Go to:
Gentoo Home
Documentation
Forums
Lists
Bugs
Planet
Store
Wiki
Get Gentoo!
Gentoo's Bugzilla – Attachment 36645 Details for
Bug 59164
review new hardened docs for mass consumption
Home
|
New
–
[Ex]
|
Browse
|
Search
|
Privacy Policy
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
general overview of technologies (glossary?)
hardened.xml (text/plain), 4.66 KB, created by
Brandon Hale (RETIRED)
on 2004-08-02 09:44:16 UTC
(
hide
)
Description:
general overview of technologies (glossary?)
Filename:
MIME Type:
Creator:
Brandon Hale (RETIRED)
Created:
2004-08-02 09:44:16 UTC
Size:
4.66 KB
patch
obsolete
><?xml version='1.0' encoding="UTF-8"?> ><guide link="proj/en/hardened"> ><title>Introduction to Gentoo Hardened</title> ><author title="Author"> > <mail link="tseng@gentoo.org">Brandon Hale</mail> ></author> > ><abstract> >This document introduces the Gentoo Hardened project and covers >each of its subprojects in simple terms. ></abstract> > ><license/> > ><version>1.0</version> ><date>16 Dec 2003</date> > > ><chapter> ><title>What is Gentoo Hardened?</title> ><section> ><body> > ><p> >Gentoo Hardened is a subproject that works to bring advanced >security features to Gentoo Linux. Hardened is not a single product, >rather a set of complimentary pieces of software intended to cover the >many aspects of Linux security. The major components are ACL systems, >SSP/ET_DYN and Intrusion Detection Systems. ></p> ></body> ></section> ></chapter> > ><chapter> ><title>ACL's (Access Control Lists)</title> ><section> ><body> > ><p> >ACL's give the systems administrator a more powerful tool to control access >to various system resources than was possible in traditional UNIX systems. >Such systems allow you to allow/disallow access to all aspects of a system to >users or groups of users, and to create powerful rulesets. ></p> > ><p> >ACL systems supported by Gentoo Hardened include Grsecurity, SELinux, and >Systrace. ></p> ></body> ></section> > ><section> ><title>Grsecurity</title> ><body> ><p> >Grsecurity may be the most common ACL system, and is found in several of >Gentoo's patched kernel source trees. An advantage of Grsecurity is that >it includes more than just an ACL system. It also provides PaX, a kernel >patch that forces memory to be nonexecutable, thwarting common attacks. >It also adds some other hardening features, including more randomness in >memory allocation and TCP packets, and stricter enforcment of chroot. ></p> ></body> ></section> > ><section> ><title>SELinux</title> ><body> ><p> >SELinux was written by the NSA, and can enforce policies on all processes and >objects on a system. Many people, including the Hardened project, are so >confident in its ability to lock down a system that they have setup public machines and challenge anyone to take down the box (given a root password!) ></p> ></body> ></section> > ><section> ><title>Systrace</title> ><body> ><p> >Systrace is a lightweight ACL system with an easy to use policy editor and a >gui for on-the-fly policy management. Additionally this allows applications >which require root capabilities to run without setuid and setgid flags. ></p> ></body> ></section> ></chapter> > ><chapter> ><title>SSP/ET_DYN</title> > ><section> ><body> ><p> >These two hardening features are added to binaries at compile time by GCC. ></p> ></body> ></section> > ><section> ><title>ET_DYN/PIE</title> ><body> ><p> >Another compile time feature to protect a programs space in memory from >exploitation. This feature tells the compiler to create a Position Independent >Executable, which can be used by a PaX (see below) enabled kernel to fully randomize the executable's memory space. This protection method has no >noticable performance impact, and prevents exploits that are written to >target specific memory addresses. This can be enabled transparently via >hardened-gcc (See Below.) ></p> ></body> ></section> > ><section> ><title>SSP (Stack Smashing Protection)</title> ><body> ><p> >Known commonly as ProPolice, this GCC patch is included by default in Gentoo, >but not enabled. This protects binaries from malicious code insertion into the >stack. Whenever a buffer (area in memory where a program accepts user input) is created, ProPolice inserts a cryptographic "canary", and after each write to a buffer verifies that the canary has not been overwritten. This nullifies a >common attack where a cracker inserts malicious code past the edge of a buffer >and the program blindly executes it. This feature is enabled via the compiler >flag "-fstack-protector" or transparently via hardened-gcc (See Below.) ></p> ></body> ></section> > ><section> ><title>Hardened GCC</title> ><body> ><p> >This is a shell script written by the Gentoo Hardened project to easily >enable/disable SSP and/or ET_DYN building of binaries. This is done >transparently using gcc spec files, so applies to all compiles, not just >Portage. ></p> ></body> ></section> ></chapter> > ><chapter> ><title>Instrusion Detection Systems</title> > ><section> ><body> ><p> >This class of programs monitor log files for suspicious activity and report >it to the administrator. ></p> ></body> ></section> > ><section> ><title>Prelude</title> ><body> ><p> >Prelude is a hybrid intrusion detection system that tracks both network >intrusions and host intrusions with an lml (log monitoring lackey). >Integrating this on a large scale, adding support to certain apps, and adding >rules so that lml can monitor other projects like SELinux. ></p> ></body> ></section> ></chapter> ></guide>
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=36645">View the attachment on a separate page</a>.</b>
View Attachment As Raw
Actions:
View
Attachments on
bug 59164
:
36645
|
36646
|
36940
|
36941
|
36956
