LinuxQuestions.org
Old 03-01-2013, 11:55 PM   #1
abefroman
Senior Member
 
Registered: Feb 2004
Location: Chicago
Distribution: CentOS
Posts: 1,277

Rep: Reputation: 53
Is GRsecurity worth using?


Is GRsecurity worth using, to harden the kernel?

TIA
 
Old 03-02-2013, 01:14 PM   #2
BlackRider
Member
 
Registered: Aug 2011
Distribution: Slackware
Posts: 261

Rep: Reputation: 82
I think you'd better test it and decide yourself.

With GRSecurity and similar solutions you get improved security at the cost of more complexity and the risk of breaking some applications if you are not careful. GRSecurity adds some protections against buffer overflows, it hardens chroot, it adds new firewalling options and a fine permission system. You should decide if you require such a thing and if you are willing to maintain a system with that installed.

Most personal computers do pretty well without SElinuxes or GRSecurities. I think I would only use this kind of thing for small systems which are expected to accept connections from untrusted sources (like a personal file server).
 
Old 03-03-2013, 11:12 PM   #3
sundialsvcs
Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 5,455

Rep: Reputation: 1172
I'd chip in to offer the suggestion that, if you need to maintain a network of related systems that need to be able to operate securely in a not-trustworthy environment, the additional strictures that are available in systems like these are in fact quite useful. When coupled with centralized authentication systems like Kerberos they grow stronger yet. Basically, these are integrated-design security infrastructure models that are designed to go well-beyond the rather simplistic security model of "stock" Unix/Linux, and they have good pedigrees.
 
Old 03-07-2013, 01:51 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,709
Blog Entries: 54

Rep: Reputation: 2966
Quote:
Originally Posted by abefroman View Post
Is GRsecurity worth using, to harden the kernel?
*BTW recurring problem with your OPs is you tend to be too terse on the nfo... Whatsit for? SOHO machine? Single LAN file server? Hosting perhaps?

Anyway, I agree with the above (you're already aware of certain parties elsewhere using GRSecurity+PAX). Next to the learning curve (which you may or may not view as a burden), the fact it comes with a developer who's dedicated but also rather vocal, the fact that even them ppl seem to use Grsec, one of the practical problems is that only few Linux distributions offer GRSecurity-hardened kernels out of the box. IIRC the earliest adopter was Gentoo Hardened, there's Atomicorp's ASL (IIRC based on CentOS but it's a commercially licensed product) and then there's OpenWall (OWL, based on RHEL and IIRC taking some features from Grsec but correct me if I'm wrong). This means that if yours is not one of the distributions listed you'll have to recompile your kernel each time that's required (security-wise?). Not a problem with Vanilla kernels or sources patched with SELinux except you can't use both MACs at the same time. Good starting points for getting to know GRSecurity and its features would be here and here.

*I don't tend to emphasize my own opinion but when selecting this type of product it would not seem odd to me to question Linux distributions that:
0) are commercially licensed (I don't mean ASL, think water-vapour-suspended-at-an-altitude Linux) and
1) did not or still don't share source code modifications publicly as per GPL requirements and
2) have a CEO whose posts may be colored by the fact he has a vested interest in selling his product.
Just saying.
 
Old 03-07-2013, 02:36 PM   #5
abefroman
Senior Member
 
Registered: Feb 2004
Location: Chicago
Distribution: CentOS
Posts: 1,277

Original Poster
Rep: Reputation: 53
Thx for the info Unspawn.

I assumed GRsec was open source.

It'd be nice if his features were available in the Linux Kernel.

AtomicLinux says they have over 1 million servers running it, looks like it was started by the founders of Plesk. I've only heard of it recently, is it really that commonly used?

I'm not a big fan of water-vapour-suspended-at-an-altitude Linux either, it seems their main feature is to separate environments per user...which at least for me, wouldn't help a whole lot.

Last edited by abefroman; 03-07-2013 at 02:51 PM.
 
Old 03-07-2013, 03:40 PM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,709
Blog Entries: 54

Rep: Reputation: 2966
Quote:
Originally Posted by abefroman View Post
I assumed GRsec was open source.
No, it's just that some distros slap a license on their product.
That doesn't change Grsec itself: it is Open Source Software.


Quote:
Originally Posted by abefroman View Post
It'd be nice if his features were available in the Linux Kernel.
Hmmm. There's several reasons why Grsec (and Brad Spender) and Vanilla Linux (and Linus Torvalds) don't mix.
Still you can compile it OK. You just can't enable and use both at the same time.


Quote:
Originally Posted by abefroman View Post
AtomicLinux says they have over 1 million servers running it, looks like it was started by the founders of Plesk. I've only heard of it recently, is it really that commonly used?
If they say so. Personally I never encountered an ASL machine. Still I see no reason to doubt them.
 
Old 03-07-2013, 06:56 PM   #7
abefroman
Senior Member
 
Registered: Feb 2004
Location: Chicago
Distribution: CentOS
Posts: 1,277

Original Poster
Rep: Reputation: 53
Would ASL be beneficial to run? It looks like it's RPMs that you install over an existing CentOS install.
 
Old 03-26-2013, 09:38 AM   #8
spender
LQ Newbie
 
Registered: Aug 2011
Posts: 5

Rep: Reputation: Disabled
Hi,

I'm the author of grsecurity. Just wanted to clear up some information in this thread.

There's nothing stopping anyone from using both grsecurity and SELinux at the same time, some of our users choose to. Grsecurity does not implement RBAC via LSM, so it is not subject to the problems that affect other access control solutions using LSM, particularly the lack of ability to stack multiple access control solutions.

Openwall does not use grsecurity. They predate grsecurity and thus any features they contain that grsecurity also contains were not taken from grsecurity. We inherited those useful features from Openwall.

The 1 million ASL stat comes from https://www.atomicorp.com/company/bl...-1million.html. Though it may be true that the ASL distro is used on that many systems, at least 9/10ths of that count comes from CloudLinux systems that are not running grsecurity kernels.

I understand that kernel compilation can be a barrier to entry for some. For brand new users (in my opinion), it may be a useful barrier. Those users will hopefully read through all the configuration help and have a greater understanding of the additional security they're adding to their systems and under what conditions it's useful. This kind of important learning would not happen for a user installing the kernel from a package. However, I also recognize that once that initial learning is completed once, there's nothing more gained in compiling future kernels (modulo reading config help for new features introduced), so I do plan to offer custom-built kernel packages in the future.

-Brad

Last edited by spender; 03-26-2013 at 11:01 AM.
 
2 members found this post helpful.
Old 03-26-2013, 03:09 PM   #9
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,709
Blog Entries: 54

Rep: Reputation: 2966
Quote:
Originally Posted by spender View Post
There's nothing stopping anyone from using both grsecurity and SELinux at the same time, some of our users choose to.
Thanks for clearing things up.
 
Old 03-26-2013, 03:32 PM   #10
abefroman
Senior Member
 
Registered: Feb 2004
Location: Chicago
Distribution: CentOS
Posts: 1,277

Original Poster
Rep: Reputation: 53
Quote:
Originally Posted by spender View Post
Hi,

The 1 million ASL stat comes from https://www.atomicorp.com/company/bl...-1million.html. Though it may be true that the ASL distro is used on that many systems, at least 9/10ths of that count comes from CloudLinux systems that are not running grsecurity kernels.

-Brad
I didn't know CL used asl.

Also CL claims they're only on about 10k+ servers, so I'm not sure where the other 890k would be coming from.

Last edited by abefroman; 03-26-2013 at 03:33 PM.
 
Old 03-27-2013, 02:58 PM   #11
CrazyNerdGuy
LQ Newbie
 
Registered: Mar 2013
Location: OR, USA
Distribution: -= Gentoo =-
Posts: 4

Rep: Reputation: Disabled
It depends on your security needs.

I use grsec features along w/ RBAC. On desktops that need graphics support I disable the intense ACL but still use grsec features. If you want anything more useful than a virus scanner that stops undiscovered threats, then grsec is a good choice. But really it is layering w/ strong ACL implementations that make up a good security policy.

Gentoo offers IMO a straightforward approach to implementation. It has automatic profiles within the kernel menuconfig for server or desktop or custom. I haven't tried anything else and Gentoo in general is a learning curve.

The advantage to grsec in large is prevention of unknown threats. Many exploits and vulnerabilities use similar methods of attacking your system. Although the individual malwares and viruses get their own unique names, how many attacks get carried out are similar in nature and grsec features aim to prevent these methods of attack by addressing the common points of weakness and changing them.

It adds overhead to performance and can hinder the possibility of graphics hardware acceleration. Also it could draw attention more undesired just being utilized.
 
  


All times are GMT -5. The time now is 03:09 AM.
