Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
Setup Hardened/SE-Linux
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
Spargeltarzan
Guru
Guru


Joined: 23 Jul 2017
Posts: 325

PostPosted: Thu Dec 21, 2017 9:25 pm    Post subject: Setup Hardened/SE-Linux Reply with quote

Hello dear community,

I want to setup hardened and selinux and I planned to follow this Hardened Guide

I use profile 17 with gnome/systemd.

Will I need to change to default/linux/amd64/17.0/hardened/selinux? (how can I ensure gnome/systemd still works?) Or should I stay on gnome/systemd and add somehow hardened features (since PIE is already enabled)?

As I understand the Wiki right, I miss PaX, SELinux and Integrity. However, for PaX and Integrity it seams the kernel needs to be rebuild, is this done automatically when I choose the right profile?

ADD: What is the role of AppArmor for hardened?
"AppArmor is a MAC (Mandatory Access Control) system, implemented upon LSM (Linux Security Modules)." --> sounds like I should want it (I thought AppArmor is only for Ubuntu)

What is the best way to change my Notebook to a fully hardened system with selinux enabled?

ADD: Is hardened indeed a dead project now, will we not be able to use it with recent kernels?
_________________
___________________
Regards

Spargeltarzan

Notebook: Lenovo YOGA 900-13ISK: Gentoo stable amd64, GNOME systemd, KVM/QEMU
Desktop-PC: Intel Core i7-4770K, 8GB Ram, AMD Radeon R9 280X, ZFS Storage, GNOME openrc, Dantrell, Xen


Last edited by Spargeltarzan on Fri Dec 22, 2017 8:52 am; edited 1 time in total
Back to top
View user's profile Send private message
littletux
n00b
n00b


Joined: 08 Dec 2003
Posts: 74

PostPosted: Fri Dec 22, 2017 12:04 am    Post subject: Reply with quote

As I know both ways are possible, and both ways need a lot of changes to do so all your USEFLAG related things can be resolved after.

If you change to the hardened profile, you will have to add a lot of USEFLAGS related to gnome, because the hardened profile is only a standard profile with all security related flags added.
If you rest on your actual profile, you have to find out yourself which USEFLAGS are set on the hardened profile.

So in my opinion, it will be easier to change to hardened, and then find out the now missing USEFLAGS for gnome. But be aware if you do a
Code:
emerge -uDN world
after changing the profile, your system will give you first tons of messages like
Quote:
package bla needs USEFLAG foo


If you would decide to use the hardened/selinux profile it would be also a lot more complicated. because then you have to find out which additional packages are needed if you not decide to install all packages that have a selinux in packagename. So if you want have the hardened/selinux profile maybe it would be easier to do a fresh install to prevent you from installing a lot of unnecessary packages.
Back to top
View user's profile Send private message
Spargeltarzan
Guru
Guru


Joined: 23 Jul 2017
Posts: 325

PostPosted: Fri Dec 22, 2017 9:23 am    Post subject: Reply with quote

littletux wrote:

So in my opinion, it will be easier to change to hardened, and then find out the now missing USEFLAGS for gnome. But be aware if you do a
Code:
emerge -uDN world
after changing the profile, your system will give you first tons of messages like
Quote:
package bla needs USEFLAG foo


If you would decide to use the hardened/selinux profile it would be also a lot more complicated. because then you have to find out which additional packages are needed if you not decide to install all packages that have a selinux in packagename. So if you want have the hardened/selinux profile maybe it would be easier to do a fresh install to prevent you from installing a lot of unnecessary packages.


not sure if I fully understand this - Is it not possible, when I change to hardened/selinux profile, that my existing packages become compiled with selinux? All additional packages necessary for selinux can of course be installed, simply "all packages that have selinux in packagename" would for me mean all packages in tree of hardened/selinux, so many what I would not need (and do not want)

Why does a profile change pull in unnecessary packages?

Question for the hardened kernel, due to the crsecurity maintenance stop, currently only kernel 4.9 is marked as stable, so I will need to downgrade the kernel?
The Gentoo hardened project has now a "stopped" on project-site too, does it than even make sense to start using it since my system might be depreciated soon?
Selinux support is still in maintenance?

I actually really want to avoid a full reinstall, but I also do not want a wasted system
_________________
___________________
Regards

Spargeltarzan

Notebook: Lenovo YOGA 900-13ISK: Gentoo stable amd64, GNOME systemd, KVM/QEMU
Desktop-PC: Intel Core i7-4770K, 8GB Ram, AMD Radeon R9 280X, ZFS Storage, GNOME openrc, Dantrell, Xen
Back to top
View user's profile Send private message
littletux
n00b
n00b


Joined: 08 Dec 2003
Posts: 74

PostPosted: Sat Dec 23, 2017 2:35 pm    Post subject: Reply with quote

Quote:
Why does a profile change pull in unnecessary packages?

It doesn't , but for example you have had before change to the hardened/selinux profile a standard profile so the nessessary packages are not installed, and the profile change has the consequence, that you now have to install some packages that are a dependency now. This dependencies unfortunately will not be resolved by itselfs, so you either have to find out all really needed packages by yourself, or installing all and maybe some ( or a lot)= are not needed

I have done a while ago a test myself to change from standart profile to hardened/selinux, and after change i had done a
Code:
emerge -pvuDN world --with-bdeps=y


The result was that it says me for a lot packages that not are installed and they should be. So I have decided thats the easier way for me , only change to hardened and not to hardened/selinux.

Quote:


Question for the hardened kernel, due to the crsecurity maintenance stop, currently only kernel 4.9 is marked as stable, so I will need to downgrade the kernel?
The Gentoo hardened project has now a "stopped" on project-site too, does it than even make sense to start using it since my system might be depreciated soon?
Selinux support is still in maintenance?


After I have studied about that, my opinion in this time:
"It would be better to wait before you make a decision, what you wanna do." indeed would it be nessessary to downgrade to the last hardened-source if you would like to use grsec
Back to top
View user's profile Send private message
Spargeltarzan
Guru
Guru


Joined: 23 Jul 2017
Posts: 325

PostPosted: Thu Dec 28, 2017 5:21 pm    Post subject: Reply with quote

Thank you for your support!

I will wait until we have got a documented approach. Does somebody have insights in Gentoo-Hardened and knows what they plan? Did someone change to hardened/selinux these days?

Following NeddySeagoons advice to identify threats firstly, I have collected:
-) Firewall Protection against attacks, especially because I am in untrusted networks regularily. (university, hotels, coffee shops, ...)
-) Using a VPN when I am in these networks to protect my traffic
-) encryption of my system for protection agains thiefs (I have got ext4 currently. Would consider changing to ZFS, but I do not rely to use it as a root pool - for my data pool it is excellent, Btrfs is too unmature for me)
-) Protection against malicious code on my system
-) isolation of activities (e.g. banking I want to do in a fully trusted zone/virtual machine)
_________________
___________________
Regards

Spargeltarzan

Notebook: Lenovo YOGA 900-13ISK: Gentoo stable amd64, GNOME systemd, KVM/QEMU
Desktop-PC: Intel Core i7-4770K, 8GB Ram, AMD Radeon R9 280X, ZFS Storage, GNOME openrc, Dantrell, Xen
Back to top
View user's profile Send private message
Shoaloak
n00b
n00b


Joined: 05 Nov 2016
Posts: 48

PostPosted: Fri Jan 05, 2018 2:09 pm    Post subject: Reply with quote

I am currently running a Gentoo system with Systemd, Gnome and some Hardening.

What I did was combine two profiles, I named it hardened/linux/amd64/13.0/desktop/gnome/systemd.
It's only to get the basic compiler added protection, since SELinux requires quite some config. (still have to add it when i have the time :lol: )
Also, grsecurity and/or PaX are now a paid, GPL infringing service and their devs are jerkoffs, so unless you want to stick to an older kernel, I wouldn't recommend it.
Also, sticking to an older kernel isn't probably the best idea with the Spectre and Meltdown attacks going on.

Anywho, after succesfully creating a new profile (from combining two others), recompile to get moar security:
Code:
emerge -1av sys-devel/binutils sys-devel/gcc sys-libs/glibc


add pax markings:
Code:
PAX_MARKINGS="none"
# or XT, if you decided for PaX/grsecurity
#PAX_MARKINGS="XT"


Make sure correct GCC profile is selected:
Code:
gcc-config -l # make sure hardened (already selected in this example)
 [1] x86_64-pc-linux-gnu-5.4.0 *
 [2] x86_64-pc-linux-gnu-5.4.0-hardenednopie
 [3] x86_64-pc-linux-gnu-5.4.0-hardenednopiessp
 [4] x86_64-pc-linux-gnu-5.4.0-hardenednossp
 [5] x86_64-pc-linux-gnu-5.4.0-vanilla


recompile everything (is gonna take some time)
Code:
emerge -ev @system
emerge -ev @world


and now you have the basic hardening, add a MAC like SELinux to hearts content.
Spargeltarzan wrote:
What is the role of AppArmor for hardened?

AppArmor is a MAC implementation, just like SELinux is.
iirc, SELinux is more complex but has more control/features. AppArmor is more straightforward but lacks control/features.

Hope this helps you.

EDIT
I just read (hadn't updated my system in a while)
2017-11-30-new-17-profiles
Title New 17.0 profiles in the Gentoo repository

It seems that the hardened profile is being merged into the 17.0 profile.
_________________
Happy hacking.
Back to top
View user's profile Send private message
Spargeltarzan
Guru
Guru


Joined: 23 Jul 2017
Posts: 325

PostPosted: Fri Jan 05, 2018 8:24 pm    Post subject: Reply with quote

Shoaloak,

Thank you for your detailed help! Yes, I am already on profile 17.0 with PIE enabled.

When I consult the Hardened Project Page, the following would be possible:
1) Enabling specific options in the toolchain (compiler, linker ...) such as forcing position-independent executables (PIE), stack smashing protection and compile-time buffer checks.
2) Enabling PaX extensions in the Linux kernel, which offer additional protection measures like address space layout randomization and non-executable memory.
3) Enabling grSecurity extensions in the Linux kernel, including additional chroot restrictions, additional auditing, process restrictions, etc..
4) Enabling SELinux extensions in the Linux kernel, which offers a Mandatory Access Control system enhancing the standard Linux permission restrictions.
5) Enabling Integrity related technologies, such as Integrity Measurement Architecture, for making systems resilient against tampering

In 1) we have got PIE with profile 17.0, but what's about "stack smashing protection" and "compile-time buffer checks"?
2) 3) is dead in the moment unless using the old 4.9 kernel; yes, I want to stay on a newer one like you also recommend
4) Same for me, when I have got the time for it I will play around and consider it
Finally, what's about 5) in profile 17.0?

To protect against Spectre and Meltdown I have found a Gentoo User Mail recommending to activate a kernel option, but this will also mean a performance hit. On 9th of January Ubuntu will provide a patch to fix this issue, probably without a performance hit. We will see if the patch will be in Gentoo repos soon too.

Additionally, I am working on mount options and a firewall.
_________________
___________________
Regards

Spargeltarzan

Notebook: Lenovo YOGA 900-13ISK: Gentoo stable amd64, GNOME systemd, KVM/QEMU
Desktop-PC: Intel Core i7-4770K, 8GB Ram, AMD Radeon R9 280X, ZFS Storage, GNOME openrc, Dantrell, Xen


Last edited by Spargeltarzan on Sat Jan 06, 2018 9:16 am; edited 1 time in total
Back to top
View user's profile Send private message
Hu
Administrator
Administrator


Joined: 06 Mar 2007
Posts: 22696

PostPosted: Sat Jan 06, 2018 1:20 am    Post subject: Reply with quote

I think you may have misparsed some ambiguous phrasing in that mail. The advice is to "Remove the kernel mapping in user mode". The implementation of that advice is to enable (not deactivate, as you said above) CONFIG_PAGE_TABLE_ISOLATION.
Back to top
View user's profile Send private message
Spargeltarzan
Guru
Guru


Joined: 23 Jul 2017
Posts: 325

PostPosted: Sat Jan 06, 2018 9:17 am    Post subject: Reply with quote

Hu,

Thank you!!!
_________________
___________________
Regards

Spargeltarzan

Notebook: Lenovo YOGA 900-13ISK: Gentoo stable amd64, GNOME systemd, KVM/QEMU
Desktop-PC: Intel Core i7-4770K, 8GB Ram, AMD Radeon R9 280X, ZFS Storage, GNOME openrc, Dantrell, Xen
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum