[gentoo-user] Anyone running a hardened profile?

[gentoo-user] Anyone running a hardened profile?

[walt]

https://wiki.gentoo.org/wiki/Hardened_Gentoo

That wiki page is very seductive.  It makes me want to drop everything
and select a hardened profile and re-emerge everything from scratch.

But I have a feeling I'd soon be in big trouble if I did.  Is this
something that only gentoo devs should be messing with, or is this
a project that a typical gentoo end-user might hope to accomplish
without frequent suicidal thoughts?

[gentoo-user] Re: Anyone running a hardened profile?

[James]

walt <w41ter <at> gmail.com> writes:


> https://wiki.gentoo.org/wiki/Hardened_Gentoo

> That wiki page is very seductive.  It makes me want to drop everything
> and select a hardened profile and re-emerge everything from scratch.

Blueness has some interesting builds that might be worth taking for
a test drive before you commit to hardened?  Read up on them
to ensure they meet your needs, if you do not have a second, older
computer to install on and test. [1] 


> But I have a feeling I'd soon be in big trouble if I did.  Is this
> something that only gentoo devs should be messing with, or is this
> a project that a typical gentoo end-user might hope to accomplish
> without frequent suicidal thoughts?

Scary thoughts..... I keep old systems around to test things out
first. ymmv.

Also Pentoo (by dev zerochaos) has an installer and is hardened.n [2] 

James


[1] http://releases.freeharbor.net/

[2] http://www.pentoo.ch/download/

Re: [gentoo-user] Anyone running a hardened profile?

[Hinnerk van Bruinehsen]

Hello walt,

I've running hardened (hardened profile + kernel (including pax and grsec)) for
at least 5 years on all my boxes except one (my gaming only box).
It's been quite a while that I had an issue caused by the hardened profile that
wasn't due to my fiddeling around with stuff like SELinux and the like. Even
these problems were all relatively easy to solve.
Truth be told: I guess that you won't even notice the hardened profile unless
you also run a hardened kernel (while still having increased security).

On Sun, Sep 06, 2015 at 01:15:17PM -0700, walt wrote:
> https://wiki.gentoo.org/wiki/Hardened_Gentoo
> 
> That wiki page is very seductive.  It makes me want to drop everything
> and select a hardened profile and re-emerge everything from scratch.
> 
> But I have a feeling I'd soon be in big trouble if I did.  Is this
> something that only gentoo devs should be messing with, or is this
> a project that a typical gentoo end-user might hope to accomplish
> without frequent suicidal thoughts?

Re: [gentoo-user] Anyone running a hardened profile?

[Fernando Rodriguez]

On Sunday, September 06, 2015 1:15:17 PM walt wrote:
> https://wiki.gentoo.org/wiki/Hardened_Gentoo
> 
> That wiki page is very seductive.  It makes me want to drop everything
> and select a hardened profile and re-emerge everything from scratch.
> 
> But I have a feeling I'd soon be in big trouble if I did.  Is this
> something that only gentoo devs should be messing with, or is this
> a project that a typical gentoo end-user might hope to accomplish
> without frequent suicidal thoughts?

There's different opinions on it, but mine is that while it adds some security 
it's so little that it's not worth it in most cases. It provides more security 
on a binary distro because everyone has the same binaries and an attacker 
don't need to guess where a specific piece of code may get loaded but by 
running a source distro your address space is already pretty unique. The only 
case where it provides some security is when an attacker is trying to guess an 
address for an exploit, making the wrong guess will likely crash the process 
and it will be reloaded on a new address. Do you have valuable enough data for 
an attacker to go through that hassle in order to get it? If you do then you 
should use a hardened profile, but physical security and disk encryption is 
more important because if it's worth that much it'll be easier to just rob 
you.

Be aware that there's no hardened desktop profile so that alone will make it 
somewhat harder if plan to use it on a desktop.

Another reason is if you want to use something like SELinux (which doesn't 
require a hardened profile) that gives you very fine grained control about 
access control but it's also very restrictive. I think it's only worth it for 
large networks with many users and different levels of access to sensitive 
data.

I needed some of SELinux features but settled for using AppArmor in an unusual 
way to accomplish them because SELinux is too much trouble. All AppArmor 
really does is provide process isolation or sandboxing. If an attacker gains 
access through an exploint he will only be able to access the files that the 
exploited service has access to. I use it with a catch all profile that 
prevents execution from all world writeable and home directories, and access 
to ssh/pgp keys, keyrings, etc. This works nice for servers and desktops and 
is not too restrictive. And if I need to execute code from my home dir for 
development I can launch an unrestricted shell via sudo. I can leave my laptop 
unlocked with the wallet open (I use the kwallet pam module) and it will be 
really hard for you to get anything like ssh keys or passwords (I also have 
patches for kwallet so it requires a password to show saved passwords), but 
the programs that need them have access to them.


-- 
Fernando Rodriguez

Re: [gentoo-user] Anyone running a hardened profile?

[Michael Orlitzky]

On 09/06/2015 04:15 PM, walt wrote:
> https://wiki.gentoo.org/wiki/Hardened_Gentoo
> 
> That wiki page is very seductive.  It makes me want to drop everything
> and select a hardened profile and re-emerge everything from scratch.
> 
> But I have a feeling I'd soon be in big trouble if I did.  Is this
> something that only gentoo devs should be messing with, or is this
> a project that a typical gentoo end-user might hope to accomplish
> without frequent suicidal thoughts?

It depends on how many hardening features you want to enable. It's a lot
easier than it used to be because there's a kernel config thingy that
lets you pick safe options without understanding all the details. You
can get a lot of protection for very little risk by enabling pax/grsec
and checking a few boxes in the hardened kernel config.

Just beware that there are kernel options that will clobber things like
cpupower and others that will slow down specific programs like clamav
with JIT. Anyway, we're all here because we like to tinker with things
until they're broken, right? Give it a try and be sure to read the
kernel help pages carefully and have fun. You can always switch back to
a non-hardened kernel and everything will go back to normal.

Re: [gentoo-user] Anyone running a hardened profile?

[Andreas K. Huettel]

> But I have a feeling I'd soon be in big trouble if I did.  Is this
> something that only gentoo devs should be messing with, or is this
> a project that a typical gentoo end-user might hope to accomplish
> without frequent suicidal thoughts?

In most cases hardened just works. 

You may/will run into trouble when binary-only software (e.g. skype, nvidia-
drivers, ...) is used. If you can get along with an opensource-only system you 
will most likely be fine.

It's useful to be familiar with bugzilla, bug reporting procedures, ... and 
hang out on #gentoo-hardened in clase of trouble.


-- 

Andreas K. Huettel
Gentoo Linux developer 
dilfridge@gentoo.org
http://www.akhuettel.de/

Re: [gentoo-user] Anyone running a hardened profile?

[wabenbau]

Fernando Rodriguez <frodriguez.developer@outlook.com> wrote:

> On Sunday, September 06, 2015 1:15:17 PM walt wrote:
> > https://wiki.gentoo.org/wiki/Hardened_Gentoo
> > 
> > That wiki page is very seductive.  It makes me want to drop
> > everything and select a hardened profile and re-emerge everything
> > from scratch.
> > 
> > But I have a feeling I'd soon be in big trouble if I did.  Is this
> > something that only gentoo devs should be messing with, or is this
> > a project that a typical gentoo end-user might hope to accomplish
> > without frequent suicidal thoughts?
> 
> There's different opinions on it, but mine is that while it adds some
> security it's so little that it's not worth it in most cases. It
> provides more security on a binary distro because everyone has the
> same binaries and an attacker don't need to guess where a specific
> piece of code may get loaded but by running a source distro your
> address space is already pretty unique. The only case where it
> provides some security is when an attacker is trying to guess an
> address for an exploit, making the wrong guess will likely crash the
> process and it will be reloaded on a new address. Do you have
> valuable enough data for an attacker to go through that hassle in
> order to get it? If you do then you should use a hardened profile,
> but physical security and disk encryption is more important because
> if it's worth that much it'll be easier to just rob you.

I'm not a security expert, so I'm maybe wrong here, But I think there
are more security functions on gentoo-hardened than just address space
randomization. There are also things like stack smash protection and 
some other restrictions that make it harder to exploit security holes.
 
> Be aware that there's no hardened desktop profile so that alone will
> make it somewhat harder if plan to use it on a desktop.

I never used a desktop profile. I just added the USE flags that I need.

> Another reason is if you want to use something like SELinux (which
> doesn't require a hardened profile) that gives you very fine grained
> control about access control but it's also very restrictive. I think
> it's only worth it for large networks with many users and different
> levels of access to sensitive data.

Yes, SELinux can be very painfull and I also don't use it.
 
> I needed some of SELinux features but settled for using AppArmor in
> an unusual way to accomplish them because SELinux is too much
> trouble. All AppArmor really does is provide process isolation or
> sandboxing. If an attacker gains access through an exploint he will
> only be able to access the files that the exploited service has
> access to. I use it with a catch all profile that prevents execution
> from all world writeable and home directories, and access to ssh/pgp
> keys, keyrings, etc. This works nice for servers and desktops and is
> not too restrictive. And if I need to execute code from my home dir
> for development I can launch an unrestricted shell via sudo. I can
> leave my laptop unlocked with the wallet open (I use the kwallet pam
> module) and it will be really hard for you to get anything like ssh
> keys or passwords (I also have patches for kwallet so it requires a
> password to show saved passwords), but the programs that need them
> have access to them.

I will give AppArmor a try when I have more spare time.

--
Regards
wabe

Re: [gentoo-user] Anyone running a hardened profile?

[wabenbau]

walt <w41ter@gmail.com> wrote:

> https://wiki.gentoo.org/wiki/Hardened_Gentoo
> 
> That wiki page is very seductive.  It makes me want to drop everything
> and select a hardened profile and re-emerge everything from scratch.
> 
> But I have a feeling I'd soon be in big trouble if I did.  Is this
> something that only gentoo devs should be messing with, or is this
> a project that a typical gentoo end-user might hope to accomplish
> without frequent suicidal thoughts?

I'm using hardened-profile and hardened sources for many years on a
stable gentoo system. I don't have any binary packages installed.
Everything works fine. No headache and no suicidal tendencies so far.

There is a ML for gentoo-hardened (gentoo-hardened@lists.gentoo.org).
I think it would be a good idea to ask the guys there, because some 
of them have a very deep knowledge of the underlaying technique.

--
Regards
wabe

Re: [gentoo-user] Anyone running a hardened profile?

[wabenbau]

Michael Orlitzky <mjo@gentoo.org> wrote:

> On 09/06/2015 04:15 PM, walt wrote:
> > https://wiki.gentoo.org/wiki/Hardened_Gentoo
> > 
> > That wiki page is very seductive.  It makes me want to drop
> > everything and select a hardened profile and re-emerge everything
> > from scratch.
> > 
> > But I have a feeling I'd soon be in big trouble if I did.  Is this
> > something that only gentoo devs should be messing with, or is this
> > a project that a typical gentoo end-user might hope to accomplish
> > without frequent suicidal thoughts?
> 
> It depends on how many hardening features you want to enable. It's a
> lot easier than it used to be because there's a kernel config thingy
> that lets you pick safe options without understanding all the
> details. You can get a lot of protection for very little risk by
> enabling pax/grsec and checking a few boxes in the hardened kernel
> config.
> 
> Just beware that there are kernel options that will clobber things
> like cpupower and others that will slow down specific programs like
> clamav with JIT. Anyway, we're all here because we like to tinker
> with things until they're broken, right? Give it a try and be sure to
> read the kernel help pages carefully and have fun. You can always
> switch back to a non-hardened kernel and everything will go back to
> normal.

I don't think so (but maybe I'm wrong). You have to compile your entire 
system with a hardened toolchain to get full hardened support (SSP and
maybe some other things). I think, to go back to a "normal state", you
have to recompile everything again with a non hardened toolchain.

--
Regards
wabe

Re: [gentoo-user] Anyone running a hardened profile?

[Michael Orlitzky]

On 09/07/2015 01:10 PM, wabenbau@gmail.com wrote:
> Michael Orlitzky <mjo@gentoo.org> wrote:
> 
> I don't think so (but maybe I'm wrong). You have to compile your entire 
> system with a hardened toolchain to get full hardened support (SSP and
> maybe some other things). I think, to go back to a "normal state", you
> have to recompile everything again with a non hardened toolchain.
> 

GCC 4.8 already defaults to -fstack-protector, but you do need to
recompile to get -fstack-protector-all and you're right that you would
need to recompile again to make it go away. The full SSP is considered
safe though, and only slows things down a bit.

For PaX, the markings may exist on your filesystem, but if you switch to
a non-hardened kernel they cease to have any effect. Grsec just goes away.

Re: [gentoo-user] Anyone running a hardened profile?

[Fernando Rodriguez]

On Monday, September 07, 2015 7:02:45 PM wabenbau@gmail.com wrote:
> Fernando Rodriguez <frodriguez.developer@outlook.com> wrote:
> 
> > On Sunday, September 06, 2015 1:15:17 PM walt wrote:
> > > https://wiki.gentoo.org/wiki/Hardened_Gentoo
> > > 
> > > That wiki page is very seductive.  It makes me want to drop
> > > everything and select a hardened profile and re-emerge everything
> > > from scratch.
> > > 
> > > But I have a feeling I'd soon be in big trouble if I did.  Is this
> > > something that only gentoo devs should be messing with, or is this
> > > a project that a typical gentoo end-user might hope to accomplish
> > > without frequent suicidal thoughts?
> > 
> > There's different opinions on it, but mine is that while it adds some
> > security it's so little that it's not worth it in most cases. It
> > provides more security on a binary distro because everyone has the
> > same binaries and an attacker don't need to guess where a specific
> > piece of code may get loaded but by running a source distro your
> > address space is already pretty unique. The only case where it
> > provides some security is when an attacker is trying to guess an
> > address for an exploit, making the wrong guess will likely crash the
> > process and it will be reloaded on a new address. Do you have
> > valuable enough data for an attacker to go through that hassle in
> > order to get it? If you do then you should use a hardened profile,
> > but physical security and disk encryption is more important because
> > if it's worth that much it'll be easier to just rob you.
> 
> I'm not a security expert, so I'm maybe wrong here, But I think there
> are more security functions on gentoo-hardened than just address space
> randomization. There are also things like stack smash protection and 
> some other restrictions that make it harder to exploit security holes.

AFAIU about everything else you get is better defaults, nothing you can't do 
yourself through CFLAGS, etc. SSP for example is enabled by default on recent 
GCC versions as mentioned by Michael. It will make some exploits harder but 
IMO not enough to be worth it for the average user.

-- 
Fernando Rodriguez

[gentoo-user] Re: Anyone running a hardened profile?

[walt]

On Mon, 7 Sep 2015 14:27:38 -0400
Michael Orlitzky <mjo@gentoo.org> wrote:

> On 09/07/2015 01:10 PM, wabenbau@gmail.com wrote:
> > Michael Orlitzky <mjo@gentoo.org> wrote:
> > 
> > I don't think so (but maybe I'm wrong). You have to compile your
> > entire system with a hardened toolchain to get full hardened
> > support (SSP and maybe some other things). I think, to go back to a
> > "normal state", you have to recompile everything again with a non
> > hardened toolchain. 
> 
> GCC 4.8 already defaults to -fstack-protector, but you do need to
> recompile to get -fstack-protector-all and you're right that you would
> need to recompile again to make it go away. The full SSP is considered
> safe though, and only slows things down a bit.

Full SSP is something I want and I'll gladly suffer the speed penalty
to get it.  Can I just add -fstack-protector-all to my CFLAGS in
make.conf?   Or is it more complicated than that?

Hmm.  Quoting from the gcc man page:

  -fstack-protector-strong
    Like -fstack-protector but includes additional functions to
    be protected --- those that have local array definitions, or
    have references to local frame addresses.

     NOTE: In Gentoo GCC 4.9.0 and later versions this option is
      enabled by default for C, C++, ObjC, ObjC++, if neither
     -fno-stack-protector, -nostdlib, -ffreestanding,
     -fstack-protector, -fstack-protector-strong or
     -fstack-protector-all are found.   <=====  are found *where*?

English is my native tongue and I confess I can't make any sense of
that advice.

The words 'enabled' and 'are found' don't tell me what I need to *do*
to wind up with full/strong SSP in my compiled code.  Does gcc add the
appropriate SSP flags without my intervention when building my sources,
or do I need to invoke those flags myself, e.g. by adding them to CFLAGS
as I asked above?

<sigh>  Communicating is hard to do:

https://en.wikipedia.org/wiki/Breaking_Up_Is_Hard_to_Do

Re: [gentoo-user] Re: Anyone running a hardened profile?

[Fernando Rodriguez]

On Monday, September 07, 2015 6:15:06 PM walt wrote:
> On Mon, 7 Sep 2015 14:27:38 -0400
> Michael Orlitzky <mjo@gentoo.org> wrote:
> 
> > On 09/07/2015 01:10 PM, wabenbau@gmail.com wrote:
> > > Michael Orlitzky <mjo@gentoo.org> wrote:
> > > 
> > > I don't think so (but maybe I'm wrong). You have to compile your
> > > entire system with a hardened toolchain to get full hardened
> > > support (SSP and maybe some other things). I think, to go back to a
> > > "normal state", you have to recompile everything again with a non
> > > hardened toolchain. 
> > 
> > GCC 4.8 already defaults to -fstack-protector, but you do need to
> > recompile to get -fstack-protector-all and you're right that you would
> > need to recompile again to make it go away. The full SSP is considered
> > safe though, and only slows things down a bit.
> 
> Full SSP is something I want and I'll gladly suffer the speed penalty
> to get it.  Can I just add -fstack-protector-all to my CFLAGS in
> make.conf?   Or is it more complicated than that?
> 
> Hmm.  Quoting from the gcc man page:
> 
>   -fstack-protector-strong
>     Like -fstack-protector but includes additional functions to
>     be protected --- those that have local array definitions, or
>     have references to local frame addresses.
> 
>      NOTE: In Gentoo GCC 4.9.0 and later versions this option is
>       enabled by default for C, C++, ObjC, ObjC++, if neither
>      -fno-stack-protector, -nostdlib, -ffreestanding,
>      -fstack-protector, -fstack-protector-strong or
>      -fstack-protector-all are found.   <=====  are found *where*?
> 
> English is my native tongue and I confess I can't make any sense of
> that advice.
> 
> The words 'enabled' and 'are found' don't tell me what I need to *do*
> to wind up with full/strong SSP in my compiled code.  Does gcc add the
> appropriate SSP flags without my intervention when building my sources,
> or do I need to invoke those flags myself, e.g. by adding them to CFLAGS
> as I asked above?
> 
> <sigh>  Communicating is hard to do:
> 
> https://en.wikipedia.org/wiki/Breaking_Up_Is_Hard_to_Do

It means if they're not found on the command line (or CFLAGS which ends up on 
the command line). So just add -fstack-protector-all to your CFLAGS to get 
full stack protection regardless of GCC version.

-- 
Fernando Rodriguez

Re: [gentoo-user] Re: Anyone running a hardened profile?

[Michael Orlitzky]

On 09/07/2015 09:15 PM, walt wrote:
> 
> Full SSP is something I want and I'll gladly suffer the speed penalty
> to get it.  Can I just add -fstack-protector-all to my CFLAGS in
> make.conf? 
> 

Basically, but to save yourself some headaches, you should switch to a
hardened profile instead. Otherwise you'll get build failures of things
like glibc. The profile takes care of that for you, but otherwise
enables full SSP.

The binary distros are all moving towards -fstack-protector-strong now
so support for this stuff is getting better upstream.


> Hmm.  Quoting from the gcc man page:
> 
>   -fstack-protector-strong
>     Like -fstack-protector but includes additional functions to
>     be protected --- those that have local array definitions, or
>     have references to local frame addresses.
> 
>      NOTE: In Gentoo GCC 4.9.0 and later versions this option is
>       enabled by default for C, C++, ObjC, ObjC++, if neither
>      -fno-stack-protector, -nostdlib, -ffreestanding,
>      -fstack-protector, -fstack-protector-strong or
>      -fstack-protector-all are found.   <=====  are found *where*?
> 
> English is my native tongue and I confess I can't make any sense of
> that advice.
> 

You'll get the "strong" stack protection unless you ask for some other
level of protection via CFLAGS or CXXFLAGS or wherever else. Note that
"strong" is still less than "all"!

Re: [gentoo-user] Re: Anyone running a hardened profile?

[Fernando Rodriguez]

On Monday, September 07, 2015 9:38:25 PM Michael Orlitzky wrote:
> On 09/07/2015 09:15 PM, walt wrote:
> > 
> > Full SSP is something I want and I'll gladly suffer the speed penalty
> > to get it.  Can I just add -fstack-protector-all to my CFLAGS in
> > make.conf? 
> > 
> 
> Basically, but to save yourself some headaches, you should switch to a
> hardened profile instead. Otherwise you'll get build failures of things
> like glibc. The profile takes care of that for you, but otherwise
> enables full SSP.

I have -fstack-protector-all enabled in my router/firewall for over a year and 
I don't remember any build failures. I don't have a lot of packages in it but 
I certainly have glibc. I think it just overrides the setting.

> The binary distros are all moving towards -fstack-protector-strong now
> so support for this stuff is getting better upstream.
> 
> 
> > Hmm.  Quoting from the gcc man page:
> > 
> >   -fstack-protector-strong
> >     Like -fstack-protector but includes additional functions to
> >     be protected --- those that have local array definitions, or
> >     have references to local frame addresses.
> > 
> >      NOTE: In Gentoo GCC 4.9.0 and later versions this option is
> >       enabled by default for C, C++, ObjC, ObjC++, if neither
> >      -fno-stack-protector, -nostdlib, -ffreestanding,
> >      -fstack-protector, -fstack-protector-strong or
> >      -fstack-protector-all are found.   <=====  are found *where*?
> > 
> > English is my native tongue and I confess I can't make any sense of
> > that advice.
> > 
> 
> You'll get the "strong" stack protection unless you ask for some other
> level of protection via CFLAGS or CXXFLAGS or wherever else. Note that
> "strong" is still less than "all"!
> 
> 
> 

-- 
Fernando Rodriguez