[Eug-lug] Gentoo hardened

Jacob Meuser jakemsr at jakemsr.com
Thu Aug 5 16:16:53 PDT 2004


On Thu, Aug 05, 2004 at 03:55:52PM -0700, larry price wrote:
> On Thu, 5 Aug 2004 15:14:19 -0700, Jacob Meuser <jakemsr at jakemsr.com> wrote:
> > If it doesn't break the apps you want to use, it would probably be
> > useful.  Note the last line of the Project Goals, "These solutions
> > will be available in Gentoo once they've been tested for security
> > and stability by the Hardened team."
> > 
> > In OpenBSD, these things are there by default.  They are tested and
> > they work.  They are part of the default install, and if there are
> > problems, they are fixed.  I wonder how much support you'd get if
> > say, you install mozilla, or kde, and it doesn't work on hardened
> > gentoo, but it does work without the hardened stuff.
> 
> I would be curious to see the difference in performance between the
> hardened gentoo and a plain vanilla install that's been secured to
> adequate standards (no xinetd running wide open, a standard firewall,
> smtpd basics etc.).

There are immense differences.  The hardened stuff is a whole other
level of security.  It's still important to use firewalls and basic
hardening techniques along with the kernel and ld.so enhancements.

> And or OpenBSD vs. FreeBSD 4.10 vs. Slackware vs. Debian
> 
> It seems like there would be some performance hit for more advanced
> features (like ACLs for instance) and possibly for some of the
> relatively basic things (if it takes 3 times longer to open a file
> under one regime, that's a severe hit for some applications).
> 
> What would be the variables that could be tested that would tell you
> something worthwhile?
> 
> partial list:
> 1. read/write speed (also open, close, and sync)

Heh, 2^10 small reads and writes, then pull the plug.  How long did the
reads and writes take, and did the filesystem get corrupted?

> 2. speed to respond to a network request ( how many requests/second
> before failure)

what kind of "network request"?

> 3. speed of opening network sockets ( how many open, write, close
> cycles in a given t)

would require "native" code for each platform.

> 4. speed of performing a standard numeric benchmark

standard in what sense?

> 5. fork and exec benchmark (how fast, how many, privilege checking)

would require "native" code for each platform.

> Of course to be at all meaningful all other variables would need to be
> constrained...

Well, for starters, we'd need each OS to have dedicated disks, all
identical.  We couldn't just install them all on the same disk, as
position on the disk would skew disk access times.

> It would be somewhat interesting way to compare OS's 
> if we could count on having a standard reference box available 
> it might be a good clinic project. 

It would be a fun and teaching challenge.  It would probably be
expensive to do it "Really Right" though.

-- 
<jakemsr at jakemsr.com>
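As an added example (not part of the original thread, and not code from either poster), here is a small POSIX C harness that times two of the variables Larry lists: item 1 (2^10 small open/write/fsync/close cycles, with a follow-up check of how many bytes actually reached the disk, which is the "did the filesystem get corrupted" question) and item 5 (fork+exec cycles). Because it uses only POSIX calls it is one piece of "native" code that builds unchanged on OpenBSD, FreeBSD, and any Linux distribution, hardened or not. The scratch path `/tmp/euglug_bench.bin` and the target program `/bin/true` are assumptions; all function names are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

/* Monotonic wall-clock time in seconds. */
static double now_sec(void) {
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (double)ts.tv_sec + (double)ts.tv_nsec / 1e9;
}

/* Variable 1: n open/write/fsync/close cycles of `chunk` bytes appended to
 * `path`. fsync() after every write forces each chunk to stable storage, so
 * what is measured is the on-disk commit path, not the page cache.
 * Returns elapsed seconds, or -1.0 if any call fails. */
double bench_small_writes(const char *path, int n, size_t chunk) {
    char *buf = malloc(chunk);
    if (buf == NULL) return -1.0;
    memset(buf, 'x', chunk);
    unlink(path);                          /* start from an empty file */
    double t0 = now_sec();
    for (int i = 0; i < n; i++) {
        int fd = open(path, O_WRONLY | O_CREAT | O_APPEND, 0600);
        if (fd < 0) { free(buf); return -1.0; }
        int ok = write(fd, buf, chunk) == (ssize_t)chunk && fsync(fd) == 0;
        close(fd);
        if (!ok) { free(buf); return -1.0; }
    }
    double elapsed = now_sec() - t0;
    free(buf);
    return elapsed;
}

/* Consistency check: bytes that reached the disk. After a real
 * "pull the plug" run, compare this against n * chunk. */
long long bytes_on_disk(const char *path) {
    struct stat st;
    if (stat(path, &st) != 0) return -1;
    return (long long)st.st_size;
}

/* Variable 5: n fork()+execl() cycles of `prog`, waiting for each child.
 * Returns elapsed seconds, or -1.0 if fork fails or a child does not
 * exit with status 0 (a failed exec is reported as status 127). */
double bench_fork_exec(const char *prog, int n) {
    double t0 = now_sec();
    for (int i = 0; i < n; i++) {
        pid_t pid = fork();
        if (pid < 0) return -1.0;
        if (pid == 0) {
            execl(prog, prog, (char *)NULL);
            _exit(127);                    /* only reached if exec failed */
        }
        int status = 0;
        if (waitpid(pid, &status, 0) < 0) return -1.0;
        if (!WIFEXITED(status) || WEXITSTATUS(status) != 0) return -1.0;
    }
    return now_sec() - t0;
}

int main(void) {
    const char *scratch = "/tmp/euglug_bench.bin";  /* assumed scratch path */
    const int n = 1 << 10;                           /* 2^10, as in the thread */
    double w = bench_small_writes(scratch, n, 512);
    double f = bench_fork_exec("/bin/true", n);      /* assumed target program */
    if (w < 0 || f < 0) { perror("benchmark"); return 1; }
    printf("%d write+fsync cycles: %.3f s (%.1f us each), %lld bytes on disk\n",
           n, w, w / n * 1e6, bytes_on_disk(scratch));
    printf("%d fork+exec cycles:   %.3f s (%.1f us each)\n", n, f, f / n * 1e6);
    unlink(scratch);
    return 0;
}
```

Run it with the scratch path pointed at a dedicated disk on each box, as the thread suggests, so disk position does not skew the write numbers; the fork+exec figure is where kernel hardening (extra privilege and address-space checks at exec time) would show up first, and a hardened kernel that refuses to run the target binary surfaces as a -1 result rather than a silently fast one.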
