From: Adam Carter <adamcarter3@gmail.com>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] How to harden a system
Date: Sun, 24 Dec 2017 14:20:50 +1100 [thread overview]
Message-ID: <CAC=wYCEWYj8=gFgqZsKsShxHvSZ_Z63cyaSOmcOcLkk2AzBNVQ@mail.gmail.com> (raw)
In-Reply-To: <2022504.K2LgkkC3Iq@peak>
[-- Attachment #1: Type: text/plain, Size: 1822 bytes --]
On Sun, Dec 24, 2017 at 1:09 AM, Peter Humphrey <peter@prh.myzen.co.uk>
wrote:
> Hello list,
>
> Now that grsecurity is off-limits, I'm left wondering how to go about
> hardening a no-multilib box that will be exposed to the Big Bad World.
>
> To start with, it's not obvious which profile to use:
>
> $ eselect profile list | grep no-multi | grep hardened
> [23] default/linux/amd64/17.0/no-multilib/hardened
> [24] default/linux/amd64/17.0/no-multilib/hardened/selinux
> [29] hardened/linux/amd64/no-multilib
> [30] hardened/linux/amd64/no-multilib/selinux
I'm using default/linux/amd64/17.0/desktop/gnome/systemd and the binaries
are all pretty much;
Position Independent Executable: yes
Stack protected: yes
Fortify Source functions: yes
Read-only relocations: yes
Immediate binding: no, not found!
So i'm wondering how much difference there is between hardened and
non-hardened profiles these days.
For kernel configs, i'm using these as they sounded sensible on a cursory
read of the help; (some are quite recent additions to the kernel)
CONFIG_CC_STACKPROTECTOR=y
CONFIG_CC_STACKPROTECTOR_STRONG=y
CONFIG_RANDOMIZE_BASE=y
CONFIG_RANDOMIZE_MEMORY=y
CONFIG_HARDENED_USERCOPY=y
CONFIG_FORTIFY_SOURCE=y
CONFIG_VMAP_STACK=y
CONFIG_REFCOUNT_FULL=y
I dont use AppArmour or SELinux, but for an internet facing webserver i'd
consider using SELinux to more finely lock down permissions on the webroot.
I also recall that a fully permissive SELinux configuration has a side
effect that improved security, so CONFIG_SECURITY_SELINUX is on, but i cant
find any evidence to support my memory on that one.
Lastly, this in /etc/sysctl.conf. SYN cookies is kernel option. The fin
timeout cut was to clear out tens of thousands of TIME_WAIT sessions.
net.ipv4.tcp_fin_timeout = 20
net.ipv4.tcp_syncookies = 1
[-- Attachment #2: Type: text/html, Size: 2695 bytes --]
next prev parent reply other threads:[~2017-12-24 3:21 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-12-23 14:09 [gentoo-user] How to harden a system Peter Humphrey
2017-12-23 17:46 ` Michael Orlitzky
2017-12-23 18:09 ` Peter Humphrey
2017-12-24 3:20 ` Adam Carter [this message]
2017-12-24 9:43 ` Adam Carter
2017-12-24 18:37 ` Grant Taylor
2017-12-25 15:00 ` Michael Orlitzky
2017-12-24 19:44 ` Taiidan
2017-12-25 6:55 ` R0b0t1
2017-12-25 6:56 ` R0b0t1
2017-12-25 15:33 ` Frank Steinmetzger
2017-12-25 18:55 ` Stroller
2017-12-25 23:33 ` [gentoo-user] " Ian Zimmerman
2017-12-25 23:41 ` Grant Taylor
2017-12-26 18:33 ` Taiidan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAC=wYCEWYj8=gFgqZsKsShxHvSZ_Z63cyaSOmcOcLkk2AzBNVQ@mail.gmail.com' \
--to=adamcarter3@gmail.com \
--cc=gentoo-user@lists.gentoo.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox