[opensuse-security] Security features of current openSUSE versions?

Dear openSUSE developers or Experts!

In these days I am mostly engaged in the task of choosing a free and secure Linux distribution for our university. I prefer openSUSE but its security is unclear for me in some aspects. As far as I know, openSUSE has compile time and runtime userland protection against memory related exploits (gcc / Fortify Source), runtime SSP (gcc / -fstack-protector), and LSM based MAC framework (AppArmor). But I wonder if you could tell me if:

- openSUSE 10.3 or older versions have all packages compiled as PIE or PIC to utilize the ASLR capabilities of the 2.6.20 and newer Linux kernels? (Does openSUSE 10.3 have an ASLR capability comparable to that of PaX?)
- openSUSE has W^X capabilities (similar to the capabilities provided by PaX or ExecShield patches)? On which architectures and how extensively?
- openSUSE packages are linked with BIND_NOW option to make the -z relro linking option even more effective?
- openSUSE systems have some extra chroot restrictions, /dev/mem, /dev/kmem, /dev/port, /proc/<PID>/stat, /proc/<PID>/maps, Linux privileged I/O related or other security enhancements beyond the security of the vanilla Linux kernel?

Thank you for the invaluable information!

Best regards:
Nemeth, Tamas
IT administrator
University of West-Hungary, Sopron, Hungary

On Thu, May 24, 2007 at 04:32:24PM +0200, Németh Tamás wrote:
> Dear openSUSE developers or Experts!
> In these days I am mostly engaged in the task of choosing a free and secure Linux distribution for our university. I prefer openSUSE but its security is unclear for me in some aspects. As far as I know, openSUSE has compile time and runtime userland protection against memory related exploits (gcc / Fortify Source), runtime SSP (gcc / -fstack-protector), and LSM based MAC framework (AppArmor). But I wonder if you could tell me if:
> - openSUSE 10.3 or older versions have all packages compiled as PIE or PIC to utilize the ASLR capabilities of the 2.6.20 and newer Linux kernels? (Does openSUSE 10.3 have an ASLR capability comparable to that of PaX?)

We have a selected set of packages (but not all) compiled as PIE since 10.1.

The kernel has various parts of ASLR:
- MMAP and Stack location: is in the kernel since 10.1
- PIE binaries location: is not in the mainline kernel yet, so we do not have it.

We are however working on bringing binary location randomization into the mainline kernel.

> - openSUSE has W^X capabilities (similar to the capabilities provided by PaX or ExecShield patches)? On which architectures and how extensively?

All AMD64 systems, all x86 systems with the "bigsmp" kernel if the hardware supports it, not sure about the other architectures (PPC, S390, IA64...). We do not support Software NX.

Almost all packages use non-executable heap and stack. Exceptions are binary-only packages, OpenOffice_org and some other minor packages.

> - openSUSE packages are linked with BIND_NOW option to make the -z relro linking option even more effective?

Not at this time, the performance cost was considered too high.

> - openSUSE systems have some extra chroot restrictions, /dev/mem, /dev/kmem, /dev/port, /proc/<PID>/stat, /proc/<PID>/maps, Linux privileged I/O related or other security enhancements beyond the security of the vanilla Linux kernel?

For those we do not have additional protection features.

http://en.opensuse.org/Security_Features has a summary.

Ciao, Marcus
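
Added example, not part of the original thread and not openSUSE tooling: the properties discussed in the reply above (PIE, non-executable stack, `-z relro`, BIND_NOW) are recorded in a binary's ELF headers and can be checked per file. The code handles little-endian ELF64 only; `audit_elf64`, `build_sample` and the three sample images are constructed for this illustration.

```python
import struct

# ELF constants (System V gABI plus GNU extensions); layouts are little-endian ELF64.
ET_EXEC, ET_DYN, PF_X, DF_BIND_NOW, DF_1_NOW = 2, 3, 1, 0x8, 0x1
PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474E551, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
EHDR, PHDR, DYN = "<16sHHIQQQIHHHHHH", "<IIQQQQQQ", "<qQ"

def audit_elf64(data):
    """Return PIE / NX-stack / RELRO / BIND_NOW status of an ELF64 LSB image."""
    (ident, e_type, _, _, _, phoff, _, _, _,
     phentsize, phnum, _, _, _) = struct.unpack_from(EHDR, data)
    if ident[:6] != b"\x7fELF\x02\x01":
        raise ValueError("not a little-endian ELF64 file")
    # ET_DYN also covers shared libraries; no PT_GNU_STACK is reported as not NX.
    res = {"pie": e_type == ET_DYN, "nx_stack": False, "relro": False, "bind_now": False}
    for i in range(phnum):
        p_type, p_flags, p_off, _, _, p_filesz, _, _ = struct.unpack_from(
            PHDR, data, phoff + i * phentsize)
        if p_type == PT_GNU_STACK:
            res["nx_stack"] = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            res["relro"] = True
        elif p_type == PT_DYNAMIC:
            for off in range(p_off, p_off + p_filesz, 16):
                tag, val = struct.unpack_from(DYN, data, off)
                if tag == DT_NULL:
                    break
                if (tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW)
                        or (tag == DT_FLAGS_1 and val & DF_1_NOW)):
                    res["bind_now"] = True
    res["full_relro"] = res["relro"] and res["bind_now"]
    return res

def build_sample(e_type, stack_flags, dyn_entries, relro=True):
    """Constructed image for the demo: ELF header, program headers, .dynamic."""
    dyn = b"".join(struct.pack(DYN, t, v) for t, v in dyn_entries + [(DT_NULL, 0)])
    phdrs = [(PT_GNU_STACK, stack_flags, 0), (PT_DYNAMIC, 6, len(dyn))]
    phdrs += [(PT_GNU_RELRO, 4, 0)] if relro else []
    dyn_off = 64 + 56 * len(phdrs)
    ehdr = struct.pack(EHDR, b"\x7fELF\x02\x01\x01" + bytes(9), e_type, 62, 1,
                       0, 64, 0, 0, 64, 56, len(phdrs), 0, 0, 0)
    body = b"".join(struct.pack(PHDR, t, f, dyn_off if t == PT_DYNAMIC else 0,
                                0, 0, sz, sz, 8) for t, f, sz in phdrs)
    return ehdr + body + dyn

# Constructed samples: full hardening, PIE + RELRO with lazy binding, legacy build.
HARDENED = build_sample(ET_DYN, 6, [(DT_FLAGS, DF_BIND_NOW)])
LAZY_PIE = build_sample(ET_DYN, 6, [])
LEGACY = build_sample(ET_EXEC, 7, [], relro=False)
```

To audit a real binary, pass `open(path, "rb").read()` to `audit_elf64`. `LAZY_PIE` models the combination described in the reply: RELRO without BIND_NOW leaves the lazily bound part of the GOT writable, which is what `full_relro` reports as false.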

You may like to try Fedora Core, sponsored by Red Hat:
http://fedoraproject.org/wiki/Overview

It has an option called SELinux which you might like.
http://fedoraproject.org/wiki/SELinux

Regards
Keith

Yes, it seems to me, that Fedora is more security-oriented than the SuSE family, but SuSE is close. Beside this, the criticized AppArmor may be a better choice for simple minded IT administrators (like me) than SELinux. Moreover, a Hungarian IT administrator told me that SuSE can be administrated easier via SSH.

Bye: Tamas

On 24 May 2007 at 19:57, Keith Roberts wrote:
> You may like to try Fedora Core, sponsored by Red Hat:
> http://fedoraproject.org/wiki/Overview
> It has an option called SELinux which you might like.
> http://fedoraproject.org/wiki/SELinux
> Regards
> Keith

Németh Tamás wrote:
> Yes, it seems to me, that Fedora is more security-oriented than the SuSE family, but SuSE is close. Beside this, the criticized AppArmor may be a better choice for simple minded IT administrators (like me) than SELinux.

That's one way to put it.

Another way to put it is that there are only 2 kinds of Fedora users:

* those that run the system as configured out of the box, no changes, no new applications
* those that have disabled SELinux

AppArmor is for more than simple minded IT administrators like you :-) it is for administrators who don't have time to be a full-time SELinux admin, because they have something else to do.

You can tell, because SuSE Linux Enterprise support includes support for AppArmor, while RHEL support just tells you to turn SELinux off if it troubles you. To get help creating or modifying a security policy, RH wants you to buy a consulting agreement. We expect users to be able to use AppArmor, and RH apparently does not share the same confidence in SELinux.

I argue that openSUSE machines with AppArmor enabled are considerably more secure than Fedora machines with SELinux disabled.

Crispin
--
Crispin Cowan, Ph.D. http://crispincowan.com/~crispin/
Director of Software Engineering http://novell.com
Security: It's not linear

The Monday 2007-05-28 at 22:53 -0700, Crispin Cowan wrote:
> I argue that openSUSE machines with AppArmor enabled are considerably more secure than Fedora machines with SELinux disabled.

Obviously! ;-)

--
Cheers,
Carlos E. R.

Crispin Cowan wrote:
> Németh Tamás wrote:
>> Yes, it seems to me, that Fedora is more security-oriented than the SuSE family, but SuSE is close. Beside this, the criticized AppArmor may be a better choice for simple minded IT administrators (like me) than SELinux.
> That's one way to put it.
> Another way to put it is that there are only 2 kinds of Fedora users:
> * those that run the system as configured out of the box, no changes, no new applications
> * those that have disabled SELinux
> AppArmor is for more than simple minded IT administrators like you :-) it is for administrators who don't have time to be a full-time SELinux admin, because they have something else to do.

This is self-serving crap. I have no direct training in SELinux, but I have administered Fedora boxes and modified the security policy for new apps with no more help than a few Google searches. You see, SELinux is open source software, just like AppArmor, and there is plenty of help out there if you need it.

> I argue that openSUSE machines with AppArmor enabled are considerably more secure than Fedora machines with SELinux disabled.

You're not arguing it, you are stating it. And it's a specious statement in any case. There is no need to disable SELinux.

You've given me yet another reason to dump openSUSE. Arrogance bred from self-assurance is no way to be secure.

Adios,
Lee Brotzman

Lee Brotzman wrote:
> Crispin Cowan wrote:
>> I argue that openSUSE machines with AppArmor enabled are considerably more secure than Fedora machines with SELinux disabled.
> You're not arguing it, you are stating it. And it's a specious statement in any case. There is no need to disable SELinux.

Actually, the above statement is trivially true. The controversial implication is that most RH/Fedora users need to turn SELinux off.

That is a hard thing to prove, but it seems to bear out whenever I talk to users. Your opinions may vary :) One more statistical anecdote was at a technical lecture at MIT, where one assumes the audience is mostly pretty high tech. One of Novell's engineers asked for a show of hands, and of 15 RH/Fedora users, 2 still had SELinux enabled.

> You've given me yet another reason to dump openSUSE. Arrogance bred from self-assurance is no way to be secure.

I'm sorry to see you go, but I object to the arrogance and self-serving charges. It seems to me that it is the SELinux community that overtly asserts that end users should not be writing security policy, and thus they have made no attempt to make policy authoring accessible to end users. Instead, the enhanced GUI tools are ways to enable and disable existing SELinux policy. "You're too dumb for this, let the professionals handle it." seems much more arrogant than anything I have ever said.

Crispin
--
Crispin Cowan, Ph.D. http://crispincowan.com/~crispin/
Director of Software Engineering http://novell.com
Security: It's not linear
Participants (6): Carlos E. R., Crispin Cowan, Keith Roberts, Lee Brotzman, Marcus Meissner, Németh Tamás