Hardened Gentoo
Encyclopedia
Hardened Gentoo is a project of Gentoo Linux
that is enhancing the distribution with security addons. Current security enhancements to Gentoo Linux can be:
The Mandatory Access Control (MAC) parts of SELinux, RSBAC and grsecurity are usually incompatible to each other.
However, the chroot and network restrictions of grsecurity and the memory protection of PaX can be used with the SELinux MAC model for example.
Gentoo Linux
Gentoo Linux is a computer operating system built on top of the Linux kernel and based on the Portage package management system. It is distributed as free and open source software. Unlike a conventional software distribution, the user compiles the source code locally according to their chosen...
that is enhancing the distribution with security addons. Current security enhancements to Gentoo Linux can be:
- SELinux
- A system of mandatory access controls. SELinux can enforce the security policy over all processes and objects in the system, and is an optional feature in all 2.6 kernel source packages.
- RSBACRSBACRSBAC is an open source access control framework for current Linux kernels, which has been in stable production use since January 2000 .-Features:*Free open source Linux kernel security extension....
- A mandatory access control security system based on Generalized Framework for Access Control (GFAC). It provides several standard and custom (and mixables) access control models. It can enforce operating systemOperating systemAn operating system is a set of programs that manage computer hardware resources and provide common services for application software. The operating system is the most important type of system software in a computer system...
access rules.
- A mandatory access control security system based on Generalized Framework for Access Control (GFAC). It provides several standard and custom (and mixables) access control models. It can enforce operating system
- PaXPaXPaX is a patch for the Linux kernel that implements least privilege protections for memory pages. The least-privilege approach allows computer programs to do only what they have to do in order to be able to execute properly, and nothing more. PaX was first released in 2000.PaX flags data memory as...
/grsecurityGrsecuritygrsecurity is a set of patches for the Linux kernel with an emphasis on enhancing security. Its typical application is in computer systems that accept remote connections from untrusted locations, such as web servers and systems offering shell access to its users.Released under the GNU General...
- grsecurityGrsecuritygrsecurity is a set of patches for the Linux kernel with an emphasis on enhancing security. Its typical application is in computer systems that accept remote connections from untrusted locations, such as web servers and systems offering shell access to its users.Released under the GNU General...
is a complete security solution providing such features as a MACMandatory access controlIn computer security, mandatory access control refers to a type of access control by which the operating system constrains the ability of a subject or initiator to access or generally perform some sort of operation on an object or target...
or RBAC system, chrootChrootA chroot on Unix operating systems is an operation that changes the apparent root directory for the current running process and its children. A program that is run in such a modified environment cannot name files outside the designated directory tree. The term "chroot" may refer to the chroot...
restrictions, address space modification protection (via PaXPaXPaX is a patch for the Linux kernel that implements least privilege protections for memory pages. The least-privilege approach allows computer programs to do only what they have to do in order to be able to execute properly, and nothing more. PaX was first released in 2000.PaX flags data memory as...
), auditing features, randomization features, linking restrictions to prevent file race conditions, ipc protections and much more.
- grsecurity
- Hardened Toolchain
- Transparent implementation of PaXPaXPaX is a patch for the Linux kernel that implements least privilege protections for memory pages. The least-privilege approach allows computer programs to do only what they have to do in order to be able to execute properly, and nothing more. PaX was first released in 2000.PaX flags data memory as...
address space layout randomizationAddress space layout randomizationAddress space layout randomization is a computer security method which involves randomly arranging the positions of key data areas, usually including the base of the executable and position of libraries, heap, and stack, in a process's address space.- Benefits :Address space randomization hinders...
s and stack smashing protections using ELFExecutable and Linkable FormatIn computing, the Executable and Linkable Format is a common standard file format for executables, object code, shared libraries, and core dumps. First published in the System V Application Binary Interface specification, and later in the Tool Interface Standard, it was quickly accepted among...
shared objects as executables.
- Transparent implementation of PaX
- sys-kernel/hardened-sources
- A kernel source package which includes patches for hardened subprojects, and stability/security-oriented patches, including GrsecurityGrsecuritygrsecurity is a set of patches for the Linux kernel with an emphasis on enhancing security. Its typical application is in computer systems that accept remote connections from untrusted locations, such as web servers and systems offering shell access to its users.Released under the GNU General...
.
- A kernel source package which includes patches for hardened subprojects, and stability/security-oriented patches, including Grsecurity
- Bastille LinuxBastille LinuxBastille Unix is an interactive hardening script for selected Linux distributions and other operating systems. It is free software licensed under the GPL. It does not appear to be updated or maintained any longer.-Bastille Linux renamed to Bastille Unix:...
- Bastille LinuxBastille LinuxBastille Unix is an interactive hardening script for selected Linux distributions and other operating systems. It is free software licensed under the GPL. It does not appear to be updated or maintained any longer.-Bastille Linux renamed to Bastille Unix:...
is an interactive application which gives the user suggestions on securing their machine. It will be customized to make suggestions about other Hardened Gentoo subprojects.
- Bastille Linux
The Mandatory Access Control (MAC) parts of SELinux, RSBAC and grsecurity are usually incompatible to each other.
However, the chroot and network restrictions of grsecurity and the memory protection of PaX can be used with the SELinux MAC model for example.
See also
- Security-focused operating system
- Comparison of Linux distributionsComparison of Linux distributionsTechnical variations of Linux distributions include support for different hardware devices and systems or software package configurations. Organizational differences may be motivated by historical reasons...