Message-ID: <492D8A30.6090101@gmail.com>
Date: Wed, 26 Nov 2008 12:41:04 -0500
From: 7v5w7go9ub0o <7v5w7go9ub0o@gmail.com>
To: gentoo-hardened@lists.gentoo.org
List-Id: Gentoo Linux mail <gentoo-hardened@lists.gentoo.org>
Subject: [gentoo-hardened] Re: hardened workstation - is that worth it?
References: <200811251700.45540.janklodvan@gmail.com> <492CAE52.5050709@gmail.com> <5ce96da209ed1611d3db108f807a2002.squirrel@atoth.sote.hu>
In-Reply-To: <5ce96da209ed1611d3db108f807a2002.squirrel@atoth.sote.hu>

atoth-J1cgac+wqeJaB7pSnPOuKA@public.gmane.org wrote:
> On Wed, November 26, 2008 03:02, 7v5w7go9ub0o wrote:
>> I run the "old" hardened toolchain, grsecurity-enhanced hardened kernel,
>> rbac control, and jails for anything that accesses the LAN/WAN. (heh... I
>> even chroot and kill dhcpcd after 5 seconds). Avira has hundreds of
>> Linux rootkit signatures in its database, so I run Avira and Dazuko
>> realtime/on-access scanning on my /home directory, the chroot jails, and
>> on the portage workspace used during download and compilation.
>
> patch-dazuko-2.6.26 cannot be applied on 2.6.27 any more, because of some
> API changes. There are signs of a redirfs-based patch for 2.6.27. I
> haven't downloaded it, yet. Upstream pushes dazukofs. What type of dazuko
> setup do you use? What are your experiences with redirfs or dazukofs?

Sigh... yes, it becomes murky for me beyond 2.6.26. I'm presently using
patch-dazuko-linux-2.6.25.diff.gz on hardened-sources-2.6.25-r10, and don't
have any experience with redirfs or dazukofs.

ISTM there is now (finally) a LOT of interest in real-time file access
control, along with competing approaches including dazuko, dazukofs, redirfs,
and "libmalware.so" (under discussion at kerneltrap).

Things I'd like to pursue :-) :

1. Signature and heuristic scanning of anything that downloads into my box,
   or anything that may be compiled from otherwise innocent-looking code.
   Dazuko/Antivir provides that now.

2. "Whitelist" scanning. This would be a realtime "integrity management
   system" challenge/update. So if, e.g., the MD5 of an LKM or other system
   file changed, the scanner would stop, pop up, and challenge the validity
   of the modified LKM.

3. "Changed folder" monitoring. E.g., if I get activity in a usenet
   application, I could get a popup and "beep".
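The baseline-and-compare step behind items 2 and 3 (whitelist the digests of a module tree, then report anything modified, added or removed), written here as an added example rather than code from this thread or from dazuko; it assumes SHA-256 instead of the MD5 mentioned above and runs against a constructed fake module tree in a temporary directory.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path, algo="sha256"):
    """Stream the file through the digest so large modules never sit in memory at once."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Whitelist: relative POSIX path -> digest for every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(baseline, current):
    """Drift report: digest changed, not in the whitelist, or gone since baseline."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def demo_drift():
    """Constructed scenario (hypothetical files): baseline a tree, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        mods = Path(tmp) / "modules"
        (mods / "net").mkdir(parents=True)
        (mods / "net" / "e1000.ko").write_bytes(b"original driver bytes")
        (mods / "net" / "tun.ko").write_bytes(b"tun bytes")
        (mods / "fs.ko").write_bytes(b"fs bytes")
        baseline = build_baseline(mods)
        # The three events item 2 wants the scanner to stop on:
        # a known module's bytes changed, an unknown module appeared, a baselined one vanished.
        (mods / "net" / "e1000.ko").write_bytes(b"original driver bytes + patch")
        (mods / "unknown.ko").write_bytes(b"not on the whitelist")
        (mods / "fs.ko").unlink()
        return compare(baseline, build_baseline(mods))


if __name__ == "__main__":
    for kind, files in demo_drift().items():
        print(f"{kind}: {files}")
```

A real deployment would persist the baseline outside the monitored tree (and ideally on read-only media) so that whatever modified the module cannot also rewrite the whitelist.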