Page 1 of 1

Additiona Security software to complement GrSEc

PostPosted: Sat Oct 02, 2010 3:32 am
by hedon4561
GrSec & linux/unix Newbie

Recently I installed NetSecl 3.0 (as a VM) which has Grsec installed. Security is a priority on this machine & to further lock down the os I've disabled additional serices - postfix, smbfs,sshd, network remote-fs, & aslr sound. This vm is only used for one purpose - banking, it never is used for ANY thing else. It aslo sits behind a Cisco FW. I would like to know if there is any additional software I can install to compliment Grsecurity.

Thanks in advance.

Re: Additiona Security software to complement GrSEc

PostPosted: Sun Oct 03, 2010 3:01 am
by Grach
To make system more secure in general:
1. Uninstall packages with unused suid/sgid binaries (like sudo)
2. Make sure all the PaX and Grsecurity features are enabled, configured properly and don't prevent apps from working
3. Rebuild your kernel without unnecessary things like modules, LSM framework, SCTP and IPsec, FUSE, DRM, ALSA/OSS and so on
4. Apply more restricted DAC permissions on sensitive files and directories like stuff in /var/log, /sys, /boot, /lib/modules, /proc/bus, etc
5. Use more secure resolvers like unbound or djbdns instead of BIND; use more secure syslog daemon like socklog or even don't use syslog daemon at all
6. Make sure executables you use are build as PIE to make ROP attacks more unlikely to success, and if they aren't PIE, rebuild them with customized specs
7. If you connect to several banking systems, do it as separate users in separate X window servers, and maybe deploy some restrictive RBAC policy with custom killing and logging traps to detect and prevent intrusions
8. Try to maintain static /dev to prevent any exploitation of udev
9. Use iptables to reject any inbound connections to prevent exploitation of services that could be left running by mistake
10. Configure your browser for strict SSL/TLS usage (like requiring OCSP avalability, only safe TLS negotiation, no weak ciphers, etc)
11. Uninstall anything you don't need to prevent web browser or any other app from running Java applets and audio/video content by accident, etc.
12. Use NoScript and its ABE to prevent XSS/CSRF attacks
13. Disable JIT compiling of JavaScript and enable MPROTECT restriction on web browser executable
14. Anything else I forgot or don't know about

Btw, TinHat seems more appropriate for your task (if you have enough RAM to run it), or Hardened Gentoo, as they both have strong kernelspace and userspace hardeding, while OpenSUSE (which NetSecl 3.0 is based on), AFAIK, does not provide PIE binaries (at least not for client apps), has (partially) writable ELF relocation tables, no system-wide -fstack-protector-all, etc...

Re: Additiona Security software to complement GrSEc

PostPosted: Sun Oct 03, 2010 9:00 pm
by hedon4561
Many thanks for your suggestions. I'm going to look into the distros that you have suggested. As I'm new to unix/linux, would you be able to recommend any with the experience to build a customized locked down system?

regards

Re: Additiona Security software to complement GrSEc

PostPosted: Mon Oct 04, 2010 12:25 am
by Grach
I'm not sure whether I understand: to recommend what exactly? English isn't my native language.

Re: Additiona Security software to complement GrSEc

PostPosted: Thu Oct 07, 2010 5:47 am
by hedon4561
I was looking for someone reliable who could build a customized linux distro that would be able to include the hardening suggestions you listed below.


Regards

Re: Additiona Security software to complement GrSEc

PostPosted: Thu Oct 07, 2010 2:21 pm
by Grach
Perhaps you should ask on #gentoo-hardened on Freenode. However, keep in mind that Hardened Gentoo and TinHat are moving targets, and if you are after hiring someone to configure it for you, then you could need such person to maintain it. Not a good idea, IMHO. If I would be you, I would configure a basic hardened system and learn how to enhance it further, to do everything by myself and keep outsiders away from my banking requisites. :)