some questions, some answers, ...

On Sun, Aug 11, 2013 at 2:27 AM, coderman <coderman@gmail.com> wrote:
> ... 1. use a common distro, but rebuild critical components - bootloader, initramfs, openssl, openssh, the kernel, gnutls, libgmp, use 64bit, etc.

this means rebuilding hardened versions of these libraries from source: excluding insecure cipher suites in an OpenSSL build, for example, or altering architecture optimizations and supported features in others, the goal being that an exploit targeted to a vanilla distribution will more likely fail with an observable error or crash, rather than succeed silently. many exploits are very brittle in this respect, with any change in symbol offsets or capabilities rendering them completely ineffective.
> 2. use isolation and RBAC, Qubes, VirtualBox, VMWare, Parallels, remember that VM escapes are available and expected. defense in depth can never be too deep.

virtualization implies chained exploits for full compromise. combined with the above, you've drastically increased the cost of a successful attack with modest effort. the likelihood of detection (by appearing vulnerable yet not being so) is also increased. remember that VMMs and hypervisors are themselves potentially vulnerable software systems suitable for hardening and customization.
> 3. use constrained network access - identify anomalies, control bandwidth, firewall ingress and egress aggressively. this implies constant monitoring to detect such events. (another exercise left to the reader)

data exfiltration can be very visible via network behavior if you're paying attention. cross-referencing connection state in your upstream router vs. the local OS view of sockets can identify discrepancies where a compromise has concealed covert connections. malware communicating directly on an ethernet or wireless adapter outside of the OS is also visible at this junction.
> 4. rootkit and backdoor your own systems - use the dirty tricks to observe and constrain your system before someone else uses dirty tricks to compromise your system.

this is mostly a variant of #1 at a kernel / system level. like notepad.exe connecting to the internet, there are some syscall, file access, and network requests which are clearly anomalous and indicators of compromise.
> 5. don't forget physical security - this is the universal oversight and most effective end run around all other operational and technical security measures. there is a reason physical access so often implies "game over" and why black bag jobs are still and will continue to be effective against all targets.

this is a storied tangent unto itself...

last but not least: you must develop a routine of continuous hardening and improvement. these steps are not done once and finished; they are elements within a larger strategy of operational rigor defending against motivated and capable attackers. asking for my "hardened linux build" is missing the point entirely!
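The cross-referencing idea from #3 (router connection state vs. the host's own socket table) and the anomaly idea from #4 (a process talking to a port it has no business reaching) can both be reduced to a small audit script. The following is an added example, not code from the original mail; it parses constructed, conntrack-style lines as a router would export them and constructed `ss -tnp` output from the host, then reports flows the router carries for the host that the host does not show (a concealed connection) and locally visible flows whose owning process falls outside a hypothetical process/port baseline. The host address, the sample lines and the BASELINE mapping are all assumptions made up for the example.

```python
import re
from collections import namedtuple

# A TCP flow as seen from the host: local source port plus remote endpoint.
Flow = namedtuple("Flow", "sport dst dport")

HOST_IP = "10.0.0.23"  # constructed: the monitored host's LAN address

# Constructed sample: conntrack-style table exported from the upstream router.
# Each line carries the original direction first, then the reply direction.
ROUTER_CONNTRACK = """\
tcp 6 431999 ESTABLISHED src=10.0.0.23 dst=93.184.216.34 sport=51234 dport=443 src=93.184.216.34 dst=10.0.0.23 sport=443 dport=51234 [ASSURED]
tcp 6 431999 ESTABLISHED src=10.0.0.23 dst=198.51.100.77 sport=40001 dport=6667 src=198.51.100.77 dst=10.0.0.23 sport=6667 dport=40001 [ASSURED]
tcp 6 120 ESTABLISHED src=10.0.0.23 dst=203.0.113.9 sport=40002 dport=22 src=203.0.113.9 dst=10.0.0.23 sport=22 dport=40002 [ASSURED]
tcp 6 431999 ESTABLISHED src=10.0.0.50 dst=93.184.216.34 sport=33000 dport=443 src=93.184.216.34 dst=10.0.0.50 sport=443 dport=33000 [ASSURED]
"""

# Constructed sample: what `ss -tnp` reports on the host itself.
# Note the 6667 flow above is absent here, as a kernel rootkit hiding a socket would make it.
LOCAL_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB  0      0      10.0.0.23:51234    93.184.216.34:443 users:(("firefox",pid=2210,fd=61))
ESTAB  0      0      10.0.0.23:40002    203.0.113.9:22    users:(("python3",pid=3141,fd=5))
"""

# Hypothetical baseline (per #4): which programs are expected to reach which ports.
BASELINE = {"firefox": {80, 443}, "ssh": {22}}

# First src/dst/sport/dport group on a conntrack line is the original direction.
CT_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")
# Established rows of `ss -tnp`; the process column is optional (absent without root).
SS_RE = re.compile(r'^ESTAB\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+)(?:\s+users:\(\("([^"]+)")?')


def parse_conntrack(text, host_ip):
    """TCP flows originating from host_ip, as the router sees them."""
    flows = set()
    for line in text.splitlines():
        if not line.startswith("tcp"):
            continue
        m = CT_RE.search(line)
        if m and m.group(1) == host_ip:
            flows.add(Flow(int(m.group(3)), m.group(2), int(m.group(4))))
    return flows


def parse_ss(text):
    """Established TCP flows from the host's own socket table, mapped to owning process."""
    flows = {}
    for line in text.splitlines():
        m = SS_RE.match(line)
        if m:
            flows[Flow(int(m.group(2)), m.group(3), int(m.group(4)))] = m.group(5)
    return flows


def concealed_flows(router_flows, local_flows):
    """Flows the router carries for this host that the host's socket table does not show."""
    return router_flows - set(local_flows)


def unexpected_flows(local_flows, baseline):
    """Locally visible flows whose owning process is not in the baseline for that port."""
    return sorted((proc, f.dst, f.dport) for f, proc in local_flows.items()
                  if f.dport not in baseline.get(proc, set()))


def audit(router_text, local_text, host_ip, baseline):
    """Run both checks; returns (concealed flow set, list of unexpected (process, dst, port))."""
    router = parse_conntrack(router_text, host_ip)
    local = parse_ss(local_text)
    return concealed_flows(router, local), unexpected_flows(local, baseline)


if __name__ == "__main__":
    hidden, odd = audit(ROUTER_CONNTRACK, LOCAL_SS, HOST_IP, BASELINE)
    for f in sorted(hidden):
        print(f"CONCEALED: router sees {HOST_IP}:{f.sport} -> {f.dst}:{f.dport}, host does not")
    for proc, dst, port in odd:
        print(f"UNEXPECTED: {proc} -> {dst}:{port} not in baseline")
```

Run against the sample data it flags the IRC-port flow that the host's socket table never shows, and the python3 process reaching port 22 that the baseline does not cover. In practice the router view comes from something like `conntrack -L` on the gateway and the host view from `ss -tnp` taken at the same moment; the comparison only holds if the two snapshots are close in time, so short-lived flows will produce noise and are worth filtering by age before alerting.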