From: 7v5w7go9ub0o <7v5w7go9ub0o@gmail.com>
To: gentoo-hardened@lists.gentoo.org
Subject: [gentoo-hardened] Re: hardened workstation - is that worth it?
Date: Tue, 25 Nov 2008 21:02:58 -0500
Message-ID: <492CAE52.5050709@gmail.com>
In-Reply-To: <200811251700.45540.janklodvan@gmail.com>
References: <200811251700.45540.janklodvan@gmail.com>
List-Id: Gentoo Linux mail
User-Agent: Thunderbird 2.0.0.17 (X11/20080914)

Jan Klod wrote:
> Suppose, I want to take some extra precautions and set up PaX&co and MAC on a
> workstation with Xorg and other nice KDE apps (only some of which should be
> granted access to files in folder X). I would like to read others' opinion, if
> I can get considerable security improvements or I will have to make that much
> of exceptions to those good rules, as it makes protection too useless?
>
> Regards,
> Jan

Depends upon your definition of hardening, I guess.

I run the "old" hardened toolchain, grsecurity-enhanced hardened kernel, rbac control, and jails for anything that accesses the LAN/WAN. (heh... I even chroot and kill dhcpcd after 5 seconds).

Avira has hundreds of Linux rootkit signatures in its database, so I run Avira and Dazuko realtime/on-access scanning on my /home directory, the chroot jails, and on the portage workspace used during download and compilation.

I presume that for a desktop user, most attacks come in through the browser, and/or extensions, plugins (e.g. flash), BHO's, etc. Something could also come through the distribution chain from a compromised or spoofed source - therefore the signature scanning.

- I presume that pax and/or ssp will protect me against memory attacks that may come in through a L/WAN connection.

- If the L/WAN attack comes in through, say, a browser exploit or backdoor it will be confined by RBAC to the areas I trained it to access, and no more. That would be the jail.

- If the browser tries to "jail break", it will run up against the anti-jailbreak hardening provided by grsecurity, and be terminated.

- grsecurity blocks writing to /dev/mem, kmem, port.

Judging by the other posts here, someone who knows what he is doing can have my box. Well..... yes! - nothing is 100%. But I'm not trying to protect against him.... I'm worried about 95%: the 0-day browser bugs, compromised extensions, etc. that may allow a Trojan to try its stuff, or may allow an impatient script-kiddie to have a shell on a Linux box that doesn't have this kernel and binary hardening; that doesn't run applications in hardened jails.
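The post relies on the hardened toolchain (PIE, SSP) and PaX to blunt memory attacks; a practitioner would want to verify that the binaries actually carry those markers. The following is an added example, not code from this thread: it reads PIE, non-executable-stack and RELRO flags straight from an ELF64 program header table, using small ELF images constructed inline as fixtures (the SSP canary is not detected here, since that requires the symbol table).

```python
import struct

# ELF constants (from the ELF and GNU ABI specifications)
ET_EXEC, ET_DYN = 2, 3
PT_GNU_STACK = 0x6474E551   # stack permissions the binary asks for
PT_GNU_RELRO = 0x6474E552   # region the loader remaps read-only after relocation
PF_X = 0x1

def elf_hardening(data: bytes) -> dict:
    """Read PIE / NX-stack / RELRO markers from an ELF64 image.

    nx_stack is None when no PT_GNU_STACK header exists: the binary then
    leaves the decision to the kernel (or PaX), which is worth flagging.
    """
    if data[:4] != b"\x7fELF" or data[4] != 2:      # EI_CLASS 2 = ELF64
        raise ValueError("not an ELF64 image")
    end = "<" if data[5] == 1 else ">"              # EI_DATA 1 = little-endian
    e_type = struct.unpack_from(end + "H", data, 16)[0]
    e_phoff = struct.unpack_from(end + "Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
    nx_stack, relro = None, False
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, p_flags = struct.unpack_from(end + "II", data, off)
        if p_type == PT_GNU_STACK:
            nx_stack = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            relro = True
    return {"pie": e_type == ET_DYN, "nx_stack": nx_stack, "relro": relro}

def build_elf64(e_type: int, phdrs: list) -> bytes:
    """Constructed minimal little-endian x86-64 ELF image: header plus program
    headers only, no code. A test fixture for the check above, not a real binary."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
    hdr = ident + struct.pack("<HHIQQQIHHHHHH", e_type, 0x3E, 1, 0, 64, 0, 0,
                              64, 56, len(phdrs), 64, 0, 0)
    return hdr + b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0)
                          for t, f in phdrs)

# Constructed fixtures: a hardened-toolchain style build versus a plain one.
HARDENED = build_elf64(ET_DYN, [(PT_GNU_STACK, 0x6), (PT_GNU_RELRO, 0x4)])
PLAIN = build_elf64(ET_EXEC, [(PT_GNU_STACK, 0x7)])

if __name__ == "__main__":
    for name, image in (("hardened", HARDENED), ("plain", PLAIN)):
        print(name, elf_hardening(image))
```

On a real system, pass `open(path, "rb").read()` of any installed binary to `elf_hardening`; an `nx_stack` of `None` or `False` on a network-facing program is the finding to chase.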