aboutsummaryrefslogtreecommitdiff
blob: 5e60a816ecb98b987fe183abf5e382ebf6ae7bc8 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<link title="new" rel="stylesheet" href="http://www.gentoo.org/../css/main.css" type="text/css">
<link REL="shortcut icon" HREF="http://www.gentoo.org/../favicon.ico" TYPE="image/x-icon">
<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website">
<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums">
<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla">
<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/packages-gentoo-org.xml" title="Gentoo Packages">
<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/archives-gentoo-org.xml" title="Gentoo List Archives">
<title>Gentoo Linux Documentation
--
  Introduction to Gentoo Hardened</title>
</head>
<body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0">
<tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="http://www.gentoo.org/../images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr>
<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr>
<td width="99%" class="content" valign="top" align="left">
<br><h1>Introduction to Gentoo Hardened</h1>
<form name="contents" action="http://www.gentoo.org">
<b>Content</b>:
        <select name="url" size="1" OnChange="location.href=form.url.options[form.url.selectedIndex].value" style="font-family:sans-serif,Arial,Helvetica"><option value="#doc_chap1">1. What is Gentoo Hardened?</option>
<option value="#doc_chap2">2. ACL's (Access Control Lists)</option>
<option value="#doc_chap3">3. PIE/SSP</option>
<option value="#doc_chap4">4. Instrusion Detection Systems</option></select>
</form>
<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
            </span>What is Gentoo Hardened?</p>
<p>
Gentoo Hardened is a subproject that works to bring advanced
security features to Gentoo Linux. Hardened is not a single product
but rather a set of complimentary pieces of software intended to cover
many aspects of Linux security. The major components are ACL systems,
PIE/SSP and Intrusion Detection Systems.
</p>
<p class="chaphead"><a name="acl"></a><a name="doc_chap2"></a><span class="chapnum">2.
            </span>ACL's (Access Control Lists)</p>
<p>
ACL's give the systems administrator a more powerful tool to control access
to various system resources than was possible in traditional UNIX systems.
Such systems allow you to allow/disallow access to all aspects of a system to
users or groups of users, and to create powerful rulesets.
</p>
<p>
ACL systems supported by Gentoo Hardened include Grsecurity, SELinux, RSBAC, and
Systrace.
</p>
<p class="secthead"><a name="grsecurity"></a><a name="doc_chap2_sect2">Grsecurity</a></p>
<p>
Grsecurity may be the most common ACL system, and is found in several of
Gentoo's patched kernel source trees. An advantage of Grsecurity is that
it includes more than just an ACL system. It also provides PaX, a kernel
patch that forces memory to be nonexecutable, thwarting common attacks.
It also adds some other hardening features, including more randomness in
memory allocation and TCP packets, and stricter enforcement of chroot.
</p>
<p class="secthead"><a name="selinux"></a><a name="doc_chap2_sect3">SELinux</a></p>
<p>
SELinux was written by the NSA and can enforce policies on all processes and
objects on a system. Many people, including the Hardened project, are so
confident in its ability to lock down a system that they have setup public 
machines and challenge anyone to take down the box (given a root password!)
</p>
<p class="secthead"><a name="rsbac"></a><a name="doc_chap2_sect4">RSBAC</a></p>
<p>
RSBAC is an independent project driven by Amon Ott. It supports many different
security models which are implemented as modules. It can work together with PaX
and while the implementation and models are a bit different, it is often
compared to SELinux features wise.
</p>
<p class="secthead"><a name="systrace"></a><a name="doc_chap2_sect5">Systrace</a></p>
<p>
Systrace is a lightweight ACL system with an easy to use policy editor and a 
gui for on-the-fly policy management. Additionally this allows applications 
which require root capabilities to run without setuid and setgid flags.
</p>
<p class="chaphead"><a name="doc_chap3"></a><span class="chapnum">3.
            </span>PIE/SSP</p>
<p>
These two hardening features are added to binaries at compile time by GCC.
</p>
<p class="secthead"><a name="et_dyn"></a><a name="doc_chap3_sect2">PIE/SSP</a></p>
<p>
Another compile time feature to protect a programs space in memory from
exploitation. This feature tells the compiler to create a Position Independent
Executable, which can be used by a PaX (see below) enabled kernel to fully 
randomize the executable's memory space. This protection method has no 
noticable performance impact, and prevents exploits that are written to
target specific memory addresses. This can be enabled transparently via
hardened-gcc (See Below.)
</p>
<p class="secthead"><a name="ssp"></a><a name="doc_chap3_sect3">SSP (Stack Smashing Protection)</a></p>
<p>
Known commonly as ProPolice, this GCC patch is included by default in Gentoo,
but not enabled. This protects binaries from malicious code insertion into the
stack. Whenever a buffer (area in memory where a program accepts user input) is
created, ProPolice inserts a cryptographic "canary", and after each write to a 
buffer verifies that the canary has not been overwritten. This nullifies a
common attack where a cracker inserts malicious code past the edge of a buffer
and the program blindly executes it. This feature is enabled via the compiler
flag "-fstack-protector" or transparently via hardened-gcc (See Below.)
</p>
<p class="secthead"><a name="hardened-gcc"></a><a name="doc_chap3_sect4">Hardened GCC</a></p>
<p>
When GCC is built with USE="hardened", modified spec files are installed that allow
for transparent PIE/SSP compiles. Since these options are enabled by the spec file
there is no reason to also add them to CFLAGS. In fact, in the case of PIE this can
even cause problems.
</p>
<p class="chaphead"><a name="ids"></a><a name="doc_chap4"></a><span class="chapnum">4.
            </span>Instrusion Detection Systems</p>
<p>
This class of programs monitor log files for suspicious activity and report
it to the administrator.
</p>
<p class="secthead"><a name="prelude"></a><a name="doc_chap4_sect2">Prelude</a></p>
<p>
Prelude is a hybrid intrusion detection system that tracks both network 
intrusions and host intrusions with an lml (log monitoring lackey). 
Integrating this on a large scale, adding support to certain apps, and adding 
rules so that lml can monitor other projects like SELinux.
</p>
<br><p class="copyright">
    The contents of this document are licensed under the <a href="http://creativecommons.org/licenses/by-sa/2.5">Creative Commons -
    Attribution / Share Alike</a> license.
  </p>
<!--
  <rdf:RDF xmlns="http://web.resource.org/cc/"
      xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
  <License rdf:about="http://creativecommons.org/licenses/by-sa/2.5/">
     <permits rdf:resource="http://web.resource.org/cc/Reproduction" />
     <permits rdf:resource="http://web.resource.org/cc/Distribution" />
     <requires rdf:resource="http://web.resource.org/cc/Notice" />
     <requires rdf:resource="http://web.resource.org/cc/Attribution" />
     <permits rdf:resource="http://web.resource.org/cc/DerivativeWorks" />
     <requires rdf:resource="http://web.resource.org/cc/ShareAlike" />
  </License>
  </rdf:RDF>
--><br>
</td>
<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
<tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="docs/glossary.xml?style=printable">Print</a></p></td></tr>
<tr><td class="topsep" align="center"><p class="alttext">Updated August 7, 2004</p></td></tr>
<tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b>
This document introduces the Gentoo Hardened project and covers
each of its subprojects in simple terms.
</p></td></tr>
<tr><td align="left" class="topsep"><p class="alttext">
  <a href="mailto:tseng@gentoo.org" class="altlink"><b>Brandon Hale</b></a>
<br><i>Author</i><br></p></td></tr>
<tr lang="en"><td align="center" class="topsep">
<p class="alttext"><b>Donate</b> to support our development efforts.
        </p>
<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
<input type="hidden" name="cmd" value="_xclick"><input type="hidden" name="business" value="paypal@gentoo.org"><input type="hidden" name="item_name" value="Gentoo Linux Support"><input type="hidden" name="item_number" value="1000"><input type="hidden" name="image_url" value="http://www.gentoo.org/images/paypal.png"><input type="hidden" name="no_shipping" value="1"><input type="hidden" name="return" value="http://www.gentoo.org"><input type="hidden" name="cancel_return" value="http://www.gentoo.org"><input type="image" src="http://images.paypal.com/images/x-click-but21.gif" name="submit" alt="Donate to Gentoo">
</form>
</td></tr>
<tr lang="en"><td align="center"><iframe src="http://sidebar.gentoo.org" scrolling="no" width="125" height="850" frameborder="0" style="border:0px padding:0x" marginwidth="0" marginheight="0"><p>Your browser does not support iframes.</p></iframe></td></tr>
</table></td>
</tr></table></td></tr>
<tr><td colspan="2" align="right" class="infohead">
Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
</td></tr>
</table></body>
</html>