The hardened Linux thread

Discussion in 'all things UNIX' started by J_L, Aug 23, 2015.

  1. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    Of course Linux is relatively secure with its obscurity, trusted repository, and whatnot. But how can we make it even more so? Here is the thread for that. I will list the following techniques, so feel free to add onto them:

    - Grsecurity/SELinux/AppArmor
    - FireJail/Docker
    - custom firewall rules
    - OSSEC
    - Compile your own hardened kernel
    - Possible detection tool or AV like RKHunter or Comodo
    - uBlock Origin, WOT, and other browser extensions
    - VirusTotal in case of suspicious executable
    - DNS, HOSTS, and other system config
     
    Last edited: Aug 23, 2015
  2. Infected

    Infected Registered Member

    Joined:
    Feb 9, 2015
    Posts:
    665
    This is a good thread. It will help us "me" learn more about Linux. I have the bottom 3 and a Firewall installed. Still a lot more to learn and do.
     
  3. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,984
    Location:
    Canada
    For me the main hardening centers around the browser, since it is the main avenue of attack, and by running Chromium, Linux provides it with its very strong sandboxing, especially the seccomp-bpf sandbox. In addition, I run Chromium:

    1. Firejailed with the private.keep option, so all changes during the browsing sessions are wiped clean when it's closed.
    2. Block 3rd-party cookies
    3. Disable most of the web services
    4. Click-to-play plugins
    5. Extensions: uBlock Origin blocking 3rd-party frames globally, and HTTPS Everywhere.

    Other than that, I use UFW, default deny both incoming and outgoing, with my own custom made rules.
     


  4. Infected

    Infected Registered Member

    Joined:
    Feb 9, 2015
    Posts:
    665
    I found a YouTube video about installing and using Firejail. Seems pretty straightforward.

    https://www.youtube.com/watch?v=xUW0L2Yj_us&index=1&list=LL2PxpC4xFu18nezAynUUQ-g
     
    Last edited by a moderator: Aug 23, 2015
  5. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    625
    Location:
    United States
    The browser is the weak point so disabling Java and Flash plugins goes a long way towards securing a system.
    Encrypt your hard drive. Use a router. Use iptables. Use signed software from the authorized repository.
    Use Chromium or use Firefox with Firejail. I use Chromium with uMatrix, LastPass, 2 factor authentication, strong passwords and PasswordAlert.

    The distro you choose has a lot to do with how secure the system is. Developers harden the kernel in many different ways and they react to vulnerability by making adjustments.

    Probably the most secure distros are:

    Qubes - everything runs in a virtual environment for the severely paranoid.
    Hardened Gentoo - you can make the kernel as hard as is possible but is difficult to install imo.
    Alpine - lightweight w/grsec/pax built into the kernel. Poor documentation with some leading to dead ends.
    Mempo - hardened Debian w/grsec/pax built in.
    Tails - privacy focused, boots off cd every time.
    Mainstream distros Ubuntu, Fedora, Debian and OpenSuse are secure as the developers write security features into their kernels and quickly respond to security vulnerabilities. With these there is a trade-off somewhat over the strictly security focused distros but with more available software and they are easier to get started and use.

    Look at Mint. They remove AppArmor and delay updates so the user experience isn't blemished by an errant update. Hell it doesn't even come with the firewall enabled. Yet their forums, which are pretty active, are not filled with people saying they are infected. There isn't even a security sub-forum. Of course the kernel is hardened (sans AppArmor) as it's an Ubuntu rewrite so there is some security baked in.
     
  6. Infected

    Infected Registered Member

    Joined:
    Feb 9, 2015
    Posts:
    665
    So does Chrome need firejail? I have Chrome with ublock, adguard and netcraft.
     
  7. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    625
    Location:
    United States
    I'm of a belief that you don't need to sandbox it yet again. OTOH if firejail adds another layer of security without slowing or disrupting your browser experience................... I don't use it because SELinux interferes with it.

    The Chrome sandbox is much stronger on Linux than on Windows since the sandbox can only be as strong as the OS allows. https://code.google.com/p/chromium/wiki/LinuxSandboxing

    chrome://sandbox

    Sandbox Status
    SUID Sandbox No
    Namespace Sandbox Yes
    PID namespaces Yes
    Network namespaces Yes
    Seccomp-BPF sandbox Yes
    Seccomp-BPF sandbox supports TSYNC Yes
    Yama LSM enforcing No
    You are adequately sandboxed.
     
  8. Infected

    Infected Registered Member

    Joined:
    Feb 9, 2015
    Posts:
    665
    Thanks for this. I can't get Chrome to launch with firejail. I keep getting errors for some reason. Only FF launches with it.

    firejail chrome
    Parent pid 9271, child pid 9272
    Child process initialized
    /bin/bash: chrome: command not found

    parent is shutting down, bye...
     
  9. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    625
    Location:
    United States
    Just out of curiosity what are you using for a distro and desktop?
     
  10. Infected

    Infected Registered Member

    Joined:
    Feb 9, 2015
    Posts:
    665
    Mint 17.2 Cinnamon
     
    Last edited: Aug 23, 2015
  11. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,984
    Location:
    Canada
    Try: firejail google-chrome-stable
     
  12. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    625
    Location:
    United States
    I was able to run Firejail on Mint. Try Wat0114's suggestion or in the Firejail thread there's something about adding debug to the command but I don't remember exactly.
     
  13. zakazak

    zakazak Registered Member

    Joined:
    Sep 20, 2010
    Posts:
    523
    Does anyone know anything about Firefox sandboxing on Linux? I have been using Chrome for ages and know about its sandboxing (although I didn't know it was more powerful on Linux) but want to switch to Firefox due to privacy reasons. Is it similar to Chrome in terms of sandboxing on Linux?
     
  14. Infected

    Infected Registered Member

    Joined:
    Feb 9, 2015
    Posts:
    665
    Thanks, that worked, but with errors.

    Code:
    Parent pid 3320, child pid 3321
    Child process initialized
    GLib-GIO-Message: Using the 'memory' GSettings backend.  Your settings will not be saved or shared with other applications.
    ** Message: Remote error from secret service: org.freedesktop.Secret.Error.IsLocked: Cannot get secret of a locked object
    [1:1:0824/064444:ERROR:extension_downloader.cc(693)] Invalid URL: '' for extension nnjnbmmegdjndlcmeajcldfcmilogjal
    ** Message: Remote error from secret service: org.freedesktop.Secret.Error.IsLocked: Cannot create an item in a locked collection
    [1:196:0824/064445:ERROR:get_updates_processor.cc(243)] PostClientToServerMessage() failed during GetUpdates
    [1:2:0824/064501:ERROR:channel.cc(300)] RawChannel read error (connection broken)
    
     
  15. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,984
    Location:
    Canada
    It's not unusual to get some errors, as long as the application is launched in the firejail. Try using the Debug switch:

    firejail --debug google-chrome-stable


    then you should see expected results similar to:

    Code:
    $ firejail --debug google-chrome-stable
    Command name #google-chrome-stable#
    Using the local network stack
    Parent pid 29887, child pid 29888
    Initializing child process
    PID namespace installed
    Mounting read-only /bin, /sbin, /lib, /lib64, /usr, /etc, /var
    Mounting tmpfs on /var/lock
    Mounting tmpfs on /var/tmp
    Mounting tmpfs on /var/log
    Mounting tmpfs on /tmp/firejail/mnt directory
    Create the new utmp file
    Mount the new utmp file
    Disable /home/lost+found
    Disable /home/username
    Remounting /proc and /proc/sys filesystems
    Remounting /sys directory
    Disable /proc/sysrq-trigger
    Disable /proc/sys/kernel/hotplug
    Disable /sys/kernel/uevent_helper
    Disable /proc/irq
    Disable /proc/bus
    Disable /proc/kcore
    Disable /proc/kallsyms
    Mounting a new /boot directory
    Disable /dev/port
    Username wat0114, groups 100, 7, 10, 90, 91, 92, 95, 98,
    Starting google-chrome-stable
    execvp argument 0: /bin/bash
    execvp argument 1: -c
    execvp argument 2: google-chrome-stable
    Child process initialized
    I have not shown several of the errors I get as well, but Chrome runs fine in the firejail for me.
     
  16. Infected

    Infected Registered Member

    Joined:
    Feb 9, 2015
    Posts:
    665
    Thanks, I'll use this from now on. I still get errors, but if it runs, I guess it's ok.
     
  17. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    722
    Firejail
    Quote:
    You'll notice that seccomp and caps are disabled in the Chromium profile but several critical folders and files are blacklisted. You are free to add more. I've created the following myrules.inc file in ~/.config/firejail which I included in nearly every profile:
    Code:
    read-only ${HOME}/.config/firejail/*
    blacklist ${HOME}/.config/autostart
    blacklist ${HOME}/.kde4/Autostart
    blacklist ${HOME}/.kde/Autostart
    blacklist ${HOME}/.wine
    blacklist ${HOME}/.conky
    blacklist ${HOME}/.gramps
    blacklist ${HOME}/.dropbox
    blacklist ${HOME}/.dropbox-dist
    blacklist ${HOME}/.dropbox-master
    blacklist ${HOME}/Dropbox
    blacklist ${HOME}/moneyplex
    blacklist ${HOME}/.conkyrc
    read-only ${HOME}/.bashrc
    read-only ${HOME}/.bash_profile
    blacklist ${HOME}/.bash_history
    read-only /etc/passwd
    blacklist /etc/shadow
    EDIT: I recommend creating the directory ~/.config/firejail and copying the existing profiles from /etc/firejail to that new directory. Those profiles take precedence over the ones in /etc/firejail. Thus, you can modify them without having them overwritten when Firejail gets updated.
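The per-user profile setup described in the post above, written out as an added example (this is not summerheat's script or Firejail's own tooling). The function copies each system profile into a user directory only when no local copy exists, then appends an `include` line for a shared rules file such as the myrules.inc shown above; the source and destination directories are parameters so it can be dry-run against constructed directories rather than /etc/firejail.

```shell
#!/bin/sh
# Added example, not from the thread: seed ~/.config/firejail from the
# system profiles and make every copied profile include a shared rules file.
# Assumed layout: SRC holds *.profile files (normally /etc/firejail), DST is
# the per-user profile directory (normally ~/.config/firejail), RULES is the
# path written into the include line (Firejail expands ${HOME} itself).

# seed_firejail_profiles SRC DST RULES
# - never overwrites a profile that already exists in DST (local edits win)
# - appends "include RULES" only once, so repeated runs are idempotent
# Prints the number of newly copied profiles.
seed_firejail_profiles() {
    src=$1; dst=$2; rules=$3
    copied=0
    mkdir -p "$dst" || return 1
    for p in "$src"/*.profile; do
        [ -f "$p" ] || continue
        name=$(basename "$p")
        if [ ! -e "$dst/$name" ]; then
            cp "$p" "$dst/$name" || return 1
            copied=$((copied + 1))
        fi
        # Exact-line, fixed-string match so ${HOME} is not treated as a regex.
        if ! grep -qxF "include $rules" "$dst/$name"; then
            printf 'include %s\n' "$rules" >> "$dst/$name"
        fi
    done
    echo "$copied"
}

# Real-system invocation (commented out so the script is safe to source):
# seed_firejail_profiles /etc/firejail "$HOME/.config/firejail" '${HOME}/.config/firejail/myrules.inc'
```

Because the copy step skips files already present in the destination, running it again after a Firejail update pulls in newly added profiles without clobbering the ones you have edited, which is the point of the precedence rule the post relies on.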
     
  18. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    625
    Location:
    United States
    Firefox is in the process of implementing the same sandbox as Chrome on Linux but it's not quite there yet, they still have issues.
     
  19. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    722
    An overview is https://wiki.mozilla.org/Security/Sandbox . On Windows the sandbox should already be enabled for Nightly.
    I don't know, though, how this fits with Servo which is intended to become the new rendering engine in Firefox:
     
  20. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,977
    Location:
    Brasil
    Hmm.... what? Linux doesn't do "security through obscurity".... at all....

    Thanks for linking my custom firewall rules ;)

    Here's what I do:

    * GRsecurity + PAX, with "softmode" set to "0" (making mitigations opt-out rather than opt-in);
    * Firejail for almost all apps, with numerous flags;
    * GUFW, a mix between my custom rules and other rules (will be in my Github repo soon);
    * uBlockOrigin, Disconnect, RequestPolicy, https-everywhere, NoScript;

    I don't use detection tools, they're dumb unless you have a server and/or don't want to pass malware to people.
    The only tool I use is rkhunter, this tool is actually useful ;)

    I encrypt my drive. FDE, with twofish-xts-plain64, and an iter-time of 5000, which means 10 seconds between each passphrase attempt, making brute-force attacks useless.

    VirusTotal? Why? If the user only uses the trusted repositories there's no need to scan an executable file at all. Maybe for a PDF or such? But then, Firejail and GRSec should take care of any exploit.

    I'll do some research on OSSEC.

    Chrome's sandbox can't be trusted. Firefox's sandbox neither. Both can be bypassed.
     
  21. Balthazar

    Balthazar Registered Member

    Joined:
    Nov 8, 2013
    Posts:
    137
    Location:
    Earth
    I've just been starting to read about this subject. Do you think it to be useful in light of the development mentioned in the other topic (patches not being available in the future)?
    I had trouble allowing my VPN client to be executed from my home folder. It uses openvpn, openssl and other dependencies. Is this something that can easily be solved?
     
  22. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,977
    Location:
    Brasil
    I'm not sure I understand what you mean.
    If you currently use the LTS GRSec Kernel (3.14), you can still use kernel.pax.softmode=0.
    And even when the LTS branch is no longer available, you will either be using the latest publicly available LTS kernel of your distro (which should still allow kernel.pax.softmode=0) or the testing versions, which also allow kernel.pax.softmode=0.

    So IMO you should be fine either way, softmode=0 will work regardless of the LTS branch not being publicly available.

    See this article to learn how to set permissions to problematic executables https://wiki.archlinux.org/index.php/Pax

    Remember, don't start giving "pemrs" permissions right away, because this is how executables are handled if "kernel.pax.softmode" is set to "1" (meaning all mitigations are off and opt-in). Most problematic executables can be allowed under "kernel.pax.softmode=0" by giving the executables the following permission: "m".

    Remember that uppercase letters (PEMRS) mean mitigations are ON; and lowercase letters (pemrs) mean mitigations are OFF.
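The two checks the post above describes, as an added example (not amarildojr's script and not part of PaX or paxctl): confirm that softmode is 0, then grant a problematic binary only the lowercase "m" exemption instead of the whole "pemrs" set. The paxctl command name and the softmode sysctl file are overridable through PAXCTL and PAX_SOFTMODE_FILE so the logic can be exercised against a stub; on a real grsecurity kernel the defaults apply.

```shell
#!/bin/sh
# Added example, not from the thread. Keep kernel.pax.softmode=0 and exempt
# a single executable from MPROTECT only, leaving the other PaX mitigations on.
# Assumptions: paxctl is installed; /proc/sys/kernel/pax/softmode exists on a
# PaX kernel. Both are overridable for testing.
PAXCTL=${PAXCTL:-paxctl}
PAX_SOFTMODE_FILE=${PAX_SOFTMODE_FILE:-/proc/sys/kernel/pax/softmode}

# pax_softmode_enforcing
# Returns 0 when softmode is 0 (mitigations on by default, opt-out),
# 1 when it is 1 (mitigations opt-in), 2 when the file is absent (no PaX).
pax_softmode_enforcing() {
    [ -r "$PAX_SOFTMODE_FILE" ] || return 2
    read mode < "$PAX_SOFTMODE_FILE"
    [ "$mode" = "0" ]
}

# pax_exempt_mprotect BIN
# Applies only the "m" flag (MPROTECT off) to BIN. -c converts an existing
# PT_GNU_STACK header into PT_PAX_FLAGS when the binary has no PaX header
# yet; -m clears the MPROTECT bit. P, E, R and S stay enforced.
# Returns non-zero if BIN is not a regular file.
pax_exempt_mprotect() {
    bin=$1
    [ -f "$bin" ] || { echo "not a regular file: $bin" >&2; return 1; }
    "$PAXCTL" -cm "$bin"
}

# Real-system flow (commented out so the script is safe to source):
# if pax_softmode_enforcing; then
#     pax_exempt_mprotect /usr/bin/some-jit-heavy-app   # hypothetical path
# else
#     echo "softmode is not 0; fix sysctl kernel.pax.softmode first" >&2
# fi
```

paxctl writes the flag into the ELF program header of the file itself, so a package upgrade that replaces the binary silently drops the exemption; rerun the function (or check with `paxctl -v`) after updates to the affected package.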
     
  23. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    722
    Agreed :thumb:

    I wonder why you need Disconnect, RequestPolicy and Noscript.
    - Disconnect: Its filter lists are also available in uBlock Origin. Together with the other available filter lists and hosts files uBlock Origin blocks considerably more.
    - RequestPolicy: Its functionality can be completely replaced by choosing default deny in Dynamic Filtering. See also the various available blocking modes.
    - Noscript: Can also be replaced in uBlock Origin if you block inline and 1st party scripts. (Although it might make sense to keep Noscript installed and allow scripts globally: Its XSS and clickjacking protection would still be activated.)

    Advantage: the fewer extensions you use, the less unique your browser is ( -> fingerprinting).
     
  24. Balthazar

    Balthazar Registered Member

    Joined:
    Nov 8, 2013
    Posts:
    137
    Location:
    Earth
    I think I didn't understand myself but your explanation helps. Thanks.

    Thanks again, I will try when I have a better understanding of how things work. It's just that using a VPN is the first thing I do when using a freshly installed system.
     
  25. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,977
    Location:
    Brasil
    - I keep Disconnect here so that I'm able to see, with a more generic "filter" naming, what is trying to deliver ads, or content, or social tracking.
    - I wouldn't want to replace RequestPolicy because there are a few ads that I agree to display on some websites that I support and/or that I benefit from.

    Overall, RequestPolicy is my first line of defense. It blocks all scripts and I can choose what to allow in a deeper way than NoScript. If there are ads that I want to display on a page, I allow them through uBlockOrigin. NoScript is here because RequestPolicy sometimes doesn't forbid some javascript requests, and NoScript does.
     