I began by saying that I wanted to dispel the widespread fear that Hardened is too difficult, or that stability, functionality or system performance is lost. I have already described what Hardened Gentoo is in general terms; now let's take a closer look at these concerns.
Complexity
I have not got around to setting up the role-based system (RBAC / SELinux), precisely because of its complexity. Perhaps, of course, the complexity is only apparent and in fact everything is simple there too, I don't know... :) After all, I am mostly a programmer, and there is never enough time for administration. In general, if there is anything in Hardened that is complicated and demands a lot of time and attention, it is setting up roles.
But everything I have described before is configured very simply, quickly, and only once, and gives a fairly strong gain in the security of the system!
Stability
For many years I have been using Hardened in the described form both at home on a workstation and on all my servers. During this time there have been no stability problems caused by Hardened, and I have not seen any complaints about it on the mailing list.
As for the stability of building Gentoo itself, since packages are constantly being updated and compiled: a couple of years ago some workarounds were needed. For example, to get X Window working with the ATI drivers it had to be built with a non-hardened gcc (a simple script was written to switch gcc automatically while compiling packages). Some other trivial problems came up too, but not a single critical one. Now there are no such problems at all. That is, you switch the system to Hardened and forget about it; you can carry on doing everything as if nothing had happened. Only hacking your server has become much harder. :)
Functionality
Yes, for some packages to work you still need to use the chpax / paxctl utilities to disable part of the hardened protection for specific applications.
But in Gentoo this operation has long been automated: for such applications, chpax / paxctl is run during the package installation phase, so you no longer have to worry about it.
And apart from this nuance (that for some applications part of the protection is turned off), all applications work in Hardened Gentoo without problems (at least with the kernel settings I mentioned in the previous part).
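As an added example (not code from the original post), a small Python script that reads the PT_PAX_FLAGS program header, the marking paxctl writes into a binary, and lists which PaX protections have been explicitly disabled for it; this lets you audit what the install-time chpax / paxctl step relaxed on your own system. It assumes the PT_PAX_FLAGS type and flag bit values from PaX's elf.h, constructs its own sample ELF image for demonstration, and does not handle the older EI_PAX e_ident marking or the newer xattr-based marking.

```python
import struct

PT_PAX_FLAGS = 0x65041580  # PaX program header type (PT_LOOS + 0x5041580), written by paxctl
# Per-feature (enable bit, disable bit) as defined in PaX's elf.h; a set "disable" bit
# is what chpax/paxctl leave behind when a protection is turned off for one binary.
PAX_FLAG_BITS = {
    "PAGEEXEC": (1 << 4, 1 << 5),
    "SEGMEXEC": (1 << 6, 1 << 7),
    "MPROTECT": (1 << 8, 1 << 9),
    "RANDEXEC": (1 << 10, 1 << 11),
    "EMUTRAMP": (1 << 12, 1 << 13),
    "RANDMMAP": (1 << 14, 1 << 15),
}

def pax_flags_from_elf(data: bytes):
    """Return p_flags of the PT_PAX_FLAGS header, or None if the binary has none."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64 = data[4] == 2                  # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if data[5] == 1 else ">"   # EI_DATA: 1 = little-endian, 2 = big-endian
    if is64:
        e_phoff = struct.unpack_from(end + "Q", data, 0x20)[0]
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x36)
    else:
        e_phoff = struct.unpack_from(end + "I", data, 0x1C)[0]
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x2A)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type = struct.unpack_from(end + "I", data, off)[0]
        # p_flags follows p_type directly in Elf64_Phdr but sits at offset 24 in Elf32_Phdr
        p_flags = struct.unpack_from(end + "I", data, off + (4 if is64 else 24))[0]
        if p_type == PT_PAX_FLAGS:
            return p_flags
    return None

def disabled_protections(p_flags: int) -> list:
    """Names of PaX features explicitly disabled in a PT_PAX_FLAGS value."""
    return sorted(name for name, (_on, off) in PAX_FLAG_BITS.items() if p_flags & off)

def build_sample_elf64(pax_flags: int) -> bytes:
    """Constructed minimal ELF64 (x86-64, little-endian) carrying one PT_PAX_FLAGS header."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_PAX_FLAGS, pax_flags, 0, 0, 0, 0, 0, 0)
    return ehdr + phdr
```

For a real binary, pass the file's bytes to pax_flags_from_elf; a result of None means the file carries no paxctl marking at all, while an empty list from disabled_protections means every protection is left on.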
Performance
Honestly, I have not measured it myself, and it is not entirely clear what to measure or how. As far as I understand from the Internet, you can expect up to a 3-4% loss of performance in the worst case, and usually it will be less than a percent.
But again, it depends on which features you enable. If you turn on SELinux or RBAC, you may lose those 3-4%, but I have not got around to setting them up yet. :(
Visually, after switching to Hardened there is no difference either on the home machine or on the servers.
Of course, some performance was probably lost due to the switch to -O2.
I also ran into the fact that choosing the "wrong" one of these two options when configuring the kernel:
[ ] Paging based non-executable pages
[*] Segmentation based non-executable pages
caused noticeable slowdowns. Now I no longer see the first option in the kernel (the one that tended to be slow on some types of processors).
Conclusions
In general, you have a real opportunity to significantly improve the security of your machines by spending, just once, a couple of hours of your time on switching to Hardened and a day of machine time (until the system has been completely rebuilt).
"Think for yourself, decide for yourself: to have or not to have." :)