LinuxQuestions.org
Old 05-30-2007, 02:10 PM   #1
deadlinx
Member
 
Registered: Feb 2006
Location: Italy
Distribution: Ubuntu FreeBSD
Posts: 92

Rep: Reputation: 15
hardening on virtual machines


Hi,

I'm a desktop user and I use Ubuntu Feisty Fawn on my notebook.

I like making my Linux box as secure as I can, so
after installing and configuring my firewall, Snort and Tripwire,
I rebuilt the kernel with grsecurity.

PaX is really great, but it's also quite uncomfortable
(kills executable stack processes, ...)
so programs like OpenOffice, used to share libraries via executable stack,
became unusable; for this reason I should remove PaX protection via chpax
from binaries needing an executable stack, but it's so boring :-/

I have an idea and I'd like to know your opinion about it.

In the end the idea is going on the internet via a hardened Virtual Machine
and leaving the host (Feisty) without kernel hardening; this way, I avoid having to:

- manually set PaX policy for each binary
- rebuild all the "uncommon hardware" present on my laptop,
because the VM spares me from compiling external drivers for
video card, network interfaces and so on.


Do you think this can grant me a good compromise in terms of security level?
If I have understood correctly, the only way to access a host machine is smashing
the guest. An attacker must compromise the guest, then could get the host.
There's no way to bypass the guest and directly get root privilege on the host, so
if I build a "full metal jacket" guest with qemu (accelerated with kqemu),
an attacker would have to smash the VM before getting access to my Feisty host.

If I'm right, then a good firewall, Snort and Tripwire configuration could be
a good protection yet for my Feisty host.

What do you think about it?


sincerely,

deadlinx
 
Old 06-01-2007, 03:52 PM   #2
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Rep: Reputation: Disabled
Quote:
In the end the idea is going on the internet via a hardened Virtual Machine
This is a very good idea, if you have the tolerance for it. I've always felt that browsers are buggy crapware (I know they're not easy to write; no offense intended) just waiting around for the next zero-day exploit.

What you're describing is an intelligent way to insulate yourself from that. You could even start a new copy of the VM (i.e. don't save settings from previous sessions) if you'd like. That way even if it becomes compromised somehow, you'd start fresh each time.
 
Old 06-02-2007, 06:23 AM   #3
deadlinx
Member
 
Registered: Feb 2006
Location: Italy
Distribution: Ubuntu FreeBSD
Posts: 92

Original Poster
Rep: Reputation: 15
Hi,

Quote:
Originally Posted by anomie
What you're describing is an intelligent way to insulate yourself from that.
Are we sure that the hypervisor is not a problem for insulation? I mean, the hypervisor is loaded in the kernel; if it is buggy then we'll get direct access to the host!

Maybe it is a better idea to use a non-accelerated qemu (without kqemu), but it has its own bugs, as this research has demonstrated: taviso.decsystem.org/virtsec.pdf

In the end kernel hardening seems to be necessary. I like grsecurity, but since the 2.6.19.2 patch it is buggy --> it doesn't really grant us the PaX protection; now I really feel unsafe :-/

As I've written (http://www.linuxquestions.org/questi...d.php?t=558341), other security patches (RSBAC, AppArmor, SELinux...) seem not to be, nowadays, comfortable solutions for an Ubuntu desktop.



Quote:
Originally Posted by anomie
You could even start a new copy of the VM (i.e. don't save settings from previous sessions) if you'd like. That way even if it becomes compromised somehow, you'd start fresh each time.
It's a good idea, but what about reinstalling and reconfiguring each time:
- "firewall"
- hardened kernel,
- Snort
- Tripwire
- Bastille
- ...

It's a good idea to rebuild the VM, but once a week or something like that, or you risk spending the majority of the time installing and configuring instead of surfing the net ;-)

deadlinx
 
Old 06-02-2007, 12:43 PM   #4
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Rep: Reputation: Disabled
Quote:
Originally Posted by deadlinx
I mean, the hypervisor is loaded in the kernel; if it is buggy then we'll get direct access to the host!
Fair enough, but compared to the odds of a buggy browser leading to some exploit which leads to data loss or some other privilege escalation, etc., I think you're better off with a hypervisor or emulator. Both risks are low on a GNU/Linux box. But I think your intent is to make them even lower.

Quote:
Originally Posted by deadlinx
It's a good idea to rebuild the VM, but once a week or something like that, or you risk spending the majority of the time installing and configuring instead of surfing the net ;-)
I was referring to something more like running a copy that you've already configured. e.g. Install and configure the VM once, and then run only a snapshot when cruising the web (so that any changes are not written back to the original).

Last edited by anomie; 06-02-2007 at 12:45 PM.
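
The configure-once, run-from-a-snapshot arrangement suggested in the post above, sketched as an added example that is not part of the original thread: QEMU's `-snapshot` option keeps guest writes out of the image, and a hash taken before and after the session confirms it. The binary name, image format, memory size, path and function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: the qemu-system-x86_64
# binary, a qcow2 golden image, 1024 MB of guest RAM, all function names.

# SHA-256 of a file (first field of sha256sum's output).
image_digest() {
    sha256sum "$1" | cut -d' ' -f1
}

# Start the guest with -snapshot: guest disk writes go to a temporary file
# that QEMU discards on exit, so the configured image is never modified.
start_guest() {
    qemu-system-x86_64 -m 1024 -snapshot -drive "file=$1,format=qcow2"
}

# Run one session command against the golden image and confirm afterwards
# that the image is byte-for-byte unchanged.
# Returns 0 if unchanged, 1 if it was modified, 2 if the image is missing.
run_disposable() {
    golden=$1
    shift
    [ -f "$golden" ] || return 2
    before=$(image_digest "$golden")
    chmod a-w "$golden"   # belt and braces: drop write permission as well
    "$@"                  # the session itself; its exit status is ignored
    after=$(image_digest "$golden")
    if [ "$before" != "$after" ]; then
        echo "golden image changed during session: $golden" >&2
        return 1
    fi
    return 0
}

# Typical use (hypothetical path, not executed here):
#   run_disposable /var/vm/golden.qcow2 start_guest /var/vm/golden.qcow2
```
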
 
Old 06-02-2007, 12:44 PM   #5
deadlinx
Member
 
Registered: Feb 2006
Location: Italy
Distribution: Ubuntu FreeBSD
Posts: 92

Original Poster
Rep: Reputation: 15
Hi,

Another problem remains: while you're accessing the net via the VM, the host is still accessible from the net, so I have a doubt: can a virtual machine really increase host safety?

deadlinx
 
Old 06-02-2007, 12:46 PM   #6
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Rep: Reputation: Disabled
Quote:
Originally Posted by deadlinx
while you're accessing the net via-VM, the host is still accessible from the net ...
Why? Are you running services on the host which are open to external networks?
 
Old 06-02-2007, 02:18 PM   #7
deadlinx
Member
 
Registered: Feb 2006
Location: Italy
Distribution: Ubuntu FreeBSD
Posts: 92

Original Poster
Rep: Reputation: 15
Hi,

Quote:
Originally Posted by anomie
Are you running services on the host which are open to external networks?
You're right, I've no services on the host,
sorry, I need more sleeping hours - weekend spoils me -
or I risk writing other stupid replies,
next time I'll debug my doubts before writing ;-)

Thanks,

Good Saturday!

deadlinx
 
Tags
hardening, kernel, security, virtualization