Go to:
Gentoo Home
Documentation
Forums
Lists
Bugs
Planet
Store
Wiki
Get Gentoo!
Gentoo's Bugzilla – Attachment 36956 Details for
Bug 59164
review new hardened docs for mass consumption
Home
|
New
–
[Ex]
|
Browse
|
Search
|
Privacy Policy
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
"Broken" glossary
glossary.xml (text/plain), 5.02 KB, created by
Brandon Hale (RETIRED)
on 2004-08-07 07:31:05 UTC
(
hide
)
Description:
"Broken" glossary
Filename:
MIME Type:
Creator:
Brandon Hale (RETIRED)
Created:
2004-08-07 07:31:05 UTC
Size:
5.02 KB
patch
obsolete
><?xml version='1.0' encoding="UTF-8"?> ><!DOCTYPE guide SYSTEM "/dtd/guide.dtd"> ><guide link="/proj/en/hardened/docs/glossary.xml"> > ><title>Introduction to Gentoo Hardened</title> ><author title="Author"> > <mail link="tseng@gentoo.org">Brandon Hale</mail> ></author> > ><abstract> >This document introduces the Gentoo Hardened project and covers >each of its subprojects in simple terms. ></abstract> > ><!-- The content of this document is licensed under the CC-BY-SA license --> ><!-- See http://creativecommons.org/licenses/by-sa/2.0 --> ><license/> > ><version>1.1</version> ><date>August 07, 2004</date> > ><chapter> ><title>What is Gentoo Hardened?</title> ><section> ><body> > ><p> >Gentoo Hardened is a subproject that works to bring advanced >security features to Gentoo Linux. Hardened is not a single product >but rather a set of complimentary pieces of software intended to cover >many aspects of Linux security. The major components are ACL systems, >PIE/SSP and Intrusion Detection Systems. ></p> > ></body> ></section> ></chapter> > ><chapter id="acl"> ><title>ACL's (Access Control Lists)</title> ><section> ><body> > ><p> >ACL's give the systems administrator a more powerful tool to control access >to various system resources than was possible in traditional UNIX systems. >Such systems allow you to allow/disallow access to all aspects of a system to >users or groups of users, and to create powerful rulesets. ></p> > ><p> >ACL systems supported by Gentoo Hardened include Grsecurity, SELinux, and >Systrace. ></p> > ></body> ></section> ><section id="grsecurity"> ><title>Grsecurity</title> ><body> > ><p> >Grsecurity may be the most common ACL system, and is found in several of >Gentoo's patched kernel source trees. An advantage of Grsecurity is that >it includes more than just an ACL system. It also provides PaX, a kernel >patch that forces memory to be nonexecutable, thwarting common attacks. >It also adds some other hardening features, including more randomness in >memory allocation and TCP packets, and stricter enforcement of chroot. ></p> > ></body> ></section> ><section id="selinux"> ><title>SELinux</title> ><body> > ><p> >SELinux was written by the NSA and can enforce policies on all processes and >objects on a system. Many people, including the Hardened project, are so >confident in its ability to lock down a system that they have setup public >machines and challenge anyone to take down the box (given a root password!) ></p> > ></body> ></section> ><section id="systrace"> ><title>Systrace</title> ><body> > ><p> >Systrace is a lightweight ACL system with an easy to use policy editor and a >gui for on-the-fly policy management. Additionally this allows applications >which require root capabilities to run without setuid and setgid flags. ></p> > ></body> ></section> ></chapter> > ><chapter> ><title>PIE/SSP</title> ><section> ><body> > ><p> >These two hardening features are added to binaries at compile time by GCC. ></p> > ></body> ></section> ><section id="et_dyn"> ><title>PIE/SSP</title> ><body> > ><p> >Another compile time feature to protect a programs space in memory from >exploitation. This feature tells the compiler to create a Position Independent >Executable, which can be used by a PaX (see below) enabled kernel to fully >randomize the executable's memory space. This protection method has no >noticable performance impact, and prevents exploits that are written to >target specific memory addresses. This can be enabled transparently via >hardened-gcc (See Below.) ></p> > ></body> ></section> ><section id="ssp"> ><title>SSP (Stack Smashing Protection)</title> ><body> > ><p> >Known commonly as ProPolice, this GCC patch is included by default in Gentoo, >but not enabled. This protects binaries from malicious code insertion into the >stack. Whenever a buffer (area in memory where a program accepts user input) is >created, ProPolice inserts a cryptographic "canary", and after each write to a >buffer verifies that the canary has not been overwritten. This nullifies a >common attack where a cracker inserts malicious code past the edge of a buffer >and the program blindly executes it. This feature is enabled via the compiler >flag "-fstack-protector" or transparently via hardened-gcc (See Below.) ></p> > ></body> ></section> ><section id="hardened-gcc"> ><title>Hardened GCC</title> ><body> > ><p> >When GCC is built with USE="hardened", modified spec files are installed that allow >for transparent PIE/SSP compiles. Since these options are enabled by the spec file >there is no reason to also add them to CFLAGS. In fact, in the case of PIE this can >even cause problems. ></p> > ></body> ></section> ></chapter> > ><chapter id="ids"> ><title>Instrusion Detection Systems</title> ><section> ><body> > ><p> >This class of programs monitor log files for suspicious activity and report >it to the administrator. ></p> > ></body> ></section> ><section id="prelude"> ><title>Prelude</title> ><body> > ><p> >Prelude is a hybrid intrusion detection system that tracks both network >intrusions and host intrusions with an lml (log monitoring lackey). >Integrating this on a large scale, adding support to certain apps, and adding >rules so that lml can monitor other projects like SELinux. ></p> > ></body> ></section> ></chapter> ></guide>
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=36956">View the attachment on a separate page</a>.</b>
View Attachment As Raw
Actions:
View
Attachments on
bug 59164
:
36645
|
36646
|
36940
|
36941
| 36956
