Alex Efros wrote:
> Hi!
>
> On Sun, Feb 24, 2008 at 06:15:22AM -0800, Grant wrote:
>> Are a hardened profile, kernel, and related USE flags beneficial on a
>> machine on which only I log in and no ports are open?
>
> If you open a website, or download and run an mp3, or download and open an .xls,
> etc. - do any action which results in receiving and processing a complex data
> format (i.e. not plain text :)), then there may be a security hole in
> the software which will process that data. In this case hardened MAY protect
> you.
>
> To be honest I never heard about hacking a Linux workstation this way, Linux
> is usually hacked by attacking network services.
>
> But this way to hack is very popular on Windows, and nobody can guarantee
> you'll never be hacked this way on Linux (of course, on Linux only
> your current user's account will be compromised, but if this attack will
> result in removing all files in your home directory you will not be very
> happy with the fact this attack didn't compromise your root and other
> users' accounts).
>

Think this is right on. And there are ways in which you can
significantly leverage the advantages provided by a hardened kernel -
e.g. the use of the hardened chroot jails provided by GRSecurity.

STM we've turned a corner - thanks to Mepis, PClos, etc. - and there are
thousands (?) of Windows users now annually converting to 'ix and Mac.
They represent an increasingly visible potential for mischief,
especially given they take their multi-platform Windows tools (Firefox,
TBird, Pidgin, etc.) with them.

The "attacks" will come from net clients, not boot sectors nor
exclusively servers. Browsers seem particularly vulnerable; able to be
spoofed and/or redirected to malevolent sites that'll explore for
vulnerabilities. This is especially true if you occasionally surf "on the
wild side" :-)

(Browser indeed. A lot of folks will take a reasonably secure browser -
Firefox - and load it up with dozens of un-controlled third-party
extensions and plugins; presuming that the unknown authors of these
addons have great coding skill (many do not), the best of intentions
(who knows?), and are using secure web sites to distribute their
un-hacked code through unspoofed servers.)

The hardened toolchain'll protect you outright against some types of
memory attacks; GRSEC'll provide additional PaX protections; putting
net-clients into the much-harder jails provided by some hardened kernels
(e.g. grsecurity) will confine damage (e.g. my browsers, mail clients,
media players, chat client, ooffice, etc. are each in their own
hardened-chroot jail), plus RBAC will stop a browser that suddenly
decides to browse about the box (well, within the jail :-) ) looking for
information, or trying to effect changes.

But don't look for a lot of confirmation regarding hardened desktops
from other 'nix users - most are justifiably thrilled with the dramatic
security improvements provided by Ubuntu straight out of the box, and
don't want to consider the possibility of taking additional steps.

--
gentoo-hardened@l.g.o mailing list