[Eug-lug] Gentoo hardened
larry price
laprice at gmail.com
Thu Aug 5 17:41:16 PDT 2004
On Thu, 5 Aug 2004 16:15:53 -0701, Jacob Meuser <jakemsr at jakemsr.com> wrote:
> On Thu, Aug 05, 2004 at 03:55:52PM -0700, larry price wrote:
> > I would be curious to see the difference in performance between the
> > hardened gentoo and a plain vanilla install that's been secured to
> > adequate standards (no xinetd running wideopen, a standard firewall,
> > smtpd basics etc.).
>
> There are immense differences. The hardened stuff is a whole other
> level of security. It's still important to use firewalls and basic
> hardening techniques along with the kernel and ld.so enhancements.
>
Yes, one would expect a hit, but it's not a necessary hit in every case
after all the speed of an algorithm is not necessarily coupled with
it's security.
> > What would be the variables that could be tested that would tell you
> > something worthwhile?
> >
> > partial list:
> > 1. read/write speed (also open, close, and sync)
>
> Heh, 2^10 small reads and writes, then pull the plug. How long did the
> reads and writes take, and did the filesystem get corrupted.
>
Or N reads/writes/close on /mnt/tmp; umount /mnt/tmp; mount
/mnt/tmp; check files
> > 2. speed to respond to a network request ( how many requests/second
> > before failure)
>
> what kind of "network request"?
>
apache serving a standard page?
echo request.; chargen ?
> > 3. speed of opening network sockets ( how many open, write, close
> > cycles in a given t)
>
> would require "native" code for each platform.
>
I would think a perl or python script, or a posix-compliant C program
would work,
this would be more in the nature of testing "real world performance"
so a scripting language would actually be a good measure of likely
performance.
> > 4. speed of performing a standard numeric benchmark
>
> standard in what sense?
well there is the LINPACK benchmark, or the calculation of a set
number of digits of pi
>
> > 5. fork and exec benchmark (how fast, how many, privilege checking)
>
> would require "native" code for each platform.
>
see #3 above
> > Of course to be at all meaningful all other variable would need to be
> > constrained...
>
> Well, for starters, we'd need each OS to have dedicated disks, all
> identical. We couldn't just install them all on the same disk, as
> position on the disk would skew disk access times.
>
> > It would be somewhat interesting way to compare OS's
> > if we could count on having a standard reference box available
> > it might be a good clinic project.
>
> It would be a fun and teaching challenge. It would probably be
> expensive to do it "Really Right" though.
>
well, I'll ask around and see if we can get OPN to loan us a low-end
box and just do one OS a week for several weeks, on the premise that
actually hitting the limits of a slower older box will tell us more
about the overhead imposed by the OS.
Just went to set up a wiki page to edit benchmark, but wiki is gone, oh well.
More information about the EUGLUG
mailing list