Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
With GRSecurity and similar solutions you get improved security at the cost of more complexity and the risk of breaking some applications if you are not careful. GRSecurity adds some protections against buffer overflowns, it hardens chroot, it adds new firewalling options and a fine permission system. You should decide if you require such a thing and if you are willing to maintain a system with that installed.
Most personal computers do pretty well without SElinuxes or GRSecurities. I think I would only use this kind of things for small systems which are expected to accept connections from untrusted sources (like a personal file server).
I'd chip in to offer the suggestion that, if you need to maintain a network of related systems that need to be able to operate securely in a not-trustworthy environment, the additional strictures that are available in systems like these are in fact quite useful. When coupled with centralized authentication systems like Kerberos they grow stronger yet. Basically, these are integrated-design security infrastructure models that are designed to go well-beyond the rather simplistic security model of "stock" Unix/Linux, and they have good pedigrees.
*BTW recurring problem with your OPs is you tend to be too terse on the nfo... Whatsit for? SOHO machine? Single LAN file server? Hosting perhaps?
Anyway, I agree with the above (you're already aware of certain parties elsewhere using GRSecurity+PAX). Next to the learning curve (which you may or may not view as a burden), the fact it comes with a developer who's dedicated but also rather vocal, the fact that even them ppl seem to use Grsec, one of the practical problems is that only few Linux distributions offer GRSecurity-hardened kernels out of the box. IIRC the earliest adapter was Gentoo Hardened, there's Atomicorp's ASL (IIRC based on CentOS but it's a commercially licensed product) and then there's OpenWall (OWL, based on RHEL and IIRC taking some features from Grsec but correct me if I'm wrong). This means that if yours is not one of the distributions listed you'll have to recompile your kernel each time that's required (security-wise?). Not a problem with Vanilla kernels or sources patched with SELinux except you can't use both MACs at the same time. Good starting points for getting to know GRSecurity and its features would be here and here.
*I don't tend to emphasize my own opinion but when selecting this type of product it would not seem odd to me to question Linux distributions that:
0) are commercially licensed (I don't mean ASL, think water-vapour-suspended-at-an-altitude Linux) and
1) did not or still don't share source code modifications publicly as per GPL requirements and
2) have a CEO whose posts may be colored by the fact he has a vested interest in selling his product.
Just saying.
It'd be nice if his features were available in the Linux Kernel.
AtomicLinux says they have over 1 million servers running it, looks like it was started by the founders of Plesk. I've only heard of it recently, is it really that commonly used?
I'm not a big fan of water-vapour-suspended-at-an-altitude Linux either, it seems their main feature is to seperate environments per user...which as least for me, wouldn't help a whole lot.
No, it's just that some distros slap a license on their product.
That doesn't change Grsec itself: it is Open Source Software.
Quote:
Originally Posted by abefroman
It'd be nice if his features were available in the Linux Kernel.
Hmmm. There's several reasons why Grsec (and Brad Spender) and Vanilla Linux (and Linus Torvalds) don't mix.
Still you can compile it OK. You just can't enable and use both at the same time.
Quote:
Originally Posted by abefroman
AtomicLinux says they have over 1 million servers running it, looks like it was started by the founders of Plesk. I've only heard of it recently, is it really that commonly used?
If they say so. Personally I never encountered an ASL machine. Still I see no reason to doubt them.
I'm the author of grsecurity. Just wanted to clear up some information in this thread.
There's nothing stopping anyone from using both grsecurity and SELinux at the same time, some of our users choose to. Grsecurity does not implement RBAC via LSM, so it is not subject to the problems that affect other access control solutions using LSM, particularly the lack of ability to stack multiple access control solutions.
Openwall does not use grsecurity. They predate grsecurity and thus any features they contain that grsecurity also contains were not taken from grsecurity. We inherited those useful features from Openwall.
The 1 million ASL stat comes from https://www.atomicorp.com/company/bl...-1million.html. Though it may be true that the ASL distro is used on that many systems, at least 9/10ths of that count comes from CloudLinux systems that are not running grsecurity kernels.
I understand that kernel compilation can be a barrier to entry for some. For brand new users (in my opinion), it may be a useful barrier. Those users will hopefully read through all the configuration help and have a greater understanding of the additional security they're adding to their systems and under what conditions it's useful. This kind of important learning would not happen for a user installing the kernel from a package. However, I also recognize that once that initial learning is completed once, there's nothing more gained in compiling future kernels (modulo reading config help for new features introduced), so I do plan to offer custom-built kernel packages in the future.
The 1 million ASL stat comes from https://www.atomicorp.com/company/bl...-1million.html. Though it may be true that the ASL distro is used on that many systems, at least 9/10ths of that count comes from CloudLinux systems that are not running grsecurity kernels.
-Brad
I didn't know CL used asl.
Also CL claims there only on about 10k+ servers, so I'm not sure where the other 890k would be coming from.
I use grsec features along w/ RBAC. On desktops that need graphics support I disable the intense ACL but still use grsec features. If you want anything more useful than a virus scanner that stops undiscovered threats, then grsec is a good choice. But really it is layering w/ strong ACL implementations that make up a good security policy.
Gentoo offers IMO a straightforward approach to implementation. It has automatic profiles within the kernel menuconfig for server or desktop or custom. I haven't tried anything else and Gentoo in general is a learning curve.
The advantage to grsec in large is prevention of unknown threats. Many exploits and vulnerabilities use similar methods of attacking your system. Although the individual malwares and viruses get their own unique names, how many attacks get carried out are similar in nature and grsec features aim to prevent these methods of attack by addressing the common points of weakness and changing them.
It adds overhead to performance and can hinder the possibility of graphics hardware acceleration. Also it could draw attention more undesired just being utilized.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.