Jan Klod wrote:
> Suppose, I want to take some extra precautions and set up PaX&co and MAC on a
> workstation with Xorg and other nice KDE apps (only some of which should be
> granted access to files in folder X). I would like to read others opinion, if
> I can get considerable security improvements or I will have to make that much
> of exceptions to those good rules, as it makes protection too useless?
>
> Regards,
> Jan
>
>
|
Depends upon your definition of hardening, I guess.

I run the "old" hardened toolchain, grsecurity-enhanced hardened kernel,
rbac control, and jails for anything that accesses the LAN/WAN. (heh... I
even chroot and kill dhcpcd after 5 seconds). Avira has hundreds of
Linux rootkit signatures in its database, so I run Avira and Dazuko
realtime/on-access scanning on my /home directory, the chroot jails, and
on the portage workspace used during download and compilation.
|
I presume that for a desktop user, most attacks come in through the
browser, and/or extensions, plugins (e.g. flash), BHO's, etc. Something
could also come through the distribution chain from a compromised or
spoofed source - therefore the signature scanning.
|
- I presume that pax and/or ssp will protect me against memory attacks
that may come in through a L/WAN connection.

- If the L/WAN attack comes in through, say, a browser exploit or
backdoor it will be confined by RBAC to the areas I trained it to
access, and no more. That would be the jail.

- If the browser tries to "jail break", it will run up against the anti
jailbreak hardening provided by grsecurity, and be terminated.

- grsecurity blocks writing to /dev/mem, kmem, port.
|
Judging by the other posts here, someone who knows what he is doing can
have my box.
|
Well..... yes! - nothing is 100%. But I'm not trying to protect
against him.... I'm worried about 95%: the 0-day browser bugs,
compromised extensions, etc. that may allow a Trojan to try its stuff,
or may allow an impatient script kiddie to have a shell on a Linux box
that doesn't have this kernel and binary hardening; that doesn't run
applications in hardened jails.