Jan Klod wrote:
Suppose, I want to take some extra precautions and set up PaX&co and MAC on a
workstation with Xorg and other nice KDE apps (only some of which should be
granted access to files in folder X). I would like to read others opinion, if
I can get considerable security improvements or I will have to make that much
of exceptions to those good rules, as it makes protection too useless?
Regards,
Jan
Depends upon your definition of hardening, I guess.
I run the "old" hardened toolchain, grsecurity-enhanced hardened kernel,
rbac control, and jails for anything that accesses the LAN/WAN.(heh... I
even chroot and kill dhcpcd after 5 seconds). Avira has hundreds of
Linux rootkit signatures in its database, so I run Avira and Dazuko
realtime/on-access scanning on my /home directory, the chroot jails, and
on the portage workspace used during download and compilation.
I presume that for a desktop user, most attacks come in through the
browser, and/or extensions, plugins (e.g. flash), BHO's, etc. Something
could also come through the distribution chain from a compromised or
spoofed source - therefor the signature scanning.
- I presume that pax and/or ssp will protect me against memory attacks
that may come in through a L/WAN connection.
- If the L/WAN attack comes in through, say, a browser exploit or
backdoor it will be confined by RBAC to the areas I trained it to
access, and no more. That would be the jail.
- If the browser tries to "jail break", it will run up against the anti
jailbreak hardening provided by grsecurity, and be terminated.
- grsecurity blocks writing to /dev/mem, kmem, port.
Judging by the other posts here, someone who knows what he is doing can
have my box.
Well..... yes! - nothing is 100%. But I'm not trying to protect
against him.... I'm worried about 95%: the 0-day browser bugs,
compromised extensions, etc. that may allow a Trojan to try its stuff,
or may allow an inpatient script-kiddee to have a shell on a Linux box
that doesn't have this kernel and binary hardening; that doesn't run
applications in hardened jails.
