On Mon, 11 Aug 2014 14:17:12 -0700 Mark Knecht <[email protected]> wrote:
> Hi all, > Just an introduction. First post here but _longtime_ Gentoo user. > (Early 2003 I think...) I ran Redhat before that starting in 1997. > > I'm a basic desktop end-user type. Self-employed, using KDE, > vlc/makemkv/handbrake, and multiple Virtualbox Win 7 VMs for trading > in the financial markets. I've converted my wife & 3 generations of my > family (parents in the 80's and son in his 20's) to Gentoo. None of > use native Windows anymore. I administer all the systems. Sounds like an OSS "model family". Congrats! ;-) > I'm starting to look down the road to a new main machine for me in > 6 months to 1 year. I'd like to start learning about the whole > hardened environment - what it can and cannot do, at least easily. If > I go this direction it's likely to try to be a fully encrypted disk > subsystem, including initrd. I'm not overly performance driven, but > that said I want to know where the cycles are going and don't want to > waste them if possible. Regarding system performance, my personal experience has been that the various overheads involved in typical "hardened" Linuxes are measurable, but not noticeable with most usage patterns. That said, there's one kind of "performance" which certainly degrades: Administration performance. You've got to have some time to debug all these tiny little problems which arise due to badly written software being incompatible with the system hardening etc. I'd always recommend encrypting your HDD, even for otherwise non-hardened systems. Performance losses aren't that bad, and the advantages are huge. (For example, think about sending in a laptop for a warranty repair. You don't want to wipe your hdd before, but you also don't want the vendor to be able to read it.) On the other hand, I've made some bad experiences with the initramdisk's required for that. Neither dracut nor genkernel did work satisfyingly, especially when SELinux entered the equation. I've been told the situation has improved in the meantime, but I've already switched to using a custom-written initramdisk. It's rock-solid, easily understandable and only does those things I want it to do, but those very well. (Of course, I'm willing to share the sources if someone is interested.) > Anyway, thought I'd say hi and look for any pointers about what to > read for a user such as myself. I'm going through the Gentoo Hardened > pages and trying to understand what model to use - grsecurity or > selinux. I'm leaning toward grsecurity but I don't have a good reason > one way or the other as of yet. There's much out there on the *net worth a look. Be sure to check out the Gentoo wiki: https://wiki.gentoo.org/index.php?title=Special%3APrefixIndex&prefix=Hardened&namespace=0 Oh, and also don't forget reading the help texts of the various grsecurity kernel options. Most of them are well-documented. Concerning "grsecurity vs SELinux", you're mixing up something here. There's SELinux, an "mandatory access control" (MAC) system available in the main-line kernels. And there's grsecurity/PaX, an extensive set of kernel patches which is included in hardened-sources. It includes an "RBAC" subsystem which is similar to SELinux in its purpose, but grsecurity is much more than that. It has kernel patches for "Kernel auditing" and "Chroot jail restrictions" to name only a few (as I said, check out the help texts!) and it includes the PaX suite, which dictates (among other things) that userland processes can't both write to a memory region and execute code from there, thereby avoiding a whole class of common exploits. All of those options are independent of your using RBAC or SELinux (or no MAC system at all). For starting out, I'd recommend using PaX and playing around with the other grsecurity options, but leaving RBAC and SELinux alone, as they add much more complexity and can be really overwhelming at the beginning. Later on, you can still add one of these MAC systems. (I personally do recommend SELinux, but that's a matter of taste, and as I said, don't worry about that now.) > I am interested in trying to do this in a VBox VM just as a > learning exercise and which I understand it won't be as secure as > doing it on bare metal I'd be very interested in hearing about others > experience in this area. I've never used Virtualbox, but I know hardened-sources kernels work very well in KVM environments. That said, it's certainly a wise decision to test substantive system changes beforehand in a virtualized environment. Regards, Luis Ressel PS: Wow, that mail I've just written somehow reminds me of Duncan.
signature.asc
Description: PGP signature
