Re: [gentoo-user] Choosing between system profiles: hardened and desktop for desktop installation.

2017-07-05 Thread james
On 07/04/17 23:16, Walter Dnes wrote:
> On Tue, Jul 04, 2017 at 01:37:38PM -0400, james wrote
> 
>> W. Dnes is the king of minimalist here, so when he gives advice
>> realize it has decades of experimentation to get to where he is on
>> minimization.
> 
>   Not exactly "decades".  I first started linux in late 1999 or early
> 2000.  The minimalist approach was a side-effect of me being cheap.
> Even though I have a newer machine as my "hot backup" waiting in the
> wings, I want to run my older machine into the ground first.  10 years
> ago I was running a 450 mhz pentium3 with 256 megabytes of ram.  Today
> I'm running a 2008 Dell with Core2 Duo and 3 gigs of ram.  I have
> a newer i6 with 8 gigs of ram as the hot backup.  Running an older
> limited machine forces you to optimize.  The Gentoo USE flags give me
> the control to do the utmost minimization.
> 
>   I run the plain default/linux profile, and ICEWM as my WM and no
> "desktop environment" (as per my sig).  The less attack surface, the
> better.  Do not run the Flash plugin or the Java plugin.  If you
> absolutely have to do so, use it inside a VM (e.g. QEMU).  I have an
> aggressive handcrafted iptables firewall.  In addition, my little LAN
> sits behind a NAT-ing router, and I disable UPNP.  That covers my
> approach to security.
> 
>   I run mostly stable, except where an app I want/need is only unstable.
> Gentoo currently defaults to gcc-5.4.0.  I've enabled 6.3.0.  I have to
> enable ICEWM 1.3.12-r1.  The regular stable version built under gcc
> 6.3.0 segfaults 1 or 2 seconds after starting.
> 
>   I used to run with USE="-* blah blah blah".  I no longer do that, but
> I aggressively disable USE flags, until something breaks, then I back
> off.  My current USE line (it's actually one long line)...
> 
> USE="X apng bindist ffmpeg jpeg opengl png szip truetype x264 x265 xorg
> threads webp -acl -berkdb -caps -cracklib -crypt -filecaps -gallium
> -gdbm -graphite -gstreamer -iconv -introspection -ipc -iptables -ipv6
> -libav -llvm -manpager -nls -openmp -pam -pch -sendmail -tcpd -udev
> -udisks -unicode -xinerama"
> 
>   Some of the above is over-ridden in package.use.
> 

Well, now that's a good summary (starting point) for a minimized gentoo
system. The gentoo-devs have been discussing changes to the profiles,
but I'm not certain where that has ended up. I just use the 'default'
and go from there, or the simplest 'hardened' profile that is cpu
relevant. I'm not sure of the most straightforward way to compare
flag settings (the difference) between any two profiles for a new
installer to examine; perhaps somebody else has a straightforward
method to compare current profiles, within a given architecture?

Surely a look at the contents of the @system set is a good starting point
for a new gentooer to see what he gets no matter which profile he
selects?  Then there are the 'experimental' profiles that the devs keep
moving around; who knows what's up with those mavericks.


Hopefully the AliceF [1] GSoC work will result in some structure to
follow for a minimized and hardened kernel going forward. Even in the
gentoo-sources kernel there is much that can be stripped out, reducing
bloat at the least and probably reducing attack venues too. During this
process, I keep several bootable kernels available so reverting is easy.
Perhaps there is a gentoo wiki page that at least outlines the manual
processes (a structured approach) as users go down the pathway of
stripping out what their workstation does not need in a kernel?

Perhaps someone has a slick, home-spun, tool that readily identifies
what can be additionally stripped from the current kernel offerings on
the pathway to minimized_nirvana?


Then there's NFTables; not sure anything useful is published on
NFTables, nor how effective it is for a workstation firewall... [3]

Thanks Walter for sharing. Increasing the population of (OpenRC et al.)
minimalists is always welcome as our numbers are growing every day;
not that one is bound to OpenRC to be a gentoo_minimalist.



hth,
James

[1] https://blogs.gentoo.org/alicef/
https://archives.gentoo.org/gentoo-soc/threads/2017-06/

[3] https://wiki.gentoo.org/wiki/Nftables




Re: [gentoo-user] Choosing between system profiles: hardened and desktop for desktop installation.

2017-07-04 Thread R0b0t1
On Tue, Jul 4, 2017 at 4:12 AM, Peter Humphrey  wrote:
> On Tuesday 04 Jul 2017 05:20:41 Ian Bloss wrote:
>> You should use the hardened profile with the hardened sources. In terms of
>> security you could compile a hardened kernel but you sacrifice ease of
>> use by having to manage pax and if you choose an RBAC system like SELinux
>> or grsecurity's, that adds more burden.
>>
>> Security isn't a product, so I would recommend sticking with regular
>> profile with stable packages, and be mindful of what you have opened up to
>> the internet. I would also recommend just reading up on linux security in
>> general to understand what you're trying to make yourself more secure to.
>
> I second that last point. I looked into hardened Gentoo some years ago and
> came to the conclusion that it wasn't worth all the extra trouble. My
> impression (though I could easily be wrong) is that hardening is intended
> more for protection against local threats, like someone else sitting in your
> seat, than anything coming in over the wires.
>

The majority of the hardening is applied to kernel structures that
most people never interact with and don't know exist. The changes are
supposed to make it harder to glean information about the inner
workings of the kernel, as many exploits require rather intimate
knowledge about what the kernel is doing and when.

There were some more noticeable parts that turned certain parts of
/sys and /proc off, but you could either whitelist or blacklist a
certain group. This is actually one of the more novel additions, as
both places provide a lot of information that is useful for attacking
a system.[1] Related changes also made things like chroot jails work
as intended and prevent data from leaking into or out of them.

The additions that do things like prevent USB devices not plugged in
since boot from working are mainly intended for server environments,
where you don't want technicians or janitors to be able to attack your
servers by exploiting faulty USB drivers. This also helps prevent
individuals with always-on workstations to some extent, but if that is
what you are afraid of you should carry your trusted computer on your
person at all times.

[1] Depending on what is exposed in /proc any process running as a
user can make arbitrary changes to any other process running as that
user, so by compromising e.g. a web browser you have effectively
become that user. It's worth noting similar functionality is also
available via ptrace (the syscall that implements most debugging
functions).

On Tue, Jul 4, 2017 at 12:44 PM, Toralf Förster  wrote:
> On 07/04/2017 07:12 AM, Ста Деюс wrote:
>> So, I would like to use the
>> hardened profile and then add the desktop packages, namely openbox w/o
>
> I do run a hardened profile at my desktop (KDE) since about 3 years -
> almost w/o any trouble.
>
> Recently I switched just from hardened kernel to vanilla kernel - b/c
> the hardened PAX kernel (GRsecurity) isn't any longer freely available
> and the vanilla is nowadays at 4.12.
>
> Works fine so far.
>

Apparently I misread the initial announcement. It didn't originally
look like GRsecurity had withdrawn all nonpaid support, but I guess
they have. I will be going back to the vanilla sources if that is the
case.

Do you know how the concept of a hardened toolchain is going to be
preserved going forward?
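R0b0t1's footnote above points out that what /proc exposes, and ptrace, let one compromised process act on every other process of the same user. The following Python script is an added example (not from the thread) that audits two mainline knobs narrowing that on a vanilla kernel: the `hidepid=` mount option on procfs and Yama's `/proc/sys/kernel/yama/ptrace_scope`; the /proc/mounts text is constructed, and `audit()` with no arguments reads the live files. Note that hidepid only hides other users' processes, whereas ptrace_scope=1 also blocks attaching to same-user processes that are not descendants.

```python
"""Audit two mainline knobs that limit what one user's processes can learn
about, or do to, other processes: procfs 'hidepid' and Yama ptrace_scope.
Sample /proc/mounts text is constructed; audit() with no args reads the
live files on a Linux host.  (Added example, not from the thread.)"""
import re

# Constructed sample of /proc/mounts, not captured from a real host.
SAMPLE_MOUNTS = """\
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime,hidepid=2,gid=26 0 0
/dev/sda2 / ext4 rw,relatime 0 0
"""

# Meaning of /proc/sys/kernel/yama/ptrace_scope values.
PTRACE_SCOPE = {
    0: "classic: any process may ptrace any other process of the same uid",
    1: "restricted: only descendants (or a PR_SET_PTRACER target)",
    2: "admin-only: CAP_SYS_PTRACE required to attach",
    3: "no attach: ptrace attach disabled entirely",
}
# Symbolic hidepid values accepted by kernels >= 5.8, mapped to the numbers.
HIDEPID_NAMES = {"off": 0, "noaccess": 1, "invisible": 2, "ptraceable": 4}

def proc_hidepid(mounts_text):
    """hidepid level of the /proc mount: 0 if unset, None if procfs not mounted."""
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[1] == "/proc" and fields[2] == "proc":
            m = re.search(r"(?:^|,)hidepid=([^,]+)", fields[3])
            if not m:
                return 0
            val = m.group(1)
            return HIDEPID_NAMES[val] if val in HIDEPID_NAMES else int(val)
    return None

def audit(mounts_text=None, ptrace_scope=None):
    """Return [(setting, value, ok, note)]; ok means the knob is restrictive."""
    if mounts_text is None:
        with open("/proc/mounts") as f:
            mounts_text = f.read()
    if ptrace_scope is None:
        try:
            with open("/proc/sys/kernel/yama/ptrace_scope") as f:
                ptrace_scope = int(f.read().strip())
        except FileNotFoundError:
            ptrace_scope = -1  # Yama not compiled into this kernel
    hp = proc_hidepid(mounts_text)
    hp_ok = hp is not None and hp >= 1
    return [
        ("procfs hidepid", hp, hp_ok,
         "other users' /proc/<pid> is restricted" if hp_ok
         else "every user can read every /proc/<pid>; mount /proc with hidepid=2"),
        ("yama ptrace_scope", ptrace_scope, ptrace_scope >= 1,
         PTRACE_SCOPE.get(ptrace_scope, "Yama unavailable; consider CONFIG_SECURITY_YAMA")),
    ]
```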



Re: [gentoo-user] Choosing between system profiles: hardened and desktop for desktop installation.

2017-07-04 Thread Walter Dnes
On Tue, Jul 04, 2017 at 01:37:38PM -0400, james wrote

> W. Dnes is the king of minimalist here, so when he gives advice
> realize it has decades of experimentation to get to where he is on
> minimization.

  Not exactly "decades".  I first started linux in late 1999 or early
2000.  The minimalist approach was a side-effect of me being cheap.
Even though I have a newer machine as my "hot backup" waiting in the
wings, I want to run my older machine into the ground first.  10 years
ago I was running a 450 mhz pentium3 with 256 megabytes of ram.  Today
I'm running a 2008 Dell with Core2 Duo and 3 gigs of ram.  I have
a newer i6 with 8 gigs of ram as the hot backup.  Running an older
limited machine forces you to optimize.  The Gentoo USE flags give me
the control to do the utmost minimization.

  I run the plain default/linux profile, and ICEWM as my WM and no
"desktop environment" (as per my sig).  The less attack surface, the
better.  Do not run the Flash plugin or the Java plugin.  If you
absolutely have to do so, use it inside a VM (e.g. QEMU).  I have an
aggressive handcrafted iptables firewall.  In addition, my little LAN
sits behind a NAT-ing router, and I disable UPNP.  That covers my
approach to security.

  I run mostly stable, except where an app I want/need is only unstable.
Gentoo currently defaults to gcc-5.4.0.  I've enabled 6.3.0.  I have to
enable ICEWM 1.3.12-r1.  The regular stable version built under gcc
6.3.0 segfaults 1 or 2 seconds after starting.

  I used to run with USE="-* blah blah blah".  I no longer do that, but
I aggressively disable USE flags, until something breaks, then I back
off.  My current USE line (it's actually one long line)...

USE="X apng bindist ffmpeg jpeg opengl png szip truetype x264 x265 xorg
threads webp -acl -berkdb -caps -cracklib -crypt -filecaps -gallium
-gdbm -graphite -gstreamer -iconv -introspection -ipc -iptables -ipv6
-libav -llvm -manpager -nls -openmp -pam -pch -sendmail -tcpd -udev
-udisks -unicode -xinerama"

  Some of the above is over-ridden in package.use.

-- 
Walter Dnes 
I don't run "desktop environments"; I run useful applications



Re: [gentoo-user] Choosing between system profiles: hardened and desktop for desktop installation.

2017-07-04 Thread Toralf Förster
On 07/04/2017 07:12 AM, Ста Деюс wrote:
> So, I would like to use the
> hardened profile and then add the desktop packages, namely openbox w/o

I do run a hardened profile at my desktop (KDE) since about 3 years -
almost w/o any trouble.

Recently I switched just from hardened kernel to vanilla kernel - b/c
the hardened PAX kernel (GRsecurity) isn't any longer freely available
and the vanilla is nowadays at 4.12.

Works fine so far.

-- 
Toralf
PGP 23217DA7 9B888F45






Re: [gentoo-user] Choosing between system profiles: hardened and desktop for desktop installation.

2017-07-04 Thread james
On 07/04/17 01:12, Ста Деюс wrote:
> Hi.
> 
> I'm new to Gentoo, and before a new installation on my PC, I keep trying
> to choose between system profiles. I want to use the PC as a desktop, but
> am concerned about security and minimalism. So, I would like to use the
> hardened profile and then add the desktop packages, namely openbox w/o
> any X-session managers -- just logging in w/ a text console and then
> startx.
> 
> So, is my setup wise, or do I miss something because I do not know
> something about the distro regarding these points of installation?
> 
> Thank you for your time,
> Sthu.

Minimalism does reduce attack surfaces, but on a workstation, if later
on you want some complex and fancy software, often you have to start
adding codes, flags and recompiling quite a lot. On specific task
machines, I always go the minimal route, ymmv.  I run lxde but it
is morphing into lxqt (or at least that's what is commonly posted).
I've run openbox and actually now use a mixture of codes to build up
one minimized workstation, but it is a pita to get happy.

W. Dnes is the king of minimalist here, so when he gives advice
realize it has decades of experimentation to get to where he is on
minimization. I've been hacking on codes for minimized High Performance
Computing (HPC) gentoo style, but not ready to release anything as it is
a moving target. "Unikernels" are my pathway forward but this path is a
huge time sink... Caveat Emptor!


Hardened is changing, due to the fact that the patches provided to the
linux kernel team are not being provided for free anymore. There is
much angst as to the pathway forward. Much of the work is being carried
forward in the kernel, compiler projects and some apps but what to do,
post kernel 4.9.x, is not clear for gentoo, atm. This thread by blueness
on gentoo-dev is a good place to start reading; look in the archives:

[gentoo-dev] The status of grsecurity upstream and hardened-sources
downstream


Here's the thread intro:


"Since late April, grsecurity upstream has stopped making their patches
available publicly.  Without going into details, the reason for their
decision revolves around disputes about how their patches were being
(ab)used.

Since the grsecurity patch formed the main core of our hardened-sources
kernel, their decision has serious repercussions for the Hardened Gentoo
project.  I will no longer be able to support hardened-sources and will
have to eventually mask and remove it from the tree.

Hardened Gentoo has two sides to it, kernel hardening (done via
hardened-sources) and toolchain/executable hardening.  The two are
interrelated but independent enough that toolchain hardening can
continue on its own.  The hardened kernel, however, provided PaX
protection for executables and this will be lost.  We did a lot of work
to properly maintain PaX markings in our package management system and
there was no part of Gentoo that wasn't touched by issues stemming from
PaX support.

I waited two months before saying anything because the reasons were more
of a political nature than some technical issue.  At this point, I think
it's time to let the community know about the state of affairs with
hardened-sources.

I can no longer get into the #grsecurity/OFTC channel (nothing personal,
they kicked everyone), and so I have not spoken to spengler or pipacs.
I don't know if they will ever release grsecurity patches again.

My plan then is as follows.  I'll wait one more month and then send out
a news item and later mask hardened-sources for removal.  I don't
recommend we remove any of the machinery from Gentoo that deals with PaX
markings. "


Personally, I'd suggest following Anthony (blueness) as to the
gentoo-hardened pathway forward, but surely others in the extended
gentoo community are surefooted with gentoo security. Pentoo might be
of interest as a workstation pathway forward. If you cannot block them,
join them?

;-) 


hth,
James


And more links for your convenience:

https://www.theregister.co.uk/2015/08/27/grsecurity

https://www.wilderssecurity.com/threads/grsecurity-patches-going-private.393068/

https://lwn.net/Articles/662219/

https://lwn.net/Articles/698891/

https://grsecurity.net/compare.php




Re: [gentoo-user] Choosing between system profiles: hardened and desktop for desktop installation.

2017-07-04 Thread Peter Humphrey
On Tuesday 04 Jul 2017 05:20:41 Ian Bloss wrote:
> You should use the hardened profile with the hardened sources. In terms of
> security you could compile a hardened kernel but you sacrifice ease of
> use by having to manage pax and if you choose an RBAC system like SELinux
> or grsecurity's, that adds more burden.
> 
> Security isn't a product, so I would recommend sticking with regular
> profile with stable packages, and be mindful of what you have opened up to
> the internet. I would also recommend just reading up on linux security in
> general to understand what you're trying to make yourself more secure to.

I second that last point. I looked into hardened Gentoo some years ago and 
came to the conclusion that it wasn't worth all the extra trouble. My 
impression (though I could easily be wrong) is that hardening is intended 
more for protection against local threats, like someone else sitting in your 
seat, than anything coming in over the wires.

In the end I just used the stable sources with a decent firewall: shorewall, 
in fact. If your network setup isn't too unusual, you can use one of their 
standard sets of configuration files.

That's my two-penn'orth, anyway.

-- 
Regards
Peter




Re: [gentoo-user] Choosing between system profiles: hardened and desktop for desktop installation.

2017-07-04 Thread R0b0t1
On Tue, Jul 4, 2017 at 12:12 AM, Ста Деюс  wrote:
> Hi.
>
> I'm new to Gentoo, and before a new installation on my PC, I keep trying
> to choose between system profiles. I want to use the PC as a desktop, but
> am concerned about security and minimalism. So, I would like to use the
> hardened profile and then add the desktop packages, namely openbox w/o
> any X-session managers -- just logging in w/ a text console and then
> startx.
>
> So, is my setup wise, or do I miss something because I do not know
> something about the distro regarding these points of installation?
>
> Thank you for your time,
> Sthu.
>

You should select the hardened profile and then install the desktop
related packages you want manually. Everything should work by default.
If you want to use SELinux, the default policies available assume you
are using a login manager.

On Tue, Jul 4, 2017 at 12:21 AM, Ian Bloss  wrote:
> If you want to go with the hardened sources, there's a great wiki article on
> it.
>

I think his question is mostly about how he should approach installing
everything: start with a desktop-based system and then harden it, or
set up a hardened system and then install the desktop programs.

The Gentoo project doesn't actually support doing the former. The
latter is far easier.

R0b0t1.



Re: [gentoo-user] Choosing between system profiles: hardened and desktop for desktop installation.

2017-07-03 Thread Ian Bloss
If you want to go with the hardened sources, there's a great wiki article
on it.

On Mon, Jul 3, 2017, 10:20 PM Ian Bloss  wrote:

> You should use the hardened profile with the hardened sources. In terms of
> security you could compile a hardened kernel but you sacrifice ease of use
> by having to manage pax and if you choose an RBAC system like SELinux or
> grsecurity's, that adds more burden.
>
> Security isn't a product, so I would recommend sticking with regular
> profile with stable packages, and be mindful of what you have opened up to
> the internet. I would also recommend just reading up on linux security in
> general to understand what you're trying to make yourself more secure to.
>
> On Mon, Jul 3, 2017, 10:13 PM Ста Деюс  wrote:
>
>> Hi.
>>
>> I'm new to Gentoo, and before a new installation on my PC, I keep trying
>> to choose between system profiles. I want to use the PC as a desktop, but
>> am concerned about security and minimalism. So, I would like to use the
>> hardened profile and then add the desktop packages, namely openbox w/o
>> any X-session managers -- just logging in w/ a text console and then
>> startx.
>>
>> So, is my setup wise, or do I miss something because I do not know
>> something about the distro regarding these points of installation?
>>
>> Thank you for your time,
>> Sthu.
>>
>>


Re: [gentoo-user] Choosing between system profiles: hardened and desktop for desktop installation.

2017-07-03 Thread Ian Bloss
You should use the hardened profile with the hardened sources. In terms of
security you could compile a hardened kernel but you sacrifice ease of use
by having to manage pax and if you choose an RBAC system like SELinux or
grsecurity's, that adds more burden.

Security isn't a product, so I would recommend sticking with regular
profile with stable packages, and be mindful of what you have opened up to
the internet. I would also recommend just reading up on linux security in
general to understand what you're trying to make yourself more secure to.

On Mon, Jul 3, 2017, 10:13 PM Ста Деюс  wrote:

> Hi.
>
> I'm new to Gentoo, and before a new installation on my PC, I keep trying
> to choose between system profiles. I want to use the PC as a desktop, but
> am concerned about security and minimalism. So, I would like to use the
> hardened profile and then add the desktop packages, namely openbox w/o
> any X-session managers -- just logging in w/ a text console and then
> startx.
>
> So, is my setup wise, or do I miss something because I do not know
> something about the distro regarding these points of installation?
>
> Thank you for your time,
> Sthu.
>
>