05-30-2007, 02:10 PM
|
#1
|
Member
Registered: Feb 2006
Location: Italy
Distribution: Ubuntu FreeBSD
Posts: 92
Rep:
|
hardening on virtual machines
Hi,
I'm a desktop user and I use Ubuntu Feisty Fawn on my notebook.
I like making my Linux box as secure as I can, so,
after installing and configuring my firewall, Snort and Tripwire,
I rebuilt the kernel with GRsecurity.
PAX is really great, but it's also quite uncomfortable
(kills executable stack processes,...)
so programs like OpenOffice, used to share libraries via an executable stack,
became unusable; for this reason I should remove PAX protection via chpax
from binaries needing an executable stack, but it's so boring :-/
I have an idea and I'd like to know your opinion about it.
In the end the idea is going on the internet via a hardened Virtual Machine
and leaving the host (Feisty) without kernel hardening; in this way, I avoid having to:
- manually set PAX policy for each binary
- rebuild all the "uncommon hardware" present on my laptop,
because the VM spares me from compiling external drivers for
video card, network interfaces and so on.
Do you think this can grant me a good compromise in terms of security level?
If I have understood correctly, the only way to access a host machine is by smashing
the guest. An attacker must compromise the guest and then could get the host.
There's no way to bypass the guest and directly get root privilege on the host so,
if I build a "full metal jacket" guest with qemu (accelerated with kqemu),
an attacker would have to smash the VM before getting access to my Feisty host.
If I'm right, then a good firewall, Snort and Tripwire configuration could be
a good protection yet for my Feisty host.
What do you think about it?
sincerely,
deadlinx
|
|
|
06-01-2007, 03:52 PM
|
#2
|
Senior Member
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Rep:
|
Quote:
In the end the idea is going on the internet via a hardened Virtual Machine
|
This is a very good idea, if you have the tolerance for it. I've always felt that browsers are buggy crapware (I know they're not easy to write; no offense intended) just waiting around for the next zero-day exploit.
What you're describing is an intelligent way to insulate yourself from that. You could even start a new copy of the VM (i.e. don't save settings from previous sessions) if you'd like. That way even if it becomes compromised somehow, you'd start fresh each time.
|
|
|
06-02-2007, 06:23 AM
|
#3
|
Member
Registered: Feb 2006
Location: Italy
Distribution: Ubuntu FreeBSD
Posts: 92
Original Poster
Rep:
|
Hi,
Quote:
Originally Posted by anomie
What you're describing is an intelligent way to insulate yourself from that.
|
Are we sure that the hypervisor is not a problem for insulation? I mean the hypervisor is loaded in the kernel; if it is buggy then we'll get direct access to the host!
Maybe it is a better idea to use a non-accelerated qemu (without kqemu), but it has its own bugs, as this research has demonstrated: taviso.decsystem.org/virtsec.pdf
In the end kernel hardening seems to be necessary. I like GRSecurity, but since the 2.6.19.2 patch it is buggy --> it doesn't really grant us the PAX protection. Now I really feel unsafe :-/
As I've written ( http://www.linuxquestions.org/questi...d.php?t=558341) other security patches (RSBAC, Apparmor, SELinux...) seem not to be, nowadays, comfortable solutions for an Ubuntu desktop
Quote:
Originally Posted by anomie
You could even start a new copy of the VM (i.e. don't save settings from previous sessions) if you'd like. That way even if it becomes compromised somehow, you'd start fresh each time.
|
It's a good idea, but what about reinstalling and reconfiguring each time:
- "firewall"
- hardened kernel,
- Snort
- Tripwire
- Bastille
- ...
It's a good idea to rebuild the VM, but once a week or something like this, or you risk spending the majority of the time installing and configuring instead of surfing the net ;-)
deadlinx
|
|
|
06-02-2007, 12:43 PM
|
#4
|
Senior Member
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Rep:
|
Quote:
Originally Posted by deadlinx
I mean the hypervisor is loaded in the kernel; if it is buggy then we'll get direct access to the host!
|
Fair enough, but compared to the odds of a buggy browser leading to some exploit which leads to data loss or some other privilege escalation, etc., I think you're better off with a hypervisor or emulator. Both risks are low on a GNU/Linux box. But I think your intent is to make them even lower.
Quote:
Originally Posted by deadlinx
It's a good idea to rebuild the VM, but once a week or something like this, or you risk spending the majority of the time installing and configuring instead of surfing the net ;-)
|
I was referring to something more like running a copy that you've already configured. e.g. Install and configure the VM once, and then run only a snapshot when cruising the web (so that any changes are not written back to the original).
Last edited by anomie; 06-02-2007 at 12:45 PM.
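The "configure once, run only a snapshot" workflow from the post above, sketched as an added example (not code from the thread). It assumes a current QEMU with `qemu-img` and `qemu-system-x86_64`, a golden image in qcow2 format given by absolute path, and the hypothetical function names `seal_base`, `base_intact` and `browse_session`.

```shell
#!/bin/sh
# Added example: disposable browsing session on top of a golden image.
# Assumptions: binary names below (override via environment), qcow2 base image.
QEMU="${QEMU:-qemu-system-x86_64}"
QEMU_IMG="${QEMU_IMG:-qemu-img}"

# Run once, right after the guest has been installed and hardened:
# make the golden image read-only and record its hash.
seal_base() {
    base=$1
    chmod a-w "$base" &&
    sha256sum "$base" | cut -d' ' -f1 > "$base.sha256"
}

# Return 0 only if the golden image still matches the recorded hash.
base_intact() {
    base=$1
    [ -r "$base.sha256" ] || return 1
    now=$(sha256sum "$base" | cut -d' ' -f1)
    [ "$now" = "$(cat "$base.sha256")" ]
}

# One session: guest writes land in a throwaway overlay, never in the base.
# Returns 2 if the base changed before boot, 3 if it changed during the session.
browse_session() {
    base=$1
    base_intact "$base" || { echo "golden image changed, refusing to boot" >&2; return 2; }
    overlay=$(mktemp "${TMPDIR:-/tmp}/session.XXXXXX") || return 1
    "$QEMU_IMG" create -q -f qcow2 -b "$base" -F qcow2 "$overlay" ||
        { rm -f "$overlay"; return 1; }
    rc=0
    "$QEMU" -m 1024 -drive "file=$overlay,format=qcow2" -nic user || rc=$?
    rm -f "$overlay"            # discard everything the session wrote
    base_intact "$base" || return 3
    return "$rc"
}

# Usage (paths are placeholders):
#   seal_base /vm/golden.qcow2        # once, after configuring the guest
#   browse_session /vm/golden.qcow2   # every time you go online
```

QEMU's `-snapshot` option gives the same write-nowhere behaviour in a single flag; the explicit overlay plus hash check additionally shows whether the golden image was touched between sessions.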
|
|
|
06-02-2007, 12:44 PM
|
#5
|
Member
Registered: Feb 2006
Location: Italy
Distribution: Ubuntu FreeBSD
Posts: 92
Original Poster
Rep:
|
Hi,
another problem remains for us: while you're accessing the net via the VM, the host is still accessible from the net, so I have a doubt: can a virtual machine really increase host safety?
deadlinx
|
|
|
06-02-2007, 12:46 PM
|
#6
|
Senior Member
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Rep:
|
Quote:
Originally Posted by deadlinx
while you're accessing the net via-VM, the host is still accessible from the net ...
|
Why? Are you running services on the host which are open to external networks?
|
|
|
06-02-2007, 02:18 PM
|
#7
|
Member
Registered: Feb 2006
Location: Italy
Distribution: Ubuntu FreeBSD
Posts: 92
Original Poster
Rep:
|
Hi,
Quote:
Originally Posted by anomie
Are you running services on the host which are open to external networks?
|
You're right, I've no services on the host,
sorry, I need more hours of sleep - the weekend spoils me -
or I risk writing other stupid replies,
next time I'll debug my doubts before writing ;-)
Thanks,
good saturday!
deadlinx
|
|
|