Hardened Gentoo’s purpose is to make Gentoo viable for high security, high stability production server environments. This project is not a standalone project disjoined from Gentoo proper; it is intended to be a team of Gentoo developers who are focused on delivering solutions to Gentoo that provide strong security and stability. This machine is Hardened Gentoo’s SELinux demo machine. Its primary use is to test and audit SELinux integration and policy.
Hardened Gentoo’s SELinux Demo Machine
2003-06-07 Gentoo 21 Comments
You get root access, but you can’t do anything!
Certainly a useful feature. The capability to change the kernel with prepared items, and, obviously, the availability of various kernels.
Of course it’s not as simple as the new Linux trolling mantra: “just emerge new kernel, whaouh the screenshot, and it’s rock” ;-))) But it’s reasonably easy.
To cut off another mantra, just forget the word speed when you use grsecurity. And, in a first time, let’s say a month, also forget the word security, you just have mounted a formidable hole. One month later, aka when you have understood what really to do with that, you can use again the word security. Well, except for studying, I prefer a Zywall; for $200 you have an effective and easy security. Matter of choice. On the other hand, as usual if you don’t care or want the hassle, it’s free…
To finish, this is undoubtedly nice news from and for Gentoo.
Before anyone starts making assumptions about this machine I want to say some things about it.
What this machine is:
A Gentoo installation secured with SELinux, running several daemons for testing in a production environment.
What this machine is not:
A chrooted installation
A uml installation
A userland restricted shell (i.e. rbash)
A completely useless and stripped down machine
Impervious to DoS attacks (don’t DoS or forkbomb, it doesn’t do anything except annoy people and stop others from enjoying the machine)
This is not a fake machine, root is not a fake account. Apache and a couple other daemons are running; the reason root is restricted is because it is in the user_r SELinux role (you can see the current role/context by typing id).
… what I call “Trustworthy Computing.”
Let’s see if someone can even think of comparing this machine’s security to Microsoft’s policy and its newest product, Windows 2003 Server.
Hi, recently due to legal concerns we migrated our Linux setup to SCO OpenServer, and the difference is like night and day! Now I truly appreciate the comparison between SCO = luxury car and Linux = bicycle. SCO is so far ahead it’s not funny — security, stability, desktop integration; and I hope some good old fashioned litigation kills this Linux hype once and for all. If you currently use Linux, I invite you to first talk to your lawyer, and then try a high-quality, commercial-grade operating system: SCO OpenServer or SCO UnixWare.
I don’t understand the point of why root can’t have access to anything. How can I upgrade or do whatever on the machine with limited power on root? I just logged in to the selinux.dev.gentoo.org machine and look here:
selinux usr # ls -l
ls: src: Permission denied
ls: portage: Permission denied
ls: flask: Permission denied
drwxr-xr-x 6 root root 4096 Apr 8 18:53 X11R6
How interesting, it doesn’t allow me to know what’s in src, portage and flask. Also, it won’t let me get in...
selinux usr # id
uid=0(root) gid=0(root) groups=0(root) context=user_u:user_r:user_t sid=271
Looks like I am missing the point of theory why they should limit the power on the root account.
If someone roots the box, they can’t do anything. The real admins can do what they want, using other accounts.
Try doing ls --context and ps --context.
I think the idea is that there is no single all powerful user like root is on normal Linux.
For instance, if someone has very sensitive information in a user account, you may not want the system admin to be able to view it or change it.
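The `id` output quoted above (uid 0, but context user_u:user_r:user_t) is the whole point of the discussion: under SELinux the role in the security context, not the uid, decides what a login may do. The following is an added example, not code from the thread or from the Gentoo or SELinux projects. It parses an `id` line of that shape offline, so no SELinux system is needed; it assumes sysadm_r is the administrative role (the demo machine's actual policy is not on the page), and the second sample line is constructed for contrast.

```shell
#!/bin/sh
# Added example (not part of the original thread): parse the SELinux security
# context printed by `id` and classify the login by its ROLE rather than its uid.
# A context has the form user:role:type[:level]; uid 0 does not override MAC.

# Constructed sample: the `id` output quoted in the thread above.
SAMPLE_ID_OUTPUT='uid=0(root) gid=0(root) groups=0(root) context=user_u:user_r:user_t sid=271'

# Print the context=... field of an `id` line (empty if the line has none,
# i.e. the system is running plain DAC without SELinux).
context_of() {
    printf '%s\n' "$1" | sed -n 's/.*context=\([^ ]*\).*/\1/p'
}

# Print one colon-separated field of a context:
# $1 = context, $2 = field index (1=user, 2=role, 3=type, 4=level).
context_field() {
    printf '%s\n' "$1" | cut -d: -f"$2"
}

# Print the numeric uid from an `id` line.
uid_of() {
    printf '%s\n' "$1" | sed -n 's/^uid=\([0-9]*\).*/\1/p'
}

# Assumption: sysadm_r is the administrative role in the policy of that era.
# Succeeds (exit 0) for the admin role, fails (exit 1) for any other role.
role_is_admin() {
    [ "$1" = "sysadm_r" ]
}

# One-line summary of what a login can do, e.g.
# "uid=0 role=user_r -> restricted (uid 0 does not override MAC)"
describe_login() {
    ctx=$(context_of "$1")
    uid=$(uid_of "$1")
    if [ -z "$ctx" ]; then
        printf 'uid=%s no SELinux context (DAC only: uid 0 is unrestricted)\n' "$uid"
        return 0
    fi
    role=$(context_field "$ctx" 2)
    if role_is_admin "$role"; then
        printf 'uid=%s role=%s -> administrative\n' "$uid" "$role"
    else
        printf 'uid=%s role=%s -> restricted (uid 0 does not override MAC)\n' "$uid" "$role"
    fi
}

# The thread's root login: uid 0, yet confined to user_r.
describe_login "$SAMPLE_ID_OUTPUT"
# Constructed contrast: the same uid in the administrative role.
describe_login 'uid=0(root) gid=0(root) groups=0(root) context=root:sysadm_r:sysadm_t'
# Constructed contrast: no context at all (a non-SELinux box).
describe_login 'uid=0(root) gid=0(root) groups=0(root)'
```

On a live SELinux box the same split is visible with `id -Z` (the context alone) and `ls -Z` / `ps -Z`, which is what the `--context` suggestion in the thread shows: the "Permission denied" on /usr/src comes from the type enforcement rules for user_t, not from the file's mode bits.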
ROFLMAO!!! Thanks for the laughs.
“Hi, recently due to legal concerns we migrated our Linux setup to SCO OpenServer, and the difference is like night and day! Now I truly appreciate the comparison between SCO = luxury car and Linux = bicycle. SCO is so far ahead it’s not funny — security, stability, desktop integration; and I hope some good old fashioned litigation kills this Linux hype once and for all. If you currently use Linux, I invite you to first talk to your lawyer, and then try a high-quality, commercial-grade operating system: SCO OpenServer or SCO UnixWare.”
Dude, UnixWare sucks. It sucked when Novell had it, and even now UnixWare still sucks. If you think UnixWare is high quality then I suggest Windows 3.1 for your workstations. If Linux gets killed I will either go FreeBSD or BeOS, but I won’t be going UnixWare or OpenServer; by the way, OpenServer sucks more than UnixWare does. I have talked to three attorneys regarding SCO’s legal threats and basically all 3 just said to wait to see what happens, but they seriously doubt SCO will win.
For those of you not familiar with advanced security, the Gentoo box is enforcing Mandatory Access Control (MAC) and the equivalent of Role Based Access Control (RBAC), where root is a role.
The advantages are that if something is not specifically allowed it is denied, and this is B Level security (minimally under TCSEC) or EAL4+ (under Common Criteria). Only used in the most demanding and secure environments. And I really doubt that any version of Windows will ever be this secure!
Russell Coker passed around an IP/root pass combo on a lot of mailing lists and IRC channels and had his Debian SELinux box up for months without anyone breaking into it (obviously, they could log in as root, but they couldn’t do any damage). The only thing they could do was locally DoS it, and that was mentioned in all of the distribution areas as a “no-no”; the motd noted that anyone doing so would have their IPs blocked.
Please don’t feed that troll.
Nope. He isn’t a troll. He’s a regular here, and his comments are (usually) the truth. UnixWare/OpenServer do suck, why not use a real UNIX like Solaris/AIX/HPUX etc.?
Analyst (IP: —.cpe.net.cable.rogers.com) is a Troll.
Yes, I did it first. But I’m happy to see the Gentoo people get the credit they deserve. They are doing some good work, and are experimenting with some new policy changes that should provide additional benefits.
I think it’s good to have multiple play machines, then we can each concentrate on different areas, and in future we can offer unrestricted access to each other’s machines to allow further tests (firewalls are necessary to protect regular machines on the Internet from such play machines).
If you would like to run your own SE Linux play machine then please contact me or the Gentoo people for some suggestions on how to do it properly.
Security is an ongoing process, not a set it and forget it chore. Although Windows and Mac, which were never built for networking anyway, provide the least system and network security, it is really the function of the system/network administrator to continue to design, redesign, implement, reimplement and research the best security options or policy, in light of available resources (funds and hardware) and security threats (which differ from business to business, or situation to situation).
In fact, the security of a machine usually boils down to the dexterity, experience and knowledge of the network/system administrator(s) and the design of their security policies. Every computer user should devote a considerable amount of time to researching security and the security needs of their workstation(s). To the best of my knowledge, most well trained or experienced network administrators are well honed, with regards to security literacy. Unfortunately, a lot more aren’t.
After all said and done, Gentoo seems to be making waves of late. Congratulations to Gentoo team/community for a great distro and for being at the forefront of security concerns.
I’ve done it on Coker’s SELinux Play Machine, I’ve done it on the Hardened Gentoo SELinux Machine, but I can’t get no satisfaction!!!
Logged in as root, and
rm -rf /
Imagine how useful that will be when the next killer clown tries defacing your web server. I’m all for it.
… Actually finishing Gentoo 1.4 before investing your resources into other ventures.
There’s practically no difference between any of the RCs and a final 1.4 release for 99% of users. The actual releases only affect the default settings/programs on the installation discs and maybe some precompiled binaries. Once you get Gentoo running you just keep updating the packages to the newest releases. Packages include all the system utilities and portage itself, so after the installation process there’s no reason you should care about new releases. You’ll get the same exact system/userland software by just updating your packages regularly.