# Military-grade security for Gentoo Desktop

## mbar

Let's talk some science-fiction here  :Smile: 

If you were to secure your laptop/desktop computer to the highest possible level (or whatever military-grade may mean) how would you do that? I'm asking because I think I have mastered these:

http://en.gentoo-wiki.com/wiki/DM-Crypt_with_LUKS

http://en.gentoo-wiki.com/wiki/Root_on_LVM_or_EVMS_over_dm-crypt/LUKS

and I have some (unpleasant) experience with hardened, and I'm bored and would like to learn more.

Let's assume we want to protect our computers from Lisbeth Salander

What next? grsecurity? Would a checklist help here?

```
Whole disk DM-Crypt with LUKS ............... Check
Hardened Gentoo ........... Check
Firewall ................... Check
No trace of Internet Explorer .......... Check
Remote login only with SSH ............. Check
.
.
.
.
```

----------

## Letharion

Given that the US NSA is heavily involved in SELinux (or so I think http://www.nsa.gov/research/selinux/), I'd say that's as close to "military grade" as you are likely to get.  :Smile: 

----------

## mbar

I wondered if mentioning Lisbeth would attract someone from Sweden... and it happened  :Wink: 

----------

## Letharion

I had no idea who she was, I didn't even click the link until now  :Wink: 

I've heard of the books and movies of course, but have never read or seen them.

----------

## mbar

/me starts reading http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml

----------

## gerard27

mbar,

Are you seriously considering making your lappy impenetrable?

I have been using Linux for a long time (no server).

Went from distro to distro always with the same root passwd.

Never any problem.

Gerard.

----------

## Letharion

I quote the OP:

 *Quote:*   

> I'm bored and would like to learn more. 

 

What better reason could there possibly be, than to pursue knowledge for the sake of fun, and knowledge?

I tried to get my server to use SE-Linux too once, for precisely the same reason, but I didn't have the patience required at that time.

----------

## tomk

Moved from Gentoo Chat to Networking & Security as it fits better here.

----------

## mbar

 *Letharion wrote:*   

> What better reason could there possibly be, than to pursue knowledge for the sake of fun, and knowledge?

 

This is exactly the reason for my "quest". I'm a Gentoo user since late 2004 and till today I have installed only one hardened server (not for me, but I'm still helping with updates and administration of that server), that I un-hardened due to trouble with updating some packages. The rest of my Gentoo installs are "default" servers and desktops. None has been "penetrated" as you may say  :Smile: 

But I reckon that my knowledge of hardened/secure Linux is not full -- time to learn then  :Wink: 

----------

## mr.sande

I am kind of on the same "quest", trying to learn more about Linux security. Figured a good way to learn is to live with it.

Up until now I have

- switched to hardened profile
- enabled pax and grsecurity
- rebuilt system
- started auditing with lsat, lynis, rkhunter and other such tools

Since I'm new to Hardened Gentoo this is a learning journey for me. So I was wondering what your plans for hardening are, mbar?

----------

## 1clue

First, let me preface this with "I'm not an expert."

That said, just about every encryption book, paper, web site or primer I've ever read claims that "military grade encryption" is a snake oil warning.

The US Military doesn't publish any information about what sort of encryption they use, therefore proving what grade of encryption they provide vs the grade you're looking at is impossible, and while some reputable groups use the term you really need to do your homework.

Other warnings include "trust us, we know what we're doing" and other attempts to obscure what's going on.  Good encryption has little to do with method and everything to do with the key.  Another would be the permission to export it from the USA.

It has been some years since I looked into it, but I would strongly recommend that you do a bunch of reading on sites or in books which don't use the term.

Good luck and have fun.

----------

## mbar

 *1clue wrote:*   

> That said, just about every encryption book, paper, web site or primer I've ever read claims that "military grade encryption" is a snake oil warning.
> 
> [...]
> 
> It has been some years since I looked into it, but I would strongly recommend that you do a bunch of reading on sites or in books which don't use the term.
> ...

 

Of course I'm aware of this issue. Besides, I have a degree (albeit a low one  :Wink:  ) in Computer Security, so I have already read a few books without the "military grade" statement. And I used "military grade" as a somewhat tongue-in-cheek remark. Nonetheless I treat this subject seriously.

 *1clue wrote:*   

> Good luck and have fun.

 

Yeah!

 *mr.sande wrote:*   

> Since I'm new to Hardened Gentoo this is a learning journey for me. So I was wondering what your plans for hardening are, mbar?

 

No definite plans yet, I'm conducting some trials (i.e. fresh SELinux Gentoo install) on a virtual machine.

BTW I have found this:

http://hardenedgentoo.blogspot.com/

pity it's updated rather rarely.

----------

