NeverSloppy n00b
Joined: 03 Nov 2022 Posts: 29
Posted: Tue Nov 08, 2022 6:02 am Post subject: Gentoo security tips for noob. Advice pls
How difficult will maintaining a secure Gentoo install be for a beginner?
Just recently, I stumbled on this blog post in which the person claims Gentoo is a security hazard: http://coldattic.info/post/105/
I don't believe it as Gentoo removes so much bloat that other Distros ship with. But then again I haven't used it for more than a
month some years ago. My hardware was too slow back then so I had to switch.
I've tried Arch, Debian, Fedora, FreeBSD.
I can set up a firewall in Debian and FreeBSD as I occasionally delve into web development.
My go-to programming language is Go, but I'm now learning Rust and C.
My goal, switching to Gentoo, is gaining knowledge of the lower level stuff. Hardware and software.
I'm sick of the automagic in other Distros.
Should I just stick with a virtual machine until I'm decent with Gentoo?
Juippisi Developer
Joined: 30 Sep 2005 Posts: 722 Location: /home
Posted: Tue Nov 08, 2022 6:22 am Post subject: Re: Gentoo security tips for noob. Advice pls
Did you actually read the post before linking it? Let me quote the relevant part:
"A computer that hasn’t been updated for years, and is open to the network is a security risk."
It has nothing to do with Gentoo itself, but the author neglecting to update their system.
To answer your question, keeping the above site in mind, it's "easy" if you invest the time to learn to use it.
Goverp Veteran
Joined: 07 Mar 2007 Posts: 1972
Posted: Tue Nov 08, 2022 8:58 am Post subject:
The blogger was suffering dependency hell in 2017; at a guess the system was a hybrid of stable and leading-edge stuff - my experience is that if you stick to one or the other, you should avoid dependency issues nearly all the time.
One caveat - the blog mentions long compile times; there are some notorious packages that can be hard to avoid; worst are qtwebengine and rust (for the latter, if you need rust, use rust-bin unless you really need the latest versions), then libreoffice (also available as a -bin version). It's an unfortunate side-effect of Moore's Law; packages expand to consume the leading-edge hardware's capabilities - as cpu power doubles, so does the work needed to compile bloated packages... Of course, if you have a water-cooled Threadripper with 128GB memory and wall-to-wall NVMe storage, this isn't an issue.
Oh, and plan to "emerge --update --deep --changed-use @world" at least once a month, better every fortnight, best weekly. The more often, the less work to be done in one big chunk.
_________________
Greybeard
pietinger Moderator
Joined: 17 Oct 2006 Posts: 4019 Location: Bavaria
Posted: Tue Nov 08, 2022 10:19 am Post subject:
You should never get a dependency hell if you update your Gentoo once a month (better: once a week) with:
Code:
# emerge -uUDv @world
If you think you want to update only one or some specific packages with "emerge -u PACKAGE" then you should always do this with parameter "-1":
Code:
# emerge -1uDv PACKAGE
Why?
If you don't do it with "-1" (--oneshot) this package will be recorded in /var/lib/portage/world ... and this will lead to a dependency hell over time.
See more here: https://forums.gentoo.org/viewtopic-t-1143543-highlight-.html
NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54099 Location: 56N 3W
Posted: Tue Nov 08, 2022 10:52 am Post subject:
NeverSloppy,
Gentoo is a toolkit. You use it to design and install your own distro. So, is your distro insecure?
Gentoo only gives you what you ask for and what you must have to support what you have asked for.
The corollary is that if you haven't asked for it, it's not installed.
This keeps things out that you don't use, which is good.
It's a case of the wider you open the window, the more dirt blows in.
Any neglected install will become insecure with the passage of time. The key here is neglect.
The install has not changed but security problems it's always had have become public knowledge.
You can make your install insecure with the choices you make.
e.g. Disable password logins for ssh from the internet. Then all the bots trying to brute force you get nowhere.
Don't run insecure services, like telnet, ftp.
Do run a paranoid boundary firewall, to stop any evil that gets in from phoning home.
That's user space.
Then there is the Kernel Self Protection Project
gentoo-sources provides a patch to enable a choice selection of those settings.
Security and usability is a trade off. You could unplug the network cable.
That's secure but not very usable.
Security needs to be taken in context too.
We have to ask secure against what threats?
_________________
Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
NeverSloppy n00b
Joined: 03 Nov 2022 Posts: 29
Posted: Tue Nov 08, 2022 2:45 pm Post subject:
OK got it.. Thanks for the tips.
I do want to build the kernel myself and tweak it to harden it against memory corruption stuff.
Will be learning in a VM for the meantime to learn more about how everything works in Gentoo.
NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54099 Location: 56N 3W
Posted: Tue Nov 08, 2022 3:28 pm Post subject:
NeverSloppy,
Memory corruption detection, as I know it, depends on hardware support in the form of ECC RAM.
The extra 8 bits provide single bit Hamming error detection and correction and detection but not correction of two bit errors.
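NeddySeagoon's point above (8 check bits: a single flipped bit is located and corrected, two flipped bits are only detected) worked through as an added example, written for this edit and not code from the thread: a Hamming SECDED code over a 64-bit word in C. It assumes a GCC/Clang compiler for the 128-bit integer that holds the 72-bit codeword.

```c
#include <stdint.h>
/* Hamming SECDED over a 64-bit word, as on an ECC DIMM: 7 Hamming parity bits at
 * positions 1,2,4,..,64 plus an overall parity bit at position 0 (8 check bits).
 * The 64 data bits fill the positions in 3..71 that are not powers of two. */
typedef unsigned __int128 ecc_word;   /* 72-bit codeword; GCC/Clang 128-bit int assumed */
#define ECC_LEN 72
#define BIT(w, p) ((int)(((w) >> (p)) & 1))
#define IS_POW2(p) (((p) & ((p) - 1)) == 0)
/* Syndrome = XOR of the positions of all set bits; overall parity = XOR of all 72
 * bits. Both are zero for an intact codeword. Returns the parity. */
static int ecc_check(ecc_word cw, int *syndrome) {
    int s = 0, q = BIT(cw, 0);
    for (int p = 1; p < ECC_LEN; p++) if (BIT(cw, p)) { s ^= p; q ^= 1; }
    *syndrome = s;
    return q;
}
ecc_word ecc_encode(uint64_t data) {
    ecc_word cw = 0;
    int s, i = 0;
    for (int p = 3; p < ECC_LEN; p++)                 /* scatter the data bits */
        if (!IS_POW2(p) && ((data >> i++) & 1)) cw |= (ecc_word)1 << p;
    int q = ecc_check(cw, &s);                        /* parity bit k cancels bit k of s */
    for (int k = 0; k < 7; k++)
        if ((s >> k) & 1) { cw |= (ecc_word)1 << (1 << k); q ^= 1; }
    return q ? cw | 1 : cw;                           /* overall parity bit -> even */
}
uint64_t ecc_extract(ecc_word cw) {                   /* gather the data bits back */
    uint64_t data = 0;
    for (int p = 3, i = 0; p < ECC_LEN; p++)
        if (!IS_POW2(p)) { if (BIT(cw, p)) data |= (uint64_t)1 << i; i++; }
    return data;
}
/* Read-side check: 0 = clean, 1 = one flipped bit located and corrected in place,
 * 2 = two flipped bits detected but not correctable (3+ flips may miscorrect). */
int ecc_decode(ecc_word *cw) {
    int s, odd = ecc_check(*cw, &s);
    if (s == 0 && !odd) return 0;
    if (odd) { *cw ^= (ecc_word)1 << s; return 1; }   /* s == 0: parity bit 0 itself */
    return 2;
}
/* Encode, flip up to two positions (-1 = none), decode. Returns the decode status,
 * or -1 if a word reported clean or corrected no longer matches the original. */
int ecc_trial(uint64_t data, int flip_a, int flip_b) {
    ecc_word cw = ecc_encode(data);
    if (flip_a >= 0) cw ^= (ecc_word)1 << flip_a;
    if (flip_b >= 0) cw ^= (ecc_word)1 << flip_b;
    int st = ecc_decode(&cw);
    return (st != 2 && ecc_extract(cw) != data) ? -1 : st;
}
```

This is what the memory controller does on every read; as Hu notes further down, it only restores what was stored, so a wrong value written by buggy software comes back just as faithfully.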
pa4wdh l33t
Joined: 16 Dec 2005 Posts: 806
Posted: Tue Nov 08, 2022 3:44 pm Post subject:
The main reason the blogger got a very insecure setup is that he didn't update because he was scared something would break. I remember having the same fear when I just started with Gentoo, but also experience that with other distros.
New versions bring new bugs and they might just bite you. The solution is not to be scared and to have faith you can solve the problems you might run into.
One of the best things in Gentoo is that you can mask individual packages and roll back to a previous (known working) version when needed. I've never seen a binary distro giving that level of control.
_________________
The gentoo way of bringing peace to the world:
USE="-war" emerge --newuse @world
My shared code repository: https://code.pa4wdh.nl.eu.org
Music, Free as in Freedom: https://www.jamendo.com
NeverSloppy n00b
Joined: 03 Nov 2022 Posts: 29
Posted: Tue Nov 08, 2022 7:42 pm Post subject:
I was thinking more of using Hardened malloc in my Gentoo build. My PC does not have ECC :/ but that
seems to only be helpful against natural causes and not malicious programs. Could be wrong as I'm noob
pietinger Moderator
Joined: 17 Oct 2006 Posts: 4019 Location: Bavaria
Hu Moderator
Joined: 06 Mar 2007 Posts: 21498
Posted: Wed Nov 09, 2022 1:36 am Post subject:
Error Correction Code memory is intended to let your RAM return the value that ideal RAM would return, even if less than ideal conditions occur in practice. Ideal RAM always returns exactly the data that it was previously told to store. RAM has no way to determine whether the value stored in it is what the ideal software would have stored, so if a logic bug causes logically incorrect data to be stored to RAM, your RAM will remember and later return that incorrect data. ECC cannot help with the presence of logic bugs in the software, because ECC only seeks to return what data your program put there. If your program puts garbage data into RAM, ECC will faithfully return that garbage data on request.
Hardened malloc is intended to cause some types of software bugs to fail in a less dangerous way than non-hardened malloc would fail. As with ECC RAM, it is a mitigation for non-ideal operating conditions. If all your software was free of logic bugs, hardened malloc would be unnecessary.
NeverSloppy n00b
Joined: 03 Nov 2022 Posts: 29
Posted: Wed Nov 09, 2022 3:50 am Post subject:
So if all programs were written in a functional programming language such as Haskell or Lisp
there would be way way less of all these security bugs?
Not that I know a functional language. Just curious. This post makes me kinda want to
learn a functional language, but I'm assuming the learning curve is steep. I did want
to use Haskell as a web server some time back.
https://crypto.stanford.edu/~blynn/haskell/curry-howard.html
Hu Moderator
Joined: 06 Mar 2007 Posts: 21498
Posted: Wed Nov 09, 2022 12:36 pm Post subject:
Functional programming languages take away the ability to write certain types of data processing bugs, but it's still very possible to write catastrophically bad security bugs in a functional language. A simple language-independent bug would be failing to validate that the requested action is permitted under the program's security model. For example, suppose someone patched the Linux kernel such that openat never checked mode bits, so any user could open any file read-write, even if the Linux security model says the caller cannot access the file at all. That would be a major security bug, but it can be done in any language because the bug is absence of code that should have been present.
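Hu's openat example as an added illustration in C, not code from the thread or from the kernel: a toy model of the owner/group/other check that open(2)/openat(2) must run before handing out a descriptor, beside the variant in which the check is simply absent. The struct and function names are made up for this example.

```c
#include <stdbool.h>
#include <fcntl.h>       /* O_RDONLY, O_WRONLY, O_RDWR, O_ACCMODE */
#include <sys/types.h>   /* uid_t, gid_t, mode_t */

/* Toy model of the discretionary permission test behind open(2)/openat(2).
 * Deliberately ignores root, capabilities, POSIX ACLs and LSM hooks so the
 * core owner/group/other rule stands alone. Names are invented for this example. */
typedef struct { uid_t uid; gid_t gid; } cred_t;                   /* the caller */
typedef struct { uid_t owner; gid_t group; mode_t mode; } inode_t; /* the file */

enum { MAY_EXEC = 1, MAY_WRITE = 2, MAY_READ = 4 };

/* Translate the access mode in the open flags into the rights it requires.
 * The undefined value 3 is treated as Linux does: as needing read and write. */
int open_flags_to_may(int oflags) {
    switch (oflags & O_ACCMODE) {
    case O_RDONLY: return MAY_READ;
    case O_WRONLY: return MAY_WRITE;
    default:       return MAY_READ | MAY_WRITE;
    }
}

/* The check that must be present: pick exactly one permission class from the
 * caller's identity (owner before group before other, with no fall-through) and
 * require every requested right in that class. A file you own with mode 0007 is
 * therefore NOT readable by you, even though everyone else may read it. */
bool may_open(const inode_t *ino, const cred_t *who, int oflags) {
    int want = open_flags_to_may(oflags), granted;
    if (who->uid == ino->owner)      granted = (ino->mode >> 6) & 7;
    else if (who->gid == ino->group) granted = (ino->mode >> 3) & 7;
    else                             granted =  ino->mode       & 7;
    return (want & ~granted) == 0;
}

/* The kind of bug Hu describes: the check is simply missing. The function
 * type-checks, compiles and "works" in any language, yet every caller may open
 * every file read-write. Nothing in the code is wrong; something is absent. */
bool may_open_unchecked(const inode_t *ino, const cred_t *who, int oflags) {
    (void)ino; (void)who; (void)oflags;
    return true;
}
```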
NeverSloppy n00b
Joined: 03 Nov 2022 Posts: 29
Posted: Wed Nov 09, 2022 2:54 pm Post subject:
So I should just run Gentoo inside of QubesOS because bugs will always exist?
Or am I insane?
Hu Moderator
Joined: 06 Mar 2007 Posts: 21498
Posted: Wed Nov 09, 2022 3:53 pm Post subject:
This comes back to your threat model. Are you worried about someone specifically targeting you, or do you just want to avoid the bulk exploits that circulate on the Internet looking for easy prey? If you are being targeted, how competent is your hypothetical adversary? Describe what you want to stop, then you can determine how to stop it.
NeverSloppy n00b
Joined: 03 Nov 2022 Posts: 29
Posted: Wed Nov 09, 2022 4:37 pm Post subject:
Just wanting to develop a thorough understanding of gentoo security options and procedures as I will soon be installing
it on my hardware. Sad that hardened-sources is no longer an option :/
alecStewart1 Tux's lil' helper
Joined: 03 Jul 2022 Posts: 103
Posted: Wed Nov 09, 2022 5:06 pm Post subject:
NeverSloppy,
You don't necessarily need the hardened sources if you're on a hardened profile. If you use the sys-devel/gentoo-kernel you can have
Code:
sys-kernel/gentoo-kernel hardened
in your /etc/portage/package.use.
You can also have it in your make.conf in the USE variable:
Any package that can compile with hardening options will do so, then.
Gentoo does a decent job of enabling some secure hardening options for the kernel. You can add/take away things yourself, but be mindful of what you're adding/taking away in your kernel config.
See here for some other options you might want to enable, but again, be cautious of what you add/take away.
I can't remember who, but someone on the Gentoo wiki has a guide for further hardening.
NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54099 Location: 56N 3W
Posted: Wed Nov 09, 2022 10:08 pm Post subject:
NeverSloppy
The aim of security is to make it difficult for attackers to get in and difficult for them to do anything useful when (not if) they have the determination to break in.
The idea is to convince them to find an easier target before they break into your system, not to keep a determined, well resourced attacker, like a government, out.
A government would just send the boys round anyway. They would not try to break your security.
Determine your threats, then deploy your defences.
e.g. You probably don't need an encrypted file system on a physically secure system.
pjp Administrator
Joined: 16 Apr 2002 Posts: 20054
Posted: Thu Nov 10, 2022 3:26 am Post subject:
NeverSloppy wrote:
| So I should just run Gentoo inside of QubesOS because bugs will always exist?
| Or am I insane?
NeverSloppy wrote:
| Just wanting to develop a thorough understanding of gentoo security options and procedures as I will soon be installing
| it on my hardware. Sad that hardened-sources is no longer an option :/
It sounds like you are interested in learning rather than having a "real and present danger," so the upside is you don't have to do everything at once. Pick a starting point with one or a few goals, then go from there.
Have you ever used QubesOS? I haven't, but I'm curious about some of their methods. They have or had templates that might be useful for a Gentoo install (https://www.qubes-os.org/doc/templates/). My "some day" list is long.
_________________
Quis separabit? Quo animo?
NeverSloppy n00b
Joined: 03 Nov 2022 Posts: 29
Posted: Thu Nov 10, 2022 6:09 pm Post subject:
My goal is to become a competent Linux user and to learn the ins and outs of hardening a system.
As a newb I began my journey in Gentoo by learning how to encrypt /root in a VM. This step seems important
as I will soon install on a laptop and laptops are prone to theft.
I have done this before on a raspberry pi in which I set up dropbear in initramfs to ssh into the pi and
decrypt the files. Next time I want to setup wpa_supplicant in initramfs so that I don't have to connect
the pi to ethernet before ssh'ing.
I didn't really understand UUID in my pi so I basically swapped one for the other until it booted. But now
that I've done it on Gentoo I do have a better understanding about how this works!
Also I found the Security Handbook.
https://wiki.gentoo.org/wiki/Security_Handbook/Full
NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54099 Location: 56N 3W
Posted: Thu Nov 10, 2022 7:09 pm Post subject:
NeverSloppy,
There are lots of different UUIDs. They all mean something different, so it's important to distinguish which UUID you are talking about.
Partitioned whole disks have a Disk identifier. That's a UUID by another name.
Partitions have a UUID. The kernel calls that PARTUUID.
Filesystems have a UUID. That's normally just UUID.
mdadm raid sets have a UUID. It's common across all members of the set.
Logical Volume Manager Physical Volumes have PV UUID
Logical Volume Manager Logical Volumes have a LV UUID
Some of those I've never used. :)
pietinger Moderator
Joined: 17 Oct 2006 Posts: 4019 Location: Bavaria
NeverSloppy n00b
Joined: 03 Nov 2022 Posts: 29
Posted: Sat Nov 12, 2022 12:16 am Post subject:
Today, I discovered the distro Alpine Linux. :/
They seem to have what I am trying to implement in Gentoo. Small with only the bare minimum programs.
Hardened kernel. Gaming occasionally.
I am now torn between using Gentoo's Hardened Stage3 with musl and openrc or learning this other distro.
I do not feel confident that I will be able to edit the kernel with hardened features and have it work
with Steam for the occasional gaming.
Heck I'm currently struggling with getting wayland/sway up and running in a VM let alone trying this on my laptop. Sigh.
Spanik l33t
Joined: 12 Dec 2003 Posts: 942 Location: Belgium
Posted: Sat Nov 12, 2022 11:25 am Post subject:
Interesting read, also the links. Keeping your pc updated is a start for security, but I feel that sometimes I'm missing out on a lot of other simple security things because I do know that they exist but I have no clue on how to implement them.
Like you always read "disable telnet". But I have no clue as to how to check if it is active on my pc, even less if it could be activated remotely and when I find it is there, how to deactivate it.
_________________
Expert in non-working solutions
Leonardo.b Apprentice
Joined: 10 Oct 2020 Posts: 294
Posted: Sat Nov 12, 2022 2:54 pm Post subject:
Spanik wrote:
| Like you always read "disable telnet". But I have no clue as to how to check if it is active on my pc, even less if it could be activated remotely and when I find it is there, how to deactivate it.
It depends on your init/service-manager.
Same as sshd, syslogd, or anything else.
Probably you don't have telnetd installed at all.
Also, you can check using ps.