| 1 |
Alex Efros wrote: |
| 2 |
> Hi! |
| 3 |
> |
| 4 |
> On Sun, Feb 24, 2008 at 06:15:22AM -0800, Grant wrote: |
| 5 |
>> Are a hardened profile, kernel, and related USE flags beneficial on a |
| 6 |
>> machine on which only I log in and no ports are open? |
| 7 |
> |
| 8 |
> If you open website, or download and run mp3, or download and open .xls, |
| 9 |
> etc. - do any action which result in receiving and processing complex data |
| 10 |
> format (i.e. not plain text :)), then there may be a security hole in |
| 11 |
> software which will process that data. In this case hardened MAY protect |
| 12 |
> you. |
| 13 |
> |
| 14 |
> To be honest I never heard about hacking Linux workstation this way, Linux |
| 15 |
> is usually hacking by attacking network services. |
| 16 |
> |
| 17 |
> But this way to hack is very popular on Windows, and nobody can guarantee |
| 18 |
> you'll never will be hacked this way on Linux (or course, on Linux only |
| 19 |
> your current user's account will be compromised, but if this attack will |
| 20 |
> result in removing all files in your home directory you will not be very |
| 21 |
> happy with the fact this attack doesn't compromised your root and other |
| 22 |
> user's accounts). |
| 23 |
> |
| 24 |
|
| 25 |
|
| 26 |
Think this is right on. And there are ways in which you can |
| 27 |
significantly leverage the advantages provided by a hardened kernel - |
| 28 |
e.g. the use of the hardened chroot jails provided by GRSecurity. |
| 29 |
|
| 30 |
STM we've turned a corner - thanks to Mepis, PClos, etc. - and there are |
| 31 |
thousands (?) of windows users now annually converting to 'ix and MAC, |
| 32 |
They represent an increasingly visible potential for mischief, |
| 33 |
especially given they take their multi-platform windows tools (FireFox, |
| 34 |
TBird, Pidgeon, etc.) with them. |
| 35 |
|
| 36 |
The "attacks" will come from net clients, not boot sectors nor |
| 37 |
exclusively servers. Browsers seem particularly vulnerable; able to be |
| 38 |
spoofed and/or redirected to malevolent sites that'll explore for |
| 39 |
vulnerabilities. This especially true if you occasionally surf "on the |
| 40 |
wild side" :-) |
| 41 |
|
| 42 |
(Browser indeed. A lot of folks will take a reasonably secure browser - |
| 43 |
Firefox - and load it up with dozens of un-controlled third-party |
| 44 |
extensions and plugins; presuming that the unknown authors of these |
| 45 |
addons have great coding skill (many do not), the best of intentions |
| 46 |
(who knows?), and are using secure web sites to distribute their |
| 47 |
un-hacked code through unspoofed servers.) |
| 48 |
|
| 49 |
The hardened toolchain'll protect you outright against some types of |
| 50 |
memory attacks; GRSEC'll provide additional PAX protections; putting |
| 51 |
net-clients into the much-harder jails provided by some hardened kernels |
| 52 |
(e.g. grsecurity) will confine damage (e.g. my browsers, mail clients, |
| 53 |
media players, chat client, ooffice, etc. are each in their own |
| 54 |
hardened-chroot jail), plus RBAC will stop a browser that suddenly |
| 55 |
decides to browse about the box (well, within the jail :-) ) looking for |
| 56 |
information, or trying to effect changes. |
| 57 |
|
| 58 |
But don't look for a lot of confirmation regarding hardened desktops |
| 59 |
from other 'nix users - most are justifiably thrilled with the dramatic |
| 60 |
security improvements provided by Ubuntu straight out of the box, and |
| 61 |
don't want to consider the possibility of taking additional steps. |
| 62 |
|
| 63 |
-- |
| 64 |
gentoo-hardened@l.g.o mailing list |
Archives