On Sun, Dec 24, 2017 at 1:09 AM, Peter Humphrey <peter@××××××××××××.uk>
wrote:

> Hello list,
>
> Now that grsecurity is off-limits, I'm left wondering how to go about
> hardening a no-multilib box that will be exposed to the Big Bad World.
>
> To start with, it's not obvious which profile to use:
>
> $ eselect profile list | grep no-multi | grep hardened
> [23] default/linux/amd64/17.0/no-multilib/hardened
> [24] default/linux/amd64/17.0/no-multilib/hardened/selinux
> [29] hardened/linux/amd64/no-multilib
> [30] hardened/linux/amd64/no-multilib/selinux


I'm using default/linux/amd64/17.0/desktop/gnome/systemd and the binaries
are all pretty much:
Position Independent Executable: yes
Stack protected: yes
Fortify Source functions: yes
Read-only relocations: yes
Immediate binding: no, not found!

So I'm wondering how much difference there is between hardened and
non-hardened profiles these days.

For kernel configs, I'm using these as they sounded sensible on a cursory
read of the help (some are quite recent additions to the kernel):
CONFIG_CC_STACKPROTECTOR=y
CONFIG_CC_STACKPROTECTOR_STRONG=y
CONFIG_RANDOMIZE_BASE=y
CONFIG_RANDOMIZE_MEMORY=y
CONFIG_HARDENED_USERCOPY=y
CONFIG_FORTIFY_SOURCE=y
CONFIG_VMAP_STACK=y
CONFIG_REFCOUNT_FULL=y

I don't use AppArmor or SELinux, but for an internet-facing webserver I'd
consider using SELinux to more finely lock down permissions on the webroot.
I also recall that a fully permissive SELinux configuration has a side
effect that improved security, so CONFIG_SECURITY_SELINUX is on, but I can't
find any evidence to support my memory on that one.

Lastly, this is in /etc/sysctl.conf. SYN cookies is a kernel option. The FIN
timeout cut was to clear out tens of thousands of TIME_WAIT sessions.
net.ipv4.tcp_fin_timeout = 20
net.ipv4.tcp_syncookies = 1
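The five properties in the checker output quoted in the reply above (PIE, stack protector, FORTIFY_SOURCE, read-only relocations, immediate binding) are all visible in the ELF file itself, so they can be verified per binary regardless of which profile built it. The following Python script is an added example, not code from this thread or from any Gentoo or Debian tool: it reads the ELF64 program headers and dynamic section, reports the five flags, and derives the RELRO level from them. The "Immediate binding: no" line in the mail is the case to watch: a GNU_RELRO segment without DT_BIND_NOW (or DF_1_NOW) is only partial RELRO, because lazy binding leaves the GOT writable at run time; linking with -Wl,-z,now turns it into full RELRO. The function names (check_elf, relro_level, build_sample_elf) are this example's own, and build_sample_elf synthesizes a constructed minimal ELF image so the script can be exercised offline without a real binary.

```python
"""Added example: inspect an ELF64 image for the hardening properties listed in
the mail (PIE, RELRO, immediate binding, stack protector, FORTIFY_SOURCE).
The function names here are this example's own, not from any existing tool."""
import struct
import sys

ET_EXEC, ET_DYN = 2, 3
PT_LOAD, PT_DYNAMIC, PT_GNU_RELRO = 1, 2, 0x6474E552
DT_NULL, DT_STRTAB, DT_STRSZ, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 5, 10, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1
PHDR_FMT, DYN_FMT = "<IIQQQQQQ", "<qQ"   # Elf64_Phdr, Elf64_Dyn (little endian)


def _vaddr_to_off(loads, vaddr):
    """Map a virtual address to a file offset through the PT_LOAD segments."""
    for p_off, p_vaddr, p_filesz in loads:
        if p_vaddr <= vaddr < p_vaddr + p_filesz:
            return p_off + (vaddr - p_vaddr)
    raise ValueError("address 0x%x is not file-backed" % vaddr)


def check_elf(data: bytes) -> dict:
    """Return the five hardening flags for a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("expected a little-endian ELF64 image")
    e_type, = struct.unpack_from("<H", data, 16)
    e_phoff, = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    loads, dyn, relro = [], None, False
    for i in range(e_phnum):
        p_type, _, p_off, p_vaddr, _, p_filesz, _, _ = struct.unpack_from(
            PHDR_FMT, data, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD:
            loads.append((p_off, p_vaddr, p_filesz))
        elif p_type == PT_DYNAMIC:
            dyn = (p_off, p_filesz)
        elif p_type == PT_GNU_RELRO:
            relro = True          # relocated data is remapped read-only at load
    # ET_DYN covers PIE executables but also shared objects; the caller should
    # know which kind of file it handed in.
    result = {"pie": e_type == ET_DYN, "relro": relro, "bind_now": False,
              "stack_protector": False, "fortify": False}
    if dyn is None:
        return result             # static binary: no dynamic section to inspect
    tags = {}
    for pos in range(dyn[0], dyn[0] + dyn[1], struct.calcsize(DYN_FMT)):
        tag, val = struct.unpack_from(DYN_FMT, data, pos)
        if tag == DT_NULL:
            break
        tags[tag] = val
    # Immediate binding can be signalled by any of three dynamic tags.
    result["bind_now"] = (DT_BIND_NOW in tags
                          or bool(tags.get(DT_FLAGS, 0) & DF_BIND_NOW)
                          or bool(tags.get(DT_FLAGS_1, 0) & DF_1_NOW))
    if DT_STRTAB in tags and DT_STRSZ in tags:
        off = _vaddr_to_off(loads, tags[DT_STRTAB])
        names = data[off:off + tags[DT_STRSZ]].split(b"\0")
        # Same heuristics as the usual checkers: the canary failure handler and
        # any *_chk wrapper in the dynamic string table.
        result["stack_protector"] = b"__stack_chk_fail" in names
        result["fortify"] = any(n.endswith(b"_chk") for n in names)
    return result


def relro_level(result: dict) -> str:
    """'full' needs both a RELRO segment and immediate binding."""
    if not result["relro"]:
        return "none"
    return "full" if result["bind_now"] else "partial"


def build_sample_elf(pie=True, relro=True, bind_now=True,
                     stack_protector=True, fortify=True) -> bytes:
    """Constructed minimal ELF64 image (not a real binary) for offline testing."""
    base = 0 if pie else 0x400000
    names = [b""] + ([b"__stack_chk_fail"] if stack_protector else []) \
        + ([b"__memcpy_chk"] if fortify else []) + [b"memcpy"]
    strtab = b"\0".join(names) + b"\0"
    str_off, dyn_off = 0x100, 0x200
    dyn = [(DT_STRTAB, base + str_off), (DT_STRSZ, len(strtab))]
    if bind_now:
        dyn.append((DT_FLAGS_1, DF_1_NOW))
    dyn.append((DT_NULL, 0))
    dyn_bytes = b"".join(struct.pack(DYN_FMT, t, v) for t, v in dyn)
    dsz = len(dyn_bytes)
    total = dyn_off + dsz
    phdrs = [(PT_LOAD, 5, 0, base, base, total, total, 0x1000),
             (PT_DYNAMIC, 6, dyn_off, base + dyn_off, base + dyn_off, dsz, dsz, 8)]
    if relro:
        phdrs.append((PT_GNU_RELRO, 4, dyn_off, base + dyn_off, base + dyn_off, dsz, dsz, 1))
    ph = b"".join(struct.pack(PHDR_FMT, *p) for p in phdrs)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", ET_DYN if pie else ET_EXEC, 62, 1,
                               base, 64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    buf = bytearray(total)
    buf[0:64] = ehdr
    buf[64:64 + len(ph)] = ph
    buf[str_off:str_off + len(strtab)] = strtab
    buf[dyn_off:dyn_off + dsz] = dyn_bytes
    return bytes(buf)


if __name__ == "__main__":
    # Usage: python elf_hardening.py /path/to/binary ...; no args checks the sample.
    for path in sys.argv[1:] or ["<constructed sample>"]:
        data = build_sample_elf() if path.startswith("<") else open(path, "rb").read()
        flags = check_elf(data)
        print(path, flags, "RELRO:", relro_level(flags))
```

Run it against the binaries on the box (for example the contents of /usr/bin) and the "Immediate binding" column shows directly whether the toolchain is emitting -z now; the sample image with bind_now=False reproduces the partial-RELRO state seen in the mail.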