From: 7v5w7go9ub0o <7v5w7go9ub0o@gmail.com>
To: gentoo-hardened@lists.gentoo.org
Subject: [gentoo-hardened] Re: hardened workstation - is that worth it?
Date: Wed, 26 Nov 2008 12:31:09 -0500
Message-ID: <492D87DD.4090203@gmail.com>
In-Reply-To: <20081126023421.GQ1806@home.power>
Alex Efros wrote:
> Hi!
>
> On Tue, Nov 25, 2008 at 09:02:58PM -0500, 7v5w7go9ub0o wrote:
>> I run the "old" hardened toolchain, grsecurity-enhanced hardened kernel,
>> rbac control, and jails for anything that accesses the LAN/WAN. (heh... I
>> even chroot and kill dhcpcd after 5 seconds). Avira has hundreds of Linux
>> rootkit signatures in its database, so I run Avira and Dazuko
>> realtime/on-access scanning on my /home directory, the chroot jails, and on
>> the portage workspace used during download and compilation.
>
> Wow. While I'm a paranoiac in this sense too, I'm too lazy to do most of
> these things. It's good to know there is potential for me to advance
> this way! ;-)
I set this up three+ years ago, and after the initial setup, it's been
really easy to maintain. Every now and then I have to "retrain" RBAC,
but I use a training script to do that, so it is pretty automatic as well.
>
> BTW, was your workstation really under attack (not counting ssh worms
> and the like script kiddie games)? Were there attacks which were able to
> break the first circle of protection (GrSec+PaX+toolchain)?
I've not had anything break G+P+T.
- I had PaX continuously cancel Firefox on a particular site a few years
ago, and never figured out what it was. It might have been a browser
attack, or it may have simply been a badly-written extension.
I now browse with Opera (in a jail), and use Firefox ("fox in a box") in
a limited way.
- I also now real-time scan the browser jails (which I run in a ramdisk,
so that any unintended changes are discarded at the end of the session)
with Dazuko/AntiVir, and have had a number of suspicious scripts blocked
by AntiVir before the browser could act on them - so I think that my
exposure is thereby reduced.
>
> As for me, I decided not to worry about these things (browser chroot, etc.)
> for now because on a workstation the most important information is the files
> in my home directory... and the applications I use (like browser, mail client,
> etc.) MUST have access to these files, or these applications become nearly
> unusable for me. So, even with RSBAC, if my mutt is owned by some
> malicious email and it deletes/damages files it usually has access to
> (like my mailbox :)), that will be _enough_ and do much more damage to
> me than installing a rootkit. So, I chose to do regular automated backups
> and run chkrootkit/rkhunter from cron just in case they detect
> something interesting to play with. :)
Well, that's a good point - it can be a pain, e.g. copying a document
into the mail client chroot jail so that I can send it.
I also use numerous individual, single-purpose users (e.g.
ooffice:ooffice, opera:opera, tbird:tbird, etc.) so that, e.g.,
user/jail wireshark:wireshark cannot read user tbird:tbird, and vice
versa.
This can be a pain because I need to change privilege, as well as
copy things into, e.g., the tbird jail.
Copying downloads out of jails is easy - a script copies all downloads
from the various jails into a single folder, which is then scanned for
Trojan signatures.
>
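The "copy downloads out of the jails into one folder, then scan it" step from the end of the message, as an added example that is not the poster's own script. It assumes a hypothetical layout in which each jail lives under one directory and keeps its downloads in `<jail>/home/<jailname>/Downloads`; files are moved into a quarantine folder prefixed with the jail they came from (so two jails cannot clobber each other's `doc.txt`), stripped of any execute bit, and then checked. The signature check is a constructed sha256 blocklist standing in for a real AV database; if `clamscan` happens to be installed it is run over the folder as well.

```shell
#!/bin/sh
# Added example, not the list poster's script. Hypothetical jail layout:
#   $JAIL_DIR/home/$(basename $JAIL_DIR)/Downloads
set -u

# collect_downloads QUARANTINE_DIR JAIL_DIR...
# Moves every regular file from each jail's download directory into
# QUARANTINE_DIR as <jailname>__<filename>, mode 0600 (no execute bit
# survives the move). Prints the number of files moved.
collect_downloads() {
    quarantine=$1; shift
    mkdir -p "$quarantine" || return 1
    chmod 0700 "$quarantine"
    count=0
    for jail in "$@"; do
        name=$(basename "$jail")
        src="$jail/home/$name/Downloads"
        [ -d "$src" ] || continue
        for f in "$src"/*; do
            [ -f "$f" ] || continue
            dest="$quarantine/${name}__$(basename "$f")"
            # never overwrite an earlier copy that has the same name
            [ -e "$dest" ] && dest="${dest}.$(date +%s).$$"
            cp -p "$f" "$dest" && chmod 0600 "$dest" && rm -f "$f" \
                && count=$((count + 1))
        done
    done
    echo "$count"
}

# scan_quarantine QUARANTINE_DIR BLOCKLIST
# BLOCKLIST holds one lowercase sha256 per line (constructed stand-in for
# real signatures). Prints "MATCH: <path>" for every hit; also runs clamscan
# when it is installed. Returns 0 only if nothing matched.
scan_quarantine() {
    quarantine=$1; blocklist=$2
    hits=0
    for f in "$quarantine"/*; do
        [ -f "$f" ] || continue
        sum=$(sha256sum "$f" | cut -d' ' -f1)
        if grep -qxF "$sum" "$blocklist"; then
            echo "MATCH: $f"
            hits=$((hits + 1))
        fi
    done
    if command -v clamscan >/dev/null 2>&1; then
        # clamscan exits 1 on infected files, 2 on error; treat both as a hit
        clamscan -r --infected "$quarantine" || hits=$((hits + 1))
    fi
    [ "$hits" -eq 0 ]
}

# Stand-alone demo on constructed sample data (no real downloads involved).
demo_run() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/jails/opera/home/opera/Downloads"
    printf 'constructed sample file\n' > "$tmp/jails/opera/home/opera/Downloads/note.txt"
    # pretend the sample's hash is a known-bad signature
    sha256sum "$tmp/jails/opera/home/opera/Downloads/note.txt" | cut -d' ' -f1 > "$tmp/blocklist"
    moved=$(collect_downloads "$tmp/quarantine" "$tmp/jails/opera")
    echo "moved $moved file(s) into $tmp/quarantine"
    if scan_quarantine "$tmp/quarantine" "$tmp/blocklist"; then
        echo "no matches"
    else
        echo "matches found: leave them in quarantine"
    fi
    rm -rf "$tmp"
}
demo_run
```

Run as the user that owns the quarantine folder, not as root: the jails are writable by their single-purpose users only, so in practice the copy step needs either group-readable download directories or a small privileged helper, which is exactly the privilege-switching annoyance the message describes.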