On Sun, Dec 24, 2017 at 1:09 AM, Peter Humphrey <pe...@prh.myzen.co.uk> wrote:
> Hello list,
>
> Now that grsecurity is off-limits, I'm left wondering how to go about
> hardening a no-multilib box that will be exposed to the Big Bad World.
>
> To start with, it's not obvious which profile to use:
>
> $ eselect profile list | grep no-multi | grep hardened
> [23] default/linux/amd64/17.0/no-multilib/hardened
> [24] default/linux/amd64/17.0/no-multilib/hardened/selinux
> [29] hardened/linux/amd64/no-multilib
> [30] hardened/linux/amd64/no-multilib/selinux

I'm using default/linux/amd64/17.0/desktop/gnome/systemd and the binaries are all pretty much:

Position Independent Executable: yes
Stack protected: yes
Fortify Source functions: yes
Read-only relocations: yes
Immediate binding: no, not found!

So I'm wondering how much difference there is between hardened and non-hardened profiles these days.

For kernel configs, I'm using these as they sounded sensible on a cursory read of the help (some are quite recent additions to the kernel):

CONFIG_CC_STACKPROTECTOR=y
CONFIG_CC_STACKPROTECTOR_STRONG=y
CONFIG_RANDOMIZE_BASE=y
CONFIG_RANDOMIZE_MEMORY=y
CONFIG_HARDENED_USERCOPY=y
CONFIG_FORTIFY_SOURCE=y
CONFIG_VMAP_STACK=y
CONFIG_REFCOUNT_FULL=y

I don't use AppArmor or SELinux, but for an internet-facing webserver I'd consider using SELinux to more finely lock down permissions on the webroot. I also recall that a fully permissive SELinux configuration has a side effect that improves security, so CONFIG_SECURITY_SELINUX is on, but I can't find any evidence to support my memory on that one.

Lastly, this is in /etc/sysctl.conf. SYN cookies is a kernel option. The fin timeout cut was to clear out tens of thousands of TIME_WAIT sessions.

net.ipv4.tcp_fin_timeout = 20
net.ipv4.tcp_syncookies = 1
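The kernel options listed in the message above are easy to lose track of across kernel upgrades, because symbols get renamed or dropped. The script below is an added example (not code from the thread or from any Gentoo tool) that audits a plain-text kernel config, assumed to be `/boot/config-$(uname -r)` or the output of `zcat /proc/config.gz`, against that list plus CONFIG_SECURITY_SELINUX. It distinguishes an option that is explicitly off (`# CONFIG_X is not set`) from one the kernel does not know at all, and accepts the post-4.18 spellings CONFIG_STACKPROTECTOR / CONFIG_STACKPROTECTOR_STRONG, which replaced the CC_ prefixed names. The `WANTED` list and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original thread: audit a kernel .config for the
# hardening options discussed above. Input is a plain-text config file such as
# /boot/config-$(uname -r) or the result of `zcat /proc/config.gz > /tmp/config`.

# One entry per line; "|" separates alternative symbol names. Kernels 4.18 and
# later dropped the CC_ prefix from the stack-protector symbols.
WANTED="
CONFIG_CC_STACKPROTECTOR|CONFIG_STACKPROTECTOR
CONFIG_CC_STACKPROTECTOR_STRONG|CONFIG_STACKPROTECTOR_STRONG
CONFIG_RANDOMIZE_BASE
CONFIG_RANDOMIZE_MEMORY
CONFIG_HARDENED_USERCOPY
CONFIG_FORTIFY_SOURCE
CONFIG_VMAP_STACK
CONFIG_REFCOUNT_FULL
CONFIG_SECURITY_SELINUX
"

# kconfig_state FILE OPTION
# Prints y (built in), m (module), n (explicitly "is not set") or absent
# (the symbol does not occur in the file at all, e.g. unknown to this kernel).
kconfig_state() {
    file=$1; opt=$2
    if grep -q "^$opt=y\$" "$file"; then
        echo y
    elif grep -q "^$opt=m\$" "$file"; then
        echo m
    elif grep -q "^# $opt is not set\$" "$file"; then
        echo n
    else
        echo absent
    fi
}

# check_kconfig FILE
# Prints one line per WANTED entry. Alternatives are tried in order and the
# first symbol the kernel knows about is reported. The return value is the
# number of entries that are not built in (=y), so 0 means "all good".
check_kconfig() {
    file=$1; missing=0
    for entry in $WANTED; do
        name=${entry%%|*}      # report the first spelling if none is known
        state=absent
        oldifs=$IFS; IFS='|'
        for cand in $entry; do
            st=$(kconfig_state "$file" "$cand")
            if [ "$st" != absent ]; then
                name=$cand; state=$st
                break
            fi
        done
        IFS=$oldifs
        if [ "$state" = y ]; then
            printf '%-8s %s\n' OK "$name"
        else
            printf '%-8s %s (%s)\n' MISSING "$name" "$state"
            missing=$((missing + 1))
        fi
    done
    return $missing
}

# Usage on a live box:
#   check_kconfig /boot/config-$(uname -r) || echo "$? hardening option(s) not built in"
```

Treat "absent" differently from "n": an absent symbol can mean the option is simply not in that kernel version (CONFIG_VMAP_STACK and CONFIG_REFCOUNT_FULL are recent, as the message notes), while "n" means it was deliberately disabled in the config.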