Gentoo Forums
Military-grade security for Gentoo Desktop
mbar (Veteran; Joined: 19 Jan 2005; Posts: 1983; Location: Poland)
Posted: Thu Nov 04, 2010 7:16 am    Post subject: Military-grade security for Gentoo Desktop

Let's talk some science-fiction here :)

If you were to secure your laptop/desktop computer to the highest possible level (or whatever military-grade may mean) how would you do that? I'm asking because I think I have mastered these:
http://en.gentoo-wiki.com/wiki/DM-Crypt_with_LUKS
http://en.gentoo-wiki.com/wiki/Root_on_LVM_or_EVMS_over_dm-crypt/LUKS
and I have some (unpleasant) experience with hardened, and I'm bored and would like to learn more.

Let's assume we want to protect our computers from Lisbeth Salander

What next? grsecurity? Would a checklist help here?


Code:
Whole disk DM-Crypt with LUKS ............... Check
Hardened Gentoo ........... Check
Firewall ................... Check
No trace of Internet Explorer .......... Check
Remote login only with SSH ............. Check
.
.
.
.
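A checklist like the one above can be turned into a script that verifies each item from command output. The following is an added example, not code from the thread; its check functions, the constructed sample inputs, and the output formats it assumes (`lsblk -rno NAME,TYPE`, `eselect profile show`, `iptables -S INPUT`, `sshd_config`) are my assumptions about what a hardened box would show.

```shell
#!/bin/sh
# Added example: each check reads command output or a config file on stdin
# and exits 0 (pass) or 1 (fail), so it works on a live system, e.g.
#   lsblk -rno NAME,TYPE | crypt_check
# or on captured output. All sample data below is constructed.

# Whole-disk dm-crypt: pass if `lsblk -rno NAME,TYPE` lists a "crypt" device.
crypt_check() {
    awk '$2 == "crypt" { found = 1 } END { exit !found }'
}
# Hardened Gentoo: pass if `eselect profile show` names a hardened profile.
hardened_check() {
    grep -qi 'hardened'
}
# Firewall: pass if `iptables -S INPUT` shows a default DROP policy.
firewall_check() {
    grep -q '^-P INPUT DROP'
}
# SSH: pass if sshd_config disables root login and password authentication.
# sshd honours the first uncommented occurrence of a keyword, so we do too.
sshd_check() {
    awk '
        /^[[:space:]]*(#|$)/ { next }
        tolower($1) == "permitrootlogin"        && root == "" { root = tolower($2) }
        tolower($1) == "passwordauthentication" && pw   == "" { pw   = tolower($2) }
        END { exit !(root == "no" && pw == "no") }'
}

# Constructed sample data standing in for real command output.
SAMPLE_LSBLK='sda disk
sda1 part
cryptroot crypt
vg-root lvm'
SAMPLE_PROFILE='  default/linux/amd64/10.0/hardened'
SAMPLE_IPTABLES='-P INPUT DROP
-A INPUT -i lo -j ACCEPT'
SAMPLE_SSHD='# constructed sshd_config
PermitRootLogin no
PasswordAuthentication no
PasswordAuthentication yes'

# Print one checklist line per item: "Check" if the check passes, else "MISSING".
report() {
    printf '%s\n' "$2" | "$1" && printf '%-30s Check\n' "$3" || printf '%-30s MISSING\n' "$3"
}
report crypt_check    "$SAMPLE_LSBLK"    "Whole disk DM-Crypt with LUKS"
report hardened_check "$SAMPLE_PROFILE"  "Hardened Gentoo"
report firewall_check "$SAMPLE_IPTABLES" "Firewall"
report sshd_check     "$SAMPLE_SSHD"     "Remote login only with SSH"
```

The second `PasswordAuthentication` line in the sample is deliberately contradictory to show that only the first uncommented value counts, as sshd itself behaves.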
Letharion (Veteran; Joined: 13 Jun 2005; Posts: 1333; Location: Sweden)
Posted: Thu Nov 04, 2010 7:47 am

Given that the US NSA is heavily involved in SELinux (or so I think http://www.nsa.gov/research/selinux/), I'd say that's as close to "military grade" as you are likely to get. :)
mbar (Veteran; Joined: 19 Jan 2005; Posts: 1983; Location: Poland)
Posted: Thu Nov 04, 2010 7:53 am

I wondered if mentioning Lisbeth would attract someone from Sweden... and it happened ;)
Letharion (Veteran; Joined: 13 Jun 2005; Posts: 1333; Location: Sweden)
Posted: Thu Nov 04, 2010 8:00 am

I had no idea who she was, I didn't even click the link until now ;)
I've heard of the books and movies of course, but never read or saw them.
mbar (Veteran; Joined: 19 Jan 2005; Posts: 1983; Location: Poland)
Posted: Thu Nov 04, 2010 8:52 am

/me starts reading http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml
gerard27 (Advocate; Joined: 04 Jan 2004; Posts: 2377; Location: Netherlands)
Posted: Thu Nov 04, 2010 1:03 pm

mbar,
Are you seriously considering making your lappy impenetrable?
I have been using Linux for a long time (no server).
Went from distro to distro always with the same root passwd.
Never any problem.
Gerard.
_________________
To install Gentoo I use sysrescuecd. Based on Gentoo, it has firefox to browse Gentoo docs and mc to browse (and edit) files.
The same disk can be used for 32 and 64 bit installs.
You can follow the Handbook verbatim.
http://www.sysresccd.org/Download
Letharion (Veteran; Joined: 13 Jun 2005; Posts: 1333; Location: Sweden)
Posted: Thu Nov 04, 2010 1:07 pm

I quote the OP:
Quote:
I'm bored and would like to learn more.

What better reason could there possibly be, than to pursue knowledge for the sake of fun, and knowledge?
I tried to get my server to use SE-Linux too once, for precisely the same reason, but I didn't have the patience required at that time.
tomk (Bodhisattva; Joined: 23 Sep 2003; Posts: 7221; Location: Sat in front of my computer)
Posted: Thu Nov 04, 2010 1:18 pm

Moved from Gentoo Chat to Networking & Security as it fits better here.
_________________
Search | Read | Answer | Report | Strip
mbar (Veteran; Joined: 19 Jan 2005; Posts: 1983; Location: Poland)
Posted: Thu Nov 04, 2010 1:50 pm

Letharion wrote:
What better reason could there possibly be, than to pursue knowledge for the sake of fun, and knowledge?


This is exactly the reason for my "quest". I have been a Gentoo user since late 2004 and to this day I have installed only one hardened server (not for me, but I'm still helping with updates and administration of that server), which I un-hardened due to trouble updating some packages. The rest of my Gentoo installs are "default" servers and desktops. None has been "penetrated", as you may say :)
But I reckon that my knowledge of hardened/secure Linux is not complete -- time to learn then ;)
mr.sande (Tux's lil' helper; Joined: 26 Apr 2010; Posts: 82; Location: Norway)
Posted: Thu Nov 04, 2010 11:52 pm

I am kind of on the same "quest", trying to learn more about Linux security. I figured a good way to learn is to live with it.

Up until now I have
- switched to the hardened profile
- enabled PaX and grsecurity
- rebuilt the system
- started auditing with lsat, lynis, rkhunter and other such tools

Since I'm new to hardened Gentoo this is a learning journey for me. So I was wondering, what are your plans for hardening, mbar?
1clue (Advocate; Joined: 05 Feb 2006; Posts: 2567)
Posted: Fri Nov 05, 2010 3:21 am

First, let me preface this with "I'm not an expert."

That said, just about every encryption book, paper, web site or primer I've ever read claims that "military grade encryption" is a snake oil warning.

The US Military doesn't publish any information about what sort of encryption they use, therefore proving what grade of encryption they use vs. the grade you're looking at is impossible, and while some reputable groups use the term, you really need to do your homework.

Other warnings include "trust us, we know what we're doing" and other attempts to obscure what's going on. Good encryption has little to do with method and everything to do with the key. Another would be the permission to export it from the USA.

It has been some years since I looked into it, but I would strongly recommend that you do a bunch of reading on sites or in books which don't use the term.

Good luck and have fun.
mbar (Veteran; Joined: 19 Jan 2005; Posts: 1983; Location: Poland)
Posted: Fri Nov 05, 2010 7:12 am

1clue wrote:
That said, just about every encryption book, paper, web site or primer I've ever read claims that "military grade encryption" is a snake oil warning.
[...]
It has been some years since I looked into it, but I would strongly recommend that you do a bunch of reading on sites or in books which don't use the term.


Of course I'm aware of this issue. Besides, I have a degree (albeit a low one ;) ) in Computer Security, so I have already read a few books without the "military grade" statement. And I used "military grade" as a somewhat tongue-in-cheek remark. Nonetheless I treat this subject seriously.

1clue wrote:
Good luck and have fun.

Yeah!

mr.sande wrote:
Since I'm new to hardened Gentoo this is a learning journey for me. So I was wondering, what are your plans for hardening, mbar?

No definite plans yet, I'm conducting some trials (i.e. a fresh SELinux Gentoo install) on a virtual machine.

BTW I have found this:
http://hardenedgentoo.blogspot.com/
pity it's updated rather rarely.