Re: [gentoo-user] Choosing between system profiles: hardened and desktop for desktop installation.
On 07/04/17 23:16, Walter Dnes wrote: > On Tue, Jul 04, 2017 at 01:37:38PM -0400, james wrote > >> W. Dnes is the king of minimalist here, so when he gives advise >> realize it has decades of experimentation to get to where he is on >> minimization. > > Not exactly "decades". I first started linux in late 1999 or early > 2000. The minimalist approach was a side-effect of me being cheap. > Even though I have a newer machine as my "hot backup" waiting in the > wings, I want to run my older machine into the ground first. 10 years > ago I was running a 450 mhz pentium3 with 256 megabytes of ram. Today > I'm running a 2008 Dell with Core2 Duo and 3 gigs of ram today. I have > a newer i6 with 8 gigs of ram as the hot backup. Running an older > limited machine forces you to optimize. The Gentoo USE flags give me > the control to do the utmost minimization. > > I run the plain default/linux profile, and ICEWM as my WM and no > "desktop environment" (as per my sig). The less attack surface, the > better. Do not run the Flash plugin or the Java plugin. If you > absolutely have to do so, use it inside a VM (e.g. QEMU). I have an > aggressive handcrafted iptables firewall. In addition, my little LAN > sits behind a NAT-ing router, and I disable UPNP. That covers my > approach to security. > > I run mostly stable, except where an app I want/need is only unstable. > Gentoo currently defaults to gcc-5.4.0. I've enabled 6.3.0. I have to > enable ICEWM 1.3.12-r1. The regular stable version built under gcc > 6.3.0 segfaults 1 or 2 seconds after starting. > > I used to run with USE="-* blah blah blah". I no longer do that, but > I aggressively disable USE flags, until something breaks, then I back > off. My current USE line (it's actually one long line)... > > USE="X apng bindist ffmpeg jpeg opengl png szip truetype x264 x265 xorg > threads webp -acl -berkdb -caps -cracklib -crypt -filecaps -gallium > -gdbm -graphite -gstreamer -iconv -introspection -ipc -iptables -ipv6 > -libav -llvm -manpager -nls -openmp -pam -pch -sendmail -tcpd -udev > -udisks -unicode -xinerama" > > Some of the above is over-ridden in package.use. > Well, now that's a good summary (starting point) for a minimized gentoo system. The gentoo-devs have been discussing changes to the profiles, but I'm not certain where that has ended up. I just use the 'default' and go from there, or the simplest 'hardened' profile that is cpu relevant. I'm not sure of the most straight forward way to compare flag setting (the difference) between any two profiles for a new installer to examine; perhaps somebody else has a straight forward method to compare current profiles, within a given architecture? Surely at look at the contents of @system set is a good starting point for a new gentooer to see what he gets no matter which profile he selects? Then there is the 'experimental' profiles that the devs keep moving around; who knows what's up with those mavericks Hopefully the AliceF [1] GSoC work will result in some structure to to follow for a minimized and hardened kernel going forward. Even in the gentoo-sources kernel there is much that can be stripped out, reducing bloat at the least and probably reducing attack venues too. During this process, I keep several bootable kernels available so reverting is easy. Perhaps there is a gentoo wiki page that at least outlines the manual processes (a structured approach) as users go down the pathway of stripping out what their workstation does not need in a kernel? Perhaps someone has a slick, home-spun, tool that readily identifies what can be additionally stripped from the current kernel offerings on the pathway to minimized_nirvana ? Then there's NFTables; not sure anything useful is published on NFTables, nor how effective it is for a workstation firewall... [3] Thanks Watler for sharing. Increasing the population of (OpenRC et. al.) minimalists is always welcome as our numbers are growing every day; not that one is bound to OpenRC to be a gentoo_minimalist. hth, James [1] https://blogs.gentoo.org/alicef/ https://archives.gentoo.org/gentoo-soc/threads/2017-06/ [3] https://wiki.gentoo.org/wiki/Nftables
Re: [gentoo-user] Choosing between system profiles: hardened and desktop for desktop installation.
On Tue, Jul 4, 2017 at 4:12 AM, Peter Humphreywrote: > On Tuesday 04 Jul 2017 05:20:41 Ian Bloss wrote: >> You should use the hardened profile with the harden sources. On terms with >> security you could compile a hardened kernel but you sacrifice ease of >> use by having to manage pax and if you choose an RBAC system like SElinux >> or grsecuritys adds more burden. >> >> Security isn't a product, so I would recommend sticking with regular >> profile with stable packages, and be mindful of what you have opened up to >> the internet. I would also recommend just reading up on linux security in >> general to understand what you're trying to make yourself more secure to. > > I second that last point. I looked into hardened Gentoo some years ago and > came to the conclusion that it wasn't worth all the extra trouble. My > impression (though I could easily be wrong) is that hardening is intended > more for protection against local threats, like someone else sitting in your > seat, than anything coming in over the wires. > The majority of the hardening is applied to kernel structures that most people never interact with and don't know exist. The changes are supposed to make it harder to glean information about the inner workings of the kernel, as many exploits require rather intimate knowledge about what the kernel is doing and when. There were some more noticeable parts that turned certain parts of /sys and /proc off, but you could either whitelist or blacklist a certain group. This is actually one of the more novel additions, as both places provide a lot of information that is useful for attacking a system.[1] Related changes also made things like chroot jails work as intended and prevent data from leaking into or out of them. The additions that do things like prevent USB devices not plugged in since boot as working are mainly intended for server environments, where you don't want technicians or janitors to be able to attack your servers by exploiting faulty USB drivers. This also helps prevent individuals with always-on workstations to some extent, but if that is what you are afraid of you should carry your trusted computer on your person at all times. [1] Depending on what is exposed in /proc any process running as a user can make arbitrary changes to any other process running as that user, so by compromising e.g. a web browser you have effectively become that user. It's worth noting similar functionality is also available via ptrace (the syscall that implements most debugging functions). On Tue, Jul 4, 2017 at 12:44 PM, Toralf Förster wrote: > On 07/04/2017 07:12 AM, Ста Деюс wrote: >> So, I would like to use the >> hardened profile and then add the desktop packages, namely openbox w/o > > I do run a hardened profile at my desktop (KDE) since about 3 years - > almost w/o any trouble. > > Recently I switched just from hardened kernel to vanilla kernel - b/c > the hardened PAX kernel (GRsecurity) isn't any longer freely available > and the vanilla is nowadays at 4.12. > > Works fine so far. > Apparently I misread the initial announcement. It didn't originally look like GRsecurity had withdrawn all nonpaid support, but I guess they have. I will be going back to the vanilla sources if that is the case. Do you know how the concept of a hardened toolchain is going to be preserved going forward?
Re: [gentoo-user] Choosing between system profiles: hardened and desktop for desktop installation.
On Tue, Jul 04, 2017 at 01:37:38PM -0400, james wrote > W. Dnes is the king of minimalist here, so when he gives advise > realize it has decades of experimentation to get to where he is on > minimization. Not exactly "decades". I first started linux in late 1999 or early 2000. The minimalist approach was a side-effect of me being cheap. Even though I have a newer machine as my "hot backup" waiting in the wings, I want to run my older machine into the ground first. 10 years ago I was running a 450 mhz pentium3 with 256 megabytes of ram. Today I'm running a 2008 Dell with Core2 Duo and 3 gigs of ram today. I have a newer i6 with 8 gigs of ram as the hot backup. Running an older limited machine forces you to optimize. The Gentoo USE flags give me the control to do the utmost minimization. I run the plain default/linux profile, and ICEWM as my WM and no "desktop environment" (as per my sig). The less attack surface, the better. Do not run the Flash plugin or the Java plugin. If you absolutely have to do so, use it inside a VM (e.g. QEMU). I have an aggressive handcrafted iptables firewall. In addition, my little LAN sits behind a NAT-ing router, and I disable UPNP. That covers my approach to security. I run mostly stable, except where an app I want/need is only unstable. Gentoo currently defaults to gcc-5.4.0. I've enabled 6.3.0. I have to enable ICEWM 1.3.12-r1. The regular stable version built under gcc 6.3.0 segfaults 1 or 2 seconds after starting. I used to run with USE="-* blah blah blah". I no longer do that, but I aggressively disable USE flags, until something breaks, then I back off. My current USE line (it's actually one long line)... USE="X apng bindist ffmpeg jpeg opengl png szip truetype x264 x265 xorg threads webp -acl -berkdb -caps -cracklib -crypt -filecaps -gallium -gdbm -graphite -gstreamer -iconv -introspection -ipc -iptables -ipv6 -libav -llvm -manpager -nls -openmp -pam -pch -sendmail -tcpd -udev -udisks -unicode -xinerama" Some of the above is over-ridden in package.use. -- Walter DnesI don't run "desktop environments"; I run useful applications
Re: [gentoo-user] Choosing between system profiles: hardened and desktop for desktop installation.
On 07/04/2017 07:12 AM, Ста Деюс wrote: > So, I would like to use the > hardened profile and then add the desktop packages, namely openbox w/o I do run a hardened profile at my desktop (KDE) since about 3 years - almost w/o any trouble. Recently I switched just from hardened kernel to vanilla kernel - b/c the hardened PAX kernel (GRsecurity) isn't any longer freely available and the vanilla is nowadays at 4.12. Works fine so far. -- Toralf PGP 23217DA7 9B888F45 signature.asc Description: OpenPGP digital signature
Re: [gentoo-user] Choosing between system profiles: hardened and desktop for desktop installation.
On 07/04/17 01:12, Ста Деюс wrote: > Hi. > > I'm new to Gentoo, and before new installation on my PC, keep trying to > choose between system profiles. I want to use the PC as desktop, but am > concerned on security and minimalism. So, I would like to use the > hardened profile and then add the desktop packages, namely openbox w/o > any X-session managers -- just logging in w/ text console and then > startx. > > So, is my setup wise, or i miss something because do not know something > on the distro. regarding this points of installation? > > Thank you for your time, > Sthu. Minimalism does reduce attack surfaces, but on a workstation, if later on you want some complex and fancy software, often you have to start adding codes, flags and recompiling quite a lot. On specific task machines, I always go the minimal route, ymmv. I run lxde but it is morphing into lxqt (or at least that's what is commonly posted. I've run openbox and actually now use a mixture of codes to build up one minimized workstation, but it is a pita to get happy. W. Dnes is the king of minimalist here, so when he gives advise realize it has decades of experimentation to get to where he is on minimization. I've been hacking on codes for minimized Hi Performance Computing (HPC) gentoo style, but not ready to release anything as it is a moving target. "Unikernels" are my pathway forward but this path is a huge time sink... Caveat Emptor! Hardened is changing, do to the fact that the patches provided to the linux kernel team, are not being provided for free anymore. There is much angst as to the pathway forward. Much of the work is being carried forward in the kernel, compiler projects and some apps but what to do, post kernel 4.9.x is not clear for gentoo, atm. This thread by blueness on gentoo-dev is a good place to start reading, look in the archives:: [gentoo-dev] The status of grsecurity upstream and hardened-sources downstream Here's the [thread]intro:: "Since late April, grsecurity upstream has stop making their patches available publicly. Without going into details, the reason for their decision revolves around disputes about how their patches were being (ab)used. Since the grsecurity patch formed the main core of our hardened-sources kernel, their decision has serious repercussions for the Hardened Gentoo project. I will no longer be able to support hardened-sources and will have to eventually mask and remove it from the tree. Hardened Gentoo has two sides to it, kernel hardening (done via hardened-sources) and toolchain/executable hardening. The two are interrelated but independent enough that toolchain hardening can continue on its own. The hardened kernel, however, provided PaX protection for executables and this will be lost. We did a lot of work to properly maintain PaX markings in our package management system and there was no part of Gentoo that wasn't touched by issues stemming from PaX support. I waited two months before saying anything because the reasons were more of a political nature than some technical issue. At this point, I think its time to let the community know about the state of affairs with hardened-sources. I can no longer get into the #grsecurity/OFTC channel (nothing personal, they kicked everyone), and so I have not spoken to spengler or pipacs. I don't know if they will ever release grsecurity patches again. My plan then is as follows. I'll wait one more month and then send out a news item and later mask hardened-sources for removal. I don't recommend we remove any of the machinery from Gentoo that deals with PaX markings. " Personally, I'd suggest following Anthony (blueness) as to the gentoo-hardened pathway forward, but surely others in the extended gentoo community are surefooted with gentoo security. (Pentoo) might be of interest as a workstation pathway forward If you cannot block them, join them? ;-) hth, James And more links for your convenience:: https://www.theregister.co.uk/2015/08/27/grsecurity https://www.wilderssecurity.com/threads/grsecurity-patches-going-private.393068/ https://lwn.net/Articles/662219/ https://lwn.net/Articles/698891/ https://grsecurity.net/compare.php https://www.theregister.co.uk/2015/08/27/grsecurity
Re: [gentoo-user] Choosing between system profiles: hardened and desktop for desktop installation.
On Tuesday 04 Jul 2017 05:20:41 Ian Bloss wrote: > You should use the hardened profile with the harden sources. On terms with > security you could compile a hardened kernel but you sacrifice ease of > use by having to manage pax and if you choose an RBAC system like SElinux > or grsecuritys adds more burden. > > Security isn't a product, so I would recommend sticking with regular > profile with stable packages, and be mindful of what you have opened up to > the internet. I would also recommend just reading up on linux security in > general to understand what you're trying to make yourself more secure to. I second that last point. I looked into hardened Gentoo some years ago and came to the conclusion that it wasn't worth all the extra trouble. My impression (though I could easily be wrong) is that hardening is intended more for protection against local threats, like someone else sitting in your seat, than anything coming in over the wires. In the end I just used the stable sources with a decent firewall: shorewall, in fact. If your network setup isn't too unusual, you can use one of their standard sets of configuration files. That's my two-penn'orth, anyway. -- Regards Peter
Re: [gentoo-user] Choosing between system profiles: hardened and desktop for desktop installation.
On Tue, Jul 4, 2017 at 12:12 AM, Ста Деюсwrote: > Hi. > > I'm new to Gentoo, and before new installation on my PC, keep trying to > choose between system profiles. I want to use the PC as desktop, but am > concerned on security and minimalism. So, I would like to use the > hardened profile and then add the desktop packages, namely openbox w/o > any X-session managers -- just logging in w/ text console and then > startx. > > So, is my setup wise, or i miss something because do not know something > on the distro. regarding this points of installation? > > Thank you for your time, > Sthu. > You should select the hardened profile and then install the desktop related packages you want manually. Everything should work by default. If you want to use SELinux, the default policies available assume you are using a login manager. On Tue, Jul 4, 2017 at 12:21 AM, Ian Bloss wrote: > If you want to go with the hardened sources, there's a great wiki article on > it. > I think his question is mostly about how he should approach installing everything: start with a desktop-based system and then harden it, or set up a hardened system and then install the desktop programs. The Gentoo project doesn't actually support doing the former. The latter is far easier. R0b0t1.
Re: [gentoo-user] Choosing between system profiles: hardened and desktop for desktop installation.
If you want to go with the hardened sources, there's a great wiki article on it. On Mon, Jul 3, 2017, 10:20 PM Ian Blosswrote: > You should use the hardened profile with the harden sources. On terms with > security you could compile a hardened kernel but you sacrifice ease of use > by having to manage pax and if you choose an RBAC system like SElinux or > grsecuritys adds more burden. > > Security isn't a product, so I would recommend sticking with regular > profile with stable packages, and be mindful of what you have opened up to > the internet. I would also recommend just reading up on linux security in > general to understand what you're trying to make yourself more secure to. > > On Mon, Jul 3, 2017, 10:13 PM Ста Деюс wrote: > >> Hi. >> >> I'm new to Gentoo, and before new installation on my PC, keep trying to >> choose between system profiles. I want to use the PC as desktop, but am >> concerned on security and minimalism. So, I would like to use the >> hardened profile and then add the desktop packages, namely openbox w/o >> any X-session managers -- just logging in w/ text console and then >> startx. >> >> So, is my setup wise, or i miss something because do not know something >> on the distro. regarding this points of installation? >> >> Thank you for your time, >> Sthu. >> >>
Re: [gentoo-user] Choosing between system profiles: hardened and desktop for desktop installation.
You should use the hardened profile with the harden sources. On terms with security you could compile a hardened kernel but you sacrifice ease of use by having to manage pax and if you choose an RBAC system like SElinux or grsecuritys adds more burden. Security isn't a product, so I would recommend sticking with regular profile with stable packages, and be mindful of what you have opened up to the internet. I would also recommend just reading up on linux security in general to understand what you're trying to make yourself more secure to. On Mon, Jul 3, 2017, 10:13 PM Ста Деюсwrote: > Hi. > > I'm new to Gentoo, and before new installation on my PC, keep trying to > choose between system profiles. I want to use the PC as desktop, but am > concerned on security and minimalism. So, I would like to use the > hardened profile and then add the desktop packages, namely openbox w/o > any X-session managers -- just logging in w/ text console and then > startx. > > So, is my setup wise, or i miss something because do not know something > on the distro. regarding this points of installation? > > Thank you for your time, > Sthu. > >