Hardening Ubuntu for noobs


4 replies to this topic

#1 Swerve

Swerve

    Dangerous free thinker

  • Members
  • 809 posts
  • Country:
  • Gender:Male

Posted 17 January 2009 - 11:34 AM

I'm planning on a reformat, and am thinking about hardening my system beyond the default installation (Ubuntu 8.10 32bit Desktop, dual booted with XP). I'd like to do some research before jumping right in, in order to avoid problems as much as possible.

The options/programs I have found that help with this are:

SELinux
AppArmor
Snort or OSSEC

From my current reading, I believe that one can run either SELinux or AppArmor; running both is either not possible or not normal practice.

AppArmor is a powerful program and, when an application is confined, AppArmor can restrict the activity of even the root user. AppArmor was designed as an alternative to SELinux and is designed to be easier to use.


Reading this, I am thinking AppArmor may be the better decision, as the entire subject of system hardening is new to me and this concept seems a simple one to comprehend.

I'm assuming that Snort or OSSEC can operate with either option, but perhaps I'm mistaken.

I realise I haven't offered much here in terms of specific questions, but I'm just trying to find my feet with the subject matter, so am looking at this from a high level right now.

But if anyone can offer any advice/direction on the subject, it'd be most appreciated.

Thanks!

EDIT - Just wanted to add another query. How much of an effect on speed does encrypting your entire installation make? My PC is a 2 GHz, 1 GB RAM box, so it's hardly a great machine; perhaps the specs aren't good enough, and perhaps doing so would be overkill in any case. What is the standard way of implementing this? I know TrueCrypt can do it, but when I install Ubuntu Server it offers the option of encrypting my Home directory, whereas the Desktop version does not. I assume it can be done, though, and just encrypting the Home directory seems the more practical solution (and also the Swap partition). If I did just encrypt Home/Swap, am I leaving critical areas exposed? Just some ideas/thoughts.

Again, merci beaucoup :)

Edited by Swerve, 17 January 2009 - 12:20 PM.


#2 Enigma

Enigma

    HPR Overlord

  • Moderating Team
  • 839 posts
  • Country:
  • Gender:Male
  • Location:Florida

Posted 17 January 2009 - 12:54 PM

To answer your disk encryption question: it depends on what the purpose of the machine is and what apps you are using. If you have an app that does a lot of reading and writing to disk, your overhead is obviously going to be more. I would recommend only encrypting folders that have sensitive information instead of full disk encryption.


-E

#3 Spyril

Spyril

    Hakker addict

  • Members
  • 588 posts
  • Location:North Dakota

Posted 17 January 2009 - 09:47 PM

Well, Ubuntu already comes with AppArmor by default. From the looks of their documentation / wiki, it looks like they're making some sort of effort to get tighter Ubuntu/AppArmor integration in the future. I'd go with that. I hear it's way easier to write policies for than SELinux, too. I've never messed with either, but SELinux was a huge pain in the ass for me on Fedora 8, so I've disabled it on every system I've installed since then.

#4 Ohm

Ohm

    I could have written a book with all of these posts

  • Members
  • 3,209 posts
  • Gender:Male
  • Location:Maine, USA

Posted 17 January 2009 - 10:09 PM

This type of hardening only really works for machines with a very set usage. By that, I mean they call the same system calls in the same order with similar parameters. On a desktop machine (and since you didn't even give a hint as to what this machine will be used for, I assume it's a desktop machine), this profile will have to be quite broad. Further, the type of security threats you're actually going to face are going to be almost nil on a desktop machine with no services running.

Want to harden your system? Turn off all unnecessary services. This probably means all of them. Keep your software updated. This means updating religiously. Use sane programs in a sane manner. Don't leave netcat ports open, blindly run scripts you find on the Internet, etc. Well, you're pretty much done. The system is "hardened."

What threats will you face on a desktop system running Linux? Almost none. Someone on your network or the Internet might discover you from a portscan, but if you keep your system updated and ports closed, there's not much they can do. They could try some other route, such as compromising Firefox to get limited read access to your home directory or something, but really, who's going to do that?

If you want to explore hardening, that's fine, have fun. Just don't think that you'll be "hardening" your Linux desktop any. Since the threat is almost nil with the minimum of effort, there's just nothing to harden against. I suggest setting up a server system, which is more appropriate for hardening, and playing with that. Build in intentional security flaws and see how the syscall shield does. Do something useful and productive; hardening a desktop machine is just foolish.
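A small audit script for the two checks the post above boils down to (nothing listening on the network, and what AppArmor is actually enforcing), added here as an example and not code from anyone in the thread. It assumes iproute's `ss` and the kernel's `/sys/kernel/security/apparmor/profiles` list; the sample data it falls back to when those are absent is constructed, not captured from a real host.

```shell
#!/bin/sh
# Hardening audit: which sockets are reachable from the network, and which
# AppArmor profiles are in enforce mode. Sample data below is constructed.

SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    127.0.0.1:631      0.0.0.0:*  users:(("cupsd",pid=812,fd=9))
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*  users:(("sshd",pid=901,fd=3))
udp   UNCONN 0      0      0.0.0.0:5353       0.0.0.0:*  users:(("avahi-daemon",pid=700,fd=12))
tcp   LISTEN 0      128    [::1]:631          [::]:*     users:(("cupsd",pid=812,fd=10))'

SAMPLE_AA='/usr/sbin/cupsd (enforce)
/usr/sbin/tcpdump (enforce)
/usr/lib/firefox/firefox (complain)'

# Reads `ss -tlnup` output on stdin; prints "proto local-address process" for
# every socket bound to a non-loopback address, i.e. one another host can reach.
exposed_sockets() {
  awk 'NR > 1 {
    addr = $5
    sub(/:[0-9*]+$/, "", addr)                       # strip the port
    if (addr ~ /^127\./ || addr == "[::1]") next     # loopback only: skip
    proc = "?"
    if (match($7, /"[^"]+"/)) proc = substr($7, RSTART + 1, RLENGTH - 2)
    printf "%s %s %s\n", $1, $5, proc
  }'
}

# Reads the kernel profile list ("name (mode)" per line) on stdin and counts
# profiles per mode; only "enforce" profiles actually block anything.
apparmor_summary() {
  awk '{ mode = $NF; gsub(/[()]/, "", mode); n[mode]++ }
       END { for (m in n) printf "%s %d\n", m, n[m] }' | sort
}

echo "== sockets reachable from the network =="
if command -v ss >/dev/null 2>&1; then
  ss -tlnup 2>/dev/null | exposed_sockets
else
  printf '%s\n' "$SAMPLE_SS" | exposed_sockets
fi

echo "== AppArmor profiles by mode =="
if [ -r /sys/kernel/security/apparmor/profiles ]; then
  apparmor_summary < /sys/kernel/security/apparmor/profiles
else
  printf '%s\n' "$SAMPLE_AA" | apparmor_summary
fi
```

Run it as root so `ss -p` can name every owning process; anything the first section lists that you don't recognise is a service to stop or bind to localhost.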

#5 Swerve

Swerve

    Dangerous free thinker

  • Members
  • 809 posts
  • Country:
  • Gender:Male

Posted 18 January 2009 - 01:38 PM

Thanks for the advice guys :)

I'll have a play with AppArmor next weekend after I've finished a paper I'm writing, and, like you say, Enigma, I think I'll just go with the folder option until I can afford a decent machine.

Appreciated.
