| 1 |
Alex Efros wrote: |
| 2 |
> Hi! |
| 3 |
> |
| 4 |
> On Tue, Nov 25, 2008 at 09:02:58PM -0500, 7v5w7go9ub0o wrote: |
| 5 |
>> I run the "old" hardened toolchain, grsecurity-enhanced hardened kernel, |
| 6 |
>> rbac control, and jails for anything that accesses the LAN/WAN.(heh... I |
| 7 |
>> even chroot and kill dhcpcd after 5 seconds). Avira has hundreds of Linux |
| 8 |
>> rootkit signatures in its database, so I run Avira and Dazuko |
| 9 |
>> realtime/on-access scanning on my /home directory, the chroot jails, and on |
| 10 |
>> the portage workspace used during download and compilation. |
| 11 |
> |
| 12 |
> Wow. While I'm a paranoiac in this sense too, I'm too lazy to do most of |
| 13 |
> these things. It's good to know there are potential for me to advance on |
| 14 |
> this way! ;-) |
| 15 |
|
| 16 |
I set this up three+ years ago, and after initial setup, it's been |
| 17 |
really easy to maintain. Every now and then I have to "retrain" RBAC, |
| 18 |
but I use a training script to do that, so it is pretty automatic as well |
| 19 |
|
| 20 |
|
| 21 |
> |
| 22 |
> BTW, is your workstation really was under attack (don't counting ssh worms |
| 23 |
> and the like script kiddie games)? Is there was attacks which was able to |
| 24 |
> break first circle of protection (GrSec+PaX+toolchain)? |
| 25 |
|
| 26 |
I've not had anything break G+P+T. |
| 27 |
|
| 28 |
- I had pax continuously cancel FireFox on a particular site a few years |
| 29 |
ago, and never figured out what it was. It might hae been a browser |
| 30 |
attack, or it may have simply been a badly-written extension. |
| 31 |
|
| 32 |
I now browse with Opera (in a jail), and use Firefox ("fox in a box") in |
| 33 |
a limited way. |
| 34 |
|
| 35 |
- I also today real-time scan the browser jails (which I run in ramdisk, |
| 36 |
so that any unintended changes are discarded at the end of the session) |
| 37 |
with Dazuko/Antivir, and have had a number of suspicious scripts blocked |
| 38 |
by AntiVir before the browser could act on them - so I think that my |
| 39 |
exposure is thereby reduced. |
| 40 |
|
| 41 |
> |
| 42 |
> As for me, I decide not to worry about these things (browser chroot, etc.) |
| 43 |
> for now because on workstation most important information is files in my |
| 44 |
> home directory... and applications I use (like browser, mail client, etc.) |
| 45 |
> MUST have access to these files or these applications because nearly |
| 46 |
> unusable for me. So, even with RSBAC, if my mutt will be owned by some |
| 47 |
> malicious email, and it will delete/damage files it usually have access to |
| 48 |
> (like my mailbox :)), that will be _enough_ and make much more damage for |
| 49 |
> me than installing rootkit. So, I choose to do regular automated backups |
| 50 |
> and run chkrootkit/rkhunter from cron just for the case they detect |
| 51 |
> something interesting to play with. :) |
| 52 |
|
| 53 |
Well, that's a good point - it can be a pain, e.g. copying a document |
| 54 |
into the mail client chroot jail so that I can send it. |
| 55 |
|
| 56 |
I also use numerous, individual, single-purpose users (e.g. |
| 57 |
ooffice:ooffice;, opera:opera, tbird:tbird, etc.) so that, e.g., |
| 58 |
user/jail wireshark:wireshark can not read user tbird:tbird, and vice |
| 59 |
versa. |
| 60 |
|
| 61 |
This can be a pain because I need to change privilege, as well as |
| 62 |
copying things into - e.g., the tbird jail. |
| 63 |
|
| 64 |
Copying downloads out of jails is easy - a script copies all downloads |
| 65 |
from the various jails into a single folder, which is then scanned for |
| 66 |
Trojan signatures. |
| 67 |
|
| 68 |
> |
Archives