On 2014-08-12 01:23, Luis Ressel wrote:
> On Mon, 11 Aug 2014 14:17:12 -0700
> Mark Knecht <markknecht@×××××.com> wrote:
>
>> Hi all,
>> Just an introduction. First post here but _longtime_ Gentoo user.
>> (Early 2003 I think...) I ran Redhat before that starting in 1997.
>>
>> I'm a basic desktop end-user type. Self-employed, using KDE,
>> vlc/makemkv/handbrake, and multiple Virtualbox Win 7 VMs for trading
>> in the financial markets. I've converted my wife & 3 generations of my
>> family (parents in the 80's and son in his 20's) to Gentoo. None of
>> us use native Windows anymore. I administer all the systems.
>
> Sounds like an OSS "model family". Congrats! ;-)
>
>> I'm starting to look down the road to a new main machine for me in
>> 6 months to 1 year. I'd like to start learning about the whole
>> hardened environment - what it can and cannot do, at least easily. If
>> I go this direction it's likely to try to be a fully encrypted disk
>> subsystem, including initrd. I'm not overly performance driven, but
>> that said I want to know where the cycles are going and don't want to
>> waste them if possible.
>
> Regarding system performance, my personal experience has been that the
> various overheads involved in typical "hardened" Linuxes are
> measurable, but not noticeable with most usage patterns. That said,
> there's one kind of "performance" which certainly degrades:
> Administration performance. You've got to have some time to debug all
> these tiny little problems which arise due to badly written software
> being incompatible with the system hardening etc.
>
> I'd always recommend encrypting your HDD, even for otherwise
> non-hardened systems. Performance losses aren't that bad, and the
> advantages are huge. (For example, think about sending in a laptop for
> a warranty repair. You don't want to wipe your hdd before, but you also
> don't want the vendor to be able to read it.)
>
> On the other hand, I've had some bad experiences with the
> initramdisks required for that. Neither dracut nor genkernel worked
> satisfyingly, especially when SELinux entered the equation. I've been
> told the situation has improved in the meantime, but I've already
> switched to using a custom-written initramdisk. It's rock-solid, easily
> understandable and only does those things I want it to do, but those
> very well. (Of course, I'm willing to share the sources if someone is
> interested.)
>
>> Anyway, thought I'd say hi and look for any pointers about what to
>> read for a user such as myself. I'm going through the Gentoo Hardened
>> pages and trying to understand what model to use - grsecurity or
>> selinux. I'm leaning toward grsecurity but I don't have a good reason
>> one way or the other as of yet.
>
> There's much out there on the *net worth a look. Be sure to check out
> the Gentoo wiki:
>
> https://wiki.gentoo.org/index.php?title=Special%3APrefixIndex&prefix=Hardened&namespace=0
>
> Oh, and also don't forget reading the help texts of the various
> grsecurity kernel options. Most of them are well-documented.
>
> Concerning "grsecurity vs SELinux", you're mixing up something here.
> There's SELinux, a "mandatory access control" (MAC) system available
> in the main-line kernels. And there's grsecurity/PaX, an extensive set
> of kernel patches which is included in hardened-sources. It includes an
> "RBAC" subsystem which is similar to SELinux in its purpose, but
> grsecurity is much more than that. It has kernel patches for "Kernel
> auditing" and "Chroot jail restrictions" to name only a few (as I
> said, check out the help texts!) and it includes the PaX suite, which
> dictates (among other things) that userland processes can't both write
> to a memory region and execute code from there, thereby avoiding a whole
> class of common exploits. All of those options are independent of your
> using RBAC or SELinux (or no MAC system at all).
>
> For starting out, I'd recommend using PaX and playing around with the
> other grsecurity options, but leaving RBAC and SELinux alone, as they
> add much more complexity and can be really overwhelming at the
> beginning.
>
> Later on, you can still add one of these MAC systems. (I personally do
> recommend SELinux, but that's a matter of taste, and as I said, don't
> worry about that now.)
>
>> I am interested in trying to do this in a VBox VM just as a
>> learning exercise, and while I understand it won't be as secure as
>> doing it on bare metal, I'd be very interested in hearing about others'
>> experience in this area.
>
> I've never used Virtualbox, but I know hardened-sources kernels work
> very well in KVM environments. That said, it's certainly a wise
> decision to test substantive system changes beforehand in a virtualized
> environment.

I can also confirm that the hardened sources run really well in a Xen
virtualized environment with pvgrub. I am using grsec with PaX with no
issues at all. I have asked about setting up hardened with a KDE desktop
environment and was told that will take a bit of work.

>
> Regards,
> Luis Ressel
>
> PS: Wow, that mail I've just written somehow reminds me of Duncan.

-- 
Regards,
Jonathan Aquilina
Founder Eagle Eye T
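A minimal initramfs /init of the kind Luis describes (unlock the LUKS-encrypted root, mount it, hand over to the real init and nothing else), written here as an added example. It is not Luis Ressel's initramdisk and not part of the thread; the kernel parameter names (cryptdevice=, root=, rootfstype=), the DEVICE:NAME format of cryptdevice=, the device /dev/sda2, and the presence of a busybox-style /bin/sh with cryptsetup and switch_root inside the initramfs are all assumptions for illustration. The command-line parsing and the mapper-name check are kept in separate functions so they can be exercised on a running system; the privileged steps only run when the script is PID 1.

```sh
#!/bin/sh
# Added example: minimal initramfs /init for a LUKS-encrypted root.
# Not Luis Ressel's initramdisk. Assumed kernel command line
# (constructed for this example):
#   cryptdevice=/dev/sda2:cryptroot root=/dev/mapper/cryptroot rootfstype=ext4
# Assumed tools inside the initramfs: busybox sh/mount/sleep/switch_root,
# cryptsetup. Kernel needs the dm-crypt, cipher and root fs drivers built in.

# Print the value of key=value from a kernel command line string
# (empty output if the key is absent; always returns 0).
cmdline_get() {
    _key=$1
    _line=$2
    for _word in $_line; do
        case $_word in
            "$_key"=*) printf '%s\n' "${_word#"$_key"=}"; return 0 ;;
        esac
    done
    return 0
}

# Split the assumed DEVICE:NAME format of cryptdevice= into its halves.
crypt_device() { printf '%s\n' "${1%%:*}"; }
crypt_name()   { printf '%s\n' "${1#*:}"; }

# Only accept mapper names that cannot escape /dev/mapper/ (no '/', no
# empty name, nothing but a conservative character set).
valid_name() {
    case $1 in
        '' | *[!A-Za-z0-9_.-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# On any failure drop to a shell instead of hanging silently.
rescue() {
    echo "init: $1" >&2
    exec /bin/sh
}

boot() {
    mount -t proc     proc     /proc
    mount -t sysfs    sysfs    /sys
    mount -t devtmpfs devtmpfs /dev

    cmdline=$(cat /proc/cmdline)
    cryptdev=$(cmdline_get cryptdevice "$cmdline")
    rootdev=$(cmdline_get root "$cmdline")
    fstype=$(cmdline_get rootfstype "$cmdline")

    dev=$(crypt_device "$cryptdev")
    name=$(crypt_name "$cryptdev")
    [ -n "$dev" ] && [ -n "$rootdev" ] || rescue "cryptdevice= and root= are required"
    valid_name "$name" || rescue "bad mapper name: '$name'"

    # No udev here: wait up to 10 s for the block device to show up.
    tries=0
    while [ ! -b "$dev" ] && [ "$tries" -lt 10 ]; do
        sleep 1
        tries=$((tries + 1))
    done
    [ -b "$dev" ] || rescue "device $dev not found"

    # cryptsetup prompts for the passphrase on the console; allow three tries.
    tries=0
    until cryptsetup luksOpen "$dev" "$name"; do
        tries=$((tries + 1))
        [ "$tries" -lt 3 ] || rescue "could not unlock $dev"
    done

    mkdir -p /newroot
    if [ -n "$fstype" ]; then
        mount -t "$fstype" -o ro "$rootdev" /newroot || rescue "mount of $rootdev failed"
    else
        mount -o ro "$rootdev" /newroot || rescue "mount of $rootdev failed"
    fi

    # Carry the pseudo filesystems over, then replace this script with the
    # real init (switch_root also frees the initramfs memory).
    mount --move /dev  /newroot/dev
    mount --move /sys  /newroot/sys
    mount --move /proc /newroot/proc
    exec switch_root /newroot /sbin/init
}

# Act as init only when the kernel started us as PID 1; sourcing or running
# the file elsewhere just defines the functions above.
if [ "$$" = 1 ]; then
    boot
fi
```

The script goes in the initramfs as /init (executable) alongside busybox, cryptsetup and their libraries, packed with `find . | cpio -o -H newc | gzip`; as the thread suggests, try it in a VM before the real machine, and keep the rescue shell in mind while doing so because a typo in the kernel command line drops you there rather than into the system.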