hardened profile for desktops?

hardened profile for desktops?

Grant-4
I started a discussion on gentoo-user about the fact that the hardened
profile appears to only be for servers and not desktops.  I thought
I'd check with you guys on this.  Is that the case?

- Grant


Re: hardened profile for desktops?

Vinícius Ferrão
Well, it's rare to see Gentoo on servers. But all my servers that run Gentoo (only two actually) are using the hardened version.

I never used hardened on Desktop systems.


Sent from my iPhone

On 08/06/2012, at 04:44, Grant <[hidden email]> wrote:

> I started a discussion on gentoo-user about the fact that the hardened
> profile appears to only be for servers and not desktops.  I thought
> I'd check with you guys on this.  Is that the case?
>
> - Grant
>


Re: hardened profile for desktops?

Alex Efros-4
In reply to this post by Grant-4
Hi!

On Fri, Jun 08, 2012 at 12:44:26AM -0700, Grant wrote:
> I started a discussion on gentoo-user about the fact that the hardened
> profile appears to only be for servers and not desktops.  I thought
> I'd check with you guys on this.  Is that the case?

I've been using hardened on the desktop for the last ~6-7 years. And I know at
least two people who also use hardened on the desktop.

--
                        WBR, Alex.


Re: hardened profile for desktops?

Pavel Labushev-4
In reply to this post by Grant-4
On Fri, 8 Jun 2012 00:44:26 -0700
Grant <[hidden email]> wrote:

> I started a discussion on gentoo-user about the fact that the hardened
> profile appears to only be for servers and not desktops.  I thought
> I'd check with you guys on this.  Is that the case?

I never used non-hardened linux on my desktops.


Re: hardened profile for desktops?

Aaron W. Swenson-2
In reply to this post by Alex Efros-4
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 06/08/2012 04:34 AM, Alex Efros wrote:

> Hi!
>
> On Fri, Jun 08, 2012 at 12:44:26AM -0700, Grant wrote:
>> I started a discussion on gentoo-user about the fact that the
>> hardened profile appears to only be for servers and not desktops.
>> I thought I'd check with you guys on this.  Is that the case?
>
> I've been using hardened on the desktop for the last ~6-7 years. And I know at
> least two people who also use hardened on the desktop.
>

You now know three.

- --
Mr. Aaron W. Swenson
Gentoo Linux Developer
Email    : [hidden email]
GnuPG FP : 2C00 7719 4F85 FB07 A49C  0E31 5713 AA03 D1BB FDA0
GnuPG ID : D1BBFDA0
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iF4EAREIAAYFAk/R3twACgkQVxOqA9G7/aDEIwD9GsjIfONGo3eTDJAvko47gIFa
lqBlBm8NDZ9opDEOoAAA/0ZfrdoNeXr3PU+v9VzGG3bTmAoMqwIX2YsTS0pItglM
=nlCl
-----END PGP SIGNATURE-----


Re: hardened profile for desktops?

Alex Efros-4
Hi!

On Fri, Jun 08, 2012 at 07:15:40AM -0400, Aaron W. Swenson wrote:
> >> I started a discussion on gentoo-user about the fact that the
> >> hardened profile appears to only be for servers and not desktops.
> >> I thought I'd check with you guys on this.  Is that the case?

Actually, I see no reasons to NOT use hardened on desktops.

Only critical bug is broken VMware/VirtualBox on amd64+hardened.

Everything else works fine on hardened AFAIK. Even the unsupported
nvidia-drivers work fine (they are needed for 3D acceleration in VMware).
Sometimes you need to get extra patches from bugzilla or run paxctl,
but this isn't so much of a headache that it's worth avoiding at the cost of
significantly lower overall security.

--
                        WBR, Alex.


Re: hardened profile for desktops?

radek madej
In reply to this post by Grant-4
Hi

On 06/08/12 07:44, Grant wrote:
> I started a discussion on gentoo-user about the fact that the hardened
> profile appears to only be for servers and not desktops.  I thought
> I'd check with you guys on this.  Is that the case?
I'm using hardened on 3 laptops and 1 desktop, more or less on a daily
basis (typing from one now :)), and I've been using gentoo hardened
desktop for a number of years. I've been running either XFCE or KDE
desktops mostly, on nvidia, ati or intel cards. Mind you, I don't care
about hardware acceleration and I stay with OS drivers whenever I can.
From my experience, getting the binary video drivers to work quite
often requires disabling mprotect on a whole lot of stuff (everything in
the nvidia case?), which IMHO undermines the idea of hardening a system in
the first place :)

You do occasionally run into some issues where you need to use paxctl
to get something to work (usually disabling the mprotect restrictions),
but most of the time things just work :) And recently you get a proper,
hardened (not paxmarked) firefox and thunderbird out of the box
too... purely awesome! :)

Even mplayer can get all the hardened goodies and still works fine... ;]

Radek
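The paxctl markings Radek and Alex mention relax PaX on individual binaries, and the security cost only stays visible if somebody keeps track of how many executables have been relaxed. What follows is an added example, not code from the thread, from Gentoo or from the paxctl project: a small POSIX shell audit that reads `paxctl -v` output and lists every executable that has at least one PaX protection disabled. The `- PaX flags:` line format and the flag-letter meanings it parses are assumptions to check against your own paxctl version, and the sample output embedded in it is constructed, not captured from a real machine.

```shell
#!/bin/sh
# Added example, not code from the thread or from Gentoo: audit which
# executables on a hardened box have had PaX protections switched off with
# paxctl (e.g. "paxctl -m" to disable MPROTECT for binary drivers or JITs),
# so those exceptions stay visible instead of quietly piling up.
#
# ASSUMPTION about the input format (check it against your paxctl version):
# "paxctl -v FILE" prints, per file, a line such as
#     - PaX flags: -----m-x-e-- [/opt/bin/some-binary]
# where a lowercase letter means that protection is DISABLED on the binary
# (p = PAGEEXEC, s = SEGMEXEC, m = MPROTECT, e = EMUTRAMP, r = RANDMMAP,
# x = RANDEXEC) and an uppercase letter means it is force-enabled.

# Read paxctl -v style output on stdin; print one line per binary that has
# at least one protection disabled: "<path> <PROTECTION> [<PROTECTION>...]".
# Binaries with no lowercase flag (nothing relaxed) produce no output.
pax_report_relaxed() {
    awk '
    /^- PaX flags: / {
        flags = $4
        path = $0
        sub(/^.*\[/, "", path)   # keep only the text after the last "["
        sub(/]$/, "", path)      # ... and drop the closing "]"
        out = ""
        if (index(flags, "p")) out = out " PAGEEXEC"
        if (index(flags, "s")) out = out " SEGMEXEC"
        if (index(flags, "m")) out = out " MPROTECT"
        if (index(flags, "e")) out = out " EMUTRAMP"
        if (index(flags, "r")) out = out " RANDMMAP"
        if (index(flags, "x")) out = out " RANDEXEC"
        if (out != "") print path out
    }'
}

# Count how many binaries in the report have MPROTECT disabled specifically,
# the marking the thread names as the usual one needed for binary drivers.
pax_count_mprotect_off() {
    pax_report_relaxed | grep -c ' MPROTECT' || true
}

# Live use on a hardened system (needs paxctl installed; not run here):
# walk the given directories and report every relaxed executable.
pax_audit_dirs() {
    find "$@" -type f -perm -u+x 2>/dev/null \
        | xargs paxctl -v 2>/dev/null \
        | pax_report_relaxed
}

# Constructed sample of paxctl -v output (not captured from a real machine):
# a driver helper with several protections off, an untouched binary, and a
# JIT host with only MPROTECT off.
PAX_SAMPLE='PaX control v0.9
- PaX flags: -----m-x-e-- [/opt/bin/nvidia-settings]
        MPROTECT is disabled
        RANDEXEC is disabled
        EMUTRAMP is disabled
- PaX flags: ------------ [/usr/bin/ls]
- PaX flags: -----m------ [/usr/lib/firefox/plugin-container]
        MPROTECT is disabled'

# Demo run against the constructed sample.
printf '%s\n' "$PAX_SAMPLE" | pax_report_relaxed
```

On a real hardened install you would call `pax_audit_dirs /usr/bin /usr/lib /opt` instead of feeding the constructed sample; a report that grows over time is the signal that the "everything in the nvidia case" situation Radek describes is creeping in.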


Re: hardened profile for desktops?

Kerwin Hui
In reply to this post by Aaron W. Swenson-2
On Fri, 08 Jun 2012 07:15:40 -0400
"Aaron W. Swenson" <[hidden email]> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> On 06/08/2012 04:34 AM, Alex Efros wrote:
> > Hi!
> >
> > On Fri, Jun 08, 2012 at 12:44:26AM -0700, Grant wrote:
> >> I started a discussion on gentoo-user about the fact that the
> >> hardened profile appears to only be for servers and not desktops.
> >> I thought I'd check with you guys on this.  Is that the case?
> >
> > I've been using hardened on the desktop for the last ~6-7 years. And I know at
> > least two people who also use hardened on the desktop.
> >
>
> You now know three.
+another 1 here.  Started playing with hardened on my desktop about 18
months ago with 2.6.38 (or was it .39?  Can't remember.) kernel.

The lack of desktop profile shouldn't stop you from using the default
hardened profile and customising your USE flags.  I think the desktop
profile is just adding a bunch of unnecessary USE flags (udisks and
xulrunner, for example).

Kerwin.


Re: hardened profile for desktops?

Anthony G. Basile
In reply to this post by Grant-4
On 06/08/2012 03:44 AM, Grant wrote:
> I started a discussion on gentoo-user about the fact that the hardened
> profile appears to only be for servers and not desktops.  I thought
> I'd check with you guys on this.  Is that the case?
>
> - Grant

I would have no problems with that statement except that it is false.

:p

--
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail    : [hidden email]
GnuPG FP  : 8040 5A4D 8709 21B1 1A88  33CE 979C AF40 D045 5535
GnuPG ID  : D0455535


Re: hardened profile for desktops?

Anthony G. Basile-2
In reply to this post by Alex Efros-4
On 06/08/2012 09:06 AM, Alex Efros wrote:
> Hi!
>
> On Fri, Jun 08, 2012 at 07:15:40AM -0400, Aaron W. Swenson wrote:
>>>> I started a discussion on gentoo-user about the fact that the
>>>> hardened profile appears to only be for servers and not desktops.
>>>> I thought I'd check with you guys on this.  Is that the case?
>
> Actually, I see no reasons to NOT use hardened on desktops.

True

>
> Only critical bug is broken VMware/VirtualBox on amd64+hardened.

This one is a moving target.  Sometimes broken, sometimes fixed.  kvm is
working very well of late.

>
> Everything else works fine on hardened AFAIK. Even the unsupported
> nvidia-drivers work fine (they are needed for 3D acceleration in VMware).
> Sometimes you need to get extra patches from bugzilla or run paxctl,
> but this isn't so much of a headache that it's worth avoiding at the cost of
> significantly lower overall security.
>

nouveau works great on hardened desktops

radeon compiled with llvm needs some fancy pax markings, but also works

--
Anthony G. Basile, Ph. D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201
(716) 829-8197


Re: hardened profile for desktops?

Javier Juan Martinez Cabezon
On 08/06/12 17:35, Anthony G. Basile wrote:

>> Only critical bug is broken VMware/VirtualBox on amd64+hardened.
>
> This one is a moving target.  Sometimes broken, sometimes fixed.  kvm is
> working very well of late.

Uh! Even with kernexec, uderef, mprotect etc. etc. etc., with both
hardened host and guests, and without the horrible slowness?

If this is true maybe I would be one of the happiest folk of the world...


Re: hardened profile for desktops?

Javier Juan Martinez Cabezon
In reply to this post by Aaron W. Swenson-2
On 08/06/12 13:15, Aaron W. Swenson wrote:

> On 06/08/2012 04:34 AM, Alex Efros wrote:
>> Hi!
>
>> On Fri, Jun 08, 2012 at 12:44:26AM -0700, Grant wrote:
>>> I started a discussion on gentoo-user about the fact that the
>>> hardened profile appears to only be for servers and not desktops.
>>> I thought I'd check with you guys on this.  Is that the case?
>
>> I've been using hardened on the desktop for the last ~6-7 years. And I know at
>> least two people who also use hardened on the desktop.
>
>
> You now know three.
>

I have used it also, so four, and probably every freak in this list...
Come on folks, put the truth on the table.


Re: hardened profile for desktops?

Alex Efros-4
In reply to this post by Anthony G. Basile-2
Hi!

On Fri, Jun 08, 2012 at 11:35:28AM -0400, Anthony G. Basile wrote:
> > Only critical bug is broken VMware/VirtualBox on amd64+hardened.
>
> This one is a moving target.  Sometimes broken, sometimes fixed.  kvm is
> working very well of late.

Is KVM able to run Win7 and MacOS at a speed comparable to VMware?

--
                        WBR, Alex.


Re: hardened profile for desktops?

ma1l1ists
In reply to this post by Alex Efros-4
On Fri, 8 Jun 2012 16:06:37 +0300
Alex Efros wrote:

> Actually, I see no reasons to NOT use hardened on desktops.

Maybe many more would if there was an easy and quick to install and
maintain compiled distro. More users more compatibility too, I'd guess.

Not suggesting there should be, just stating a reality.

Anyone know why hardened debian and was it adamantix died off?


Re: hardened profile for desktops?

Javier Juan Martinez Cabezon
On 08/06/12 21:40, Kevin Chadwick wrote:

> On Fri, 8 Jun 2012 16:06:37 +0300
> Alex Efros wrote:
>
>> Actually, I see no reasons to NOT use hardened on desktops.
>
> Maybe many more would if there was an easy and quick to install and
> maintain compiled distro. More users more compatibility too, I'd guess.
>
> Not suggesting there should be, just stating a reality.
>
> Anyone know why hardened debian and was it adamantix died off?
>

Hardened Debian had to change its name to Adamantix because Debian
forbade the use of its name.
It disappeared because Hardened Gentoo appeared, and one distro
maintained by one user (Peter Busser) is a hard and crazy task.



Re: hardened profile for desktops?

Javier Juan Martinez Cabezon
In reply to this post by ma1l1ists
On 08/06/12 21:40, Kevin Chadwick wrote:

> On Fri, 8 Jun 2012 16:06:37 +0300
> Alex Efros wrote:
>
>> Actually, I see no reasons to NOT use hardened on desktops.
>
> Maybe many more would if there was an easy and quick to install and
> maintain compiled distro. More users more compatibility too, I'd guess.
>
> Not suggesting there should be, just stating a reality.
>
> Anyone know why hardened debian and was it adamantix died off?
>

Excuse me, it was Trusted Debian, not Hardened Debian...


Re: hardened profile for desktops?

"Tóth Attila"
In reply to this post by ma1l1ists
I for one used Trusted Debian / Adamantix before Hardened Gentoo.
It was a distro of choice based on Debian and promoted SSP and PaX-enabled
kernels.
The main problem was that it practically remained a one-man project, led
by Peter Busser. After some time - probably due to the lack of enough
resources - it slowly became out of date. Until it was officially
admitted that it wasn't recommended to install it on a server.

Long before this I had already switched to Hardened Gentoo. I would say
that although there are some other security related Linux projects,
Hardened Gentoo is definitely alive. I don't know what the current
situation is regarding Owl Linux, or for example LIDS. And there were also
some other distros like Immunix and Trustix...

I think Hardened Gentoo install is not substantially more complicated to
install compared to a regular Gentoo install nowadays. It would be the
recommended first distro for a newbie. If there would be some popular
commodity Gentoo-based distros, it would be hard to convert them to
hardened. There's for example Ututo. But it's not popular enough.

What I'm currently missing as a Grsecurity user is a lack of reference
policy out-of-the box. SELinux is the best from this point of view. But
it's not easy to accommodate a user specific change. Moreover, a regular
user wouldn't want to tweak around to craft his own RBAC policy.

I wish Hardened Gentoo will live long. Gentoo turned out to be a viable
base for a hardened solution - instead of a binary distro. Thanks for all
the effort of the developers.

Dw.
--
Dr Tóth Attila, Radiologist, 06-20-825-8057
Attila Toth MD, Radiologist, +36-20-825-8057

On June 8, 2012 (Fri) at 21:40, Kevin Chadwick wrote:

> On Fri, 8 Jun 2012 16:06:37 +0300
> Alex Efros wrote:
>
>> Actually, I see no reasons to NOT use hardened on desktops.
>
> Maybe many more would if there was an easy and quick to install and
> maintain compiled distro. More users more compatibility too, I'd guess.
>
> Not suggesting there should be, just stating a reality.
>
> Anyone know why hardened debian and was it adamantix died off?
>




Re: hardened profile for desktops?

"Tóth Attila"
On June 8, 2012 (Fri) at 23:52, "Tóth Attila" wrote:
> I think Hardened Gentoo install is not substantially more complicated to
> install compared to a regular Gentoo install nowadays. It would be the
> recommended first distro for a newbie. If there would be some popular
> commodity Gentoo-based distros, it would be hard to convert them to
> hardened. There's for example Ututo. But it's not popular enough.

Reading back my post I realized, that I'm probably too tired. So let me
update some prior sentences:

I think Hardened Gentoo is not substantially more complicated to install
compared to a regular Gentoo nowadays. Although it wouldn't be the
recommended first distro for a newbie. If there would be some popular
commodity Gentoo-based distros, it wouldn't be hard to convert them to
hardened. There's for example Ututo. But it's not popular enough for this
purpose.

Sorry:
Dw.
--
Dr Tóth Attila, Radiologist, 06-20-825-8057
Attila Toth MD, Radiologist, +36-20-825-8057

>> On June 8, 2012 (Fri) at 21:40, Kevin Chadwick wrote:
>> On Fri, 8 Jun 2012 16:06:37 +0300
>> Alex Efros wrote:
>>
>>> Actually, I see no reasons to NOT use hardened on desktops.
>>
>> Maybe many more would if there was an easy and quick to install and
>> maintain compiled distro. More users more compatibility too, I'd guess.
>>
>> Not suggesting there should be, just stating a reality.
>>
>> Anyone know why hardened debian and was it adamantix died off?
>>
>
>
>
>




Re: hardened profile for desktops?

Anthony G. Basile-2
In reply to this post by Javier Juan Martinez Cabezon
On 06/08/2012 12:34 PM, Javier Juan Martínez Cabezón wrote:

> On 08/06/12 17:35, Anthony G. Basile wrote:
>
>>> Only critical bug is broken VMware/VirtualBox on amd64+hardened.
>>
>> This one is a moving target.  Sometimes broken, sometimes fixed.  kvm is
>> working very well of late.
>
> Uh! Even with kernexec, uderef, mprotect etc. etc. etc., with both
> hardened host and guests, and without the horrible slowness?
>
> If this is true maybe I would be one of the happiest folk of the world...

cpu?

--
Anthony G. Basile, Ph. D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201
(716) 829-8197


Re: hardened profile for desktops?

ma1l1ists
In reply to this post by Javier Juan Martinez Cabezon
On Fri, 08 Jun 2012 22:37:49 +0200
Javier Juan Martínez Cabezón wrote:

> Excuse me, it was Trusted Debian, not Hardened Debian...

Hardened debian died off in 2004 it seems and looks like it was a
kernel version issue, though I'm skeptical of that.

http://www.debian-hardened.org/
