Alex Efros wrote:
> Hi!
>
> On Tue, Nov 25, 2008 at 09:02:58PM -0500, 7v5w7go9ub0o wrote:
>> I run the "old" hardened toolchain, grsecurity-enhanced hardened kernel,
>> RBAC control, and jails for anything that accesses the LAN/WAN. (heh... I
>> even chroot and kill dhcpcd after 5 seconds). Avira has hundreds of Linux
>> rootkit signatures in its database, so I run Avira and Dazuko
>> realtime/on-access scanning on my /home directory, the chroot jails, and on
>> the portage workspace used during download and compilation.
>
> Wow. While I'm a paranoiac in this sense too, I'm too lazy to do most of
> these things. It's good to know there is potential for me to advance in
> this way! ;-)

I set this up three+ years ago, and after initial setup, it's been
really easy to maintain. Every now and then I have to "retrain" RBAC,
but I use a training script to do that, so it is pretty automatic as well.


>
> BTW, was your workstation really under attack (not counting ssh worms
> and the like script kiddie games)? Were there attacks which were able to
> break the first circle of protection (GrSec+PaX+toolchain)?

I've not had anything break G+P+T.

- I had PaX continuously cancel Firefox on a particular site a few years
ago, and never figured out what it was. It might have been a browser
attack, or it may have simply been a badly-written extension.

I now browse with Opera (in a jail), and use Firefox ("fox in a box") in
a limited way.

- Today I also real-time scan the browser jails (which I run in ramdisk,
so that any unintended changes are discarded at the end of the session)
with Dazuko/AntiVir, and have had a number of suspicious scripts blocked
by AntiVir before the browser could act on them - so I think that my
exposure is thereby reduced.

>
> As for me, I decided not to worry about these things (browser chroot, etc.)
> for now because on a workstation the most important information is the files
> in my home directory... and the applications I use (like browser, mail
> client, etc.) MUST have access to these files, or these applications become
> nearly unusable for me. So, even with RSBAC, if my mutt gets owned by some
> malicious email and it deletes/damages the files it usually has access to
> (like my mailbox :)), that will be _enough_ and do much more damage for
> me than installing a rootkit. So, I choose to do regular automated backups
> and run chkrootkit/rkhunter from cron just in case they detect
> something interesting to play with. :)

Well, that's a good point - it can be a pain, e.g. copying a document
into the mail client chroot jail so that I can send it.

I also use numerous, individual, single-purpose users (e.g.
ooffice:ooffice, opera:opera, tbird:tbird, etc.) so that, e.g.,
user/jail wireshark:wireshark can not read user tbird:tbird, and vice
versa.

This can be a pain because I need to change privilege, as well as
copying things into - e.g., the tbird jail.

Copying downloads out of jails is easy - a script copies all downloads
from the various jails into a single folder, which is then scanned for
Trojan signatures.

>
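A script of the kind described above (gather the downloads from every per-application jail into one folder, then hand that folder to a scanner), as an added example that is not the poster's script. It assumes a hypothetical jail layout of `JAIL_ROOT/<jail>/home/<user>/Downloads` and defaults to clamscan rather than the AntiVir/Dazuko setup the poster uses; set `SCANNER` to use another command.

```sh
#!/bin/sh
# Added example, not the poster's script. Assumed (hypothetical) layout:
#   $JAIL_ROOT/<jail>/home/<user>/Downloads
# The scanner defaults to clamscan (an assumption); override with $SCANNER.
set -u

# collect_downloads JAIL_ROOT DEST
# Copies every regular file under <jail>/home/*/Downloads into DEST. The
# copy is named <jail>__<file> so same-named downloads from different
# jails cannot clobber each other, and is made non-executable (0600) so
# nothing is accidentally run before the scan. Prints the number copied.
collect_downloads() {
    jail_root=$1
    dest=$2
    count=0
    mkdir -p "$dest"
    for jail in "$jail_root"/*/; do
        [ -d "$jail" ] || continue
        name=$(basename "$jail")
        for dl in "$jail"home/*/Downloads; do
            [ -d "$dl" ] || continue
            for f in "$dl"/*; do
                [ -f "$f" ] || continue
                target="$dest/${name}__$(basename "$f")"
                cp -- "$f" "$target"
                chmod 0600 "$target"
                count=$((count + 1))
            done
        done
    done
    echo "$count"
}

# scan_folder DEST
# Runs the configured scanner over DEST and returns its exit status
# (clamscan: 0 clean, 1 infected, 2 error). Returns 3 when no scanner is
# installed, so a caller can distinguish "unscanned" from "clean".
scan_folder() {
    scanner=${SCANNER:-clamscan}
    if command -v "$scanner" >/dev/null 2>&1; then
        "$scanner" "$1"
        return $?
    fi
    echo "no scanner ($scanner) found; $1 left unscanned" >&2
    return 3
}
```

Typical use would be `collect_downloads /srv/jails /srv/incoming && scan_folder /srv/incoming` from cron, with only a clean (status 0) folder released to the regular user.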