal solution ... The ideal solution is to write clean and bugfree code and use that. OpenBSD will probably get you there in the quickest way.

    But on the other hand, you know what idealism is ...

  12. Re:security by RinkSpringer · · Score: 3, Informative

    From http://www.trustedbsd.org:

    The TrustedBSD project provides a set of trusted operating system extensions to the FreeBSD operating system

    In other words, it's not an OS, it's a set of patches and extensions... please, check your facts before you post something.

  13. grsecurity by bozoman42 · · Score: 3, Informative

    It works marvellously when it works. Randomized pid, randomized sequence numbers, and soon to have ACL's that define resource limits on just about anything. Really powerful.

    When it works.

    I've been trying to run it on an SMP Xeon for a while now, and any time the machine exerts itself I have to go hit the big red button. And it's not really a machine I'd like to do "testing" on, so no, I won't help with debugging. What "testing" I've done so far has been nothing but infuriating.

    Another few tidbits: all the security in grsec basically completely prevents any JVM from running at all. Ditto UML. (Though UML may also have issues with SMP. But now that I've removed a big variable in my equation of horror...)

    Since Rusell Coker has package SELinux for Debian, I will definitely have to investigate that sometime in the near future. I think I'll rack some uptime first to bolster my self esteem. :)

  14. LIDS does a good job by Anonymous Coward · · Score: 1, Informative

    This past January-June, I worked on a project involving LIDS. I was responsible for all the setup/maintenance. Setup for LIDS is extremely easy. The difficult part is setting up the ACL's. For a complex system with many daemons running, this might be a difficult task. Fortunately, you can find plenty of people who make their ACL lists public, so you can see how to setup common things such as Sendmail, Apache, SSH, etc. With a good ACL list, your box will be as secure as it can get. With constant attacks on our LIDS box, no one ever got total control. The one time we let someone get root (for research purposes), that person was not able to do anything (even root can be made to not have certain accesses). I highly recomend LIDS to anyone looking for a more secure linux.

  15. Re:Stack Guard by mccrew · · Score: 2, Informative
    > I was wondering whether there are any similar products to StackGuard

    Um, how about libsafe?

    -Steve

    --
    Hey, Windows users, there is no such thing as "forward" slash, there is only slash and backslash.
  16. security illusion by g4dget · · Score: 1, Informative
    With very few exceptions, adding more stuff to your kernel doesn't make it more secure. ACLs, for example, make it very easy to screw up in numerous ways.

    One of the best ways to keep your system secure is to keep it simple: remove daemons, remove kernel modules, remove software you don't need, etc.

  17. BSD is concerning itself with kernel security by c13v3rm0nk3y · · Score: 2, Informative

    I don't know the facts about Linux, specifically, but there is a push in the *BSD world for kernel security features to be incorporated as defaults.

    The only one I recall off the top of my head is "non-executable stacks" to keep stack overflow attacks from being quite as easy. I'm sure it has other advantages, as well.

    All this does is "raise the bar" for attackers. I'm assuming most of the Linux kernel security tweaks do the same.

    --
    -- clvrmnky
  18. LIDS != LSM by Great_Geek · · Score: 2, Informative

    It seems to me LSM (Linux Security Module) is the former SELinux (Security Enhanced Linux) from NSA. The LIDS (Linux IDS) is totally independent. The news is that LSM has been accepted into the development kernel tree.

  19. Dear Troll... by Anonymous Coward · · Score: 1, Informative

    You must feel kinda silly now that the recent OpenSSH ChallengeResponse bug can root a default OpenBSD remotely in seconds...

  20. chflags/chattr by chrysalis · · Score: 3, Informative

    All these add-ons are nice, but you can easily have a very hardened server without installing nor patching anything. Linux, *BSD and probably other operating systems have extended fs attributes for ages.

    With standard commands like chflags (BSD) or chattr (Linux), you can mark files and directories read-only (immutable) or append-only.

    The point is that once you have a working system, and if you have local access to the console, you can set proper attributes to all your files.

    You then have the concept of "security levels". Once your box is in multi-user mode, the "security level" can increase, and a lot of thing will be refused by the kernel : changing firewall rules, access to kmem, to raw devices, etc. and changing extended attributes.

    So even if an attacker gets root access on your box, he won't be able to alter anything except some ever changing files (something that can be solved by using an NFS mount) . And the append-only log files are really nasty, because he won't be able to hide what he's doing. Patch your favorite shells to always log history files to an append-only file to get even more fun.

    On a properly configured box (that you have console access on), you must be able to run "rm -rf /" as root, and your system must still be up and running. No need for any integrity checker.

    --
    {{.sig}}
  21. Re:ACLs by ts0003 · · Score: 5, Informative

    The parent post in incomplete at best, and if viewed less charitably it is misleading.

    1. The 1976 Harrison, Ruzzo and Ullman result (from "Protection in Operating Systems") pertains to "safety" in the access-matrix model. Inferences about security need to verify the implementation of the model as well.

    2. The result only applies to a system where an infinite number of subjects and objects can be created. An implementation on a typical OS does not suffer from this limitation since resources of the host that are used for the digital representation are finite.

    3. Their proof reduces a Turing machine to the access-matrix model, introducing a mapping between decidability and the leakage of a right in the access-matrix. Deciding whether a specific leak occurs is the equivalent, then, of solving the Halting problem. This proof, however, says nothing for a system where more specific knowledge of the system is used, where you *can* make stronger inferences. Look to the mono-operational system for a concrete, albeit impractical, example.

    4. Their results hold for any model that uses an access-matrix, regardless of whether it is Discretionary or Mandatory.