
Any advantage using 'hardened' for the desktop user?



I'm getting ready to install Funtoo to my new (to me) Core2 Duo desktop. Is there any advantage for an average desktop user such as myself to using the 'hardened' mix-in? I tend to run a bit on the paranoid side in terms of security, but perhaps this is only really useful in server settings? Just wondering if anyone uses/recommends this for the desktop.


i've never used it.  i'm in a fairly good situation with security in the first place though by omitting sensitive data.  a good firewall stops bogus traffic, a fairly long password with caps, numbers and symbols.  disable ssh access, or run sshguard.  close all unused ports.  security problems then start flowing from individual programs' bugs, but i have a separate $HOME, so / is a throw away os install.  i can format and be up and funtooing in 12 hours or less.

 

the cia has a live usb distro so you can boot to a secure environment. i'd use that to then access more hardened servers with sensitive content in the background of the datacenter.  as in use a live distro to turn the computer accessing sensitive content into a dumb terminal...

 

security is a strange beast, there are many angles you can take with security.


sshguard yes...  the others not so much because they are general infra deployment techniques.  i imagine hardened is for shared webserver systems that have tons of users, as far as i know it's just more granular permission settings.  i guess it should go to a securing a funtoo install wiki page that would outline several packages/tutorials.

 

LPS "lightweight portable security" is the DOD linux distro, not cia.  what should the page be named, security tips below hardened...  security blueprints?  i like security blueprints for the title of a page of security tips / links to security articles / tutorials.


Threesixes and spectromas, I'd be more than happy to assist with something like this as well. :)

 

Security Blueprints sounds good but what about Security Configuration Guides?

 

It could be good to lay it out in a Defense in Depth manner:

Physical Security

BIOS Configurations

Kernel Configurations

Network Configurations

Application Configurations

Etc, etc.

 

If you really want to kick off some brainstorming and whatnot, please feel free to PM me and I can provide some info on my background in relation to this sort of thing.


jwjones, my apologies, I just realized that I went rolling on with the ideas 666threesixes666 and spectromas brought up, without providing some info to your question.

I am still new to Funtoo/Gentoo specific things, but I think I can add more to what threesixes said in the first post. I'll try and be broad and focused at the same time, because I also don't know how paranoid and security focused you are.  Or maybe it will answer something for someone else. ;)

 

I'm getting ready to install Funtoo to my new (to me) Core2 Duo desktop. Is there any advantage for an average desktop user such as myself to using the 'hardened' mix-in? I tend to run a bit on the paranoid side in terms of security, but perhaps this is only really useful in server settings? Just wondering if anyone uses/recommends this for the desktop.


In general there are advantages to a user running a "hardened" desktop, but there are also disadvantages such as consuming time to configure it so that everything "just works".  Security mechanisms can often get in the way of a user's needs or force them to modify how they use their system in order to accommodate the protections that are put in place.

 

The key for an "average desktop user" that likes to keep a security focused mindset is to find balance when implementing security in relation to the cost of the data or user's time and the risks that are out there.

Much of this is preference, but like you mentioned in your post, servers are often held to higher preferences because of the cost of the data/resource and the server administrator's time.  But some people like to run their desktops with the same level of protection.  In the business world more often than not all of this is evaluated through a Business Impact Assessment and security mechanisms are developed and implemented based on this.

 

For example, 666threesixes666 explained some of the security mechanisms and configurations that they find reasonable for their situations and usage.

For your "average desktop user" or desktop system that is used for surfing the web, playing games, creating non-sensitive documents; things like 666threesixes666 explained are usually enough.  Things like those that were mentioned: a long complex password, a good host firewall, not running un-needed services that create risk (ssh, avahi, samba, ftp, telnet, etc), using separate partitions for data separation.  These are considered typical security configurations because most security people think of these first and they work well at protecting the "average desktop users" without getting in the way really.

 

An "average desktop user" can take things a step further without running the hardened mix-in or compiling a hardened kernel by using security related applications like sshguard, fail2ban, denyhosts, rkhunter, aide, tripwire, dnscrypt, apparmor, sudo, etc, etc.

These types of things are what I consider "piling on security"; this falls under "hardening" in general.  But I like to call it "piling on security" because you are just adding security mechanisms "on top" of the base system and it helps people understand.

 

A user can take it a step further by doing some extra configuration changes as well; these are usually focused strictly on the base system.  Such as: configuring password complexity, aging, and lockout options, modifying hosts.deny and hosts.allow for use with tcpwrappers, adding egress filtering to the firewall, modifying /etc/sysctl.conf, using Bastille and or Lynis for extra hardening options, and using openscap and or cvechecker to continuously monitor system vulnerabilities based on installed software.  There are so many others that are for specific applications a user may use, too many to add right now.

 

The last option or step is to take it to the extreme or partially there.  This is using hardened mix-in and or a hardened kernel.

 

The Funtoo Flavors and Mix-ins page states the Hardened Mix-in "enables hardened support."

Now because I am still new to all the ways of Funtoo/Gentoo, I am going to assume this relates to what Gentoo has in their wiki. "By choosing the hardened profile, certain package management settings (masks, USE flags, etc) become default for your system. This applies to many packages, including the toolchain. The toolchain is used for building/compiling your programs, and includes: the GNU Compiler Collection (GCC), binutils (linker, etc.), and the GNU C library (glibc). By re-emerging the toolchain, these new default settings will apply to the toolchain, which will allow all future package compiling to be done in a hardened way."  I believe this is what the hardened mix-in offers because when I used it, it did not include grsecurity options in the kernel .config (see below).

 

By using the hardened-sources versus gentoo-sources or anything other, includes the Hardened Gentoo Toolchain into the kernel.  The Hardened Gentoo Toolchain includes: PaX, PIE/SSP, grsecurity kernel patches, Mandatory Access Controls (grsecurity, SELinux, RSBAC, Tomoyo), Linux Integrity Measurement Architecture in conjunction with Extended Verification Module subsystem.

 

 

I am currently "tinkering" with a build using both the hardened mix-in, gentoo's hardened-sources with Funtoo, and a bunch of what I talked about above and it seems to be working fine so far.  Do I need it for everyday use, absolutely not.  :ph34r:

 

 

So the advantage for you personally using the hardened mix-in is really up to you, your system, and its use.  Technically there is an advantage, but the disadvantage is that it could cause issues leading to configuring and troubleshooting time increases.  More than likely you will be a safe and secure "average desktop user" with far less. ;)

 

Like 666threesixes666 stated at the end of their first post "security is a strange beast, there are many angles you can take with security.".

It can be as complex as the user/data/owner/etc need it to be, which is why I left out things like physical, BIOS, and network protections, etc, etc.

Plus I was getting close to writing a book anyway.  :P

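Added example (not part of any post above, and not Funtoo or Gentoo code): a small checker that reads an ELF file and reports whether it shows the PIE and SSP hardening the post attributes to the hardened toolchain, so a stock build and a hardened build can be compared. It goes slightly beyond the post by also reporting RELRO and non-executable stack markings; the names `elf_hardening` and `make_sample` are hypothetical, the sample headers are constructed, and the SSP check is a byte-search heuristic.

```python
import struct, sys

ET_DYN, PF_X = 3, 0x1    # ET_DYN: position-independent (PIE programs, shared libs)
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552

def elf_hardening(data):
    """Report which toolchain hardening features an ELF image shows."""
    if len(data) < 52 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = data[4] == 2                      # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    end = "<" if data[5] == 1 else ">"       # EI_DATA: 1 = little-endian
    e_type, = struct.unpack_from(end + "H", data, 16)
    if is64:
        e_phoff, = struct.unpack_from(end + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
    else:
        e_phoff, = struct.unpack_from(end + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)
    nx = relro = False                       # no PT_GNU_STACK: treated as not NX
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, = struct.unpack_from(end + "I", data, off)
        # p_flags follows p_type in ELF64 but sits at offset 24 in ELF32
        p_flags, = struct.unpack_from(end + "I", data, off + (4 if is64 else 24))
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            relro = True
    # Heuristic: SSP-built code references __stack_chk_fail in its symbol strings.
    return {"pie": e_type == ET_DYN, "nx_stack": nx, "relro": relro,
            "ssp": b"__stack_chk_fail" in data}

def make_sample(e_type, stack_flags, relro, ssp):
    """Constructed ELF64 little-endian headers for the demo (not a runnable binary)."""
    phdrs = [struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)]
    if relro:
        phdrs.append(struct.pack("<IIQQQQQQ", PT_GNU_RELRO, 4, 0, 0, 0, 0, 0, 1))
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0, 64, 56, len(phdrs), 0, 0, 0)
    return ehdr + b"".join(phdrs) + (b"__stack_chk_fail\0" if ssp else b"")

if __name__ == "__main__":
    for path in sys.argv[1:]:                # pass paths of binaries to inspect
        with open(path, "rb") as fh:
            print(path, elf_hardening(fh.read()))
    if not sys.argv[1:]:                     # no arguments: show constructed samples
        print("hardened-style:", elf_hardening(make_sample(ET_DYN, 6, True, True)))
        print("legacy-style:  ", elf_hardening(make_sample(2, 7, False, False)))
```

Run with file paths as arguments to inspect real binaries; with no arguments it prints results for the two constructed samples.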

the problem with naming such an idea is that it's hierarchical security.  draw bridges moats gators high stone walls soldiers and all....  i'm kinda flustered with topics this big...  it's too much to address at once....  but yeah, to me, it makes more sense to run hardened kernels, and profiles on web pointing servers not desktops.

 

desktops to me make more sense to run iptables, a moderately strong passworded user, disabled root password access (sudo only), no hard disk encryption, and nothing worth getting once in....  if you need sensitive data luks encryption requires partitions.  the only non encrypted to encrypted directory or file system i know of is insecure.  so at that point you may as well use the computer as a dumb terminal to an encrypted external hard drive/thumb drive...  i think luks would require you to enter your password every boot, and build an initramfs every kernel rebuild if you were planning on running that on /...  hardened may also require the initramfs, which i try to avoid like the plague...

 

the cost to run the security procedures, extra system load, loss of usability etc vs benefits gained is another good point.  Jwjones you could just do it, and document how you work through your new problems brought on by tighter security, costs, advantages, etc....  grsecurity, and pax sound nice.  selinux sounds like a nightmare....  i might give a hardened kernel a whirl....  why not (i'd probably avoid selinux like the plague) =D


  • 1 month later...

i think the best way to address this is security sub pages....  as in a general security page, then security/threesixestake security/drobbinstake security/olegstake security/physical security/hardening security/selinux security/apparmor security/applicationsecurity security/networksecurity etc etc etc so that it would be able to be very branched out and specific in the same breath.  we could have the extremely broad topic then boil everything down to a tightly knit highly secure system quickly.  skim through all the garbage and just have essentials.  like i need to work on speeding up /dev/random quite a bit more and the entropy daemons that can feed it with more data....  i need to figure out hashing files and salting them, need to figure out gpg...  need to figure out encfs, or luks auto decrypting at boot.  physical security is also a huge topic, how physically secure is your server/laptop etc.  can i break your laptop lock with a hammer?  can i use my lock picking expertise to break your lock open in 2 seconds?  do you have video watching the servers?  are the servers rack mounted?  are the servers vulnerable to nuclear attack, and mirrored off site multiple times?


I agree, a general security page is definitely the way to start.

To take what you proposed already, I think narrowing it down with sub-categories helps keep it organized and modular.

 

By sub-categories, I mean start with basic domains of security, then have individual methodologies and applications under each.

 

For example selinux and apparmor are both forms of Access Controls, technical ones, not to be confused with Physical Access Controls.

 

There are a lot of websites and books to look at for a reference of how this can be organized.


  • 2 weeks later...

I'm getting ready to install Funtoo ..... Just wondering if anyone uses/recommends this for the desktop.

I installed a hardened amd64 profile for three KDE / xmonad / fluxbox desktops.  One by one I had to abandon the hardened profile on each machine and switch them to pure64.  "Hardened" was easy to install and mostly well supported, but over time I ran into repeated blocks and emerge failures with that profile.  Often problems with hardened packages are fixed within a few days but not always.  It was sufficiently frustrating to motivate the effort to switch away from it.  Some problems were not just that packages could not be emerged but that my own local software and programming projects would fail because they were incompatible with some hardening feature.  I gradually turned off PaX features trying to keep my own stuff compilable.

 

I still run hardened on my file server and am glad for the extra security there.

 

The simpler your "desktop", the more likely that you'll be happy with a hardened system, but it just receives less feedback and bug fixing to make everything work all of the time.  It would be a great service, maybe a worthwhile project for you, if you would install a hardened system and commit to making bug reports for every problem that arises over time. 
