| 1 |
On Sun, Dec 24, 2017 at 1:09 AM, Peter Humphrey <peter@××××××××××××.uk> |
| 2 |
wrote: |
| 3 |
|
| 4 |
> Hello list, |
| 5 |
> |
| 6 |
> Now that grsecurity is off-limits, I'm left wondering how to go about |
| 7 |
> hardening a no-multilib box that will be exposed to the Big Bad World. |
| 8 |
> |
| 9 |
> To start with, it's not obvious which profile to use: |
| 10 |
> |
| 11 |
> $ eselect profile list | grep no-multi | grep hardened |
| 12 |
> [23] default/linux/amd64/17.0/no-multilib/hardened |
| 13 |
> [24] default/linux/amd64/17.0/no-multilib/hardened/selinux |
| 14 |
> [29] hardened/linux/amd64/no-multilib |
| 15 |
> [30] hardened/linux/amd64/no-multilib/selinux |
| 16 |
|
| 17 |
|
| 18 |
I'm using default/linux/amd64/17.0/desktop/gnome/systemd and the binaries |
| 19 |
are all pretty much; |
| 20 |
Position Independent Executable: yes |
| 21 |
Stack protected: yes |
| 22 |
Fortify Source functions: yes |
| 23 |
Read-only relocations: yes |
| 24 |
Immediate binding: no, not found! |
| 25 |
|
| 26 |
So i'm wondering how much difference there is between hardened and |
| 27 |
non-hardened profiles these days. |
| 28 |
|
| 29 |
For kernel configs, i'm using these as they sounded sensible on a cursory |
| 30 |
read of the help; (some are quite recent additions to the kernel) |
| 31 |
CONFIG_CC_STACKPROTECTOR=y |
| 32 |
CONFIG_CC_STACKPROTECTOR_STRONG=y |
| 33 |
CONFIG_RANDOMIZE_BASE=y |
| 34 |
CONFIG_RANDOMIZE_MEMORY=y |
| 35 |
CONFIG_HARDENED_USERCOPY=y |
| 36 |
CONFIG_FORTIFY_SOURCE=y |
| 37 |
CONFIG_VMAP_STACK=y |
| 38 |
CONFIG_REFCOUNT_FULL=y |
| 39 |
|
| 40 |
I dont use AppArmour or SELinux, but for an internet facing webserver i'd |
| 41 |
consider using SELinux to more finely lock down permissions on the webroot. |
| 42 |
I also recall that a fully permissive SELinux configuration has a side |
| 43 |
effect that improved security, so CONFIG_SECURITY_SELINUX is on, but i cant |
| 44 |
find any evidence to support my memory on that one. |
| 45 |
|
| 46 |
Lastly, this in /etc/sysctl.conf. SYN cookies is kernel option. The fin |
| 47 |
timeout cut was to clear out tens of thousands of TIME_WAIT sessions. |
| 48 |
net.ipv4.tcp_fin_timeout = 20 |
| 49 |
net.ipv4.tcp_syncookies = 1 |
Archives