Gentoo Forums
Gentoo 1st use - Profile selection for hardened KDE desktop
akdom
n00b


Joined: 26 Nov 2014
Posts: 2

PostPosted: Wed Nov 26, 2014 8:12 am    Post subject: Gentoo 1st use - Profile selection for hardened KDE desktop

Hi!

I'm new to Gentoo; I figured that since no other distro meets my needs, why not give it a shot.
I'm currently following this guide alongside the official Gentoo manual: http://www.tecmint.com/gentoo-linux-installation-guide-part-2/

My first problem is the profile selection during installation.

I chose the stage3 amd64 hardened tar file.

Since I'm in a VM, my make.conf file is just basic with -O2 -pipe and -march=native... I'll probably end up using just those in my final version for my main computer anyway.

Now I need to choose a profile. Below is the one I may be interested in...

default/linux/amd64/13.0/selinux
default/linux/amd64/13.0/desktop
default/linux/amd64/13.0/desktop/kde/systemd
hardened/linux/amd64/selinux
hardened/linux/musl/amd64

I would like to use KDE with systemd, but also grsecurity or selinux (or something similar, not too complicated but with more security than just a basic system).

Should I use "default/linux/amd64/13.0/desktop" and then install kde, systemd and selinux or grsecurity? I'm confused.

Your help would be great! :)

Hope to hear back from you guys!
krinn
Watchman


Joined: 02 May 2003
Posts: 7071

PostPosted: Wed Nov 26, 2014 11:28 am

- the official Gentoo doc is on the official Gentoo website...
- <eselect profile list> to list all profiles
- <eselect profile set #> to use one
- there's simply no hardened profile for any desktop usage; it doesn't mean you cannot do that, but desktop per essence is against hardening a computer (desktop loves to give rights and bypass everything so the user can fuck the computer like hell with pleasure, just to be able to automount some usb key).
- hardened + systemd: why harden a computer with an init that is known to have flaws in its logs!!! The base of security is to prevent someone from doing something you don't expect him to do, but this is an unreachable goal (you just cannot avoid it in reality), so the real base of security is in fact "see what that dude has done and how you can fix it to avoid anyone doing that again", so logs are better for security than anything. Alas you cannot prevent someone from discovering something new, but it should be anyone's goal to be able to actually see what was done, to fix it (even when you cannot use a remote log server with a printer).
systemd includes some QR code and other shitty things to let it shine, but actually just fucks the logs: you won't be able to know if it's just a systemd feature (yeah, marking it WONTFIX makes it not a bug but a feature) or an attacker trying to clean his footprint.
It is also a great risk to be able to read any logs only with the help of a binary: if the binary gets corrupted, it won't show you the logs but what the attacker wants you to see (so he doesn't even need to kill the logs).
So the systemd ultra-secure logs are in fact the worst concept made so far; even signing or encrypting the output of the logs depends on a binary that could be attacked, and in reality you don't even need to do that, as corrupting the logs would be enough since you won't be able to know if it was done by someone or by a systemd bug (ah yes, sorry, not a bug, feature...).
Because of this, I could say anyone using selinux or a hardened profile with systemd is just walking on his head.
- if it's not clear, use the hardened profile you wish (but a hardened one) and install what you wish. Again because of the systemd authors' attitude, I would go with a glibc profile to avoid bad surprises with musl and uclibc.
Apheus
Guru


Joined: 12 Jul 2008
Posts: 419

PostPosted: Wed Nov 26, 2014 3:06 pm

You can use a desktop profile and unmask the "hardened" use flag in /etc/portage/profile/use.mask:

Code:
-hardened


And set the "hardened" use flag globally. This way you get a hardened toolchain (check with "gcc-config -l") while using the desktop profile and avoiding the hassle of maintaining all desktop use flags manually.

You can always use the hardened kernel, even without the above profile hack, but only hardened-kernel + hardened toolchain gives full ASLR.

And set LDFLAGS to

Code:
"${LDFLAGS} -Wl,-z,now -Wl,-z,relro"


in make.conf

Possible problems:
- you might need to keep CONFIG_PAX_NOEXEC in the kernel disabled, depending on the graphics driver. KDE4 is a 3D desktop after all. With NOEXEC, maintaining the exception flags for many programs can be tedious. Without NOEXEC, one could call it "semi-hardened", though.
- Some packages do not build, like the virtualbox guest stuff if this is a guest system. Switch to the vanilla compiler with gcc-config and back afterwards. Of course, these programs are not fully protected.
- some packages might require additional use flags, like pax_kernel
- This is unsupported. If you encounter bugs, be sure to test on a supported stack before reporting.

Systemd is a whole topic in itself. What krinn said. From my non-expert point of view, systemd looks like a behemoth which tries to solve problems which have been solved already for years, while repeating old errors. I would avoid it. My semi-hardened KDE desktop runs fine with openrc.

krinn wrote:
Again because of the systemd authors' attitude, I would go with a glibc profile to avoid bad surprises with musl and uclibc.


What do musl and uclibc have to do with systemd?

There is actually a ready-to-use hardened desktop distro, from a Gentoo dev, which is effectively Gentoo built on uclibc with the XFCE desktop: https://wiki.gentoo.org/wiki/Project:Hardened_uClibc/Lilblue
akdom
n00b


Joined: 26 Nov 2014
Posts: 2

PostPosted: Wed Nov 26, 2014 5:39 pm

I wasn't expecting answers so fast :) Thank you guys!

Quote:
- there's simply no hardened profile for any desktop usage; it doesn't mean you cannot do that, but desktop per essence is against hardening a computer (desktop loves to give rights and bypass everything so the user can fuck the computer like hell with pleasure, just to be able to automount some usb key).


That is totally true, though I would like some kind of enhanced security :)

I would definitely go with glibc, I think it's better.

Thanks for your time krinn.


Apheus, the way you explain it, it looks like a lot of work for not so much; I should probably stick to desktop/kde for now.

You guys know any way to increase security afterwards? I'm kind of paranoid from time to time :P I should probably just disable internet hehe.


One small question: what if I would like to set up an http server after I get used to Gentoo, should I use a hardened kernel, or are the benefits not worth much and it's going to be a waste of time?
mv
Watchman


Joined: 20 Apr 2005
Posts: 6281

PostPosted: Wed Nov 26, 2014 7:08 pm

You can use a hardened-kernel with a desktop profile and set USE=pax_kernel globally.
Moreover, you can set security-relevant CFLAGS, CXXFLAGS and LDFLAGS: -fstack-protector-strong (or even -fstack-protector-all, although IMHO this is unnecessary overkill) -fPIE -pie -Wl,-z,now -Wl,-z,relro
Then you have almost everything which hardened provides except for selinux.
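To check that the hardened toolchain and the LDFLAGS described by Apheus and mv actually land in the built binaries, here is an added example (not code from either poster or from Gentoo): a small ELF64 inspector in Python that reads the program headers and dynamic section and reports PIE, RELRO and BIND_NOW, the same facts readelf or checksec would show. `build_sample_elf` produces a constructed image for the demo, not a real binary; on a real system, pass the bytes of an installed executable to `inspect_elf`.

```python
"""Report PIE (-fPIE -pie), RELRO (-Wl,-z,relro) and BIND_NOW (-Wl,-z,now) of an ELF64 image."""
import struct

ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_GNU_RELRO = 2, 0x6474E552
DT_NULL, DT_FLAGS, DT_FLAGS_1 = 0, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW, DF_1_PIE = 0x8, 0x1, 0x08000000

def inspect_elf(data: bytes) -> dict:
    """Parse the program headers and dynamic section of a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    (e_type,) = struct.unpack_from("<H", data, 16)
    (e_phoff,) = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    relro, dyn_off, dyn_size = False, None, 0
    for i in range(e_phnum):
        p_type, _flags, p_offset, _va, _pa, p_filesz = struct.unpack_from(
            "<IIQQQQ", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_RELRO:
            relro = True          # linker emitted a segment made read-only after relocation
        elif p_type == PT_DYNAMIC:
            dyn_off, dyn_size = p_offset, p_filesz
    bind_now = False
    if dyn_off is not None:
        for off in range(dyn_off, dyn_off + dyn_size, 16):
            tag, val = struct.unpack_from("<qQ", data, off)
            if tag == DT_NULL:
                break
            if (tag == DT_FLAGS and val & DF_BIND_NOW) or (tag == DT_FLAGS_1 and val & DF_1_NOW):
                bind_now = True   # everything resolved at load time, so the GOT can be read-only
    # ET_DYN means position independent; shared libraries are ET_DYN too, so only read "pie" for executables.
    return {"pie": e_type == ET_DYN, "relro": relro, "bind_now": bind_now,
            "full_relro": relro and bind_now}

def build_sample_elf(hardened: bool) -> bytes:
    """Constructed demo image (header, two program headers, dynamic section); not a real binary."""
    dyn_off = 64 + 2 * 56
    dyn = b""
    if hardened:
        dyn += struct.pack("<qQ", DT_FLAGS, DF_BIND_NOW)
        dyn += struct.pack("<qQ", DT_FLAGS_1, DF_1_NOW | DF_1_PIE)
    dyn += struct.pack("<qQ", DT_NULL, 0)
    hdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8) + struct.pack(
        "<HHIQQQIHHHHHH", ET_DYN if hardened else ET_EXEC, 62, 1, 0, 64, 0, 0, 64, 56, 2, 0, 0, 0)
    phdrs = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, dyn_off, 0, 0, len(dyn), len(dyn), 8)
    phdrs += struct.pack("<IIQQQQQQ", PT_GNU_RELRO if hardened else 1, 4, 0, 0, 0, 0, 0, 1)
    return hdr + phdrs + dyn
```

-fstack-protector-strong leaves no ELF flag to read; checking it means looking for __stack_chk_fail in the dynamic symbol table, which this inspector does not do.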