
/tech/ - Technology


 No.547789

This thread is about the advantages of hardened kernels. Why would you use one? What are the advantages and disadvantages?

Would a hardened kernel really make one safer online? Would it really protect from, or slow down hackers?

How do they work?

inb4 ledditfag.

 No.547791

animu 2 bump


 No.547843

Read the fucking manual


 No.547884

cause if you don't linus will rape you in your sleep


 No.548168

>why would you secure your computer?

>what are the advantages and disadvantages?

>would securing your computer really make one safer online?

>would it really protect from, or slow down hackers?

>how does it work?


 No.548189

>>547789

Imo it's not worth the hassle if you're not a company which has at least 2 experts who maintain this shit 24/7. Secondly, it's not as secure as everyone thinks. SEL was found compromised recently due to a bug which was present in the code for several YEARS, making every SEL implementation basically worthless up to that date, no matter how well configured.

If you're into security go with compartmentalization. qubes, whonix. In IT security it's always better to assume that nothing is secure and build your system with mitigation in mind than trying to build a stronghold which contains several unknowns.

Security by isolation is the best approach you can have to achieve mitigation and security at the same time. Otherwise it's a waste of time and money.

Same goes for browsers. Why spend 100 hours trying to harden an already compromised browser if you could just use fucking Internet Explorer in a throwaway-sandbox.

If you can't afford a machine to run a qubes/whonix setup, you can just buy a cheap piece of hardware (old notebook / pc) and treat it as your sandbox and isolate it to your work/privacy related machine.


 No.548192

>>548168

he asked about hardening kernels you fucking quadra kike. It's good to explain things to new people from time to time, especially if you were a fucking pleb once yourself.


 No.548200

Yes.

You are missing out.


 No.548207

>>548189

This is the worst advice I have ever seen.

You should try to prevent getting pwned in the first place, which is what grsec tries to do, all while preparing to get pwned by compartmentalizing and sandboxing as you said.

You're saying "why should we bother trying to harden our software if it's already fucked?"


 No.548208

I've never understood why kernel.org (or even some 3rd party like linuxlibre) don't put out a stripped-down purpose-built hardened kernel, or a few different ones to choose from. I guess it's easy enough to roll your own tho.

I just don't trust shit like SEL or grsecurity for that matter. Better to roll your own I guess.


 No.548213

>>548208

>I just don't trust shit like SEL or grsecurity for that matter. Better to roll your own I guess

Do you trust the linux kernel? Do you trust Firefox? Do you trust your firmware? Do you trust your hardware? Do you trust every single process that's running your computer right now?


 No.548219

>>548213

>Do you trust the linux kernel?

Not especially.

>Do you trust Firefox?

Nope.

>Do you trust your firmware? Do you trust your hardware?

More than my OS, generally.

>Do you trust every single process that's running your computer right now?

Yes, all that are listed by ps, anyway...


 No.548221

>>548219

Why not trust grsec then? You do realize it's free right?


 No.548224

>>548221

It just seems like there should be a kernel.org kernel that's fucking tight-hard and built for security. That there is not is my main bitch against Linux. Honestly IMO the Linux kernel itself is the shittiest part of any given Linux distro.


 No.548233

>>you can just buy a cheap piece of hardware (old notebook / pc) and treat it as your sandbox and isolate it to your work/privacy related machine.

Perfect comment - physical separation.

Exactly! Who in this world told us only one laptop is allowed?


 No.548241

>>Would a hardened kernel really make one safer online?

Absolutely!

Hardening = look for ways to reduce the size of the attack surface ...

Best example: disable JavaScript in our browser. This is 'hardening'.

xtreme hardening for Android:

https://copperhead.co/android/

xtreme hardening for BSD:

https://hardenedbsd.org/

xtreme hardening for Debian:

https://subgraph.com/sgos/graph/index.en.html

https://subgraph.com/sgos/hardening/index.en.html

xtreme hardening for Gentoo:

https://wiki.gentoo.org/wiki/Project:Hardened

But more important is ENCRYPTION and FIREWALL.

SANDBOX = not hardening, more the control of a process.

Hardening is always a passive action or what you like to attack doesn't exist.


 No.548259

>>547789

Asking in the correct sticky.

Actually you and TP~* can step into >>>/oven/ , so that you stop shitting up /tech/ even more.


 No.548273

>>548207

>This is the worst advice I have ever seen.

This is the most ironically hyperbolic post I've ever made


 No.548318

Hardened kernels are useful in any applications where security is important.

Because most hardening mechanisms exhibit minimal slowdown, and because adding compiler flags and recompiling your kernel isn't particularly difficult, it is advisable to utilize hardening mechanisms wherever possible.

The only cons are slightly increased memory usage and reduced execution speed for some hardening mechanisms.
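
Added example (not part of the thread and not any poster's or project's code): a small audit of a kernel build config for a few hardening options that are set at compile time, as the post above describes. The symbols are current mainline Kconfig names chosen for illustration, not grsecurity/PaX options; the rule list and the sample config are constructed.

```shell
#!/bin/sh
# Audit a kernel build config for a few mainline hardening options.
# Illustrative, not exhaustive; grsecurity/PaX options are not covered.

# Rules: SYMBOL=y must be enabled, SYMBOL=n must not be enabled.
RULES="STACKPROTECTOR_STRONG=y RANDOMIZE_BASE=y STRICT_KERNEL_RWX=y
FORTIFY_SOURCE=y HARDENED_USERCOPY=y DEVMEM=n"

# Constructed sample config (not taken from any real system).
write_sample_config() {
    cat > "$1" <<'EOF'
CONFIG_STACKPROTECTOR=y
CONFIG_STACKPROTECTOR_STRONG=y
CONFIG_RANDOMIZE_BASE=y
# CONFIG_STRICT_KERNEL_RWX is not set
CONFIG_FORTIFY_SOURCE=y
# CONFIG_HARDENED_USERCOPY is not set
CONFIG_DEVMEM=y
EOF
}

# audit_config FILE: print one PASS/FAIL line per rule;
# exit status 0 if every rule passes, 1 otherwise.
audit_config() {
    cfg=$1
    status=0
    for rule in $RULES; do
        sym="CONFIG_${rule%=*}"
        want="${rule#*=}"
        # "# CONFIG_X is not set" and a missing line both count as disabled.
        if grep -q "^${sym}=y\$" "$cfg"; then got=y; else got=n; fi
        if [ "$got" = "$want" ]; then
            echo "PASS ${sym}=${got}"
        else
            echo "FAIL ${sym}=${got} (want ${want})"
            status=1
        fi
    done
    return "$status"
}

# Usage: script [config-file]; without an argument the sample is audited.
target=${1:-}
if [ -z "$target" ]; then
    target=$(mktemp)
    write_sample_config "$target"
fi
audit_config "$target" || echo "one or more hardening options missing"
[ -n "${1:-}" ] || rm -f "$target"
```

On a real system the argument would typically be the distribution's installed config, for example `/boot/config-$(uname -r)`.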


 No.548371

>>548189

>Container is compromised because of buffer overflow vulnerability

>Attacker escalates privileges because all security measures were relegated to the compartmentalization software

>Get pwnd anyway

You know grsecurity does way more than permission control, right? Fuck, you can use it for containers too.

>>548208

Are you seriously considering coding your own patches? Why not go all the way and code your own kernel from scratch too?

>>548318

>The only cons are slightly increased memory usage and reduced execution speed for some hardening mechanisms.

Someone should tell the Debian maintainers about that. More specifically, the Iceweasel maintainer seems to have little to no idea about hardening.



