Linux – What to use to harden Linux box? Apparmor, SELinux, grsecurity, SMACK, chroot


I am planning to go back to Linux as a desktop machine.
I would like to make it more secure and try a few hardening techniques, especially since I plan to get my own server.

  • What would be a good, sane hardening strategy? Which tools should I use – AppArmor, SELinux, SMACK, chroot?
  • Should I use just one tool, e.g. AppArmor, or a combination of the above?
  • Which advantages/disadvantages do these tools have? Are there any others?
  • Which ones have a sane configuration-to-security (improvement) ratio?
  • Which one would I rather use in a desktop environment? Which one in a server environment?

So many questions.

Best Answer

AppArmor is usually thought to be simpler than SELinux. SELinux is quite complex and may be used even in military applications, while AppArmor tends to be simpler. SELinux operates at the i-node level (i.e. restrictions are applied in the same way as ACL or UNIX permissions - on the other hand) while AppArmor applies at the path level (i.e. you specify the access based on path, so when the path changes it may not apply). AppArmor can also protect subprocesses (like mod_php only), but I am somewhat skeptical about the real use of it. AppArmor seems to be finding its way into the mainline kernel (it is in -mm IIRC).

I don't know much about SMACK, but it looks like a simplified SELinux from the description. There is also RSBAC if you would like to look at it.

chroot has a limited scope of use and I don't think it would be of much use in a desktop environment (it can be used to separate daemons from access to the whole system - like a DNS daemon).

For sure, it is worth applying 'generic' hardening such as PaX, -fstack-protector etc. You can use chroot when your distro supports it, and the same goes for AppArmor/SELinux. I guess SELinux is better suited for high-security areas (it has much better control over the system) and AppArmor is better for simple hardening.

In general, I wouldn't bother to harden a generic desktop very much, except for switching off unused services, updating regularly, etc., unless you work in a highly secured area. If you want to secure it anyway, I would use what your distro supports. Many of them need application support to be effective (e.g. compiling tools to support attributes, written rules), so I would advise using what your distro supports.
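The i-node versus path distinction made in the answer can be seen with a toy model. This is an added example, not part of the original answer: it does not call SELinux or AppArmor, and the rule `secret/*`, the label `secret_t` and all function names are constructed for illustration.

```python
import fnmatch
import os
import tempfile

# Toy model only: neither SELinux nor AppArmor is invoked here.
PATH_RULES = [("secret/*", "deny")]  # constructed path-based rule


def file_id(path):
    """Identity of the underlying object: (device, inode)."""
    st = os.stat(path)
    return (st.st_dev, st.st_ino)


def path_decision(rel_path):
    """Path-based check: the verdict depends on the name used for access."""
    for pattern, verdict in PATH_RULES:
        if fnmatch.fnmatch(rel_path, pattern):
            return verdict
    return "allow"


def label_decision(path, labels):
    """Label-based check: the verdict depends on the object itself."""
    return "deny" if labels.get(file_id(path)) == "secret_t" else "allow"


def demo():
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "secret"))
        os.makedirs(os.path.join(root, "public"))
        original = os.path.join(root, "secret", "key.txt")
        with open(original, "w") as fh:
            fh.write("constructed sample data\n")
        labels = {file_id(original): "secret_t"}  # label bound to the inode
        before = path_decision("secret/key.txt")

        alias = os.path.join(root, "public", "key.txt")
        os.link(original, alias)      # second name, same inode
        moved = os.path.join(root, "public", "moved.txt")
        os.rename(original, moved)    # path changes, inode stays
        return {
            "path_before": before,
            "same_inode": file_id(alias) == file_id(moved),
            "path_alias": path_decision("public/key.txt"),
            "path_moved": path_decision("public/moved.txt"),
            "label_alias": label_decision(alias, labels),
            "label_moved": label_decision(moved, labels),
        }
```

In this model the label keeps denying access under every name, while the path rule stops matching once the file is reachable outside `secret/`, so a path-based policy has to account for linking and renaming as well as for the original location.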
