[gentoo-hardened] Re: hardened workstation - is that worth it?

[7v5w7go9ub0o <7v5w7go9ub0o@gmail.com>]

Jan Klod wrote:
> Suppose, I want to take some extra precautions and set up PaX&co and MAC on a 
> workstation with Xorg and other nice KDE apps (only some of which should be 
> granted access to files in folder X). I would like to read others opinion, if 
> I can get considerable security improvements or I will have to make that much 
> of exceptions to those good rules, as it makes protection too useless?
> 
> Regards,
> Jan
> 
> 

Depends upon your definition of hardening, I guess.

I run the "old" hardened toolchain, grsecurity-enhanced hardened kernel,
rbac control, and jails for anything that accesses the LAN/WAN.(heh... I
even chroot and kill dhcpcd after 5 seconds). Avira has hundreds of 
Linux rootkit signatures in its database, so I run Avira and Dazuko 
realtime/on-access scanning on my /home directory, the chroot jails, and 
on the portage workspace used during download and compilation.

I presume that for a desktop user, most attacks come in through the
browser, and/or extensions, plugins (e.g. flash), BHO's, etc. Something 
could also come through the distribution chain from a compromised or 
spoofed source - therefor the signature scanning.

- I presume that pax and/or ssp will protect me against memory attacks
that may come in through a L/WAN connection.

- If the L/WAN attack comes in through, say, a browser exploit or
backdoor it will be confined by RBAC to the areas I trained it to
access, and no more. That would be the jail.

- If the browser tries to "jail break", it will run up against the anti
jailbreak hardening provided by grsecurity, and be terminated.

- grsecurity blocks writing to /dev/mem, kmem, port.

Judging by the other posts here, someone who knows what he is doing can
have my box.

Well..... yes!   - nothing is 100%. But I'm not trying to protect 
against him.... I'm worried about 95%: the 0-day browser bugs, 
compromised extensions, etc. that may allow a Trojan to try its stuff, 
or may allow an inpatient script-kiddee to have a shell on a Linux box 
that doesn't have this kernel and binary hardening; that doesn't run 
applications in hardened jails.