Fernando Rodriguez <frodriguez.develo...@outlook.com> wrote:

> On Sunday, September 06, 2015 1:15:17 PM walt wrote:
> > https://wiki.gentoo.org/wiki/Hardened_Gentoo
> > 
> > That wiki page is very seductive.  It makes me want to drop
> > everything and select a hardened profile and re-emerge everything
> > from scratch.
> > 
> > But I have a feeling I'd soon be in big trouble if I did.  Is this
> > something that only gentoo devs should be messing with, or is this
> > a project that a typical gentoo end-user might hope to accomplish
> > without frequent suicidal thoughts?
> 
> There are different opinions on it, but mine is that while it adds some
> security it's so little that it's not worth it in most cases. It
> provides more security on a binary distro because everyone has the
> same binaries and an attacker doesn't need to guess where a specific
> piece of code may get loaded, but by running a source distro your
> address space is already pretty unique. The only case where it
> provides some security is when an attacker is trying to guess an
> address for an exploit; making the wrong guess will likely crash the
> process and it will be reloaded at a new address. Do you have
> valuable enough data for an attacker to go through that hassle in
> order to get it? If you do then you should use a hardened profile,
> but physical security and disk encryption are more important because
> if it's worth that much it'll be easier to just rob you.

I'm not a security expert, so I may be wrong here, but I think there
are more security functions in gentoo-hardened than just address space
randomization. There are also things like stack smash protection and
some other restrictions that make it harder to exploit security holes.
 
> Be aware that there's no hardened desktop profile so that alone will
> make it somewhat harder if you plan to use it on a desktop.

I never used a desktop profile. I just added the USE flags that I need.

> Another reason is if you want to use something like SELinux (which
> doesn't require a hardened profile) that gives you very fine grained
> control about access control but it's also very restrictive. I think
> it's only worth it for large networks with many users and different
> levels of access to sensitive data.

Yes, SELinux can be very painful and I also don't use it.
 
> I needed some of SELinux's features but settled for using AppArmor in
> an unusual way to accomplish them because SELinux is too much
> trouble. All AppArmor really does is provide process isolation or
> sandboxing. If an attacker gains access through an exploit he will
> only be able to access the files that the exploited service has
> access to. I use it with a catch-all profile that prevents execution
> from all world-writable and home directories, and access to ssh/pgp
> keys, keyrings, etc. This works nicely for servers and desktops and is
> not too restrictive. And if I need to execute code from my home dir
> for development I can launch an unrestricted shell via sudo. I can
> leave my laptop unlocked with the wallet open (I use the kwallet pam
> module) and it will be really hard for you to get anything like ssh
> keys or passwords (I also have patches for kwallet so it requires a
> password to show saved passwords), but the programs that need them
> have access to them.

I will give AppArmor a try when I have more spare time.

--
Regards
wabe
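For readers who want to try the catch-all AppArmor approach Fernando describes above, here is an added illustration of what such a profile could look like; it is not Fernando's actual profile and not from any Gentoo package. It assumes a wildcard attachment (`/**`) is accepted by your AppArmor version (more specific profiles still take precedence), that `@{HOME}` comes from tunables/global, and that the keyring paths are the usual KDE5/GNOME locations; the sudo rule is what lets an unconfined shell be started for development work.

```apparmor
# Constructed example: deny-by-exception profile applied to everything
# that has no more specific profile. Explicit deny rules always win
# over allow rules in AppArmor, so the denies below hold even though
# broad access is granted first.
#include <tunables/global>

profile catchall /** flags=(attach_disconnected) {
  #include <abstractions/base>

  # Broad defaults: the aim is isolation of secrets and exec locations,
  # not a tight per-service policy, so most access stays permitted.
  capability,
  network,
  /** rwkl,

  # Executing from system locations inherits this profile (ix), so a
  # spawned helper stays confined the same way its parent was.
  /{usr/,}{s,}bin/**            ix,
  /usr/{lib,libexec,local}/**   ix,
  /{usr/,}lib{,32,64}/**        mr,

  # sudo may launch an unconfined process (Ux scrubs the environment);
  # this is the deliberate escape hatch for development shells.
  /usr/bin/sudo                 Ux,

  # No execution from world-writable or home directories (the usual
  # drop locations for a payload downloaded by an exploited service).
  deny /tmp/**                  x,
  deny /var/tmp/**              x,
  deny /dev/shm/**              x,
  deny @{HOME}/**               x,

  # No access to key material or wallets for processes under this
  # profile; programs that legitimately need them get their own,
  # more specific profile that re-allows the relevant directory.
  deny @{HOME}/.ssh/**                       rwkl,
  deny @{HOME}/.gnupg/**                     rwkl,
  deny @{HOME}/.local/share/kwalletd/**      rwkl,   # assumed KDE5 path
  deny @{HOME}/.local/share/keyrings/**      rwkl,   # assumed GNOME path
  deny /etc/ssh/ssh_host_*_key               rwkl,
}
```

Load it in complain mode first (`aa-complain`) and watch the audit log for DENIED entries before switching to enforce, since a profile attached this broadly will surface every program that touches the denied paths.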
