Mailing List Archive: Gentoo: Hardened

hardened profile for desktops?

emailgrant at gmail

Jun 8, 2012, 12:44 AM

Post #1 of 26 (719 views)
hardened profile for desktops?

I started a discussion on gentoo-user about the fact that the hardened
profile appears to only be for servers and not desktops. I thought
I'd check with you guys on this. Is that the case?

- Grant


viniciusferrao at cc

Jun 8, 2012, 1:22 AM

Post #2 of 26 (714 views)
Re: hardened profile for desktops?

Well, it's rare to see Gentoo on servers. But all my servers that run Gentoo (only two actually) are using the hardened version.

I never used hardened on Desktop systems.


Sent from my iPhone

On 08/06/2012, at 04:44, Grant <emailgrant [at] gmail> wrote:

> I started a discussion on gentoo-user about the fact that the hardened
> profile appears to only be for servers and not desktops. I thought
> I'd check with you guys on this. Is that the case?
>
> - Grant
>


powerman at powerman

Jun 8, 2012, 1:34 AM

Post #3 of 26 (708 views)
Re: hardened profile for desktops?

Hi!

On Fri, Jun 08, 2012 at 12:44:26AM -0700, Grant wrote:
> I started a discussion on gentoo-user about the fact that the hardened
> profile appears to only be for servers and not desktops. I thought
> I'd check with you guys on this. Is that the case?

I've been using hardened on my desktop for the last ~6-7 years. And I know at least two
people who also use hardened on desktop.

--
WBR, Alex.


pavel.labushev at runbox

Jun 8, 2012, 1:45 AM

Post #4 of 26 (711 views)
Re: hardened profile for desktops?

On Fri, 8 Jun 2012 00:44:26 -0700
Grant <emailgrant [at] gmail> wrote:

> I started a discussion on gentoo-user about the fact that the hardened
> profile appears to only be for servers and not desktops. I thought
> I'd check with you guys on this. Is that the case?

I never used non-hardened linux on my desktops.


titanofold at gentoo

Jun 8, 2012, 4:15 AM

Post #5 of 26 (709 views)
Re: hardened profile for desktops?

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 06/08/2012 04:34 AM, Alex Efros wrote:
> Hi!
>
> On Fri, Jun 08, 2012 at 12:44:26AM -0700, Grant wrote:
>> I started a discussion on gentoo-user about the fact that the
>> hardened profile appears to only be for servers and not desktops.
>> I thought I'd check with you guys on this. Is that the case?
>
> I'm using hardened on desktop in last ~6-7 years. And I know at
> least two people who also use hardened on desktop.
>

You now know three.

- --
Mr. Aaron W. Swenson
Gentoo Linux Developer
Email : titanofold [at] gentoo
GnuPG FP : 2C00 7719 4F85 FB07 A49C 0E31 5713 AA03 D1BB FDA0
GnuPG ID : D1BBFDA0
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iF4EAREIAAYFAk/R3twACgkQVxOqA9G7/aDEIwD9GsjIfONGo3eTDJAvko47gIFa
lqBlBm8NDZ9opDEOoAAA/0ZfrdoNeXr3PU+v9VzGG3bTmAoMqwIX2YsTS0pItglM
=nlCl
-----END PGP SIGNATURE-----


powerman at powerman

Jun 8, 2012, 6:06 AM

Post #6 of 26 (707 views)
Re: hardened profile for desktops?

Hi!

On Fri, Jun 08, 2012 at 07:15:40AM -0400, Aaron W. Swenson wrote:
> >> I started a discussion on gentoo-user about the fact that the
> >> hardened profile appears to only be for servers and not desktops.
> >> I thought I'd check with you guys on this. Is that the case?

Actually, I see no reasons to NOT use hardened on desktops.

Only critical bug is broken VMware/VirtualBox on amd64+hardened.

Everything else works fine on hardened AFAIK. Even the unsupported
nvidia-drivers work fine (they're needed for 3D acceleration in VMware).
Sometimes you need to get extra patches from bugzilla or run paxctl,
but this isn't so much of a headache that it is worth avoiding at the cost of
significantly lower overall security.

--
WBR, Alex.


kwkhui at hkbn

Jun 8, 2012, 8:27 AM

Post #7 of 26 (707 views)
Re: hardened profile for desktops?

On Fri, 08 Jun 2012 07:15:40 -0400
"Aaron W. Swenson" <titanofold [at] gentoo> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> On 06/08/2012 04:34 AM, Alex Efros wrote:
> > Hi!
> >
> > On Fri, Jun 08, 2012 at 12:44:26AM -0700, Grant wrote:
> >> I started a discussion on gentoo-user about the fact that the
> >> hardened profile appears to only be for servers and not desktops.
> >> I thought I'd check with you guys on this. Is that the case?
> >
> > I'm using hardened on desktop in last ~6-7 years. And I know at
> > least two people who also use hardened on desktop.
> >
>
> You now know three.

+another 1 here. Started playing with hardened on my desktop about 18
months ago with 2.6.38 (or was it .39? Can't remember.) kernel.

The lack of desktop profile shouldn't stop you from using the default
hardened profile and customising your USE flags. I think the desktop
profile is just adding a bunch of unnecessary USE flags (udisks and
xulrunner, for example).

Kerwin.


blueness at gentoo

Jun 8, 2012, 8:30 AM

Post #8 of 26 (706 views)
Re: hardened profile for desktops?

On 06/08/2012 03:44 AM, Grant wrote:
> I started a discussion on gentoo-user about the fact that the hardened
> profile appears to only be for servers and not desktops. I thought
> I'd check with you guys on this. Is that the case?
>
> - Grant

I would have no problems with that statement except that it is false.

:p

--
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail : blueness [at] gentoo
GnuPG FP : 8040 5A4D 8709 21B1 1A88 33CE 979C AF40 D045 5535
GnuPG ID : D0455535


basile at opensource

Jun 8, 2012, 8:35 AM

Post #9 of 26 (709 views)
Re: hardened profile for desktops?

On 06/08/2012 09:06 AM, Alex Efros wrote:
> Hi!
>
> On Fri, Jun 08, 2012 at 07:15:40AM -0400, Aaron W. Swenson wrote:
>>>> I started a discussion on gentoo-user about the fact that the
>>>> hardened profile appears to only be for servers and not desktops.
>>>> I thought I'd check with you guys on this. Is that the case?
>
> Actually, I see no reasons to NOT use hardened on desktops.

True

>
> Only critical bug is broken VMware/VirtualBox on amd64+hardened.

This one is a moving target. Sometimes broken, sometimes fixed. kvm is
working very well of late.

>
> Everything else is works fine on hardened AFAIK. Even unsupported
> nvidia-drivers works fine (they needed for 3D acceleration in VMware).
> Sometimes you need to get extra patches from bugzilla or run paxctl,
> but this isn't too much headache to avoid it at cost of significantly
> lower overall security.
>

nouveau works great on hardened desktops

radeon compiled with llvm needs some fancy pax markings, but also works

--
Anthony G. Basile, Ph. D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201
(716) 829-8197


radegand at o2

Jun 8, 2012, 9:18 AM

Post #10 of 26 (706 views)
Re: hardened profile for desktops?

Hi

On 06/08/12 07:44, Grant wrote:
> I started a discussion on gentoo-user about the fact that the hardened
> profile appears to only be for servers and not desktops. I thought
> I'd check with you guys on this. Is that the case?
I'm using hardened on 3 laptops and 1 desktop, more or less on a daily
basis (typing from one now :)), and I've been using gentoo hardened
desktop for a number of years. I've been running either XFCE or KDE
desktops mostly, on nvidia, ati or intel cards. Mind you, I don't care
about hardware acceleration and I stay with OS drivers whenever I can.
From my experience, getting the binary video drivers to work quite
often requires disabling mprotect on a whole lot of stuff (everything in
nvidia case?), which IMHO, undermines the idea of hardening a system in
the first place :)

You do run occasionally into some issues, where you need to use paxctl
to get something to work (usually disabling the mprotect restrictions)
but most of the time things just work :) And recently you get a proper,
hardened (not paxmarked) firefox and thunderbird out of the box
too...purely awesome! :)

Even mplayer can get all the hardened goodies and still works fine... ;]

Radek


tazok.id0 at gmail

Jun 8, 2012, 9:34 AM

Post #11 of 26 (712 views)
Re: hardened profile for desktops?

On 08/06/12 17:35, Anthony G. Basile wrote:

>> Only critical bug is broken VMware/VirtualBox on amd64+hardened.
>
> This one is a moving target. Sometimes broken, times fixed. kvm is
> working very well of late.

Uh! Even with kernexec, uderef, mprotect etc., with both
hardened host and guests, and without the horrible slowness?

If this is true maybe I would be one of the happiest folks in the world...


tazok.id0 at gmail

Jun 8, 2012, 9:37 AM

Post #12 of 26 (706 views)
Re: hardened profile for desktops?

On 08/06/12 13:15, Aaron W. Swenson wrote:
> On 06/08/2012 04:34 AM, Alex Efros wrote:
>> Hi!
>
>> On Fri, Jun 08, 2012 at 12:44:26AM -0700, Grant wrote:
>>> I started a discussion on gentoo-user about the fact that the
>>> hardened profile appears to only be for servers and not desktops.
>>> I thought I'd check with you guys on this. Is that the case?
>
>> I'm using hardened on desktop in last ~6-7 years. And I know at
>> least two people who also use hardened on desktop.
>
>
> You now know three.
>

I have used it also, so four, and probably every freak in this list...
Come on folks, put the truth on the table.


powerman at powerman

Jun 8, 2012, 10:04 AM

Post #13 of 26 (712 views)
Re: hardened profile for desktops?

Hi!

On Fri, Jun 08, 2012 at 11:35:28AM -0400, Anthony G. Basile wrote:
> > Only critical bug is broken VMware/VirtualBox on amd64+hardened.
>
> This one is a moving target. Sometimes broken, times fixed. kvm is
> working very well of late.

Is KVM able to run Win7 and MacOS at a speed comparable to VMware?

--
WBR, Alex.


ma1l1ists at yahoo

Jun 8, 2012, 12:40 PM

Post #14 of 26 (709 views)
Re: hardened profile for desktops?

On Fri, 8 Jun 2012 16:06:37 +0300
Alex Efros wrote:

> Actually, I see no reasons to NOT use hardened on desktops.

Maybe many more would if there was an easy and quick to install and
maintain compiled distro. More users more compatibility too, I'd guess.

Not suggesting there should be, just stating a reality.

Anyone know why hardened debian and was it adamantix died off?


tazok.id0 at gmail

Jun 8, 2012, 1:32 PM

Post #15 of 26 (709 views)
Re: hardened profile for desktops?

On 08/06/12 21:40, Kevin Chadwick wrote:
> On Fri, 8 Jun 2012 16:06:37 +0300
> Alex Efros wrote:
>
>> Actually, I see no reasons to NOT use hardened on desktops.
>
> Maybe many more would if there was an easy and quick to install and
> maintain compiled distro. More users more compatibility too, I'd guess.
>
> Not suggesting there should be, just stating a reality.
>
> Anyone know why hardened debian and was it adamantix died off?
>

Hardened debian had to change its name to adamantix because debian
forbade the use of its name.
It disappeared because hardened gentoo appeared, and one distro
maintained by one person (Peter Busser) is a hard and crazy task.


tazok.id0 at gmail

Jun 8, 2012, 1:37 PM

Post #16 of 26 (707 views)
Re: hardened profile for desktops?

On 08/06/12 21:40, Kevin Chadwick wrote:
> On Fri, 8 Jun 2012 16:06:37 +0300
> Alex Efros wrote:
>
>> Actually, I see no reasons to NOT use hardened on desktops.
>
> Maybe many more would if there was an easy and quick to install and
> maintain compiled distro. More users more compatibility too, I'd guess.
>
> Not suggesting there should be, just stating a reality.
>
> Anyone know why hardened debian and was it adamantix died off?
>

Excuse me, it was trusted debian, not hardened debian...


atoth at atoth

Jun 8, 2012, 2:52 PM

Post #17 of 26 (710 views)
Re: hardened profile for desktops?

I for one used Trusted Debian / Adamantix before Hardened Gentoo.
It was a distro of choice based on Debian and promoted SSP and PaX-enabled
kernels.
The main problem was that it practically remained a one man project, led
by Peter Busser. After some time - probably due to the lack of enough
resources - it slowly became out of date. Until it was officially
admitted that it wasn't recommended to install it on a server.

Long before this I had already switched to Hardened Gentoo. I would say
that although there are some other security related Linux projects,
Hardened Gentoo is definitely alive. I don't know what the current
situation is regarding Owl Linux, or for example LIDS. And there were also
some other distros like Immunix and Trustix...

I think a Hardened Gentoo install is not substantially more complicated
compared to a regular Gentoo install nowadays. It would be the
recommended first distro for a newbie. If there were some popular
commodity Gentoo-based distros, it would be hard to convert them to
hardened. There's for example Ututo. But it's not popular enough.

What I'm currently missing as a Grsecurity user is a reference
policy out of the box. SELinux is the best from this point of view. But
it's not easy to accommodate a user specific change. Moreover, a regular
user wouldn't want to tweak around to craft his own RBAC policy.

I hope Hardened Gentoo will live long. Gentoo turned out to be a viable
base for a hardened solution - instead of a binary distro. Thanks for all
the effort of the developers.

Dw.
--
dr Tóth Attila, Radiologist, 06-20-825-8057
Attila Toth MD, Radiologist, +36-20-825-8057

On 2012 June 8 (Fri) 21:40, Kevin Chadwick wrote:
> On Fri, 8 Jun 2012 16:06:37 +0300
> Alex Efros wrote:
>
>> Actually, I see no reasons to NOT use hardened on desktops.
>
> Maybe many more would if there was an easy and quick to install and
> maintain compiled distro. More users more compatibility too, I'd guess.
>
> Not suggesting there should be, just stating a reality.
>
> Anyone know why hardened debian and was it adamantix died off?
>


atoth at atoth

Jun 8, 2012, 2:59 PM

Post #18 of 26 (709 views)
Re: hardened profile for desktops?

On 2012 June 8 (Fri) 23:52, "Tóth Attila" wrote:
> I think Hardened Gentoo install is not substantially more complicated to
> install compared to a regular Gentoo install nowdays. It would be the
> recommended first distro for a newbie. If there would be some popular
> commodity Gentoo-based distros, it would be hard to convert them to
> hardened. There's for example Ututo. But it's not popular enough.

Reading back my post I realized that I'm probably too tired. So let me
update some prior sentences:

I think Hardened Gentoo is not substantially more complicated to install
compared to a regular Gentoo nowadays. Although it wouldn't be the
recommended first distro for a newbie. If there were some popular
commodity Gentoo-based distros, it wouldn't be hard to convert them to
hardened. There's for example Ututo. But it's not popular enough for this
purpose.

Sorry:
Dw.
--
dr Tóth Attila, Radiologist, 06-20-825-8057
Attila Toth MD, Radiologist, +36-20-825-8057

>> On 2012 June 8 (Fri) 21:40, Kevin Chadwick wrote:
>> On Fri, 8 Jun 2012 16:06:37 +0300
>> Alex Efros wrote:
>>
>>> Actually, I see no reasons to NOT use hardened on desktops.
>>
>> Maybe many more would if there was an easy and quick to install and
>> maintain compiled distro. More users more compatibility too, I'd guess.
>>
>> Not suggesting there should be, just stating a reality.
>>
>> Anyone know why hardened debian and was it adamantix died off?
>>
>
>
>
>


basile at opensource

Jun 9, 2012, 4:35 AM

Post #19 of 26 (704 views)
Re: hardened profile for desktops?

On 06/08/2012 12:34 PM, Javier Juan Martínez Cabezón wrote:
> On 08/06/12 17:35, Anthony G. Basile wrote:
>
>>> Only critical bug is broken VMware/VirtualBox on amd64+hardened.
>>
>> This one is a moving target. Sometimes broken, times fixed. kvm is
>> working very well of late.
>
> Uh!, even with kernexec, uderef, mprotect etc etc etc, with both
> hardened host and guests?, and without the horrible slowness?
>
> If this is true maybe I would be one of the happiest folk of the world...

cpu?

--
Anthony G. Basile, Ph. D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201
(716) 829-8197


ma1l1ists at yahoo

Jun 9, 2012, 7:18 AM

Post #20 of 26 (706 views)
Re: hardened profile for desktops?

On Fri, 08 Jun 2012 22:37:49 +0200
Javier Juan Martínez Cabezón wrote:

> Excuse me it was trusted deban not hardened debian...

Hardened debian died off in 2004 it seems and looks like it was a
kernel version issue, though I'm skeptical of that.

http://www.debian-hardened.org/


prometheanfire at gentoo

Jun 9, 2012, 11:47 AM

Post #21 of 26 (706 views)
Re: hardened profile for desktops?

On 06/08/2012 11:34 AM, Javier Juan Martínez Cabezón wrote:
> On 08/06/12 17:35, Anthony G. Basile wrote:
>
>>> Only critical bug is broken VMware/VirtualBox on amd64+hardened.
>>
>> This one is a moving target. Sometimes broken, times fixed. kvm is
>> working very well of late.
>
> Uh!, even with kernexec, uderef, mprotect etc etc etc, with both
> hardened host and guests?, and without the horrible slowness?
>
> If this is true maybe I would be one of the happiest folk of the world...
>
I run Hardened host/guest with only uderef disabled.

--
-- Matthew Thode (prometheanfire)


prometheanfire at gentoo

Jun 9, 2012, 11:49 AM

Post #22 of 26 (703 views)
Re: hardened profile for desktops?

On 06/08/2012 02:44 AM, Grant wrote:
> I started a discussion on gentoo-user about the fact that the hardened
> profile appears to only be for servers and not desktops. I thought
> I'd check with you guys on this. Is that the case?
>
> - Grant
>
Running gentoo hardened on all my systems (desktop/laptop and server).

worksforme

--
-- Matthew Thode (prometheanfire)


klondike at gentoo

Jun 10, 2012, 12:36 PM

Post #23 of 26 (685 views)
Re: hardened profile for desktops?

On 08/06/12 09:44, Grant wrote:
> I started a discussion on gentoo-user about the fact that the hardened
> profile appears to only be for servers and not desktops. I thought
> I'd check with you guys on this. Is that the case?
I have been using Gentoo on Desktop systems for some time, mainly
because it doesn't make much sense to speak well of something to others
without being an example. The Gentoo Hardened system can be used as a
Desktop for daily use (I do use it) and by that I also mean I have used
it even on demanding tasks like live video streaming from DV cameras
(never tried playing games since I'm not that kind of person).

Of course there are some drawbacks, but the team is aware of them and we
do our best to fix these. Some of the ones that come to mind are:
* If you plan on using binary drivers you'll need to disable many
security protections on most of the programs since the libraries
bundled with them are not hardened friendly.
* Some open source graphical drivers (ATI/AMD comes to mind) require JIT
code in 3D applications (or hacking LLVM so it will always default to
the slooooow interpreter mode). This is a known issue and can be fixed
with tools like revdep-pax which allow you to check which are those
applications.
* In general JIT code is doomed to fail on hardened systems because of
mprotect restrictions; this is a known issue and tends to be fixed by
disabling JIT code generation in the affected packages or removing the
mprotect restrictions on said binaries.
* Virtualization is a world in itself; many processors with
virtualization extensions (especially older ones without hardware nested
page table support) tend to be rather slow with UDEREF and kernexec
enabled in kvm. I think this is more of an implementation issue than a
real hardware issue but I may be wrong here. As for other solutions, each
tends to be a world of its own where it is better to just try them and see
what happens since they tend to be very hardware specific.

@Grant I generally tend to monitor gentoo-user from time to time to
answer to threads involving hardened (although it is hard to read
everything so many just pass by ignored), can you please tell me the
topic of the thread so I can give it a look and contribute as needed?
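Both Radek's post (paxctl to relax mprotect) and the drawbacks list above describe the same operational reality: on a PaX kernel, programs that need JIT or binary drivers end up with per-binary marks that switch a protection off, and the thing a defender wants afterwards is an inventory of which binaries carry such marks. The following is an added example, not code from this thread or from the Gentoo or PaX projects. It decodes the PT_PAX_FLAGS program header directly (the header type and the PF_* bit values are PaX's own constants from its elf.h) and reports the marks in paxctl's letter convention, where an upper-case letter means forced on, lower-case means forced off and '-' means the kernel default applies. The sample ELF image is constructed inline; pass real paths on the command line to scan actual files. Caveat: marks may also be stored in the user.pax.flags extended attribute on newer setups, which this example does not read.

```python
"""Decode PaX marks (PT_PAX_FLAGS) from an ELF image and list the
protections a binary has opted out of. Added example, not code from the
thread; constants are PaX's own, the sample ELF bytes are constructed."""
import struct

PT_PAX_FLAGS = 0x65041580  # program-header type PaX reserves for its marks

# (name, enable bit, disable bit, paxctl letter); bit values as in PaX's elf.h
PAX_FLAGS = [
    ("PAGEEXEC", 1 << 4,  1 << 5,  "P"),
    ("SEGMEXEC", 1 << 6,  1 << 7,  "S"),
    ("MPROTECT", 1 << 8,  1 << 9,  "M"),
    ("RANDEXEC", 1 << 10, 1 << 11, "X"),
    ("EMUTRAMP", 1 << 12, 1 << 13, "E"),
    ("RANDMMAP", 1 << 14, 1 << 15, "R"),
]


def read_pax_flags(elf):
    """Return the p_flags word of the PT_PAX_FLAGS header, or None when the
    binary carries no mark (PaX then applies its kernel defaults)."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    ei_class, ei_data = elf[4], elf[5]
    end = "<" if ei_data == 1 else ">"          # EI_DATA: 1 = LSB, 2 = MSB
    if ei_class == 2:                           # ELF64
        e_phoff, = struct.unpack_from(end + "Q", elf, 32)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", elf, 54)
        phdr_fmt, type_ix, flags_ix = end + "IIQQQQQQ", 0, 1
    elif ei_class == 1:                         # ELF32: p_flags follows p_memsz
        e_phoff, = struct.unpack_from(end + "I", elf, 28)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", elf, 42)
        phdr_fmt, type_ix, flags_ix = end + "IIIIIIII", 0, 6
    else:
        raise ValueError("unknown ELF class %d" % ei_class)
    for i in range(e_phnum):
        phdr = struct.unpack_from(phdr_fmt, elf, e_phoff + i * e_phentsize)
        if phdr[type_ix] == PT_PAX_FLAGS:
            return phdr[flags_ix]
    return None


def decode_marks(flags):
    """Map a flag word to {protection: 'enabled'|'disabled'|'default'} and a
    compact six-letter string in paxctl's convention (own layout here)."""
    state, letters = {}, ""
    for name, on_bit, off_bit, letter in PAX_FLAGS:
        if flags & off_bit:          # an explicit 'no' bit wins for reporting
            state[name] = "disabled"
            letters += letter.lower()
        elif flags & on_bit:
            state[name] = "enabled"
            letters += letter
        else:
            state[name] = "default"
            letters += "-"
    return state, letters


def disabled_protections(elf):
    """Names of the protections the binary opts out of; empty if none."""
    flags = read_pax_flags(elf)
    if flags is None:
        return []
    state, _ = decode_marks(flags)
    return [name for name, s in state.items() if s == "disabled"]


def build_sample_elf64(pax_flags=None):
    """Constructed minimal little-endian ELF64 image: one PT_LOAD header and,
    if pax_flags is given, one PT_PAX_FLAGS header. Not a runnable program,
    just enough header for the parser to work on."""
    ehdr_fmt, phdr_fmt = "<16sHHIQQQIHHHHHH", "<IIQQQQQQ"
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # 64-bit, LSB, v1
    phnum = 1 if pax_flags is None else 2
    ehdr = struct.pack(ehdr_fmt, ident, 2, 62, 1, 0x400000, 64, 0, 0,
                       64, 56, phnum, 64, 0, 0)
    load = struct.pack(phdr_fmt, 1, 5, 0, 0x400000, 0x400000,
                       0x1000, 0x1000, 0x1000)
    if pax_flags is None:
        return ehdr + load
    pax = struct.pack(phdr_fmt, PT_PAX_FLAGS, pax_flags, 0, 0, 0, 0, 0, 0)
    return ehdr + load + pax


if __name__ == "__main__":
    import sys
    # Constructed sample: mprotect and randexec forced off, emutramp forced
    # on, roughly what a JIT-heavy program looks like after paxctl -m.
    sample = build_sample_elf64((1 << 9) | (1 << 11) | (1 << 12))
    targets = [("constructed-sample", sample)]
    targets += [(p, open(p, "rb").read()) for p in sys.argv[1:]]
    for path, data in targets:
        flags = read_pax_flags(data)
        if flags is None:
            print("%s: no PaX mark (kernel defaults apply)" % path)
            continue
        _, letters = decode_marks(flags)
        print("%s: %s disabled=%s" % (path, letters,
                                      ",".join(disabled_protections(data))))
```

Run with a list of paths (for instance the output of a `find /usr/bin -type f` pipe) to get a one-line-per-binary report; anything whose `disabled=` column is non-empty is a binary that has traded a PaX protection for compatibility, which is exactly the set an administrator should be able to justify, and the set to re-check after an upgrade replaces those files.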


jens at kasten-edv

Jun 10, 2012, 7:26 PM

Post #24 of 26 (687 views)
Re: hardened profile for desktops?

On 2012-06-08 22:32, Javier Juan Martínez Cabezón wrote:
> On 08/06/12 21:40, Kevin Chadwick wrote:
>> On Fri, 8 Jun 2012 16:06:37 +0300
>> Alex Efros wrote:
>>
>>> Actually, I see no reasons to NOT use hardened on desktops.
>>
>> Maybe many more would if there was an easy and quick to install and
>> maintain compiled distro. More users more compatibility too, I'd
>> guess.
>>
>> Not suggesting there should be, just stating a reality.
>>
>> Anyone know why hardened debian and was it adamantix died off?
>>
>
> Hardened debian had to change their name by adamantix because debian
> forbid the use of his name.
> It dissapeared because hardened gentoo appeared, and one distro
> maintained by one user (Peter Busser) is a hard and crazy task.

Hmm, because of gentoo hardened? I am not sure about that.
Adamantix was RSBAC specific, not grsecurity or SELinux.
I switched to gentoo hardened after adamantix was not maintained anymore.

--
Kind regards

Jens Kasten


http://www.kasten-edv.de


tazok.id0 at gmail

Jun 10, 2012, 10:20 PM

Post #25 of 26 (685 views)
Re: hardened profile for desktops?

On 11/06/12 04:26, Jens Kasten wrote:
>
>
> On 2012-06-08 22:32, Javier Juan Martínez Cabezón wrote:
>> On 08/06/12 21:40, Kevin Chadwick wrote:
>>> On Fri, 8 Jun 2012 16:06:37 +0300
>>> Alex Efros wrote:
>>>
>>>> Actually, I see no reasons to NOT use hardened on desktops.
>>>
>>> Maybe many more would if there was an easy and quick to install and
>>> maintain compiled distro. More users more compatibility too, I'd guess.
>>>
>>> Not suggesting there should be, just stating a reality.
>>>
>>> Anyone know why hardened debian and was it adamantix died off?
>>>
>>
>> Hardened debian had to change their name by adamantix because debian
>> forbid the use of his name.
>> It dissapeared because hardened gentoo appeared, and one distro
>> maintained by one user (Peter Busser) is a hard and crazy task.
>
> Hmm because gentoo hardened? I am not sure about that.
> Adamantix was RSBAC specific not grsecurity or SELinux.
> I switch to gentoo hardened after adamantix was not maintained anymore.
>

Hi Jens. Yes, I'm sure: the main goal of adamantix was to create a
distribution with PIE and SSP to use on top of an rsbac kernel, a goal that
hardened gentoo later took on.

At the beginning rsbac was supported in gentoo and maintained by Kang.
