Encrypted disks are "easy," though some configurations aren't supported
elegantly (using a keyfile, or using an encrypted keyfile). Using genkernel
to create a ramdisk has worked every time for me, dracut has not. (It is
requested Luis Ressel share his ramdisk :)

Hardened is more than usable, though some pre-built software and some
drivers will either require intervention or not work. The software is
usually fixable, stuff that needs to compile against the kernel usually
isn't. Sometimes there's patches.

Hardened with SELinux is kind of usable, but the docs note a desktop
profile isn't supported. I'm not aware of any desktop environments with
working policies - they might exist, but I had to modify policies so much
I'm not sure if I did that or not. I've not used grsecurity's RBAC. It has
a learning mode, but from reading the documentation they seem to both have
the same level of involvement, RBAC possibly more (if you want to check
everything, instead of blindly accepting what it learned).

Regards.

On Tue, Aug 12, 2014 at 12:29 AM, jaquilina <jaquilina@×××××××××.net> wrote:

> On 2014-08-12 01:23, Luis Ressel wrote:
>
>> On Mon, 11 Aug 2014 14:17:12 -0700
>> Mark Knecht <markknecht@×××××.com> wrote:
>>
>>> Hi all,
>>> Just an introduction. First post here but _longtime_ Gentoo user.
>>> (Early 2003 I think...) I ran Redhat before that starting in 1997.
>>>
>>> I'm a basic desktop end-user type. Self-employed, using KDE,
>>> vlc/makemkv/handbrake, and multiple Virtualbox Win 7 VMs for trading
>>> in the financial markets. I've converted my wife & 3 generations of my
>>> family (parents in the 80's and son in his 20's) to Gentoo. None of
>>> us use native Windows anymore. I administer all the systems.
>>
>> Sounds like an OSS "model family". Congrats! ;-)
>>
>>> I'm starting to look down the road to a new main machine for me in
>>> 6 months to 1 year. I'd like to start learning about the whole
>>> hardened environment - what it can and cannot do, at least easily. If
>>> I go this direction it's likely to try to be a fully encrypted disk
>>> subsystem, including initrd. I'm not overly performance driven, but
>>> that said I want to know where the cycles are going and don't want to
>>> waste them if possible.
>>
>> Regarding system performance, my personal experience has been that the
>> various overheads involved in typical "hardened" Linuxes are
>> measurable, but not noticeable with most usage patterns. That said,
>> there's one kind of "performance" which certainly degrades:
>> Administration performance. You've got to have some time to debug all
>> these tiny little problems which arise due to badly written software
>> being incompatible with the system hardening etc.
>>
>> I'd always recommend encrypting your HDD, even for otherwise
>> non-hardened systems. Performance losses aren't that bad, and the
>> advantages are huge. (For example, think about sending in a laptop for
>> a warranty repair. You don't want to wipe your hdd before, but you also
>> don't want the vendor to be able to read it.)
>>
>> On the other hand, I've made some bad experiences with the
>> initramdisk's required for that. Neither dracut nor genkernel did work
>> satisfyingly, especially when SELinux entered the equation. I've been
>> told the situation has improved in the meantime, but I've already
>> switched to using a custom-written initramdisk. It's rock-solid, easily
>> understandable and only does those things I want it to do, but those
>> very well. (Of course, I'm willing to share the sources if someone is
>> interested.)
>>
>>> Anyway, thought I'd say hi and look for any pointers about what to
>>> read for a user such as myself. I'm going through the Gentoo Hardened
>>> pages and trying to understand what model to use - grsecurity or
>>> selinux. I'm leaning toward grsecurity but I don't have a good reason
>>> one way or the other as of yet.
>>
>> There's much out there on the *net worth a look. Be sure to check out
>> the Gentoo wiki:
>>
>> https://wiki.gentoo.org/index.php?title=Special%3APrefixIndex&prefix=Hardened&namespace=0
>>
>> Oh, and also don't forget reading the help texts of the various
>> grsecurity kernel options. Most of them are well-documented.
>>
>> Concerning "grsecurity vs SELinux", you're mixing up something here.
>> There's SELinux, a "mandatory access control" (MAC) system available
>> in the main-line kernels. And there's grsecurity/PaX, an extensive set
>> of kernel patches which is included in hardened-sources. It includes an
>> "RBAC" subsystem which is similar to SELinux in its purpose, but
>> grsecurity is much more than that. It has kernel patches for "Kernel
>> auditing" and "Chroot jail restrictions" to name only a few (as I
>> said, check out the help texts!) and it includes the PaX suite, which
>> dictates (among other things) that userland processes can't both write
>> to a memory region and execute code from there, thereby avoiding a whole
>> class of common exploits. All of those options are independent of your
>> using RBAC or SELinux (or no MAC system at all).
>>
>> For starting out, I'd recommend using PaX and playing around with the
>> other grsecurity options, but leaving RBAC and SELinux alone, as they
>> add much more complexity and can be really overwhelming at the
>> beginning.
>>
>> Later on, you can still add one of these MAC systems. (I personally do
>> recommend SELinux, but that's a matter of taste, and as I said, don't
>> worry about that now.)
>>
>>> I am interested in trying to do this in a VBox VM just as a
>>> learning exercise and while I understand it won't be as secure as
>>> doing it on bare metal I'd be very interested in hearing about others'
>>> experience in this area.
>>
>> I've never used Virtualbox, but I know hardened-sources kernels work
>> very well in KVM environments. That said, it's certainly a wise
>> decision to test substantive system changes beforehand in a virtualized
>> environment.
>>
>
> I can also confirm that the hardened sources run really well in a xen
> virtualized environment with pvgrub. I am using grsec with PAX with no
> issues at all. I have asked about setting up hardened with a KDE desktop
> environment and was told that will take a bit of work.
>
>> Regards,
>> Luis Ressel
>>
>> PS: Wow, that mail I've just written somehow reminds me of Duncan.
>>
>
> --
> Regards,
> Jonathan Aquilina
> Founder Eagle Eye T
>
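
The rule quoted above, that under PaX a userland process can't both write to a memory region and execute code from it, can be checked from userland. The C program below is an added example, not part of any message in this thread and not PaX or grsecurity code. It assumes Linux with /proc mounted, and the function and enum names are its own.

```c
#define _DEFAULT_SOURCE 1   /* exposes MAP_ANONYMOUS */
#include <stdio.h>
#include <unistd.h>
#include <sys/mman.h>

enum wx_policy { WX_ALLOWED, WX_PARTIAL, WX_ENFORCED };  /* this example's names */

/* Permissions the kernel actually granted to the mapping containing addr,
 * read from /proc/self/maps (e.g. "rw-p"). Returns 0 when found. */
static int granted_perms(const void *addr, char perms[5])
{
    FILE *f = fopen("/proc/self/maps", "r");
    char line[512];
    unsigned long start, end, a = (unsigned long)addr;
    int found = -1;
    while (f && found && fgets(line, sizeof line, f))
        if (sscanf(line, "%lx-%lx %4s", &start, &end, perms) == 3 &&
            start <= a && a < end)
            found = 0;
    if (f) fclose(f);
    return found;
}

/* Map one anonymous page as `initial`; if `final` differs, write a byte to it
 * and mprotect() it. Returns 1 if the page ends up executable (never run). */
static int ends_up_executable(int initial, int final)
{
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    char perms[5] = "";
    unsigned char *p = mmap(NULL, len, initial, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return 0;
    if (final != initial) { p[0] = 0xCC; mprotect(p, len, final); }
    int ok = granted_perms(p, perms) == 0 && perms[2] == 'x';
    munmap(p, len);
    return ok;
}

static enum wx_policy classify(int rwx_ok, int wtx_ok)
{
    return (rwx_ok && wtx_ok) ? WX_ALLOWED : (rwx_ok || wtx_ok) ? WX_PARTIAL : WX_ENFORCED;
}

int main(void)
{
    static const char *name[] = { "not enforced", "partly enforced", "enforced" };
    int rw = PROT_READ | PROT_WRITE;
    int rwx = ends_up_executable(rw | PROT_EXEC, rw | PROT_EXEC);
    int wtx = ends_up_executable(rw, PROT_READ | PROT_EXEC);
    printf("W^X for anonymous memory: %s\n", name[classify(rwx, wtx)]);
    return 0;
}
```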