You are not logged in.

#1 2017-05-20 17:39:33

Zorbik
Member
Registered: 2016-08-09
Posts: 42

With grsecurity gone, what's the next best option?

I have been a user of the linux-grsec kernel as well as RBAC (with gradm and paxd) to further harden my Arch system. With these key features gone, I feel as if there is a large hole in the middle of systems that need to be secure as there are not many other offerings. The reason this is a whole month after the public support dropped is because I was too busy with university to get linux running on my machines again.

Now that these are not available to the public, I am curious as to what the next best option is. I know for example that the linux-hardened project is aiming to replicate the kernel hardening features that the grsec patchset provided. If I am not misinformed, pax features will eventually be coming to this project, and are currently in the process of being added so I am contempt with waiting.

I am now curious as to the best option for access control. I know that SELinux is a strong option, however I have heard that the learning curve is immense and is a paint to work with. IIRC, AppArmor provides a similar learning feature to grsec's RBAC, however I am not entirely sure how thorough or secure this option is compared to others.

I apologize if this is the wrong place to post this, however I am looking forward to the civil discussion this will hopefully begin about the security of arch and linux as a whole.

Mailing List Announcement: https://lists.archlinux.org/pipermail/a … 43604.html
linux-hardened project: https://github.com/thestinger/linux-hardened/wiki

Offline

#2 2017-05-20 18:05:01

fsckd
Forum Fellow
Registered: 2009-06-15
Posts: 4,173

Re: With grsecurity gone, what's the next best option?

Like with everything else, the answer depends on who you ask. Moving to GNU/Linux Discussion.


aur S & M :: forum rules :: Community Ethos
Resources for Women, POC, LGBT*, and allies

Offline

#3 2017-05-20 18:44:58

Alad
Wiki Admin/IRC Op
From: Bagelstan
Registered: 2014-05-04
Posts: 2,407
Website

Re: With grsecurity gone, what's the next best option?

As the mailing list post you've linked mentions, there's none so far.


Mods are just community members who have the occasionally necessary option to move threads around and edit posts. -- Trilby

Offline

#4 2017-05-20 19:04:56

Zorbik
Member
Registered: 2016-08-09
Posts: 42

Re: With grsecurity gone, what's the next best option?

@fsckd Thank you for bringing this to its proper location.

I wonder if there are any projects in the works that will provide something to fill the role based or labels AC that is more user friendly than SELinux. I would however my knowledge doesn't come close to what is needed to create that.
After reading into it a bit more, I am choosing not to use AppArmor or Tomoyo because the approach it takes to AC seems lacking, due to the fact that the control limitations are set on paths instead on the intended purpose of the given file. If an attacker knew which location on the filesystem gave the permissions they needed (greatly simplifying) they could place the file there and do as they please. I guess I'll have to start learning SELinux in my spare time until an alternative pops up.

Offline

#5 2017-05-20 20:25:56

brebs
Member
Registered: 2007-04-03
Posts: 3,742

Re: With grsecurity gone, what's the next best option?

Zorbik wrote:

they could place the file there and do as they please

Huh? I suspect this is a misunderstanding on your part, rather than a horrendous security weakness.

In AppArmor, we *specify* the files which are allowed to be executed, and the permissions.

Offline

#6 2017-07-15 20:28:04

PrimeArgon
Member
From: Holsworthy, Devon
Registered: 2017-07-14
Posts: 15

Re: With grsecurity gone, what's the next best option?

Hi, to some it up you've now got the linux-hardened package in the repository which is the next best option after the grsecurity being no longer available and its classed as the successor.


Arch + GNOME
------
Please post back your results to help others.

Offline

#7 2017-07-25 12:02:29

NoSuck
Member
Registered: 2015-03-04
Posts: 157
Website

Re: With grsecurity gone, what's the next best option?

It's great to see linux-hardened in the repos already.

Offline

Board footer

Powered by FluxBB