moisespedro n00b
Joined: 01 Jan 2014 Posts: 71
Posted: Wed Feb 26, 2014 2:41 pm Post subject: Hardened desktop profile?

Hi, I was thinking about switching to a hardened Gentoo, but there is no hardened desktop profile. Why not?
SirRobin2318 Apprentice
Joined: 24 Apr 2004 Posts: 241 Location: Strasbourg, France.
moisespedro n00b
Joined: 01 Jan 2014 Posts: 71
Posted: Wed Feb 26, 2014 5:09 pm Post subject:

Oh, thanks for the link. Found it a bit complicated.
SirRobin2318 Apprentice
Joined: 24 Apr 2004 Posts: 241 Location: Strasbourg, France.
Posted: Wed Feb 26, 2014 5:16 pm Post subject:

If I were you, I'd go and ask the people involved in the project what the best course of action would be:
#gentoo-hardened on IRC (freenode). And then come back and tell us.
Massimo B. Veteran
Joined: 09 Feb 2005 Posts: 1759 Location: PB, Germany
Posted: Thu Jun 26, 2014 1:15 pm Post subject:

Is changing a desktop machine from default/linux/amd64/13.0/desktop to default/linux/amd64/13.0/selinux or even hardened/linux/amd64/selinux appropriate and worth the effort? Any performance drawbacks? Do I need to follow the complete SELinux handbook?
Just curious that there is only sys-kernel/hardened-sources without Gentoo patches (?) but definitely without other patches I need, as I'm using sys-kernel/ck-sources right now and would even like to combine that with sys-kernel/aufs-sources. So maybe hardened-sources is not that flexible for feature-rich desktops?
_________________
HP ZBook Power 15.6" G8 i7-11800H|HP EliteDesk 800G1 i7-4790|HP Compaq Pro 6300 i7-3770
Tractor Girl Apprentice
Joined: 16 May 2013 Posts: 159
Posted: Thu Jun 26, 2014 10:14 pm Post subject:

The question is: are you familiar with SELinux? If not, it can be a pretty frustrating thing.
If you want only SELinux, it is present in every kernel source tree - you don't need to switch to hardened-sources to use it. What you probably want in that case is the default/linux/amd64/13.0/selinux profile, to make sure that you'll have proper support during compilation and all the policies.
But keep in mind that SELinux is just a MAC and nothing more.
On the other hand, hardened profiles and hardened-sources offer MUCH more security features.
That said, if you switch to hardened-sources and you're not an SELinux guru, it's probably much more reasonable to use grsecurity's RBAC as a MAC instead of SELinux.
In my opinion there's not much sense in switching from default/desktop to default/selinux if you're not completely in love with SELinux.
On the contrary, switching to a hardened profile is perfectly reasonable. If you love SELinux, choose hardened/selinux; if not, choose the regular hardened profile and use grsecurity's RBAC as MAC (it has a nice learning mode).
N8Fear Tux's lil' helper
Joined: 15 Apr 2013 Posts: 140 Location: Berlin (Germany)
Posted: Thu Jun 26, 2014 11:04 pm Post subject:

There are many ways to a hardened system. First you should think about what you actually want. There are many options that don't require each other:

1. SELinux - it's a MAC system and requires some dedication to get into. If you're not willing to invest some time, I'd advise against it. It requires a special profile and a bunch of kernel options. There are also other implementations of the LSM interface like AppArmor or Tomoyo. They use different approaches than SELinux to achieve a similar goal.

2. A hardened profile - this one is a little bit tricky. It activates and deactivates certain USE flags (most prominent is the 'hardened' flag). You mainly get a hardened toolchain from it (which will make certain userland vulnerabilities harder to exploit). Note: the hardened profile has nothing to do with SELinux - there are hardened and non-hardened SELinux profiles.

3. hardened-sources - they introduce PaX and grsecurity as configurable options. You should note that even with every PaX/grsec feature disabled you can experience behaviour that a vanilla kernel doesn't show, because the patch is very invasive. On the other hand this patch is IMHO the strong point of a hardened system, and even if there is a performance loss involved I'd strongly recommend using it if you want a hardened system. grsecurity also includes RBAC, which is a MAC system like SELinux, but in contrast to it, it doesn't implement the LSM interface and therefore can be used in combination with SELinux or one of the other LSM implementations.

You see: you can harden your system by either one of these options or by a combination of them (which from a security standpoint would be the recommended choice). You'll have to decide what to use.
Switching to a hardened profile will be the easiest thing, with no or nearly no breakage. The other options may require some adjustments and effort depending on your setup.
Concerning the question why there are no hardened desktop profiles (anymore): the way profiles work (the stack) leads to breakage in certain situations, and hardened and desktop was such a situation. Since the desktop profile doesn't do much more than setting a basic set of desktop-related USE flags, I'd recommend switching to a hardened profile and selecting the USE flags manually (via make.conf). There are some flags that shouldn't be enabled (at least if PaX is used - for example jit).
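N8Fear's point that the hardened profile mostly buys you a hardened toolchain is something you can verify on the binaries it produces, rather than take on faith. On Gentoo the tool for that is scanelf from app-misc/pax-utils (scanelf -e for GNU_STACK/RELRO markings, scanelf -x for PaX markings). As an added illustration that is not code from this thread, from Gentoo or from pax-utils, here is a small stand-alone ELF64 checker that looks for the same header-level properties: PIE (e_type ET_DYN), a non-executable PT_GNU_STACK, a PT_GNU_RELRO segment, and DT_FLAGS/DT_BIND_NOW for full RELRO. The names check_elf64, build_sample and struct hardening are this example's own; build_sample constructs a synthetic image (not a real binary) so the checker can be exercised offline, and it assumes a little-endian host because the structs are written out with memcpy.

```c
/* Added example, not code from this thread or from Gentoo's pax-utils.
 * Inspects an ELF64 image for the properties a hardened toolchain is
 * expected to produce: PIE, non-executable stack, RELRO, BIND_NOW. */
#include <elf.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct hardening {
    int pie;       /* e_type == ET_DYN: position-independent, so ASLR can relocate it */
    int nx_stack;  /* PT_GNU_STACK present without PF_X (absent => executable on x86) */
    int relro;     /* PT_GNU_RELRO present: partial RELRO */
    int bind_now;  /* DT_BIND_NOW or DT_FLAGS & DF_BIND_NOW: GOT resolved at load, full RELRO */
};

/* Parse the headers of an in-memory image. Returns 0 on success, -1 if the
 * buffer is not a well-formed ELF64 image. Every access is bounds-checked and
 * copied out with memcpy, so a hostile file cannot make us read past buf. */
int check_elf64(const unsigned char *buf, size_t len, struct hardening *out)
{
    Elf64_Ehdr eh;
    memset(out, 0, sizeof *out);
    if (len < sizeof eh || memcmp(buf, ELFMAG, SELFMAG) != 0 || buf[EI_CLASS] != ELFCLASS64)
        return -1;
    memcpy(&eh, buf, sizeof eh);
    out->pie = (eh.e_type == ET_DYN);   /* meaningful for executables; .so files are ET_DYN too */

    if (eh.e_phoff > len || (size_t)eh.e_phnum > (len - eh.e_phoff) / sizeof(Elf64_Phdr))
        return -1;
    for (unsigned i = 0; i < eh.e_phnum; i++) {
        Elf64_Phdr ph;
        memcpy(&ph, buf + eh.e_phoff + i * sizeof ph, sizeof ph);
        if (ph.p_type == PT_GNU_STACK) {
            out->nx_stack = !(ph.p_flags & PF_X);
        } else if (ph.p_type == PT_GNU_RELRO) {
            out->relro = 1;
        } else if (ph.p_type == PT_DYNAMIC) {
            if (ph.p_offset > len || ph.p_filesz > len - ph.p_offset)
                return -1;
            for (size_t off = 0; off + sizeof(Elf64_Dyn) <= ph.p_filesz; off += sizeof(Elf64_Dyn)) {
                Elf64_Dyn d;
                memcpy(&d, buf + ph.p_offset + off, sizeof d);
                if (d.d_tag == DT_NULL)
                    break;
                if (d.d_tag == DT_BIND_NOW || (d.d_tag == DT_FLAGS && (d.d_un.d_val & DF_BIND_NOW)))
                    out->bind_now = 1;
            }
        }
    }
    return 0;
}

/* Constructed test input (not a real binary): a minimal ELF64 image with a
 * GNU_STACK, a GNU_RELRO and a DYNAMIC segment. Assumes a little-endian host. */
size_t build_sample(unsigned char *buf, size_t cap, int executable_stack, int bind_now)
{
    Elf64_Ehdr eh; Elf64_Phdr ph[3]; Elf64_Dyn dyn[2];
    size_t phoff = sizeof eh, dynoff = phoff + sizeof ph, total = dynoff + sizeof dyn;
    if (cap < total)
        return 0;
    memset(&eh, 0, sizeof eh); memset(ph, 0, sizeof ph); memset(dyn, 0, sizeof dyn);
    memcpy(eh.e_ident, ELFMAG, SELFMAG);
    eh.e_ident[EI_CLASS] = ELFCLASS64;
    eh.e_ident[EI_DATA] = ELFDATA2LSB;
    eh.e_type = ET_DYN; eh.e_machine = EM_X86_64;
    eh.e_phoff = phoff; eh.e_phentsize = sizeof(Elf64_Phdr); eh.e_phnum = 3;
    ph[0].p_type = PT_GNU_STACK; ph[0].p_flags = PF_R | PF_W | (executable_stack ? PF_X : 0);
    ph[1].p_type = PT_GNU_RELRO; ph[1].p_flags = PF_R;
    ph[2].p_type = PT_DYNAMIC;   ph[2].p_offset = dynoff; ph[2].p_filesz = sizeof dyn;
    dyn[0].d_tag = DT_FLAGS;     dyn[0].d_un.d_val = bind_now ? DF_BIND_NOW : 0;
    dyn[1].d_tag = DT_NULL;
    memcpy(buf, &eh, sizeof eh);
    memcpy(buf + phoff, ph, sizeof ph);
    memcpy(buf + dynoff, dyn, sizeof dyn);
    return total;
}

/* Stand-alone use: report on a file (default: this very executable). */
int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/proc/self/exe";
    struct hardening h;
    FILE *f = fopen(path, "rb");
    if (!f) { perror(path); return 1; }
    fseek(f, 0, SEEK_END);
    long n = ftell(f);
    rewind(f);
    unsigned char *buf = n > 0 ? malloc((size_t)n) : NULL;
    if (!buf || fread(buf, 1, (size_t)n, f) != (size_t)n) { fclose(f); free(buf); return 1; }
    fclose(f);
    if (check_elf64(buf, (size_t)n, &h) != 0) { fprintf(stderr, "%s: not an ELF64 image\n", path); free(buf); return 1; }
    printf("%s: PIE=%d NX-stack=%d RELRO=%d BIND_NOW=%d\n", path, h.pie, h.nx_stack, h.relro, h.bind_now);
    free(buf);
    return 0;
}
```

Run it against binaries built before and after the profile switch (for example a freshly re-emerged package versus one still from the old toolchain) and the difference N8Fear describes becomes concrete. Two caveats: stack protector and FORTIFY_SOURCE leave no trace in the program headers (they show up as __stack_chk_fail and *_chk symbol references, so check those with scanelf -s or readelf), and PaX markings live in PT_PAX_FLAGS or xattrs, which this example deliberately does not parse.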
Massimo B. Veteran
Joined: 09 Feb 2005 Posts: 1759 Location: PB, Germany
Posted: Fri Jun 27, 2014 7:34 am Post subject:

N8Fear wrote:
    Switching to a hardened profile will be the easiest thing with no or nearly no breakage. The other options may require some adjustments and effort depending on your setup.
Thank you both for that clarification. I'm going for that option for now.
Hm, what do I want to achieve? I mainly fear userland exploits by non-Portage applications (mostly Java). Portage stuff is checksum-checked, but even on official sources there are often exploits possible.
_________________
HP ZBook Power 15.6" G8 i7-11800H|HP EliteDesk 800G1 i7-4790|HP Compaq Pro 6300 i7-3770
HerrSchafer Tux's lil' helper
Joined: 18 May 2011 Posts: 139
Posted: Fri Aug 22, 2014 3:55 pm Post subject:

Hi! I'm also having my first time with hardened Gentoo. The first thing I've noticed was a HUGE increase in compile time (one whole night wasn't enough to install the DE). I think it is because the toolchain was modified to produce hardened packages, so I wonder whether there must be a lot of flags set/unset deeper than in a normal profile and this is the cause of slow compiling. Am I right? Is the overall performance also affected that much?
I've read a lot about hardened Gentoo and AFAIK I'm not bound to use SELinux. Right?
_________________
“Long is the way, and hard, that out of hell leads up to light.”
― John Milton
Massimo B. Veteran
Joined: 09 Feb 2005 Posts: 1759 Location: PB, Germany
Posted: Mon Mar 02, 2015 8:51 am Post subject:

HerrSchafer wrote:
    ...First thing I've noticed was a HUGE increase of compiling time (one whole night wasn't enough to install the DE). I think it is because the toolchain was modified to produce hardened packages, so I wonder there must be a lot of flags set/unset deeper than a normal profile and this is the cause of slow compiling. Am I right? Is the overall performance also so affected?
Interesting question, does anybody know?
_________________
HP ZBook Power 15.6" G8 i7-11800H|HP EliteDesk 800G1 i7-4790|HP Compaq Pro 6300 i7-3770
BlueFusion Guru
Joined: 08 Mar 2006 Posts: 371
Posted: Mon Mar 02, 2015 4:04 pm Post subject:

I switched to the hardened profile and kernels a few months ago on all of my desktops, servers, and laptop. I haven't noticed any difference in compile time. Run-time definitely seems the same as before. I have not timed anything, but I have not noticed anything as a daily user of the systems.