On Mon, 11 Aug 2014 14:17:12 -0700
Mark Knecht <[email protected]> wrote:
Hi all,
Just an introduction. First post here but _longtime_ Gentoo user.
(Early 2003 I think...) I ran Redhat before that starting in 1997.
I'm a basic desktop end-user type. Self-employed, using KDE,
vlc/makemkv/handbrake, and multiple Virtualbox Win 7 VMs for trading
in the financial markets. I've converted my wife & 3 generations of
my
family (parents in the 80's and son in his 20's) to Gentoo. None of
use native Windows anymore. I administer all the systems.
Sounds like an OSS "model family". Congrats! ;-)
I'm starting to look down the road to a new main machine for me
in
6 months to 1 year. I'd like to start learning about the whole
hardened environment - what it can and cannot do, at least easily.
If
I go this direction it's likely to try to be a fully encrypted disk
subsystem, including initrd. I'm not overly performance driven, but
that said I want to know where the cycles are going and don't want
to
waste them if possible.
Regarding system performance, my personal experience has been that
the
various overheads involved in typical "hardened" Linuxes are
measurable, but not noticeable with most usage patterns. That said,
there's one kind of "performance" which certainly degrades:
Administration performance. You've got to have some time to debug all
these tiny little problems which arise due to badly written software
being incompatible with the system hardening etc.
I'd always recommend encrypting your HDD, even for otherwise
non-hardened systems. Performance losses aren't that bad, and the
advantages are huge. (For example, think about sending in a laptop
for
a warranty repair. You don't want to wipe your hdd before, but you
also
don't want the vendor to be able to read it.)
On the other hand, I've made some bad experiences with the
initramdisk's required for that. Neither dracut nor genkernel did
work
satisfyingly, especially when SELinux entered the equation. I've been
told the situation has improved in the meantime, but I've already
switched to using a custom-written initramdisk. It's rock-solid,
easily
understandable and only does those things I want it to do, but those
very well. (Of course, I'm willing to share the sources if someone is
interested.)
Anyway, thought I'd say hi and look for any pointers about what
to
read for a user such as myself. I'm going through the Gentoo
Hardened
pages and trying to understand what model to use - grsecurity or
selinux. I'm leaning toward grsecurity but I don't have a good
reason
one way or the other as of yet.
There's much out there on the *net worth a look. Be sure to check out
the Gentoo wiki:
https://wiki.gentoo.org/index.php?title=Special%3APrefixIndex&prefix=Hardened&namespace=0
Oh, and also don't forget reading the help texts of the various
grsecurity kernel options. Most of them are well-documented.
Concerning "grsecurity vs SELinux", you're mixing up something here.
There's SELinux, an "mandatory access control" (MAC) system available
in the main-line kernels. And there's grsecurity/PaX, an extensive
set
of kernel patches which is included in hardened-sources. It includes
an
"RBAC" subsystem which is similar to SELinux in its purpose, but
grsecurity is much more than that. It has kernel patches for "Kernel
auditing" and "Chroot jail restrictions" to name only a few (as I
said, check out the help texts!) and it includes the PaX suite, which
dictates (among other things) that userland processes can't both
write
to a memory region and execute code from there, thereby avoiding a
whole
class of common exploits. All of those options are independent of
your
using RBAC or SELinux (or no MAC system at all).
For starting out, I'd recommend using PaX and playing around with the
other grsecurity options, but leaving RBAC and SELinux alone, as they
add much more complexity and can be really overwhelming at the
beginning.
Later on, you can still add one of these MAC systems. (I personally
do
recommend SELinux, but that's a matter of taste, and as I said, don't
worry about that now.)
I am interested in trying to do this in a VBox VM just as a
learning exercise and which I understand it won't be as secure as
doing it on bare metal I'd be very interested in hearing about
others
experience in this area.
I've never used Virtualbox, but I know hardened-sources kernels work
very well in KVM environments. That said, it's certainly a wise
decision to test substantive system changes beforehand in a
virtualized
environment.
