| 1 |
Jan Klod wrote: |
| 2 |
> Suppose, I want to take some extra precautions and set up PaX&co and MAC on a |
| 3 |
> workstation with Xorg and other nice KDE apps (only some of which should be |
| 4 |
> granted access to files in folder X). I would like to read others opinion, if |
| 5 |
> I can get considerable security improvements or I will have to make that much |
| 6 |
> of exceptions to those good rules, as it makes protection too useless? |
| 7 |
> |
| 8 |
> Regards, |
| 9 |
> Jan |
| 10 |
> |
| 11 |
> |
| 12 |
|
| 13 |
Depends upon your definition of hardening, I guess. |
| 14 |
|
| 15 |
I run the "old" hardened toolchain, grsecurity-enhanced hardened kernel, |
| 16 |
rbac control, and jails for anything that accesses the LAN/WAN.(heh... I |
| 17 |
even chroot and kill dhcpcd after 5 seconds). Avira has hundreds of |
| 18 |
Linux rootkit signatures in its database, so I run Avira and Dazuko |
| 19 |
realtime/on-access scanning on my /home directory, the chroot jails, and |
| 20 |
on the portage workspace used during download and compilation. |
| 21 |
|
| 22 |
I presume that for a desktop user, most attacks come in through the |
| 23 |
browser, and/or extensions, plugins (e.g. flash), BHO's, etc. Something |
| 24 |
could also come through the distribution chain from a compromised or |
| 25 |
spoofed source - therefor the signature scanning. |
| 26 |
|
| 27 |
- I presume that pax and/or ssp will protect me against memory attacks |
| 28 |
that may come in through a L/WAN connection. |
| 29 |
|
| 30 |
- If the L/WAN attack comes in through, say, a browser exploit or |
| 31 |
backdoor it will be confined by RBAC to the areas I trained it to |
| 32 |
access, and no more. That would be the jail. |
| 33 |
|
| 34 |
- If the browser tries to "jail break", it will run up against the anti |
| 35 |
jailbreak hardening provided by grsecurity, and be terminated. |
| 36 |
|
| 37 |
- grsecurity blocks writing to /dev/mem, kmem, port. |
| 38 |
|
| 39 |
Judging by the other posts here, someone who knows what he is doing can |
| 40 |
have my box. |
| 41 |
|
| 42 |
Well..... yes! - nothing is 100%. But I'm not trying to protect |
| 43 |
against him.... I'm worried about 95%: the 0-day browser bugs, |
| 44 |
compromised extensions, etc. that may allow a Trojan to try its stuff, |
| 45 |
or may allow an inpatient script-kiddee to have a shell on a Linux box |
| 46 |
that doesn't have this kernel and binary hardening; that doesn't run |
| 47 |
applications in hardened jails. |
Archives