For those of you who are fresh like myself, Im going to compile some information Ive found on Qubes Kernel hardening. And for the tech savvy Qubes junkies, also like myself, lets have another discussion! Of course anyones welcome to add their 2 cents or drop a dime.
~Things that I think are facts but might not be as of early 2018~ 1. Qubes does not incorporate kernel hardening. 2. GrSecurity is really great security? (Discussion/opinion below) 3. The Coldkernel Team is working on Qubes kernel hardening. 4. GrSecurity is working close with PaX. Q - Why should you care? A - Kernel Hardening protects against many forms of L337 H4X0R5 and monsters. ~More pseudo-phacts~ 5. "PaX is maintained by The PaX Team, whose principal coder is anonymous" -cite: https://en.wikipedia.org/wiki/PaX 6. GrSecurity is really great security but very few distros use it. -Why? An extrapolation on this below. 7. Q - Why is Qubes not integrated with GrSecurity/PaX? A - "Grsec is dead (at least as an open source project), so it doesn't apply anymore." -marmarek (dev) 8. Q - How can we easily incorporate kernel hardening into our Qubes? A - Directly into your qubes just like this: https://coldhak.ca/blog/2016/12/12/coldkernel-qubes-1.html ~On GrSecurity/PaX~ GrSecurity, allegedly, is a really great form of kernel hardening. A brief look at their wikibooks.org page tells you that they have done their homework. Notably, there are features that Qubes users would find very appealing. Upon further investigation, it seems as though this is not an open source project, meaning that only the inner core of developers works on maintaining and updating the code, but the source is still free to distribute so long as its not changed, from my understanding. (cont. below) cite: https://en.wikibooks.org/wiki/Grsecurity/Appendix/Grsecurity_and_PaX_Configuration_Options GrSec doesnt keep their docs well maintained and the setup uses lots of jargon/acronyms that are not for modest users. -misquote, Qubes user, April 2017 -drawbacks to GrSec: -you have to pay for support to keep up-to-date with patches -the likely-hood of users scrutinizing the code is much smaller than open-source development GrSec, while it sounds good, is aimed at a different breed of user-base. I really like the idea of (excuse my lack of proper technical terms) a non-profit that still gets paid. I have no idea how it actually works, but I assume that people that believe in a presented idea donate and developers get paid to preform a civil service. That is a really sound business plan. Sure, lots of people do not donate. Alternately, lots of people DO donate. For instance, Kali Linux. They offer a free to the public open source service: the hacking distro, originally Backtrack Linux. They needed more money, so instead of living off of donations, they created the OffSec brand training and certifications. OffSec and Kali: two mostly different products that do not solely rely on each other. Or I should say, Kali does not rely on OffSec. The difference that Im hinting at is that GrSec does not support this freedom. Its subtly obvious that between not keeping the documentation up-to-date and the software itself being hard to understand, they have made the open source 'project' extremely difficult for the end user. It is only really feasible for enterprises. To reiterate in a somewhat prejudice, unprofessional manner: Theyre not open source because they believe in open source. Their heart isnt in it. Back to business. "In late June, noted open-source programmer Bruce Perens warned that using Grsecurity's Linux kernel security could invite legal trouble." -theregister.co.uk pseudo-facts: Bruce Perens posted a blog article in late June of 2017 that concluded that anyone who compiled their kernel using GrSec was subject to "contributory infringement and breach of contract" due to the GNU policy declining the modification of code. At first glance, it would seem that Perens did slander this company and some would argue that this accusation would be a far-fetched plausability for a company that is only insuring themselves. But as the security community well knows and lawsuits have well-documented, corporations often blur the lines between property dispute. The month after Perens posted his blog, the stated company lashed back as would a person deeply hurt by critique. I wouldnt think that slander would warrant a lawsuit, but a lawsuit it was accusing Bruce, his webhost and others of defamation and business interference. This does not make them stand out from other companies. After all, Cisco sued DefCon in 2005 for similar reasons of exposing vulnerabilities in their routers. But this is the nature of what makes security SECURE. Exposing loopholes and plugging them. And this company acted with a most unbecoming maturity. cite: https://www.theregister.co.uk/2017/08/03/linux_kernel_grsecurity_sues_bruce_perens_for_defamation/ The software is licensed under the GNU GPL version 2 meaning the software is free to distribute as is. The cited article also declares that Perens accuses the company of over-ruling the license agreement by stating that customers who distribute the subscription patches will forfeit their customer rights. GNU GPL v2 section 6: You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License. If youre still thinking about using this obviously robust software, I will conclude by restating that GrSec does not have the consumers best interests in mind. And this the the most important consideration when deciding whether to use a product. It should also be well noted that when googling 'GrSec', there are many concerns. Hardened Linux stalwarts Grsecurity pull the pin after legal fight https://www.theregister.co.uk/2015/08/27/grsecurity/ Linux kernel security gurus Grsecurity oust freeloaders from castle https://www.theregister.co.uk/2017/04/26/grsecurity_linux_kernel_freeloaders/ Linus Torvalds slams 'pure garbage' from 'clowns' at Grsecurity https://www.theregister.co.uk/2017/06/26/linus_torvalds_slams_pure_garbage_from_clowns_at_grsecurity/ My mail to the grsecurity team to expose their FUD http://www.openwall.com/lists/kernel-hardening/2017/06/29/7 Beyond #Grsecurity: The Future of Linux security is Brighter than Ever https://www.whonix.org/blog/beyond-grsecurity-future-linux-security-brighter-ever -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to email@example.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/732c454e-784e-4927-8b61-e1992155d878%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.