Re: [gentoo-user] How to harden a system
> On 25 Dec 2017, at 15:33, Frank Steinmetzger wrote:
>
> > On Mon, Dec 25, 2017 at 12:56:44AM -0600, R0b0t1 wrote:
> >> On Mon, Dec 25, 2017 at 12:55 AM, R0b0t1 wrote:
> >>> On Sun, Dec 24, 2017 at 1:44 PM, taii...@gmx.com wrote:
> >>>> It is truly disturbing to think that someone with an ME exploit could
> >>>> hack 80% of the computers on the planet.
> >>>
> >>> And sometimes I wonder
> >>
> >> if it's already been done.
> >
> > Was it really necessary to send 12 Megs of pictures to hundreds of
> > subscribers for the information content of a few dozen bytes? Even picture
> > "apps" on phones are able to resize images.

I assumed this was a fat-fingered mistake. How are the pics relevant to the
thread?

Stroller.
Re: [gentoo-user] How to harden a system
On Mon, Dec 25, 2017 at 12:56:44AM -0600, R0b0t1 wrote:
> On Mon, Dec 25, 2017 at 12:55 AM, R0b0t1 wrote:
> > On Sun, Dec 24, 2017 at 1:44 PM, taii...@gmx.com wrote:
> >> It is truly disturbing to think that someone with an ME exploit could
> >> hack 80% of the computers on the planet.
> >>
> >
> > And sometimes I wonder
> if it's already been done.

Was it really necessary to send 12 Megs of pictures to hundreds of
subscribers for the information content of a few dozen bytes? Even picture
"apps" on phones are able to resize images.

Just sayin’

--
Gruß | Greetings | Qapla’
Please do not share anything from, with or about me on any social network.

“A Melmacian almost never goes back on his word sometimes.” – Alf
Re: [gentoo-user] How to harden a system
On 12/23/2017 10:20 PM, Adam Carter wrote:
>
> So i'm wondering how much difference there is between hardened and
> non-hardened profiles these days.
>

The hardened profiles ensure that PaX works by setting PAX_MARKINGS="XT"
and by making sure that you don't disable xattr support in, say,
coreutils. They also let you build gcc/glibc with USE=hardened, although
what that actually does these days I'm not sure.

Aside from that, the hardened profiles have less stuff enabled by
default. The "desktop" portion is the worst offender there...

  $ cat profiles/targets/desktop/make.defaults
  # Copyright 1999-2017 Gentoo Foundation
  # Distributed under the terms of the GNU General Public License v2

  USE="a52 aac acpi alsa bluetooth branding cairo cdda cdr consolekit cups
  dbus dri dts dvd dvdr emboss encode exif fam firefox flac gif glamor gpm
  gtk jpeg lcms ldap libnotify mad mng mp3 mp4 mpeg ogg opengl pango pdf png
  policykit ppds qt3support qt5 sdl spell startup-notification svg tiff
  truetype vorbis udev udisks unicode upower usb wxwidgets X xcb x264 xml
  xv xvid"

That's as opposed to,

  $ cat profiles/features/hardened/make.defaults
  ...
  USE="${USE} -berkdb -gdbm -tcpd"
  USE="${USE} -fortran"
  USE="${USE} -cli -session"
  USE="${USE} -dri"
  USE="${USE} -modules"
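Michael's reply above leaves open what USE=hardened actually buys on a current toolchain. Whether a given binary came out as PIE, stack-protected, fortified, with RELRO and immediate binding can be read straight off the ELF headers, which is the same information Adam's hardening-check output further down this page summarises. The script below is an added example, not code from this thread or from Gentoo: it parses little-endian ELF64 images with the standard library only, and build_sample_elf constructs a tiny, non-loadable image purely so the checker can be exercised offline. The checks for __stack_chk_fail and __*_chk symbols are string heuristics of the kind hardening-check style tools use, not proof that every function was instrumented.

```python
"""Report the hardening properties of an ELF64 binary (added example)."""
import re
import struct
import sys

# Constants from <elf.h>
ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC = 2
PT_GNU_STACK = 0x6474E551
PT_GNU_RELRO = 0x6474E552
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW = 0x8
DF_1_NOW = 0x1
DF_1_PIE = 0x08000000

EHDR = "<HHIQQQIHHHHHH"   # ELF64 header after the 16-byte e_ident
PHDR = "<IIQQQQQQ"        # ELF64 program header (56 bytes)
DYN = "<qQ"               # ELF64 dynamic entry (16 bytes)


def check_elf(data: bytes) -> dict:
    """Return the hardening properties of a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 images are handled")
    e_type, _, _, _, e_phoff, _, _, _, e_phentsize, e_phnum, *_ = \
        struct.unpack_from(EHDR, data, 16)
    relro = False
    nx_stack = False        # no PT_GNU_STACK at all means an executable stack
    dynamic = None
    for i in range(e_phnum):
        p_type, p_flags, p_offset, _, _, p_filesz, _, _ = \
            struct.unpack_from(PHDR, data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_RELRO:
            relro = True
        elif p_type == PT_GNU_STACK:
            nx_stack = not (p_flags & PF_X)
        elif p_type == PT_DYNAMIC:
            dynamic = (p_offset, p_filesz)
    # Immediate binding is signalled by DT_BIND_NOW, DF_BIND_NOW or DF_1_NOW.
    # RELRO without it is "partial RELRO": the GOT stays writable.
    bind_now = False
    if dynamic:
        off, size = dynamic
        for j in range(0, size, struct.calcsize(DYN)):
            d_tag, d_val = struct.unpack_from(DYN, data, off + j)
            if d_tag == DT_NULL:
                break
            if d_tag == DT_BIND_NOW or (d_tag == DT_FLAGS and d_val & DF_BIND_NOW) \
                    or (d_tag == DT_FLAGS_1 and d_val & DF_1_NOW):
                bind_now = True
    return {
        # Shared libraries are ET_DYN as well, so run this on executables.
        "pie": e_type == ET_DYN,
        # Heuristics: -fstack-protector emits calls to __stack_chk_fail and
        # FORTIFY_SOURCE rewrites libc calls to their __*_chk variants.
        "stack_protector": b"__stack_chk_fail\x00" in data,
        "fortify": re.search(rb"__[a-z0-9_]+_chk\x00", data) is not None,
        "relro": relro,
        "bind_now": bind_now,
        "nx_stack": nx_stack,
    }


def build_sample_elf(pie=True, relro=True, bind_now=True, nx=True,
                     canary=True, fortify=True) -> bytes:
    """Constructed minimal ELF64 image for offline testing (not loadable)."""
    phnum = 2 + (1 if relro else 0)
    dyn_off = 64 + 56 * phnum
    flags1 = (DF_1_NOW if bind_now else 0) | (DF_1_PIE if pie else 0)
    entries = []
    if bind_now:
        entries.append((DT_FLAGS, DF_BIND_NOW))
    if flags1:
        entries.append((DT_FLAGS_1, flags1))
    entries.append((DT_NULL, 0))
    dyn = b"".join(struct.pack(DYN, t, v) for t, v in entries)
    strtab = b"\x00" + (b"__stack_chk_fail\x00" if canary else b"") \
        + (b"__memcpy_chk\x00" if fortify else b"")
    rw = PF_R | PF_W
    phdrs = [struct.pack(PHDR, PT_DYNAMIC, rw, dyn_off, dyn_off, dyn_off,
                         len(dyn), len(dyn), 8)]
    if relro:
        phdrs.append(struct.pack(PHDR, PT_GNU_RELRO, PF_R, dyn_off, dyn_off,
                                 dyn_off, len(dyn), len(dyn), 1))
    phdrs.append(struct.pack(PHDR, PT_GNU_STACK, rw | (0 if nx else PF_X),
                             0, 0, 0, 0, 0, 16))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    ehdr = ident + struct.pack(EHDR, ET_DYN if pie else ET_EXEC, 62, 1, 0, 64,
                               0, 0, 64, 56, phnum, 64, 0, 0)
    return ehdr + b"".join(phdrs) + dyn + strtab


def hardening_report(path: str) -> dict:
    with open(path, "rb") as f:
        return check_elf(f.read())


if __name__ == "__main__":
    for path in sys.argv[1:]:
        props = hardening_report(path)
        print(path, " ".join(f"{k}={'yes' if v else 'no'}" for k, v in props.items()))
```

Run it as `python3 elfcheck.py /usr/bin/ssh` on the box in question. A result of relro=yes with bind_now=no is the partial-RELRO state ("Immediate binding: no") that Adam's output shows; full RELRO additionally needs the linker to be told -Wl,-z,now, which on Gentoo means putting it in LDFLAGS in make.conf.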
Re: [gentoo-user] How to harden a system
I would also consider purchasing a system with libre firmware and without
ME/PSP such as:

POWER 9:
TALOS 2 (server/workstation, brand new and very high performance - the
only brand new hardware that is legitimately libre)

x86-64: (older, pre-PSP AMD - the best CPUs for C32/G34 are equivalent
to one FX-8310 for the 8 core or almost two FX-8310 for the 16 core)
KGPE-D16 (server)
KCMA-D8 (workstation)
Lenovo G505S (laptop)

It is truly disturbing to think that someone with an ME exploit could hack
80% of the computers on the planet.
Re: [gentoo-user] How to harden a system
On 12/24/2017 02:43 AM, Adam Carter wrote:
> Oh I just noticed that vtv is now default enabled for gcc, so you could try;
> CXXFLAGS="${CFLAGS} -fvtable-verify=std"
>
> I tried this on earlier gccs, and there was a fair bit of breakage so I
> didn't pursue it. Maybe I'll re-try with 7.2 to see how things have
> progressed.

Would you please elaborate on what types of breakage you saw?

> "security feature that verifies at run time, for every virtual call, that
> the vtable pointer through which the call is made is valid for the type of
> the object, and has not been corrupted or overwritten. If an invalid vtable
> pointer is detected at run time, an error is reported and execution of the
> program is immediately halted"

I'm extremely new to these types of thing and don't truly understand the
failure mode of things like this. It sounds like vtable-verify will
conceptually make things more secure. But I don't know enough to know how
likely code that is believed to be perfectly happy will pass or fail such
vtable verifications.

--
Grant. . . .
unix || die
Re: [gentoo-user] How to harden a system
> Lastly, this in /etc/sysctl.conf. SYN cookies is a kernel option. The fin
> timeout cut was to clear out tens of thousands of TIME_WAIT sessions.
> net.ipv4.tcp_fin_timeout = 20
> net.ipv4.tcp_syncookies = 1
>

Oh I just noticed that vtv is now default enabled for gcc, so you could try;
CXXFLAGS="${CFLAGS} -fvtable-verify=std"

I tried this on earlier gccs, and there was a fair bit of breakage so I
didn't pursue it. Maybe I'll re-try with 7.2 to see how things have
progressed.

"security feature that verifies at run time, for every virtual call, that
the vtable pointer through which the call is made is valid for the type of
the object, and has not been corrupted or overwritten. If an invalid vtable
pointer is detected at run time, an error is reported and execution of the
program is immediately halted"
Re: [gentoo-user] How to harden a system
On Sun, Dec 24, 2017 at 1:09 AM, Peter Humphrey wrote:
> Hello list,
>
> Now that grsecurity is off-limits, I'm left wondering how to go about
> hardening a no-multilib box that will be exposed to the Big Bad World.
>
> To start with, it's not obvious which profile to use:
>
> $ eselect profile list | grep no-multi | grep hardened
> [23] default/linux/amd64/17.0/no-multilib/hardened
> [24] default/linux/amd64/17.0/no-multilib/hardened/selinux
> [29] hardened/linux/amd64/no-multilib
> [30] hardened/linux/amd64/no-multilib/selinux

I'm using default/linux/amd64/17.0/desktop/gnome/systemd and the binaries
are all pretty much;

  Position Independent Executable: yes
  Stack protected: yes
  Fortify Source functions: yes
  Read-only relocations: yes
  Immediate binding: no, not found!

So I'm wondering how much difference there is between hardened and
non-hardened profiles these days.

For kernel configs, I'm using these as they sounded sensible on a cursory
read of the help; (some are quite recent additions to the kernel)

  CONFIG_CC_STACKPROTECTOR=y
  CONFIG_CC_STACKPROTECTOR_STRONG=y
  CONFIG_RANDOMIZE_BASE=y
  CONFIG_RANDOMIZE_MEMORY=y
  CONFIG_HARDENED_USERCOPY=y
  CONFIG_FORTIFY_SOURCE=y
  CONFIG_VMAP_STACK=y
  CONFIG_REFCOUNT_FULL=y

I don't use AppArmor or SELinux, but for an internet-facing webserver I'd
consider using SELinux to more finely lock down permissions on the webroot.
I also recall that a fully permissive SELinux configuration has a side
effect that improved security, so CONFIG_SECURITY_SELINUX is on, but I
can't find any evidence to support my memory on that one.

Lastly, this in /etc/sysctl.conf. SYN cookies is a kernel option. The fin
timeout cut was to clear out tens of thousands of TIME_WAIT sessions.

  net.ipv4.tcp_fin_timeout = 20
  net.ipv4.tcp_syncookies = 1
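The kernel options Adam lists are only worth anything if they are set in the kernel that is actually booted, so it pays to check the running config rather than the one that was intended. The script below is an added example, not from this thread or from Gentoo: it parses a .config file or /proc/config.gz (which needs CONFIG_IKCONFIG_PROC) and reports each option as y, n or missing. The alias table is my own addition and reflects that CONFIG_CC_STACKPROTECTOR and CONFIG_CC_STACKPROTECTOR_STRONG were renamed to CONFIG_STACKPROTECTOR and CONFIG_STACKPROTECTOR_STRONG in Linux 4.18, so on a newer kernel a "missing" old name is not a missing protection; CONFIG_REFCOUNT_FULL was dropped in 5.5 when the checked implementation became the only one, and will show as missing there for the same reason. SAMPLE_CONFIG is a constructed fragment so the script can be run offline.

```python
"""Audit a kernel config for the hardening options from the thread (added example)."""
import gzip
import sys

# Option from the thread first, then later names that provide the same
# protection (CONFIG_CC_STACKPROTECTOR* became CONFIG_STACKPROTECTOR* in 4.18).
# CONFIG_REFCOUNT_FULL has no successor: from 5.5 the full checks are unconditional.
WANTED = {
    "CONFIG_CC_STACKPROTECTOR": ["CONFIG_STACKPROTECTOR"],
    "CONFIG_CC_STACKPROTECTOR_STRONG": ["CONFIG_STACKPROTECTOR_STRONG"],
    "CONFIG_RANDOMIZE_BASE": [],
    "CONFIG_RANDOMIZE_MEMORY": [],
    "CONFIG_HARDENED_USERCOPY": [],
    "CONFIG_FORTIFY_SOURCE": [],
    "CONFIG_VMAP_STACK": [],
    "CONFIG_REFCOUNT_FULL": [],
}

# Constructed sample config fragment, not taken from any real kernel.
SAMPLE_CONFIG = """\
# Constructed sample, not a real kernel config
CONFIG_STACKPROTECTOR=y
CONFIG_STACKPROTECTOR_STRONG=y
CONFIG_RANDOMIZE_BASE=y
# CONFIG_RANDOMIZE_MEMORY is not set
CONFIG_HARDENED_USERCOPY=y
CONFIG_FORTIFY_SOURCE=y
CONFIG_VMAP_STACK=y
"""


def parse_config(text: str) -> dict:
    """Map CONFIG_* names to their values; '# CONFIG_X is not set' becomes 'n'."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("# CONFIG_") and line.endswith(" is not set"):
            opts[line[2:-len(" is not set")]] = "n"
        elif line.startswith("CONFIG_") and "=" in line:
            name, value = line.split("=", 1)
            opts[name] = value
    return opts


def audit(opts: dict, wanted: dict = WANTED) -> dict:
    """Return {option: status} where status is 'y', 'n', 'm', 'missing'
    (unknown to this kernel) or 'y (as <alias>)' when a renamed option covers it."""
    result = {}
    for name, aliases in wanted.items():
        for candidate in [name] + aliases:
            value = opts.get(candidate)
            if value == "y":
                result[name] = "y" if candidate == name else f"y (as {candidate})"
                break
            if value is not None:
                result[name] = value
                break
        else:
            result[name] = "missing"
    return result


def load_config(path: str) -> dict:
    """Read a plain .config or a gzip-compressed /proc/config.gz."""
    opener = gzip.open if path.endswith(".gz") else open
    with opener(path, "rt") as f:
        return parse_config(f.read())


if __name__ == "__main__":
    opts = load_config(sys.argv[1]) if len(sys.argv) > 1 else parse_config(SAMPLE_CONFIG)
    for name, status in audit(opts).items():
        marker = "" if status.startswith("y") else "   <-- check"
        print(f"{name:<36} {status}{marker}")
```

Typical use is `python3 kconfig-audit.py /proc/config.gz` on the running system, or with `/usr/src/linux/.config` before building. Extending WANTED with further options from the kernel's own help text is just a matter of adding entries.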
Re: [gentoo-user] How to harden a system
On Saturday, 23 December 2017 17:46:20 GMT Michael Orlitzky wrote:
> On 12/23/2017 09:09 AM, Peter Humphrey wrote:
> > Hello list,
> >
> > Now that grsecurity is off-limits, I'm left wondering how to go about
> > hardening a no-multilib box that will be exposed to the Big Bad World.
>
> You can still use grsec/pax if you're willing to stick with an older
> (LTS) kernel:
>
> https://github.com/minipli/linux-unofficial_grsec/tree/linux-4.9.x-unofficial_grsec

Oh, that's good - thanks Michael.

> > To start with, it's not obvious which profile to use:
> >
> > $ eselect profile list | grep no-multi | grep hardened
> >
> > [23] default/linux/amd64/17.0/no-multilib/hardened
> > [24] default/linux/amd64/17.0/no-multilib/hardened/selinux
>
> One of those two, depending on whether or not you use SELinux.

Thanks again for the advice.

--
Regards,
Peter.
Re: [gentoo-user] How to harden a system
On 12/23/2017 09:09 AM, Peter Humphrey wrote:
> Hello list,
>
> Now that grsecurity is off-limits, I'm left wondering how to go about
> hardening a no-multilib box that will be exposed to the Big Bad World.

You can still use grsec/pax if you're willing to stick with an older
(LTS) kernel:

  https://github.com/minipli/linux-unofficial_grsec/tree/linux-4.9.x-unofficial_grsec

> To start with, it's not obvious which profile to use:
>
> $ eselect profile list | grep no-multi | grep hardened
> [23] default/linux/amd64/17.0/no-multilib/hardened
> [24] default/linux/amd64/17.0/no-multilib/hardened/selinux

One of those two, depending on whether or not you use SELinux.