[ubuntu-hardened] Some thoughts about the hardened schema

Jamie Jones jamie_jones_au at yahoo.com.au
Tue Apr 12 12:40:54 CDT 2005


I've been going over the ubuntu hardened schema here
http://pearls.tuxedo-es.org/misc/ubuntu-hardened-schema.png and I had a
few questions and thoughts I'd like to share. (I did check the list,
so don't flame me too much if I missed something.)

1) libsafe is missing from the schema. Does that mean it wasn't
considered, or was it rejected for some reason? I've been using that to
provide ssp-like protection for binary-only programs (many commercial
games come to mind). I haven't had any major issues with it (well, maybe
the amd64 package should come with a 32-bit version to stop OOo from not
starting because there was no 32-bit libsafe to load, but to me the bug
is that OOo isn't 64-bit clean).

2) I noticed that RSBAC and SE Linux are listed, with SE Linux as the
default solution. Does SE Linux have any advantages over RSBAC? It seems
to me that RSBAC is more flexible, with module support for PAX flags
and other useful features like the Dazuko module. SE Linux might have
similar features, but if it has, I've missed them. If that's the case,
could someone point me in the right direction to check it out?

3) I noticed that PAX and Exec Shield are listed as supported. While I
prefer PAX to Exec Shield, both do ASLR, right? That would mean that
they both drain entropy from the kernel each time they do ASLR, right?
Would Robert Love's netdev-random patch (2.6.10 version found in
http://dev.gentoo.org/~tseng/kernel/hardened-patches-2.6-10.3.tar.bz2 )
be suitable for adding more entropy back into the system (or cutting off
that source if you are suitably paranoid)?

Thanks for taking the time to read this.


GPG/PGP signed mail preferred. No HTML mail. No MS Word attachments
PGP Key ID 0x42E2C1E5
Fingerprint 3C77 9621 84C5 C32F D409 A38D A035 7E65 42E2 C1E5
