mbar Veteran
Joined: 19 Jan 2005 Posts: 1991 Location: Poland
Posted: Thu Nov 04, 2010 7:16 am Post subject: Military-grade security for Gentoo Desktop
Let's talk some science-fiction here.
If you were to secure your laptop/desktop computer to the highest possible level (or whatever military-grade may mean) how would you do that? I'm asking because I think I have mastered these:
http://en.gentoo-wiki.com/wiki/DM-Crypt_with_LUKS
http://en.gentoo-wiki.com/wiki/Root_on_LVM_or_EVMS_over_dm-crypt/LUKS
and I have some (unpleasant) experience with hardened, and I'm bored and would like to learn more.
Let's assume we want to protect our computers from Lisbeth Salander.
What next? grsecurity? Would a checklist help here?
Code:
Whole disk DM-Crypt with LUKS .......... Check
Hardened Gentoo ........................ Check
Firewall ............................... Check
No trace of Internet Explorer .......... Check
Remote login only with SSH ............. Check
.
.
.
.

Letharion Veteran
Joined: 13 Jun 2005 Posts: 1344 Location: Sweden
Posted: Thu Nov 04, 2010 7:47 am
Given that the US NSA is heavily involved in SELinux (or so I think http://www.nsa.gov/research/selinux/), I'd say that's as close to "military grade" as you are likely to get.

mbar Veteran
Joined: 19 Jan 2005 Posts: 1991 Location: Poland
Posted: Thu Nov 04, 2010 7:53 am
I wondered if mentioning Lisbeth would attract someone from Sweden... and it happened

Letharion Veteran
Joined: 13 Jun 2005 Posts: 1344 Location: Sweden
Posted: Thu Nov 04, 2010 8:00 am
I had no idea who she was, I didn't even click the link until now.
I've heard of the books and movies of course, but never read or saw them.

gerard27 Advocate
Joined: 04 Jan 2004 Posts: 2377 Location: Netherlands
Posted: Thu Nov 04, 2010 1:03 pm
mbar,
Are you seriously considering making your lappy impenetrable?
I have been using Linux for a long time (no server).
Went from distro to distro always with the same root passwd.
Never any problem.
Gerard.
_________________
To install Gentoo I use sysrescuecd. Based on Gentoo, has firefox to browse Gentoo docs and mc to browse (and edit) files.
The same disk can be used for 32 and 64 bit installs.
You can follow the Handbook verbatim.
http://www.sysresccd.org/Download

Letharion Veteran
Joined: 13 Jun 2005 Posts: 1344 Location: Sweden
Posted: Thu Nov 04, 2010 1:07 pm
I quote the OP:
Quote: "I'm bored and would like to learn more."
What better reason could there possibly be, than to pursue knowledge for the sake of fun, and knowledge?
I tried to get my server to use SE-Linux too once, for precisely the same reason, but I didn't have the patience required at that time.

tomk Bodhisattva
Joined: 23 Sep 2003 Posts: 7221 Location: Sat in front of my computer
Posted: Thu Nov 04, 2010 1:18 pm
Moved from Gentoo Chat to Networking & Security as it fits better here.
_________________
Search | Read | Answer | Report | Strip

mbar Veteran
Joined: 19 Jan 2005 Posts: 1991 Location: Poland
Posted: Thu Nov 04, 2010 1:50 pm
Letharion wrote: "What better reason could there possibly be, than to pursue knowledge for the sake of fun, and knowledge?"
This is exactly the reason for my "quest". I'm a Gentoo user since late 2004 and till today I have installed only one hardened server (not for me, but I'm still helping with updates and administration of that server), that I un-hardened due to trouble with updating some packages. The rest of my Gentoo installs are "default" servers and desktops. None has been "penetrated" as you may say.
But I reckon that my knowledge of hardened/secure Linux is not full -- time to learn then

mr.sande Tux's lil' helper
Joined: 26 Apr 2010 Posts: 82 Location: Norway
Posted: Thu Nov 04, 2010 11:52 pm
I am kind of on the same "quest", trying to learn more about linux security. Figured a good way to learn is to live with it.
Up until now I have
- switched to hardened profile
- enabled pax and grsecurity
- rebuilt system
- started auditing with lsat, lynis, rkhunter and other such tools
Since I'm new to hardened gentoo this is a learning journey for me. So I was wondering what your plans for hardening are, mbar?

1clue Advocate
Joined: 05 Feb 2006 Posts: 2569
Posted: Fri Nov 05, 2010 3:21 am
First, let me preface this with "I'm not an expert."
That said, just about every encryption book, paper, web site or primer I've ever read claims that "military grade encryption" is a snake oil warning.
The US Military doesn't publish any information about what sort of encryption they use, therefore proving what grade of encryption they provide vs the grade you're looking at is impossible, and while some reputable groups use the term you really need to do your homework.
Other warnings include "trust us, we know what we're doing" and other attempts to obscure what's going on. Good encryption has little to do with method and everything to do with the key. Another would be the permission to export it from the USA.
It has been some years since I looked into it, but I would strongly recommend that you do a bunch of reading on sites or in books which don't use the term.
Good luck and have fun.

mbar Veteran
Joined: 19 Jan 2005 Posts: 1991 Location: Poland
Posted: Fri Nov 05, 2010 7:12 am
1clue wrote: "That said, just about every encryption book, paper, web site or primer I've ever read claims that "military grade encryption" is a snake oil warning.
[...]
It has been some years since I looked into it, but I would strongly recommend that you do a bunch of reading on sites or in books which don't use the term."
Of course I'm aware of this issue. Besides, I have a degree (albeit a low one) in Computer Security, so I have already read a few books without the "military grade" statement. And I used "military grade" as a somewhat tongue-in-cheek remark. Nonetheless I treat this subject seriously.
1clue wrote: "Good luck and have fun."
Yeah!
mr.sande wrote: "Since I'm new to hardened gentoo this is a learning journey for me. So I was wondering what your plans for hardening are, mbar?"
No definite plans yet, I'm conducting some trials (i.e. fresh SELinux Gentoo install) on a virtual machine.
BTW I have found this:
http://hardenedgentoo.blogspot.com/
pity it's updated rather rarely.