# Security - Compromised?

## skovgyden

Hi,

It's gonna be a long one this :Smile: - hope you have the time to finish reading.

Well, the subject goes for my XP box. Some lousy trojan came in from outta nowhere :Sad: - running fully patched XP, NAV AV Pro, even TrojanHunter. All behind a dedicated firewall (SOHO) - still the trojan got itself installed. Although I had my folders encrypted I got somewhat spooked (my keyboard isn't encrypted, for example). I quickly moved my important private files and banking keys to the Gentoo box.

Now I'm sitting here in front of my Gentoo...thinking that I'm more secure here...I probably am - my box isn't running any servers at all. But then again...I have 3 major concerns with my installation.

1. Userland security

Well, do I trust the userland applications? No. I mean...I'm aware of the Open Source advantage, but let's be serious. I could easily write an ebuild and get it into the Gentoo userland. And all you ppl have on me is a crappy hotmail address. Suppose someone decides to sneak in a key logger? I wouldn't notice...the community probably wouldn't notice until after a lot of exploits. Comparing to Windows (or even RedHat or Suse) I definitely trust the applications more. Notice that this sentence is using "trust" as a way to describe the developers' intention...not skills :Smile:

Now of course I have read the security pages, searched the forum and there are a lot of things I can do to make my system more secure. Firewall, GRsec etc. But I really really feel the need for something to monitor my Linux installation "making sure" that no one is out on a rampage run. Does the Linux community have something along the way of an "anti-trojan" application? Like "TDS" for Windows. And I don't just mean a simple file-based IDS - but also in-memory scanning.

What do you think of my concern? Any point or am I missing something?

2. Keeping up-2-date.

It goes for any OS. Keeping up2date is essential. But especially Gentoo has a problem here imo. I can't emerge -u world on a regular basis. I need the computing power for something else. And let's face it. 1 outta 5 world updates end up wrecking your system :Confused: - I have seen several admins/veterans etc. that emphasize: Don't ever never update the world if you don't wanna spend the weekend fixing things. But is it enough to run the GLSA update?

3. Encrypted filesystem

Now let's say that the system has been compromised. In that situation I really want my files to be encrypted. But I also don't want to manually decrypt every file or directory on an ad hoc basis. I need something more - ehm - automatic. Something like this - but for Linux (Ext3/Reiser). Don't you agree?

Solutions

Well, I thought of 2 things that might help me on my way. Just wanna hear from you if it is possible / advisable.

1. Readonly systems.

Shouldn't I mount all system files as readonly? If I separate temporary files from system files, I should be able to mount the system as readonly, right? And don't you agree that it would make it almost impossible to exploit the system? For example it would make it impossible to alter my FTP/Mail server's configuration files.

2. Execution stop.

This is just an idea...I imagine a mail server. Once the server is up and running I activate a switch in the Linux system that takes a snapshot of the running services and locks the system from starting any other service or application. The only way is to allow local login from a user in the wheel group..that could "su" to stop the hard lock.

I imagine that even if the TCP door was open, a remote attacker would not be able to execute anything. Is this thought a complete laugh? If yes...why :Smile:

Thanks for your time,

----------

## Houdini

*Quote:*

> Well, do I trust the userland applications? No. I mean...I'm aware of the Open Source advantage, but let's be serious. I could easily write an ebuild and get it into the Gentoo userland. And all you ppl have on me is a crappy hotmail address. Suppose someone decides to sneak in a key logger? I wouldn't notice...the community probably wouldn't notice until after a lot of exploits.

I really doubt that. You can't just upload an ebuild into portage and have everyone get it next time they emerge sync. It goes through the Gentoo dev team, who would notice something that emails out passwords (or whatever).

*Quote:*

> Comparing to Windows (or even RedHat or Suse) I definitely trust the applications more. Notice that this sentence is using "trust" as a way to describe the developers' intention...not skills

Sorry, which group do you trust more?  I'm sure it's not the Windows applications (which you can't see the source of).  The RedHat and SuSE applications are the same ones Gentoo uses, other than the install tools.

*Quote:*

> But I really really feel the need for something to monitor my Linux installation "making sure" that no one is out on a rampage run. Does the Linux community have something along the way of an "anti-trojan" application? Like "TDS" for Windows. And I don't just mean a simple file-based IDS - but also in-memory scanning.
>
> What do you think of my concern? Any point or am I missing something?
> ...

Yes, we have a great application: it's called a proper security model.  When you're running as a non-root user, nothing you run can change your system binaries.  You still need to have the basic common sense to not run stuff you don't trust (binaries off IRC).

In general, I think your concern is based on your Windows experience. Linux has its own problems, but they aren't the Windows ones.

As for a more secure system, look into SELinux, GRSecurity, or one of the other hardening systems.  People have written kernel patches to require all binaries to be GPG signed, those might help what you are talking about.

On all linuxes, you can use tools like chkrootkit and AIDE to monitor the health of your system and to watch for breakins/viruses.

*Quote:*

> It goes for any OS. Keeping up2date is essential. But especially Gentoo has a problem here imo. I can't emerge -u world on a regular basis. I need the computing power for something else. And let's face it. 1 outta 5 world updates end up wrecking your system - I have seen several admins/veterans etc. that emphasize: Don't ever never update the world if you don't wanna spend the weekend fixing things. But is it enough to run the GLSA update?

I really doubt that your machine's CPU is maxed out 24/7.  If it is, well, updates on any system are going to be a problem.  If you're not using KDE and Openoffice.org, there won't be many updates that require much compile time.

As for stability of updates: I have a colocated machine that I have no physical access to, running Gentoo.  I "emerge sync && emerge -UDv world" on it every week.  In the last 6 months, it hasn't hosed me.  Likewise, on my home machine, I haven't had an update go bad for quite a while.  You can, of course, make a bad decision on an update ("hey, unemerging xfree shouldn't be bad, right?"), but that's not a problem of the OS/distro.

*Quote:*

> Now let's say that the system has been compromised. In that situation I really want my files to be encrypted. But I also don't want to manually decrypt every file or directory on an ad hoc basis. I need something more - ehm - automatic.

Your original question was "don't you agree?", to which I would say "yes". However, that doesn't help you much. What you need is loopback encryption. The old way was with "cryptoloop", the newer way (requiring a 2.6 kernel) is "dm_crypt". If you can work with just having an encrypted directory somewhere, this will tell you all you need to know. If you want a fully encrypted home directory, then you'll need to look at pam_mount, or something similar. This may sound like a lot of work, but it's really not bad.

*Quote:*

> Shouldn't I mount all system files as readonly? If I separate temporary files from system files, I should be able to mount the system as readonly, right? And don't you agree that it would make it almost impossible to exploit the system? For example it would make it impossible to alter my FTP/Mail server's configuration files.

Sure!  Once everything is set up, you probably can do that.  You'll need to figure out where all the stuff that gets written to lives, but that won't be too hard.  Someone may have even done that already for you, you'll just need to find it.

Updates will be an issue, but you could always remount read/write when you need to.

*Quote:*

> This is just an idea...I imagine a mail server. Once the server is up and running I activate a switch in the Linux system that takes a snapshot of the running services and locks the system from starting any other service or application. The only way is to allow local login from a user in the wheel group..that could "su" to stop the hard lock.
>
> I imagine that even if the TCP door was open, a remote attacker would not be able to execute anything. Is this thought a complete laugh? If yes...why
> ...

Well... there's a few problems with that, but nothing that couldn't be taken care of.

First: Running "su", for instance, is a program. Stopping execution means no su :Smile:

If you really want to do that, you could create a kernel module that would only allow things to be executed on a specific console or something. That borders on "intro to kernel programming" work.

That will definitely keep the kiddies out. A dedicated hacker, however, wouldn't be stopped by it. Once someone is to the code execution level (you get hacked), they could simply make the program they're exploiting do what they want, instead of running other programs. It raises the bar, which is good, but it's still not perfect.

Good luck.
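Houdini's pointer to chkrootkit and AIDE, as an added example that is not from the thread: a small integrity baseline in POSIX shell that shows what file-based checking does catch, and (per skovgyden's objection) what it cannot, namely changes that exist only in a running process. It assumes GNU coreutils (sha256sum, stat -c, mktemp); the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread: a minimal AIDE-style integrity
# baseline. Assumes GNU coreutils (sha256sum, stat -c, mktemp).
#
# baseline_create DIR DB
#   Records "<sha256>TAB<mode:uid:gid>TAB<path>" for every regular file
#   under DIR. Keep DB somewhere an intruder cannot rewrite (read-only
#   media, another host): a baseline stored on the monitored box is only
#   as trustworthy as the box itself.
baseline_create() {
    find "$1" -xdev -type f | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s\t%s\t%s\n' \
            "$(sha256sum -- "$f" | cut -d' ' -f1)" \
            "$(stat -c '%a:%u:%g' -- "$f")" \
            "$f"
    done > "$2"
}

# baseline_verify DIR DB
#   Rebuilds the listing and prints ADDED / CHANGED / REMOVED lines.
#   Returns 0 when nothing differs, 1 otherwise. Limits: content, mode or
#   owner changes of files on disk are reported; a process patched in
#   memory or a loaded kernel module leaves no trace here at all.
baseline_verify() {
    cur=$(mktemp) || return 2
    baseline_create "$1" "$cur"
    awk -F '\t' '
        FILENAME == ARGV[1] { old[$3] = $1 FS $2; next }   # baseline rows
        !($3 in old)                        { print "ADDED " $3;   n++ }
        ($3 in old) && old[$3] != $1 FS $2  { print "CHANGED " $3; n++ }
        { seen[$3] = 1 }
        END {
            for (p in old) if (!(p in seen)) { print "REMOVED " p; n++ }
            exit (n > 0)
        }' "$2" "$cur"
    rc=$?
    rm -f "$cur"
    return "$rc"
}
```

Run `baseline_create /etc /mnt/readonly/etc.db` once after setup and `baseline_verify /etc /mnt/readonly/etc.db` from cron; a non-zero exit with the printed lines is the alert.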

----------

## skovgyden

*Houdini wrote:*

> I really doubt that. You can't just upload an ebuild into portage and have everyone get it next time they emerge sync. It goes through the Gentoo dev team, who would notice something that emails out passwords (or whatever).

No..afaik userland ebuilds aren't audited. Just imagine the resources!

*Quote:*

> Sorry, which group do you trust more? I'm sure it's not the Windows applications (which you can't see the source of). The RedHat and SuSE applications are the same ones Gentoo uses, other than the install tools.

Actually I meant Windows :=) - I know I can't see the source, but I trust them not to actively (by intention) merge applications with exploits. And I also pay for it.

*Quote:*

> Yes, we have a great application: it's called a proper security model. When you're running as a non-root user, nothing you run can change your system binaries. You still need to have the basic common sense to not run stuff you don't trust (binaries off IRC).
>
> In general, I think your concern is based on your Windows experience. Linux has its own problems, but they aren't the Windows ones.
> ...

No, sorry but I think you got it wrong. If there IS a security model, it can be broken. Ever wonder why there's so much work being done to separate application-spaces from system-core? Just see the Linux kernel or the work done in OBSD. And there are some Linux applications out there to deal with the problem...(eg systrace), but I haven't found any in portage...

*Quote:*

> On all linuxes, you can use tools like chkrootkit and AIDE to monitor the health of your system and to watch for breakins/viruses.

True, but it's not monitoring process memory afaik.

*Quote:*

> As for stability of updates: I have a colocated machine that I have no physical access to, running Gentoo. I "emerge sync && emerge -UDv world" on it every week. In the last 6 months, it hasn't hosed me. Likewise, on my home machine, I haven't had an update go bad for quite a while. You can, of course, make a bad decision on an update ("hey, unemerging xfree shouldn't be bad, right?"), but that's not a problem of the OS/distro.

Yes..I guess those systems are out there as well :Smile:

I just don't trust an emerge world on a server. Also - I got about 4 Gentoo installations running at friends' and family's now...and I can't maintain those PCs...the users can't either. It has to be well-proven automated updating. Nothing less when talking mainstream desktop.

*Quote:*

> Your original question was "don't you agree?", to which I would say "yes". However, that doesn't help you much. What you need is loopback encryption. The old way was with "cryptoloop", the newer way (requiring a 2.6 kernel) is "dm_crypt". If you can work with just having an encrypted directory somewhere, this will tell you all you need to know. If you want a fully encrypted home directory, then you'll need to look at pam_mount, or something similar. This may sound like a lot of work, but it's really not bad.

No...this is excellent! Just what I am looking for...

*Quote:*

> Sure! Once everything is set up, you probably can do that. You'll need to figure out where all the stuff that gets written to lives, but that won't be too hard. Someone may have even done that already for you, you'll just need to find it.

My thought exactly...just can't find it "Gentoo-specific".

*Quote:*

> Updates will be an issue, but you could always remount read/write when you need to.

Yes...we're only talking serverwise here - and they will be updated manually anyway...no problem in that.

*Quote:*

> First: Running "su", for instance, is a program. Stopping execution means no su

No..you misunderstand me...the system would be locked for all new execution except the *local* login of user "joe". All root stuff is allowed locally. Thus making su or sudo possible for "joe".

*Quote:*

> If you really want to do that, you could create a kernel module that would only allow things to be executed on a specific console or something. That borders on "intro to kernel programming" work.

Yes...that's even better....you didn't misunderstand me after all :Smile:

*Quote:*

> That will definitely keep the kiddies out. A dedicated hacker, however, wouldn't be stopped by it. Once someone is to the code execution level (you get hacked), they could simply make the program they're exploiting do what they want, instead of running other programs. It raises the bar, which is good, but it's still not perfect.
>
> Good luck.
> ...

Thanks....hmm gotta think that execution prevention through some more :Smile:

----------

## r4d1x

*Quote:*

> 2. Keeping up-2-date.
>
> It goes for any OS. Keeping up2date is essential. But especially Gentoo has a problem here imo. I can't emerge -u world on a regular basis. I need the computing power for something else. And let's face it. 1 outta 5 world updates end up wrecking your system - I have seen several admins/veterans etc. that emphasize: Don't ever never update the world if you don't wanna spend the weekend fixing things. But is it enough to run the GLSA update?

I'm not so sure you got your facts straight on this one. Back when I first started with Gentoo, I'd do an emerge -u world every day. The only time something broke is when I forgot to etc-update, or edited a replaced file in /etc/conf.d after etc-update'ing the wrong way. Even then, most of them were quick fixes. Sure, adding 32840752398475 use flags wasn't a good idea either, but I blame all that on lack of experience.

----------

## skovgyden

*r4d1x wrote:*

> I'm not so sure you got your facts straight on this one. Back when I first started with Gentoo, I'd do an emerge -u world every day. The only time something broke is when I forgot to etc-update, or edited a replaced file in /etc/conf.d after etc-update'ing the wrong way. Even then, most of them were quick fixes. Sure, adding 32840752398475 use flags wasn't a good idea either, but I blame all that on lack of experience.

Perhaps you're right (I hope so). I'm on my fourth Gentoo installation...3 of them are going to be updated with -u world... :Shocked:

But just to "justify" my facts you might wanna read up on this thread: https://forums.gentoo.org/viewtopic.php?t=163377&highlight=glsa. Notice that we're talking about developers and admins recommending NOT to update world. My point is that they probably have their facts straight...or?

----------

## zerojay

*bzzzt*

Wrong, they are not telling people to never update world. They are telling people to never use the -U flag with emerge, period, including updating world. Using 'emerge -u world' is fine and has never broken my system, and most likely never will thanks to the use of /etc/portage/package.keywords.

----------

## r4d1x

Here's an interesting little "script" that I found while browsing the forums a while ago. I ended up setting it to a cron job just because it never fails (knock on wood).

```
# Fetch the current Portage tree
emerge sync

# Pretend first: show what -u (update) -D (deep, dependencies too) would do
emerge -uDpv world

# Then run the update for real
emerge -uDv world

# Remove packages nothing depends on any more (pretend, then for real)
emerge -pv depclean
emerge -v depclean

# Rebuild anything linked against libraries the update or depclean removed
revdep-rebuild -pv
revdep-rebuild -v

# Merge new config files (interactive)
dispatch-conf
```

----------

## zerojay

Yeah, that's the same script that was mentioned in the thread linked to above. Good stuff.

----------

## Koon

*skovgyden wrote:*

> is it enough to run the Glsa update?

Yes it is.

People running a supported arch (x86, ppc, amd64 or sparc) and using only stable ebuilds just need to update their system by following GLSA directives. They will be secure. glsa-check can help getting security updates automatically.

Of course, it doesn't protect you against configuration screwups or user errors.

- Koon / Gentoo Linux Security Team
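Koon's advice above (follow the GLSA directives, let glsa-check apply them) turned into a cron-safe job; this is an added example, not the thread's script nor gentoolkit's own code. It assumes Portage and app-portage/gentoolkit are installed, and the variables EMERGE, GLSA_CHECK, LOG and LOCK are this example's own so the job can be dry-run against stubs.

```shell
#!/bin/sh
# Added example, not code from the thread: an unattended security-update
# job built on glsa-check (app-portage/gentoolkit) instead of a blind
# "emerge -u world" from cron. The tool names are overridable variables
# (this example's own) so the job can be exercised against stubs.
: "${EMERGE:=emerge}"
: "${GLSA_CHECK:=glsa-check}"
: "${LOG:=/var/log/glsa-auto.log}"
: "${LOCK:=/run/glsa-auto.lock}"

log() { printf '%s %s\n' "$(date '+%F %T')" "$*" >> "$LOG"; }

# glsa_run: 0 = clean or fully fixed, 1 = advisories remain (needs a
# human), 2 = could not run (tool missing, sync failed).
glsa_run() {
    command -v "$GLSA_CHECK" >/dev/null 2>&1 || { log "glsa-check not found"; return 2; }
    # A stale tree would hide new advisories, so sync first.
    "$EMERGE" --sync --quiet >> "$LOG" 2>&1 || { log "sync failed"; return 2; }
    # -t prints, one id per line on stdout, the GLSAs whose vulnerable
    # package versions are installed; the human-readable header is on stderr.
    affected=$("$GLSA_CHECK" -t all 2>/dev/null)
    if [ -z "$affected" ]; then
        log "no GLSA applies"
        return 0
    fi
    log "applying: $(printf '%s' "$affected" | tr '\n' ' ')"
    # -f upgrades only the packages those advisories name; the rest of
    # world stays as it is, which is the point over emerge -u world.
    "$GLSA_CHECK" -f affected >> "$LOG" 2>&1 || log "fix reported errors"
    # Re-test: anything still listed is masked, keyworded or otherwise
    # not fixable automatically, so a person has to look at it.
    left=$("$GLSA_CHECK" -t all 2>/dev/null)
    if [ -z "$left" ]; then
        log "all GLSAs resolved"
        return 0
    fi
    log "still affected: $(printf '%s' "$left" | tr '\n' ' ')"
    return 1
}

# glsa_update: serialise runs with an atomic mkdir lock (cron may fire
# again while a long build is still going), run, then release the lock.
glsa_update() {
    mkdir "$LOCK" 2>/dev/null || { log "another run holds $LOCK"; return 2; }
    glsa_run
    rc=$?
    rmdir "$LOCK"
    return "$rc"
}
```

Call `glsa_update` from a daily cron entry and have cron mail you when the exit status is non-zero; the log then says which advisory is still open.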

----------

## GenKreton

*r4d1x wrote:*

> Here's an interesting little "script" that I found while browsing the forums a while ago. I ended up setting it to a cron job just because it never fails (knock on wood).
>
> ```
> emerge sync
>
> ...

If it's a cron job you may as well eliminate the pretends. And if you run it by hand, with the exception of the revdep-rebuild, I suggest you replace the -p with a -a. Just saves time.

----------

