public inbox for gentoo-user@lists.gentoo.org
* [gentoo-user] How to harden a system
From: Peter Humphrey @ 2017-12-23 14:09 UTC
  To: gentoo-user

Hello list,

Now that grsecurity is off-limits, I'm left wondering how to go about 
hardening a no-multilib box that will be exposed to the Big Bad World.

To start with, it's not obvious which profile to use:

$ eselect profile list | grep no-multi | grep hardened
  [23]  default/linux/amd64/17.0/no-multilib/hardened
  [24]  default/linux/amd64/17.0/no-multilib/hardened/selinux
  [29]  hardened/linux/amd64/no-multilib
  [30]  hardened/linux/amd64/no-multilib/selinux

The wiki is also now out of date; it still talks about grsecurity, and there 
are too many overlapping guides.

Until that's sorted out, would the panel like to offer some guidance?

-- 
Regards,
Peter.




* Re: [gentoo-user] How to harden a system
From: Michael Orlitzky @ 2017-12-23 17:46 UTC
  To: gentoo-user

On 12/23/2017 09:09 AM, Peter Humphrey wrote:
> Hello list,
> 
> Now that grsecurity is off-limits, I'm left wondering how to go about 
> hardening a no-multilib box that will be exposed to the Big Bad World.

You can still use grsec/pax if you're willing to stick with an older
(LTS) kernel:

https://github.com/minipli/linux-unofficial_grsec/tree/linux-4.9.x-unofficial_grsec


> To start with, it's not obvious which profile to use:
> 
> $ eselect profile list | grep no-multi | grep hardened
>   [23]  default/linux/amd64/17.0/no-multilib/hardened
>   [24]  default/linux/amd64/17.0/no-multilib/hardened/selinux

One of those two, depending on whether or not you use SELinux.





* Re: [gentoo-user] How to harden a system
From: Peter Humphrey @ 2017-12-23 18:09 UTC
  To: gentoo-user

On Saturday, 23 December 2017 17:46:20 GMT Michael Orlitzky wrote:
> On 12/23/2017 09:09 AM, Peter Humphrey wrote:
> > Hello list,
> > 
> > Now that grsecurity is off-limits, I'm left wondering how to go about
> > hardening a no-multilib box that will be exposed to the Big Bad World.
> 
> You can still use grsec/pax if you're willing to stick with an older
> (LTS) kernel:
> 
> https://github.com/minipli/linux-unofficial_grsec/tree/linux-4.9.x-unofficial_grsec

Oh, that's good - thanks Michael.

> > To start with, it's not obvious which profile to use:
> > 
> > $ eselect profile list | grep no-multi | grep hardened
> > 
> >   [23]  default/linux/amd64/17.0/no-multilib/hardened
> >   [24]  default/linux/amd64/17.0/no-multilib/hardened/selinux
> 
> One of those two, depending on whether or not you use SELinux.

Thanks again for the advice.

-- 
Regards,
Peter.




* Re: [gentoo-user] How to harden a system
From: Adam Carter @ 2017-12-24 3:20 UTC
  To: gentoo-user


On Sun, Dec 24, 2017 at 1:09 AM, Peter Humphrey <peter@prh.myzen.co.uk>
wrote:

> Hello list,
>
> Now that grsecurity is off-limits, I'm left wondering how to go about
> hardening a no-multilib box that will be exposed to the Big Bad World.
>
> To start with, it's not obvious which profile to use:
>
> $ eselect profile list | grep no-multi | grep hardened
>   [23]  default/linux/amd64/17.0/no-multilib/hardened
>   [24]  default/linux/amd64/17.0/no-multilib/hardened/selinux
>   [29]  hardened/linux/amd64/no-multilib
>   [30]  hardened/linux/amd64/no-multilib/selinux


I'm using default/linux/amd64/17.0/desktop/gnome/systemd and the binaries
are all pretty much:
 Position Independent Executable: yes
 Stack protected: yes
 Fortify Source functions: yes
 Read-only relocations: yes
 Immediate binding: no, not found!

So I'm wondering how much difference there is between hardened and
non-hardened profiles these days.

For kernel configs, I'm using these as they sounded sensible on a cursory
read of the help (some are quite recent additions to the kernel):
CONFIG_CC_STACKPROTECTOR=y
CONFIG_CC_STACKPROTECTOR_STRONG=y
CONFIG_RANDOMIZE_BASE=y
CONFIG_RANDOMIZE_MEMORY=y
CONFIG_HARDENED_USERCOPY=y
CONFIG_FORTIFY_SOURCE=y
CONFIG_VMAP_STACK=y
CONFIG_REFCOUNT_FULL=y

I don't use AppArmor or SELinux, but for an internet-facing webserver I'd
consider using SELinux to more finely lock down permissions on the webroot.
I also recall that a fully permissive SELinux configuration has a side
effect that improved security, so CONFIG_SECURITY_SELINUX is on, but I can't
find any evidence to support my memory on that one.

Lastly, this is in /etc/sysctl.conf. SYN cookies is a kernel option. The FIN
timeout cut was to clear out tens of thousands of TIME_WAIT sessions.
net.ipv4.tcp_fin_timeout = 20
net.ipv4.tcp_syncookies = 1


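The per-binary listing above (PIE, stack protector, FORTIFY, RELRO, immediate binding) is the sort of report tools like checksec or hardening-check produce by running readelf. The following is an added example, not code from the thread or from Gentoo: it derives the same five answers directly from the ELF64 program headers and dynamic section, so it can be run on any binary without binutils installed. It also shows why "Read-only relocations: yes" plus "Immediate binding: no" is only partial RELRO: the GOT is made read-only only after lazy binding has finished, so without BIND_NOW it stays writable during program execution. `build_sample_elf` is a constructed, code-less ELF image used purely to exercise the checker offline; the `__stack_chk_fail` and `*_chk` import heuristics are the usual ones, not an official ABI definition.

```python
import struct

ET_EXEC, ET_DYN = 2, 3
PT_LOAD, PT_DYNAMIC, PT_INTERP = 1, 2, 3
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
PF_X = 1
DT_NULL, DT_STRTAB, DT_STRSZ, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 5, 10, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW, DF_1_PIE = 0x8, 0x1, 0x08000000

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # Elf64_Ehdr, little-endian
PHDR = struct.Struct("<IIQQQQQQ")          # Elf64_Phdr
DYN = struct.Struct("<qQ")                 # Elf64_Dyn


def elf_hardening(data):
    """Report PIE / stack protector / FORTIFY / RELRO / BIND_NOW / NX for one ELF64 LE image."""
    hdr = EHDR.unpack_from(data, 0)
    ident = hdr[0]
    if ident[:4] != b"\x7fELF" or ident[4] != 2 or ident[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    e_type, e_phoff, e_phentsize, e_phnum = hdr[1], hdr[5], hdr[9], hdr[10]
    phdrs = [PHDR.unpack_from(data, e_phoff + i * e_phentsize) for i in range(e_phnum)]
    loads = [p for p in phdrs if p[0] == PT_LOAD]

    def va_to_off(va):
        # translate a virtual address to a file offset through the PT_LOAD segments
        for _t, _f, off, vaddr, _pa, filesz, _ms, _al in loads:
            if vaddr <= va < vaddr + filesz:
                return va - vaddr + off
        raise ValueError("address %#x is not backed by any PT_LOAD" % va)

    dyn = {}  # DT_* tag -> value, read from the PT_DYNAMIC segment
    for p in phdrs:
        if p[0] == PT_DYNAMIC:
            pos = p[2]
            while True:
                tag, val = DYN.unpack_from(data, pos)
                if tag == DT_NULL:
                    break
                dyn[tag] = val
                pos += DYN.size

    flags, flags1 = dyn.get(DT_FLAGS, 0), dyn.get(DT_FLAGS_1, 0)
    bind_now = DT_BIND_NOW in dyn or bool(flags & DF_BIND_NOW) or bool(flags1 & DF_1_NOW)
    relro = any(p[0] == PT_GNU_RELRO for p in phdrs)
    stack = [p for p in phdrs if p[0] == PT_GNU_STACK]

    # Imported names live in .dynstr: __stack_chk_fail means -fstack-protector emitted
    # canary checks; any other *_chk import is a _FORTIFY_SOURCE wrapper (heuristic).
    names = set()
    if DT_STRTAB in dyn and DT_STRSZ in dyn:
        off = va_to_off(dyn[DT_STRTAB])
        names = set(data[off:off + dyn[DT_STRSZ]].split(b"\0")) - {b""}

    return {
        # ET_DYN alone also matches shared libraries, so require DF_1_PIE or an interpreter
        "pie": e_type == ET_DYN and (bool(flags1 & DF_1_PIE) or any(p[0] == PT_INTERP for p in phdrs)),
        "stack_protector": b"__stack_chk_fail" in names,
        "fortify": any(n.endswith(b"_chk") and n != b"__stack_chk_fail" for n in names),
        # RELRO is only "full" when the GOT is bound eagerly and made read-only at startup
        "relro": "full" if relro and bind_now else "partial" if relro else "none",
        "bind_now": bind_now,
        "nx_stack": bool(stack) and not (stack[0][1] & PF_X),
    }


def build_sample_elf(pie=True, bind_now=False, relro=True, stack_protector=True,
                     fortify=True, exec_stack=False):
    """Constructed minimal ELF64 (headers, .dynamic and .dynstr only, no code) so the
    checker can be exercised offline. Not real compiler output."""
    strtab = b"\0puts\0"
    if stack_protector:
        strtab += b"__stack_chk_fail\0"
    if fortify:
        strtab += b"__printf_chk\0"
    phnum = 3 + (1 if relro else 0)
    str_off = EHDR.size + PHDR.size * phnum
    dyn_off = (str_off + len(strtab) + 7) & ~7
    entries = [(DT_STRTAB, str_off), (DT_STRSZ, len(strtab)),
               (DT_FLAGS, DF_BIND_NOW if bind_now else 0),
               (DT_FLAGS_1, (DF_1_PIE if pie else 0) | (DF_1_NOW if bind_now else 0)),
               (DT_NULL, 0)]
    dynamic = b"".join(DYN.pack(t, v) for t, v in entries)
    total = dyn_off + len(dynamic)
    phdrs = [PHDR.pack(PT_LOAD, 4, 0, 0, 0, total, total, 0x1000),  # one R segment at vaddr 0
             PHDR.pack(PT_DYNAMIC, 4, dyn_off, dyn_off, dyn_off, len(dynamic), len(dynamic), 8),
             PHDR.pack(PT_GNU_STACK, 6 | (PF_X if exec_stack else 0), 0, 0, 0, 0, 0, 16)]
    if relro:
        phdrs.append(PHDR.pack(PT_GNU_RELRO, 4, dyn_off, dyn_off, dyn_off, len(dynamic), len(dynamic), 1))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8
    ehdr = EHDR.pack(ident, ET_DYN if pie else ET_EXEC, 0x3E, 1, 0, EHDR.size, 0, 0,
                     EHDR.size, PHDR.size, phnum, 0, 0, 0)
    image = ehdr + b"".join(phdrs) + strtab
    return image.ljust(dyn_off, b"\0") + dynamic


if __name__ == "__main__":
    import sys
    # usage: python elf_hardening.py /path/to/binary   (defaults to the constructed sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_elf()
    for key, value in elf_hardening(data).items():
        print("%-16s %s" % (key, value))
```

Run against the constructed default sample it reports exactly the pattern quoted above: PIE, stack protector, FORTIFY and RELRO present, bind_now false, hence relro "partial". Linking with -Wl,-z,now (which Gentoo's hardened toolchain does by default) flips it to "full". On a real system, loop it over /usr/bin to find the stragglers.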

* Re: [gentoo-user] How to harden a system
From: Adam Carter @ 2017-12-24 9:43 UTC
  To: gentoo-user


>
> Lastly, this in /etc/sysctl.conf. SYN cookies is kernel option. The fin
> timeout cut was to clear out tens of thousands of TIME_WAIT sessions.
> net.ipv4.tcp_fin_timeout = 20
> net.ipv4.tcp_syncookies = 1
>

Oh, I just noticed that vtv is now default enabled for gcc, so you could try:
CXXFLAGS="${CFLAGS} -fvtable-verify=std"

I tried this on earlier gccs, and there was a fair bit of breakage so I
didn't pursue it. Maybe I'll re-try with 7.2 to see how things have
progressed.

"security feature that verifies at run time, for every virtual call, that
the vtable pointer through which the call is made is valid for the type of
the object, and has not been corrupted or overwritten. If an invalid
vtable pointer is detected at run time, an error is reported and
execution of the program is immediately halted"



* Re: [gentoo-user] How to harden a system
From: Grant Taylor @ 2017-12-24 18:37 UTC
  To: gentoo-user


On 12/24/2017 02:43 AM, Adam Carter wrote:
> Oh I just noticed that vtv is now default enabled for gcc, so you 
> could try;
> 
> CXXFLAGS="${CFLAGS} -fvtable-verify=std"
> 
> I tried this on earlier gccs, and there was a fair bit of breakage so 
> I didn't pursue it. Maybe I'll re-try with 7.2 to see how things have 
> progressed.

Would you please elaborate on what types of breakage you saw?

> "security feature that verifies at run time, for every virtual call, 
> that the vtable pointer through which the call is made is valid for the 
> type of the object, and has not been corrupted or overwritten.  If an 
> invalid vtable pointer is detected at run time, an error is reported 
> and execution of the program is immediately halted"

I'm extremely new to these types of thing and don't truly understand the 
failure mode of things like this.  It sounds like vtable-verify will 
conceptually make things more secure.  But I don't know enough to know 
how likely code believed to be perfectly happy is to pass or fail such 
vtable verifications.



-- 
Grant. . . .
unix || die




* Re: [gentoo-user] How to harden a system
From: Taiidan @ 2017-12-24 19:44 UTC
  To: gentoo-user, Peter Humphrey

I would also consider purchasing a system with libre firmware and 
without ME/PSP such as:

POWER 9:
TALOS 2 (server/workstation, brand new and very high performance - the 
only brand new hardware that is legitimately libre)

x86-64:
(older, pre-PSP AMD - the best CPUs for C32/G34 are equivalent to one 
FX-8310 for the 8 core or almost two FX-8310 for the 16 core)
KGPE-D16 (server)
KCMA-D8 (workstation)
Lenovo G505S (laptop)

It is truly disturbing to think that someone with an ME exploit could 
hack 80% of the computers on the planet.



* Re: [gentoo-user] How to harden a system
From: R0b0t1 @ 2017-12-25 6:55 UTC
  To: gentoo-user; +Cc: Peter Humphrey


On Sun, Dec 24, 2017 at 1:44 PM, Taiidan@gmx.com <Taiidan@gmx.com> wrote:
> It is truly disturbing to think that someone with an ME exploit could hack
> 80% of the computers on the planet.
>

And sometimes I wonder

[-- Attachment #2: fair.jpg --]
[-- Type: image/jpeg, Size: 738682 bytes --]

[-- Attachment #3: dice.png --]
[-- Type: image/png, Size: 106951 bytes --]


* Re: [gentoo-user] How to harden a system
From: R0b0t1 @ 2017-12-25 6:56 UTC
  To: gentoo-user; +Cc: Peter Humphrey


On Mon, Dec 25, 2017 at 12:55 AM, R0b0t1 <r030t1@gmail.com> wrote:
> On Sun, Dec 24, 2017 at 1:44 PM, Taiidan@gmx.com <Taiidan@gmx.com> wrote:
>> It is truly disturbing to think that someone with an ME exploit could hack
>> 80% of the computers on the planet.
>>
>
> And sometimes I wonder

if it's already been done.

[-- Attachment #2: fair2.png --]
[-- Type: image/png, Size: 2758848 bytes --]

[-- Attachment #3: dice2.png --]
[-- Type: image/png, Size: 3097594 bytes --]


* Re: [gentoo-user] How to harden a system
From: Michael Orlitzky @ 2017-12-25 15:00 UTC
  To: gentoo-user

On 12/23/2017 10:20 PM, Adam Carter wrote:
> 
> So i'm wondering how much difference there is between hardened and
> non-hardened profiles these days.
> 

The hardened profiles ensure that PaX works by setting PAX_MARKINGS="XT"
and by making sure that you don't disable xattr support in, say,
coreutils. They also let you build gcc/glibc with USE=hardened, although
what that actually does these days I'm not sure.

Aside from that, the hardened profiles have less stuff enabled by
default. The "desktop" portion is the worst offender there...

  $ cat profiles/targets/desktop/make.defaults

  # Copyright 1999-2017 Gentoo Foundation
  # Distributed under the terms of the GNU General Public License v2

  USE="a52 aac acpi alsa bluetooth branding cairo cdda cdr consolekit
  cups dbus dri dts dvd dvdr emboss encode exif fam firefox flac gif
  glamor gpm gtk jpeg lcms ldap libnotify mad mng mp3 mp4 mpeg ogg
  opengl pango pdf png policykit ppds qt3support qt5 sdl spell startup-
  notification svg tiff truetype vorbis udev udisks unicode upower usb
  wxwidgets X xcb x264 xml xv xvid"

That's as opposed to,

  $ cat profiles/features/hardened/make.defaults
  ...
  USE="${USE} -berkdb -gdbm -tcpd"
  USE="${USE} -fortran"
  USE="${USE} -cli -session"
  USE="${USE} -dri"
  USE="${USE} -modules"



* Re: [gentoo-user] How to harden a system
From: Frank Steinmetzger @ 2017-12-25 15:33 UTC
  To: gentoo-user


On Mon, Dec 25, 2017 at 12:56:44AM -0600, R0b0t1 wrote:
> On Mon, Dec 25, 2017 at 12:55 AM, R0b0t1 <r030t1@gmail.com> wrote:
> > On Sun, Dec 24, 2017 at 1:44 PM, Taiidan@gmx.com <Taiidan@gmx.com> wrote:
> >> It is truly disturbing to think that someone with an ME exploit could hack
> >> 80% of the computers on the planet.
> >>
> >
> > And sometimes I wonder
> 
> if it's already been done.

Was it really necessary to send 12 Megs of pictures to hundreds of
subscribers for the information content of a few dozen bytes? Even picture
"apps" on phones are able to resize images.

Just sayin’
-- 
Gruß | Greetings | Qapla’
Please do not share anything from, with or about me on any social network.

“A Melmacian almost never goes back on his word sometimes.” – Alf



* Re: [gentoo-user] How to harden a system
From: Stroller @ 2017-12-25 18:55 UTC
  To: gentoo-user


> On 25 Dec 2017, at 15:33, Frank Steinmetzger <Warp_7@gmx.de> wrote:
> 
> On Mon, Dec 25, 2017 at 12:56:44AM -0600, R0b0t1 wrote:
>> On Mon, Dec 25, 2017 at 12:55 AM, R0b0t1 <r030t1@gmail.com> wrote:
>>> On Sun, Dec 24, 2017 at 1:44 PM, Taiidan@gmx.com <Taiidan@gmx.com> wrote:
>>>> It is truly disturbing to think that someone with an ME exploit could hack
>>>> 80% of the computers on the planet.
>>>> 
>>> 
>>> And sometimes I wonder
>> 
>> if it's already been done.
> 
> Was it really necessary to send 12 Megs of pictures to hundreds of
> subscribers for the information content of a few dozen bytes? Even picture
> "apps" on phones are able to resize images.

I assumed this was a fat-fingered mistake. How are the pics relevant to the thread?

Stroller.




* [gentoo-user] Re: How to harden a system
From: Ian Zimmerman @ 2017-12-25 23:33 UTC
  To: gentoo-user

On 2017-12-24 14:44, Taiidan@gmx.com wrote:

> POWER 9: TALOS 2 (server/workstation, brand new and very high
> performance - the only brand new hardware that is legitimately libre)

This is interesting, but can it run gentoo?  There's a handbook edition
for PPC64, but that's not quite the same, is it?

-- 
Please don't Cc: me privately on mailing lists and Usenet,
if you also post the followup to the list or newsgroup.
To reply privately _only_ on Usenet, fetch the TXT record for the domain.



* Re: [gentoo-user] Re: How to harden a system
From: Grant Taylor @ 2017-12-25 23:41 UTC
  To: gentoo-user


On 12/25/2017 04:33 PM, Ian Zimmerman wrote:
> This is interesting, but can it run gentoo?
I don't know about booting Gentoo as released or not.  But I do know 
that the OpenPOWER9 machines won't run AIX.  So they /must/ run Linux. 
(There may be something else that will run on them that I'm not aware of.)

Of course, I may be completely off my rocker.



-- 
Grant. . . .
unix || die




* Re: [gentoo-user] Re: How to harden a system
From: Taiidan @ 2017-12-26 18:33 UTC
  To: gentoo-user

On 12/25/2017 06:33 PM, Ian Zimmerman wrote:

> On 2017-12-24 14:44, Taiidan@gmx.com wrote:
>
>> POWER 9: TALOS 2 (server/workstation, brand new and very high
>> performance - the only brand new hardware that is legitimately libre)
> This is interesting, but can it run gentoo?  There's a handbook edition
> for PPC64, but that's not quite the same, is it?
It is.
PPC64 is big endian, PPC64LE is little endian.

POWER8/9 are bi-endian so you can use both (most Linux distros only 
support little).

PPC64 compile covers PowerPC and POWER.


TALOS 2 is an end-user-obtainable derivative of the Romulus POWER 9 
development board; there are a variety of modifications and it is more 
open source than Romulus. You can also pay for it with Bitcoin.
It supports dual Sforza CPUs, which have up to 24 cores per socket with 
SMT4 (4 threads at the same time per core).


