How to design my system? Global system + VMs (Security/Flexibility)

Zzipo · 2013-07-20 10:50:35

Hello,

I have read about LUKS, but I don't know if it is too early to start considering it (maybe for the future).

I want to divide the HDD in the best possible way taking care of SECURITY - PERFORMANCE - FLEXIBILITY (probably all is impossible), but I am completely new to this.

I have experienced several problems combining grsec+virtualbox, so, I will need to change virtualbox with KVM (I have seen someone that make it works with grsec).

I don't know how to divide the workstation, I can differenciate four different tasks that I want to perform:

a) Free time: Reading emails (thunderbird) + surfing the Web + torrent + pdfs + latex + libreoffice + emacs
[Used everyday and 100% of the time]

b) Design: Gimp + Inkscape
[Used 1 of 15 days, but when used, for hours/days]

c) Developing: Java, PHP, Databases, CSS,... so, Apache, MySQl, Eclipse, Emacs
[Used everyday and 50-100% of the time]

d) Windows: specific apps and testing.
[Used 1 of 7 days, but when used, for hours]

So far, I am used to use archlinux with KDE + virtualbox with WindowsXP, and it is easy, but KDE is heavy and virtualbox doesn't work with grsec properly. I have discovered recently vagrant, and I don't know what would be the best approach.
I use emacs as my normal text editor for everything, and if I am going to divide in four different environments, maybe I will need to have a clone copy of emacs config in every env.

Global
---ArchLinux + grsec Kernel + iptables firewall + tomoyo
---Slim + awesome/xmonad
---KVM (shared folders for the different virtualmachines to connect globally to share resources if needed)
---Apps: thunderbird, firefox, torrents, okular (or others without KDE), latex, libreoffice, emacs?
***Q1) those apps are "heavy" and consume resources, but they are going to be used almost constantly, is it better this approach or create a different VM for them?

VirtualMachines for KVM
***Q2) Should be better to protect also every environment with a patched kernel with its own grsec?
------Design
---------ArchLinux vanilla (Security problems?)
---------Slim + awesome/xmonad
---------Apps: Gimp, Inkscape, video edition?
---------Problems: If I need other resources, surf web, edit text,... comfortable switch to global?

------Developing
---------ArchLinux vanilla (Security problems?)
---------Slim + awesome/xmonad
---------Apps: Use vagrant for different boxes for different developing environments, eclipse, emacs
---------Problems: If I need other resources, surf web, edit text,... comfortable switch to global?

------Windows
---------Win XP/7...

***Q3) I thought to use a really light global system to manage fluently all the different environments. What could be the best approach for my purpose?

***Q4) What is better considering both security ~ performance?
a) Global system with grsec + every VM with grsec
b) Global system with grsec + every VM vanilla
c) Global system vanilla + every VM with grsec

***Q5) If I want to use LUKS or truecrypt, what would be the best approach for my purposes? encryption of whole VM env?

I am not in a hurry, i accept every advice

Thank you in advance.

Lone_Wolf · 2013-07-20 12:17:26

***Q1) those apps are "heavy" and consume resources, but they are going to be used almost constantly, is it better this approach or create a different VM for them?

those apps don't seem particularly heavy to me, what are the hardware specs (processor , memory, HDD/SSD sizes) of your system ?

brebs · 2013-07-20 13:31:15

maybe I will need to have a clone copy of emacs config in every env

I don't see the point of having multiple Arch virtual machines - you're just duplicating effort, having to maintain several installations of Arch, rather than one.

Why choose Tomoyo over AppArmor? AppArmor is actually used by major distros, e.g. Ubuntu & OpenSuse, and has a much nicer syntax. The kernel patches are here.

Zzipo · 2013-07-20 14:32:49

@Lone_Wolf
I will do it in one computer, but If it works as I wish, I will do it in other computer with fewer specs. The first test will be in the "heavytank" AMD 6 cores 8GiB RAM 250GB SSD and 2TB HDD.

But other computers will be 2 cores 4GiB RAM and around 500GiB HDD.

My problem is not about specs but about flexibility/security. For example, I am really used to work as PDF reader with Okular, but it needs lot of dependencies from KDE... and probably I will use it, because is really better than other PDF readers (are lighter but with far less features that I use). But I would like to use an global system (environment) that properly manage several VM fluently, and it is because I thought to substitute KDE by awesome or xmonad.

@brebs

That is true, but the point to virtualize is to can use the same system to develop/design/work/test on win in different machines without effort, or even in the same machine if it is compromised.... just import new VM cloned previously.

I said Tomoyo because I was reading a couple of months ago about all and Tomoyo looked like to me better than AppArmor, but I really don't mind, could be everyone.

I am asking about this because for the last year I have been in serious problems because of attacks that destroy the whole system I am really tired of starting with the installation from zero... VM helps me a lot with that, but I don't know how to manage/design the system properly to achieve my goal of different environments for different purposes (and replaceable under attack or migration to different system) and with flexibility/security rules.

The problem with me is how to design the system properly.

brebs · 2013-07-20 16:46:30

Zzipo wrote:

attacks that destroy the whole system

Please elaborate. Do you know what apps are exploited?

Zzipo · 2013-07-20 18:17:24

I think that is not the purpose of this thread, but it seems to happen since long ago. The "funny" thing is that is in a home environment, and it has happened three times in a year.... first Opensuse (Thread) and I didn't know what happened, then I needed to have a partial solution (because I needed to move for a long) and because of the users I put Windows + firewalls + antimalware + antivirus.... two months ago, something happened during surfing (it is weird because it happened when a user was using a official government website), the machine was "freezed" and on reboot grub stage 1.5 error 22 (linux was "disabled" for the users... only windows for the last months). Now, I connect my own laptops to the internal network and I get the same weird things as long ago: after systemctl start dhcpcd@eth0 the transient hostname is "unknown[several numbers]", and it gets slow. Also, errors with emacs, firefox,.... no protocol specified (no display :0), but it is because of the changed hostname. The only solution: log out and log in, and in between modifying the hostname from root account (hostnamectl set-hostname localhost).

I forgot: probably the "attacks" were through flash/java applets.

This is the really short version.

But the point of this thread is not only security, but flexibility with the system (I am a developer).

Thanks

Last edited by Zzipo (2013-07-20 18:17:49)

brebs · 2013-07-20 18:36:09

Zzipo wrote:

probably the "attacks" were through flash/java applets.

So get AppArmor set up, and lock firefox down. This includes the applets run by firefox.

Here's my (old) AppArmor profile for firefox.

progandy · 2013-07-20 21:05:29

Instead of real virtual machines you might be interested in linux containers.
https://wiki.archlinux.org/index.php/Linux_Containers

Arch Linux

#1 2013-07-20 10:50:35

How to design my system? Global system + VMs (Security/Flexibility)

#2 2013-07-20 12:17:26

Re: How to design my system? Global system + VMs (Security/Flexibility)

#3 2013-07-20 13:31:15

Re: How to design my system? Global system + VMs (Security/Flexibility)

#4 2013-07-20 14:32:49

Re: How to design my system? Global system + VMs (Security/Flexibility)

#5 2013-07-20 16:46:30

Re: How to design my system? Global system + VMs (Security/Flexibility)

#6 2013-07-20 18:17:24

Re: How to design my system? Global system + VMs (Security/Flexibility)

#7 2013-07-20 18:36:09

Re: How to design my system? Global system + VMs (Security/Flexibility)

#8 2013-07-20 21:05:29

Re: How to design my system? Global system + VMs (Security/Flexibility)

Board footer