From: 7v5w7go9ub0o <7v5w7go9ub0o@gmail.com>
Date: Wed, 26 Nov 2008 12:31:09 -0500
To: gentoo-hardened@lists.gentoo.org
Subject: [gentoo-hardened] Re: hardened workstation - is that worth it?
Message-ID: <492D87DD.4090203@gmail.com>
References: <200811251700.45540.janklodvan@gmail.com> <492CAE52.5050709@gmail.com> <20081126023421.GQ1806@home.power>
In-Reply-To: <20081126023421.GQ1806@home.power>

Alex Efros wrote:
> Hi!
>
> On Tue, Nov 25, 2008 at 09:02:58PM -0500, 7v5w7go9ub0o wrote:
>> I run the "old" hardened toolchain, grsecurity-enhanced hardened kernel,
>> rbac control, and jails for anything that accesses the LAN/WAN. (heh... I
>> even chroot and kill dhcpcd after 5 seconds). Avira has hundreds of Linux
>> rootkit signatures in its database, so I run Avira and Dazuko
>> realtime/on-access scanning on my /home directory, the chroot jails, and on
>> the portage workspace used during download and compilation.
>
> Wow. While I'm a paranoiac in this sense too, I'm too lazy to do most of
> these things.
> It's good to know there is potential for me to advance on
> this way! ;-)

I set this up three+ years ago, and after initial setup, it's been really
easy to maintain. Every now and then I have to "retrain" RBAC, but I use a
training script to do that, so it is pretty automatic as well.

> BTW, was your workstation really under attack (not counting ssh worms
> and the like script kiddie games)? Were there attacks which were able to
> break the first circle of protection (GrSec+PaX+toolchain)?

I've not had anything break G+P+T.

- I had PaX continuously cancel Firefox on a particular site a few years
ago, and never figured out what it was. It might have been a browser
attack, or it may have simply been a badly-written extension. I now
browse with Opera (in a jail), and use Firefox ("fox in a box") in a
limited way.

- Today I also real-time scan the browser jails (which I run in ramdisk,
so that any unintended changes are discarded at the end of the session)
with Dazuko/Antivir, and have had a number of suspicious scripts blocked
by AntiVir before the browser could act on them - so I think that my
exposure is thereby reduced.

> As for me, I decided not to worry about these things (browser chroot, etc.)
> for now because on a workstation the most important information is the
> files in my home directory... and the applications I use (like browser,
> mail client, etc.) MUST have access to these files or these applications
> become nearly unusable for me. So, even with RSBAC, if my mutt gets owned
> by some malicious email, and it deletes/damages files it usually has
> access to (like my mailbox :)), that will be _enough_ and do much more
> damage to me than installing a rootkit. So, I choose to do regular
> automated backups and run chkrootkit/rkhunter from cron just in case they
> detect something interesting to play with. :)

Well, that's a good point - it can be a pain, e.g. copying a document into
the mail client chroot jail so that I can send it.

I also use numerous individual, single-purpose users (e.g. ooffice:ooffice,
opera:opera, tbird:tbird, etc.) so that, e.g., user/jail wireshark:wireshark
cannot read user tbird:tbird, and vice versa. This can be a pain because I
need to change privilege, as well as copying things into, e.g., the tbird
jail.

Copying downloads out of jails is easy - a script copies all downloads from
the various jails into a single folder, which is then scanned for Trojan
signatures.
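The "collect downloads from the jails into one folder, then scan it" step described at the end of the message, written out as an added example; this is not the poster's own script, and the jail paths, the quarantine path and the scanner command are placeholders chosen for the illustration. It prefixes each file with the name of the jail it came from, skips symlinks (so a link planted inside a jail cannot drag an outside file into the scan folder), and makes the collected files read-only and non-executable until the scanner has looked at them.

```shell
#!/bin/sh
# Added example, not the poster's script. Gathers downloads out of several
# per-application jails into one quarantine directory and hands that
# directory to a scanner. Jail paths, the quarantine path and the scanner
# command are placeholders chosen for this example.

# collect_downloads QUARANTINE_DIR JAIL_DOWNLOAD_DIR...
# Moves each regular file out of every jail download directory into
# QUARANTINE_DIR. The file name is prefixed with the jail name so a flagged
# file can still be traced to the jail it came from. Symlinks are skipped so
# a link planted inside a jail cannot pull an outside file into the scan
# folder. Prints the number of files moved.
collect_downloads() {
    quarantine=$1; shift
    mkdir -p "$quarantine"
    chmod 0700 "$quarantine"      # only the scanning user looks inside
    moved=0
    for src in "$@"; do
        [ -d "$src" ] || continue             # jail has no download dir yet
        jail=$(basename "$(dirname "$src")")  # /jails/opera/downloads -> opera
        for f in "$src"/*; do
            if [ -L "$f" ] || [ ! -f "$f" ]; then
                continue
            fi
            dest="$quarantine/${jail}__$(basename "$f")"
            mv -f -- "$f" "$dest"
            chmod 0400 "$dest"    # read-only and never executable until scanned
            moved=$((moved + 1))
        done
    done
    echo "$moved"
}

# scan_quarantine QUARANTINE_DIR SCANNER_CMD [ARGS...]
# Runs the configured scanner over the quarantine directory and returns its
# exit status; the poster's AntiVir invocation would take the place of
# SCANNER_CMD, which is left as a placeholder here.
scan_quarantine() {
    quarantine=$1; shift
    "$@" "$quarantine"
}

# Usage with placeholder paths (the scanner here is a stand-in):
#   n=$(collect_downloads /var/quarantine /jails/opera/downloads /jails/tbird/downloads)
#   scan_quarantine /var/quarantine ls -l
```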