LinuxQuestions.org
Did you know LQ has a Linux Hardware Compatibility List?
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 08-12-2012, 04:02 PM   #1
smells_of_elderberries
LQ Newbie
 
Registered: Dec 2006
Posts: 25

Rep: Reputation: 0
Question Linux distro that boots from HDD, runs entirely in RAM?


Hi,

I'm looking for a Linux distro to use for checking secure online accounts, such as banking. What I'd like is to install it on my MacBook Pro's SSD for dual-booting with OS X, set it up as necessary (eg. bookmarks, preferred browser, stored passwords for frequent wifi hotspots, firewall etc.) and then freeze the whole install and make every subsequent boot run entirely in RAM without any kind of persistence.

Because I only have a 120GB SSD in my MBP, I'd like to make the Linux partition as small as possible. If the distro were also bootable without having to set up a hybrid MBR (ie. by using Boot Camp to prepare the drive), that would be even better.

I don't want to use any external drives (eg. pendrive) for the linux distro, because it's just something else to remember to carry with me. I don't want to use an optical disc for it because it's also something else to carry, as well as slow to boot.

Anyone able to suggest something suitable?

Many thanks
 
Old 08-12-2012, 05:25 PM   #2
BlackRider
Member
 
Registered: Aug 2011
Distribution: Slackware
Posts: 261

Rep: Reputation: 82
Good options would be:

Slitaz ( http://www.slitaz.org/en )
Porteus (http://www.porteus.org )
Knoppix (http://www.knoppix.net , look for the CD version)

I like to carry a tweaked LiveUSB with Knoppix with me. You can "install" the CD version if you have 700 Mb or so. Slitaz will take 30 and Porteus around 300.

I tend to favor Knoppix where possible, but the others can be convenient.

Any Live GNU/Linux distribution can be installed to a partition in frugal mode, so the computer "thinks" the partition is a CD and boots it Live. Tweaking and man pages reading might be necessary.

Last edited by BlackRider; 08-12-2012 at 05:27 PM.
 
1 members found this post helpful.
Old 08-13-2012, 06:08 PM   #3
smells_of_elderberries
LQ Newbie
 
Registered: Dec 2006
Posts: 25

Original Poster
Rep: Reputation: 0
Thanks BlackRider. I'll check these out and post back if I have any questions.
 
Old 08-14-2012, 02:39 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,112
Blog Entries: 54

Rep: Reputation: 2784Reputation: 2784Reputation: 2784Reputation: 2784Reputation: 2784Reputation: 2784Reputation: 2784Reputation: 2784Reputation: 2784Reputation: 2784Reputation: 2784
Moved: This thread is more suitable in the Linux Distributions forum and has been moved accordingly to help your thread/question get the exposure it deserves.
 
Old 08-14-2012, 08:48 PM   #5
jefro
Guru
 
Registered: Mar 2008
Posts: 11,317

Rep: Reputation: 1386Reputation: 1386Reputation: 1386Reputation: 1386Reputation: 1386Reputation: 1386Reputation: 1386Reputation: 1386Reputation: 1386Reputation: 1386
The way a live cd works is the data on the cd is mixed with part of the ram to make a faux hard drive. The OS thinks it is running on a real drive until you shut it down.

So you could basically take any hybrid iso that is meant to be copied to a usb and use it.

Your issue with the mac is out of my experience so I can't say about that.

You might be able to get this to work. http://www.spi.dod.mil/lipose.htm


Almost all live cd's are not built to be secure. They tent to have some poor choices like running in root so I can't say for sure it would be more secure than a hardened OS running in a virtual machine. You may simply wish to boot a virtual machine to an image of a live cd. It might get past your mac issues if there is a vm for mac's.
 
Old 08-15-2012, 12:00 AM   #6
aus9
Guru
 
Registered: Oct 2003
Posts: 5,056

Rep: Reputation: Disabled
Nearly all banks want to track you....so the first key is to have a distro where you can easily get the latest web browser and its security patches

Option 1....firefox can be downloaded to your home folder and run off it....and can be updated

2) I am wondering if you are concerned about intrusion? for your request for ram and no persistence

puppy (root mode) uses squashfiles which are kind of non-changeable while in use and ram mode

tinycore uses ram mode and its packages are kept "unpacked" until used which offer pristine-ness

is that the kind of thing you are looking for?

3) otherwise there are dedicated live cds that claim to be non-trackable. eg

https://tails.boum.org/download/index.en.html
 
Old 08-15-2012, 01:21 PM   #7
smells_of_elderberries
LQ Newbie
 
Registered: Dec 2006
Posts: 25

Original Poster
Rep: Reputation: 0
My main objective is to have a system that I can trust to have no viruses, trojans, keyloggers, worms etc. running in the background that might compromise online security for critical accounts (most especially, but not limited to, those related to banking). The idea is to find a suitable Linux distro, set it up to be as appropriate to my needs as possible (eg. with essential bookmarks and network settings), and then freeze it entirely, such that no further changes can be made to anything. Jefro mentions VMs; what I'm looking for is something similar to what Parallels Desktop calls "Undo Disks", whereby changes made during any session (ie. between boot and shutdown of the VM) can be kept or discarded. If I choose to discard, then on next launch of that VM everything is identical to when it was last launched.

I would do this in a VM (I have Parallels and VMWare Fusion) but I'm of the belief that that would only double the vectors for security breaches: I'd have to lock-down the VM _and_ the OS the VM was running in (OS X Mountain Lion). Hence the dual-boot to Linux. By the way, if I'm wrong in this assumption, please illuminate me, because running Linux in a VM would make this a whole lot easier

At the moment, I'm using my iPhone where I can for certain things because the number of programs that can run in the background is severely limited, both in terms of quantity and purpose. But I can't use my iPhone for all the secure online tasks I have in mind, so a fully-fledged desktop/laptop OS will be necessary.

I know I'm not the first to ask for such a thing, but the idea of installing it to my SSD is a new one (to me at least) which is why I ned the advice of others here.

I hope I've explained things a little better now. Thanks for the responses so far

EDIT: Jefro - LPS looks excellent. Its description makes it sound like just what I'm looking for. Now, I just have to find out what installing it to my SSD would involve…

Last edited by smells_of_elderberries; 08-15-2012 at 01:26 PM.
 
Old 08-16-2012, 06:17 PM   #8
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,112
Blog Entries: 54

Rep: Reputation: 2784Reputation: 2784Reputation: 2784Reputation: 2784Reputation: 2784Reputation: 2784Reputation: 2784Reputation: 2784Reputation: 2784Reputation: 2784Reputation: 2784
Quote:
Originally Posted by smells_of_elderberries View Post
(..) to have a system that I can trust to have no viruses, trojans, keyloggers, worms etc. running in the background that might compromise online security (..).
Read-only media only ensures the initial state of the OS. On its own it doesn't mitigate any vulnerabilities and it doesn't prevent any accumulation of whatever one could encounter during a session. What's worse using read-only media would prevent critical browser updates and implies no or negligible logging, meaning no audit trail at all if anything goes awry. Flash scripting and Javascript fun, unsolicited sharing of information, social engineering, spoofed or otherwise malicious links and websites, traffic snooping, identity theft might be on the list but viruses definitely aren't. Encryption of storage at rest, per file encryption to protect information when the encrypted file system is mounted, in-flight encryption of traffic, two-factor authentication, a restricted egress access policy using white listing, restrictive MAC rules, extensive logging but most of all the discipline to only visit crucial sites during a session could help curb risks.
I think you should first consider the threatscape in terms of what you actually need to protect against, the risks of what you can't protect against (remote problems), how you can mitigate things and then draw a plan.
 
1 members found this post helpful.
Old 08-16-2012, 06:18 PM   #9
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,112
Blog Entries: 54

Rep: Reputation: 2784Reputation: 2784Reputation: 2784Reputation: 2784Reputation: 2784Reputation: 2784Reputation: 2784Reputation: 2784Reputation: 2784Reputation: 2784Reputation: 2784
Moved: This thread is more suitable in the Linux Security forum and has been moved accordingly to help your thread/question get the exposure it deserves ;-p
 
1 members found this post helpful.
Old 08-17-2012, 02:19 PM   #10
BlackRider
Member
 
Registered: Aug 2011
Distribution: Slackware
Posts: 261

Rep: Reputation: 82
I am with unSpawn, even when he has spoken in such an intimidating manner (haha).

A good combo for a domestic user who wants to keep the kind of security you describe would be:

>Subscribe to Debian's security list.
>Use Knoppix in frugal install mode. It is readonly, of course.
>Make a partition for keeping the DEB packages you will be using for updating.
>Write a shell script that install all the updates you have saved on the partition at boot. The partition must be read-only. This script could be used to raise a firewall, harden the networking kernel parameters etc.
>Place yourself behind a good firewall (most domestic routers have one, whenever they are a crap or not is another question).

---------SECURITY MODEL:

You will boot the Live System only to access banking pages which are unlikely to attack your browser when you hit them.

You will regularly read the Security List of Debian in other to find the new security fixes which are released. When needed, you will download them and place them in the partition you have set for the task.

Save your system logs in a USB device before shutting down if you feel in the paranoia mood (this should be always, I guess).

You'll buy a gun, sword, bunch of greneades, dog or nuke and destroy anyone who tries to get physical access to your computer!!

-------------------

And that's it. Your system will have security updates, the initial state of the OS will be known and you will be accessing pages unlikely to attack you, while you are being covered by a firewall.

CONS:

You have to set this up.
Inconvenient.
You could still have security problems by attacks not coming form the external Internet.
I might have forgotten something :-)
 
1 members found this post helpful.
Old 08-17-2012, 03:19 PM   #11
jefro
Guru
 
Registered: Mar 2008
Posts: 11,317

Rep: Reputation: 1386Reputation: 1386Reputation: 1386Reputation: 1386Reputation: 1386Reputation: 1386Reputation: 1386Reputation: 1386Reputation: 1386Reputation: 1386
No, you run a security VM with no hard drive. You use an iso image to boot the VM and run it that way.

Any computer connected to the internet is subject to attack and there has been one proven hole in VM's.

I'd run the dod iso from a vm. No need to make any shared drives or add in any tools to cut and paste. Dunno what parallels calls it but like guest additions.
 
1 members found this post helpful.
Old 08-17-2012, 03:19 PM   #12
sKaar
Member
 
Registered: Jun 2006
Location: dartmouth, nova scotia
Distribution: slackware 12.1
Posts: 74

Rep: Reputation: 2
slax, which probably is similar to other systems, can save all changes to flash drive, including updated packages, so, with a live cd, select updates, you could run an almost entirely stateless machine. if you have the capability, grab a used hard disk, something small, use it for swap to speed things, it'd be wiped nicely with reboot.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Suggested Linux Distro for 128 MB RAM, 233MHz Processor and 4Gb HDD? nicoyuey Linux - Newbie 20 10-11-2009 05:19 PM
Puppy runs in Ram, but how to install to HDD? petect Puppy 5 05-01-2009 06:51 AM
Linux distro for Pentium166MHz, 64MB RAM and 4GB HDD rasputin_ylong Linux - Hardware 10 11-17-2008 03:44 PM
redhat enterprise linux 4 boots slow with 2 GB RAM , boots fast with 512MB robinsingh Linux - Hardware 14 08-26-2008 11:34 PM
need a distro that runs on 32 mb of ram Onewheelinweirdo Linux - Distributions 8 04-19-2007 03:40 PM


All times are GMT -5. The time now is 04:18 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration