-
Notifications
You must be signed in to change notification settings - Fork 0
/
secure-workstation.html
244 lines (242 loc) · 16.2 KB
/
secure-workstation.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<meta http-equiv="Content-Type" content="application/xhtml+xml; charset=UTF-8" />
<meta name="generator" content="AsciiDoc 8.6.8" />
<title>The Secure Workstation</title>
<link rel="stylesheet" href="/css/reset.css" type="text/css" />
<link rel="stylesheet" href="/css/modern.css" type="text/css" />
<link rel="stylesheet" href="/css/pygments.css" type="text/css" />
</head>
<body class="article">
<div id="container">
<div id="wrapper">
<div id="header">
<h1>The Secure Workstation</h1>
<p class="postinfo">Posted by <a href="mailto:<cwhite@engineyard.com>">Chris White</a> on Tue Feb 19 PST 2013</p>
</div>
<div id="menu">
<ul>
<li><a href="/">Home</a></li>
<li>|</li>
<li><a href="/articles.html">Articles</a></li>
</ul>
</div>
<div id="content">
<h2 id="_introduction" class="sect1">Introduction</h2>
<p class="paragraph">For many companies the fear of a security breach can put great stress on those involved. With the recent <a href="http://www.facebook.com/notes/facebook-security/protecting-people-on-facebook/10151249208250766">Facebook breach due to employee laptops being compromised</a>, a plan came to mind on how to create a fairly secure workstation. Having some experience working on <a href="https://github.com/cwgem/catalyst-support">Grsecurity backed EC2 images</a>, I began the task of working on such a system.</p>
<h2 id="_distribution" class="sect1">Distribution</h2>
<p class="paragraph">I chose Gentoo for my distribution of choice, primarily due to familiarity,and also due to the fact that the <a href="http://www.gentoo.org/proj/en/hardened/">Hardened Gentoo Project</a> puts a considerable amount of effort in supporting the security components of interest. For example, there is the hardened toolchain, which introduces technologies such as <a href="http://www.research.ibm.com/trl/projects/security/ssp/">stack smashing protector</a> and <a href="http://linuxfromscratch.xtra-net.org/hlfs/view/unstable/glibc-2.4/chapter02/pie.html">position independent code</a>. This helps with exploits that utilize buffer overflows or assumed memory addresses.</p>
<p class="paragraph">However one caveat is that to gain the full benefit of the hardened toolchain, compiling becomes even more necessary than a standard Gentoo install. That means staying away from binaries of libreoffice, firefox, chromium, etc. In order to get around this, standardize hardware along with something close to the <a href="https://github.com/cwgem/catalyst-support">Gentoo catalyst build scripts</a> developed can serve as a binary package server to workstatons. This allows for secure, standard binaries customized to business needs and reducing the amount of IT support necessary.</p>
<p class="paragraph">Since the hardened desktop profiles in Gentoo where deprecated, a custom profile was developed which merged the KDE desktop profile and the hardened profile. They were placed in a <code>/usr/local/portage</code> overlay with the following structure:</p>
<div class="listingblock">
<div class="content"><div class="highlight"><pre>orchard portage # tree
.
└── profiles
├── hardened-desktop
│ └── parent
└── repo_name
</pre></div></div></div>
<p class="paragraph">where <code>repo_name</code> is simply a text file with the name of the repository, <code>hardened-custom</code>. The parent file is a list of profiles to inherit from, relative to the directory where the file exists. In this case it contains:</p>
<div class="listingblock">
<div class="content"><div class="highlight"><pre>../../../../portage/profiles/targets/desktop/kde
../../../../portage/profiles/hardened/linux/amd64
</pre></div></div></div>
<p class="paragraph">This easily combines the two profiles giving the benefits of the hardened toolchain, with the requirements for having a suitable KDE desktop. Finally the stable keyword branch of Gentoo was utilized to remain as solid as possible. The main exception to that was using a non-stable marked kernel and a few other required packages to be as up to date as possible and keep in line with the latest Grsecurity patches.</p>
<h2 id="_kernel" class="sect1">Kernel</h2>
<p class="paragraph">The kernel used is hardened-sources-3.7.8, which includes the <a href="http://grsecurity.net/">Grsecurity patchset</a>, as well as a few other security related patchsets. The importance of utilizing this patchset can be addressed by this quote from the project website:</p>
<div class="quoteblock">
<div class="content">
<p class="paragraph">Unlike other expensive security "solutions" that pretend to achieve security through known-vulnerability patching, signature-based detection, or other reactive methods, grsecurity provides real proactive security. The only solution that hardens both your applications and operating system, Grsecurity is essential for public-facing servers and shared-hosting environments.</p>
</div>
<div class="attribution">
</div></div>
<p class="paragraph">While keeping the system up to date is important, it’s often hard to keep up with complete accuracy. Grsecurity comes in by providing protection against common attack vectors that most exploits utilize. Configuring Grsecurity in the kernel is incredibly easy, and can be achieved by simply using auto configuration and setting to Desktop accordingly:</p>
<div class="listingblock">
<div class="content"><div class="highlight"><pre>[*] GRsecurity
Configuration Method ( Automatic ) --->
Usage Type (Desktop) --->
Virtualization Type (None) --->
Required Priorities (Performance ---->
Default Special Groups --->
Customize Configuration --->
</pre></div></div></div>
<p class="paragraph">Here performance was emphasized as the workstation is often utilized for compile work, and as such becomes an important factor. The file system settings are also important, in this case using ext4. It’s okay to go with another file system instead, but it’s recommend to enable extended attributes:</p>
<div class="listingblock">
<div class="content"><div class="highlight"><pre><*> The Extended 4 (ext4) filesystem
-*- Ext4 extended attributes
[*] Ext4 POSIX Access Control Lists
[*] Ext4 Security Labels
[ ] EXT4 debugging support
</pre></div></div></div>
<p class="paragraph">This allows for adjusting PaX headers on binaries like Skype, which don’t deal well with binary tampering.</p>
<h2 id="_notable_software" class="sect1">Notable Software</h2>
<h3 id="_the_list" class="sect2">The List</h3>
<p class="paragraph">Working at EngineYard I use a number of tools to help with various tasks. Of importance to this project was the following list of software:</p>
<ul class="ulist">
<li>
Amarok - Show that something "fun" still works in a hardened environment.
</li>
<li>
KDE - Just a personal preference, so pick whatever suits your needs.
</li>
<li>
Chromium - A browser with a solid security model. Also lets passwords be stored using the system keychain (in this case KWallet). No Java, Flash, or PDF plugins will be utilized.
</li>
<li>
Thunderbird - Handle interaction with email. As a bonus it also has great support for <a href="https://support.mozillamessaging.com/en-US/kb/digitally-signing-and-encrypting-messages">digital signatures</a> and <a href="http://kb.mozillazine.org/Getting_an_SMIME_certificate">email certificates</a>.
</li>
<li>
LibreOffice - Provides basic office suite functionality.
</li>
<li>
Skype - Being a company with remote users, this is often used to setup business meetings.
</li>
<li>
Google Talk - For the times when a regular phone call is necessary.
</li>
<li>
DropBox - Synchronize files with iPad and other devices.
</li>
<li>
Irssi - Connect to IRC there is company work based around open source software, which general communicates with IRC.
</li>
</ul>
<h3 id="_caveats" class="sect2">Caveats</h3>
<h4 id="_skype" class="sect3">Skype</h4>
<p class="paragraph">Skype has a binary tampering system which prevents flagging some security protections off so it works properly. While this is rather unfortunate Skype is an essential business tool. With that in mind it takes a few steps to get it running:</p>
<div class="listingblock">
<div class="content"><div class="highlight"><pre># mkdir -p /etc/portage/package.unmask
# mkdir -p /etc/portage/package.license
# echo '=net-im/skype-4.1.0.20' >> /etc/portage/package.keywords/skype
# echo '=net-im/skype-4.1.0.20 skype-4.0.0.7-copyright' >> /etc/portage/package.license/skype
# emerge skype
# paxctl -c /opt/bin/skype
# paxctl -m /opt/bin/skype # disable MPROTECT so it actually runs
</pre></div></div></div>
<p class="paragraph">After this and some headset setup Skype worked without a hitch and showed no issues during two group meetings.</p>
<h4 id="_dropbox" class="sect3">DropBox</h4>
<p class="paragraph">Same here with needing to disable protections. This was achieved through doing:</p>
<div class="listingblock">
<div class="content"><div class="highlight"><pre># emerge dropbox
# paxctl -c /opt/dropbox/dropbox
# paxctl -m /opt/dropbox/dropbox
</pre></div></div></div>
<h4 id="_google_talk" class="sect3">Google Talk</h4>
<p class="paragraph">This needs to use the latest version to keep up with the Google download page:</p>
<div class="listingblock">
<div class="content"><div class="highlight"><pre># echo 'www-plugins/google-talkplugin' >> /etc/portage/package.keywords/googletalk
# echo '=www-plugins/google-talkplugin-3.13.2.0 Google-TOS' >> /etc/portage/package.license/googletalk
</pre></div></div></div>
<p class="paragraph">That enables usage of Google Voice for phone calls in Chromium. Nothing had to be disabled for it protection wise to work.</p>
<h2 id="_home_directory_encryption" class="sect1">Home Directory Encryption</h2>
<p class="paragraph">This was put off till the end in order to avoid dealing with too much trouble during setup. After much research I came to the conclusion that using <a href="http://www.arg0.net/encfs">encfs</a> would allow for a reasonable balance in having a secure system and time to setup. Everything that would contain personal documents was in <code>/home</code>, so the idea was to encrypt that alone and leave the rest of the system (freely available software) to its own. As this works with FUSE, support will need to be enabled in the kernel, and fuse (sys-fs/fuse) will need to be installed.</p>
<p class="paragraph">First is to logout of the system entirely for all users. In this case there was only one user. Also X11 based login managers such as gdm, kdm, and xdm will all need to be shutdown. Next, have a root screen up to handle the administrative tasks, and be sure it isn’t in the <code>/home</code> directory somewhere. Now to create an encrypted location for <code>/home</code> to map to:</p>
<div class="listingblock">
<div class="content"><div class="highlight"><pre># mv /home /home.orig
# mkdir /home /home.enc
# encfs --public /home.enc /home
</pre></div></div></div>
<p class="paragraph">This creates a directory, <code>/home.enc</code>, where all of the <code>/home</code> files will be in encrypted form. <code>/home</code> will become the unencrypted version when the proper key is given. From then on all files that go to <code>/home</code> are encrypted. <code>--public</code> was provided to make DropBox work properly, which will fail to run without it set. When first run, <code>encfs</code> will promopt:</p>
<div class="listingblock">
<div class="content"><div class="highlight"><pre>Creating new encrypted volume.
Please choose from one of the following options:
enter "x" for expert configuration mode,
enter "p" for pre-configured paranoia mode,
anything else, or an empty line will select standard mode.
?>
</pre></div></div></div>
<p class="paragraph">Here standard mode was selected by simply pressing enter. This provides a reasonable balance between security an performance for a desktop system. After selection of the security mode, a prompt will appear to set the key for encryption. Enter the password and remember, if you lose it your home data will no longer be accessible in plain form. It’s recommended to back up the data to a tarball somewhere, and then use gpg encryption to secure it:</p>
<div class="listingblock">
<div class="content"><div class="highlight"><pre># tar cjpvf /backup/someplace/home-backup.tar.bz2 /home.orig
# gpg -c /backup/someplace/home-backup.tar.bz2
</pre></div></div></div>
<p class="paragraph">Later backups can be retrieved by running:</p>
<div class="listingblock">
<div class="content"><div class="highlight"><pre># gpg /backup/someplace/home-backup.tar.bz2.gpg
</pre></div></div></div>
<p class="paragraph">Which will prompt for the password used to protect the file, and decrypt if it was successfully entered. Now it’s time to encrypt the home data by simply copying the old data to the new encrypted home:</p>
<div class="listingblock">
<div class="content"><div class="highlight"><pre># rsync -a --progress /home.orig/ /home/
</pre></div></div></div>
<div class="admonitionblock">
<table><tr>
<td class="icon">
<img src="/images/warning.png" alt="Warning" />
</td>
<td class="content">You don’t need to do this if you use a desktop login system like <code>xdm</code></td>
</tr></table>
</div>
<p class="paragraph">One final step for X11 users is to get around an issue with the Xauthority file not locking properly. The following snippet can be added to the user shell’s rc file (<code>~/.bashrc</code> for example):</p>
<div class="listingblock">
<div class="content"><div class="highlight"><pre>export XAUTHORITY=/tmp/.Xauthority-$USER
export ICEAUTHORITY=/tmp/.ICEauthority-$USER
</pre></div></div></div>
<p class="paragraph">From there X11 should start without any issues.</p>
<h2 id="_conclusion" class="sect1">Conclusion</h2>
<p class="paragraph">Using this system I was able to confirm the following:</p>
<ul class="ulist">
<li>
Skype works without any issues, and the other party is able to hear me okay
</li>
<li>
Google Voice plugin works
</li>
<li>
Thunderbird shows no issues, and is able to perform well with emails running into the ten thousands
</li>
<li>
LibreOffice did not show any issues as was expected
</li>
<li>
DropBox indexes and downloads okay
</li>
<li>
Amarok is able to play audio just fine
</li>
<li>
Chromium is able to visit most major site without issue (save Flash based sites of course)
</li>
<li>
Irssi connects just fine, though it was not anticipated that it would have any issues
</li>
</ul>
<p class="paragraph">As for what’s next:</p>
<ul class="ulist">
<li>
Evaluate the security of Java and WebEx for desktop sharing meetings (for now phone dial-in is always an option)
</li>
<li>
Figure out how to secure irssi passwords for NickServ and server authentication
</li>
<li>
Look into a CampFire desktop solution, with the web version currently being a suitable alternative
</li>
</ul>
<p class="paragraph">I hope this guide shows that through even with the security provided through compile time and Grsecurity kernel protection, a reasonable workstation can be setup to provide practical usage. It will be interesting to see how these technologies will progress in the future to work towards further lessening the gap between security and usability.</p>
</div>
<div id="footer">
<p id="footer-text">
Last updated 2013-03-24 18:51:31 PDT
</p>
<div id="footer-badges">
<a href="http://validator.w3.org/check?uri=referer">
<img style="border:0;width:88px;height:31px"
src="http://www.w3.org/Icons/valid-xhtml11-blue"
alt="Valid XHTML 1.1" height="31" width="88" />
</a>
<a href="http://jigsaw.w3.org/css-validator/">
<img style="border:0;width:88px;height:31px"
src="http://jigsaw.w3.org/css-validator/images/vcss-blue"
alt="Valid CSS!" />
</a>
<a rel="license" href="http://creativecommons.org/licenses/by/3.0/us/">
<img alt="Creative Commons License" style="border-width:0" src="http://i.creativecommons.org/l/by/3.0/us/88x31.png" />
</a>
</div>
</div>
</div>
</div>
</body>
</html>