Alex Efros wrote:
> Hi!

> On Tue, Nov 25, 2008 at 09:02:58PM -0500, 7v5w7go9ub0o wrote:
>> I run the "old" hardened toolchain, grsecurity-enhanced hardened kernel,
>> rbac control, and jails for anything that accesses the LAN/WAN. (heh... I
>> even chroot and kill dhcpcd after 5 seconds). Avira has hundreds of Linux
>> rootkit signatures in its database, so I run Avira and Dazuko realtime/on-access
>> scanning on my /home directory, the chroot jails, and on the portage workspace
>> used during download and compilation.

> Wow. While I'm a paranoiac in this sense too, I'm too lazy to do most of
> these things. It's good to know there is potential for me to advance on
> this path! ;-)

I set this up three+ years ago, and after the initial setup, it's been
really easy to maintain. Every now and then I have to "retrain" RBAC,
but I use a training script to do that, so it is pretty automatic as well.



> BTW, was your workstation ever really under attack (not counting ssh worms
> and the like script-kiddie games)? Were there attacks that were able to
> break the first circle of protection (GrSec+PaX+toolchain)?

I've not had anything break G+P+T.

- I had PaX continuously cancel Firefox on a particular site a few years
ago, and never figured out what it was. It might have been a browser
attack, or it may have simply been a badly-written extension.

I now browse with Opera (in a jail), and use Firefox ("fox in a box") in
a limited way.

- Today I also real-time scan the browser jails (which I run in a ramdisk,
so that any unintended changes are discarded at the end of the session)
with Dazuko/AntiVir, and have had a number of suspicious scripts blocked
by AntiVir before the browser could act on them - so I think that my
exposure is thereby reduced.


> As for me, I decided not to worry about these things (browser chroot, etc.)
> for now, because on a workstation the most important information is the files
> in my home directory... and the applications I use (like browser, mail client,
> etc.) MUST have access to these files, or these applications become nearly
> unusable for me. So, even with RSBAC, if my mutt is owned by some
> malicious email and it deletes/damages the files it usually has access to
> (like my mailbox :)), that will be _enough_ and will do much more damage to
> me than installing a rootkit. So, I choose to do regular automated backups
> and run chkrootkit/rkhunter from cron, just in case they detect
> something interesting to play with. :)

Well, that's a good point - it can be a pain, e.g. copying a document
into the mail client chroot jail so that I can send it.

I also use numerous, individual, single-purpose users (e.g.
ooffice:ooffice, opera:opera, tbird:tbird, etc.) so that, e.g.,
user/jail wireshark:wireshark cannot read user tbird:tbird, and vice
versa.

This can be a pain because I need to change privilege, as well as
copy things into, e.g., the tbird jail.

Copying downloads out of jails is easy - a script copies all downloads
from the various jails into a single folder, which is then scanned for
Trojan signatures.
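A minimal version of that collect-and-scan sweep, added here as an illustration rather than the poster's own script. It assumes a hypothetical layout of one jail per application under a jail root with a Downloads folder inside each, prefixes copied files with the jail name so same-named downloads do not overwrite each other, skips symlinks a jailed process might plant, strips execute bits, and uses clamscan as a stand-in because the AntiVir command line is not shown in the thread.

```shell
#!/bin/sh
# Sweep downloads out of per-application chroot jails into one quarantine
# directory, then scan that directory. Assumed (hypothetical) layout: each
# jail is $JAIL_ROOT/<name> and its download folder is
# $JAIL_ROOT/<name>/home/<name>/Downloads.

JAIL_ROOT="${JAIL_ROOT:-/jails}"
QUARANTINE="${QUARANTINE:-/var/quarantine/downloads}"
# Stand-in scanner: the poster uses AntiVir, whose CLI is not shown in the
# thread; clamscan is substituted here. Left unquoted on purpose so the
# variable may carry arguments.
SCANNER="${SCANNER:-clamscan -r --infected}"

# collect_downloads <jail_root> <dest>: copy regular files from every jail's
# download folder into <dest>, prefixed with the jail name so identical file
# names from different jails do not overwrite each other. Prints the count.
collect_downloads() {
    root="$1"; dest="$2"; count=0
    mkdir -p "$dest"
    for jail in "$root"/*/; do
        [ -d "$jail" ] || continue
        name=$(basename "$jail")
        dl="${jail}home/$name/Downloads"
        [ -d "$dl" ] || continue
        for f in "$dl"/*; do
            # Skip symlinks: a jailed process could plant one pointing at a
            # file outside its jail, and following it would copy that file.
            [ -L "$f" ] && continue
            [ -f "$f" ] || continue
            target="$dest/${name}__$(basename "$f")"
            cp -- "$f" "$target"
            # Quarantined files must never be accidentally executable.
            chmod 0600 "$target"
            count=$((count + 1))
        done
    done
    echo "$count"
}

# run_sweep: collect everything, then scan the quarantine directory.
run_sweep() {
    n=$(collect_downloads "$JAIL_ROOT" "$QUARANTINE")
    echo "collected $n file(s) into $QUARANTINE"
    $SCANNER "$QUARANTINE"
}

if [ "${1:-}" = "--run" ]; then
    run_sweep
fi
```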
