LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 05-27-2015, 06:40 PM   #1
cynicalpsycho
Seeking Recommendations - Security, Stability, and Minimalism


Bottom Line: I'm looking for recommendations on a Linux Distribution to use as a base for a Linux System Hardening research project. (I'll be using this base for both clients and servers but the emphasis is currently on the clients)

Security Requirements:
This is the biggest one. I'm looking for a community dedicated to system hardening, people that minimize the attack area/lock down services by default, and include all the necessary essentials to ensure system security. (I had originally started this project with Arch Linux, only to learn that simple things like SELinux and other security enhancements were not supported and apparently haven't been for years.)


Additional Requirements:

Stability - I'm not looking for cutting edge, I'd prefer to use well patched, slightly older packages than have system instability.

Minimal Install - I want to avoid unnecessary bloat and streamline the system to increase performance and minimize the target area. I plan on building the system from the ground up so I'll need a distro that offers a minimal install (net connection with command line and a package manager would be fine).

Package Management - I'm not looking to install everything from source. I'm already comfortable with Pacman, APT, and RPM. But I'm willing to learn others. In this area I'm looking for simplicity and rapid and up to date system patching that is easily automated.


Background:
For your reference, my level of proficiency with Linux is somewhere between intermediate and advanced, depending on the topic. I've been using it regularly for the past 5 or so years with Arch Linux as my OS of choice for personal use. While I'm no Guru by any stretch I'm more than willing to do my own research and dig into a challenging problem.


Final Thoughts:
From what I've discerned so far there seems to be a split between Debian and Red Hat/its lineage. But I'm curious to hear your opinions.

Thank you.
 
Old 05-27-2015, 07:59 PM   #2
salasi
I'm going to tell you some things about what I do and what I feel is desirable; the extent to which any of this helps you is questionable, but I don't see that I've much more to offer.

Quote:
Originally Posted by cynicalpsycho View Post
Security Requirements:
This is the biggest one. I'm looking for community dedicated to system hardening, people that minimize the attack area/lock down services by default, and include all the necessary essentials to ensure system security. (I had originally started this project with Arch Linux, only to learn that simple things like SELinux and other security enhancements were not supported and apparently haven't been for years.)
Well, if you are taking this seriously, you will probably want something like SELinux, eventually. Now, there may be a question about what kind of support is implied by 'supported', but it would only be in exceptional cases that you would think of building SEL for yourself because it isn't in repos (that is, one of the pre-requirements for you should be the availability of whatever security 'add-ons' you choose in repos).

Attack area is a valid consideration, but it may well be in opposition to 'being able to do what you want the system for'; give some consideration to the extent that external security measures can be used to give endpoints a slightly easier time of things.


Quote:
Originally Posted by cynicalpsycho View Post

Stability - I'm not looking for cutting edge, I'd prefer to use well patched, slightly older packages than have system instability.
Consider a (potential) exploit: some bad guy, somewhere, works out how to do the kind of thing that you don't want them to do. When it becomes apparent that there is this possibility and when it becomes apparent how this trick has been done, there is the necessity to stop it happening. Once this has been worked out, you need to get the fixed version on to your machines as quickly as possible. At that point, there is really no point in saying 'Version 1.2.3 has always worked for me', you need the new fixed version. Anyone whose 'conservatism' prevents you from getting that fixed version, pronto, isn't helping.


Quote:
Originally Posted by cynicalpsycho View Post

Minimal Install - I want to avoid unnecessary bloat and streamline the system to increase performance and minimize the target area. I plan on building the system from the ground up so I'll need a distro that offers a minimal install (net connection with command line and a package manager would be fine).
No, it wouldn't. By the time that you connect your box to the big, bad network, you should have various security measures in place. You mention SEL earlier, and, ideally, you'd probably want that in place and in some way configured before you start adding all sorts of bits and pieces to your system. More significantly (possibly), if you intend running Rkhunter, you want it to track changes to your system. So, before the first time that you go on-line to grab updates and extras, you want to have a reference run to capture signatures of everything installed, so that you can track changes from a known clean state. This can only happen if your original install source allows you to install Rkhunter before you ever get on-line.


Quote:
Originally Posted by cynicalpsycho View Post

Package Management - I'm not looking to install everything from source. I'm already comfortable with Pacman, APT, and RPM. But I'm willing to learn others. In this area I'm looking for simplicity and rapid and up to date system patching that is easily automated.


Final Thoughts:
From what I've discerned so far there seems to be a split between Debian and Redhat/it's lineage. But I'm curious to hear your opinions.

Thank you.
Package management: you've got to be comfortable with whatever it is, because if you are not, you won't check for updates often enough, and the system will not be fully patched. That implies a lot of things, but you need the distro to get patches out quickly enough and you need to be able to use the system without bringing everything to a standstill.
 
Old 05-27-2015, 08:27 PM   #3
cynicalpsycho
Original Poster
There was nothing in this post that wasn't already stated in my original post or completely obvious to anyone even remotely familiar with Linux or the infosec community. Moreover, it completely ignored the one question I was actually asking: Which distro do you recommend using as a base?

That's not to say you didn't have valid points... but my saying the sky is blue is not at all valid to this conversation either.

There are a few things I feel I need to point out for your education though:
1. SELinux is not a distribution, you don't build it, it's a security module for the Linux Kernel, if anything you configure policies for it.
2. English is clearly not your first language, so my apologies if this came across as harsh.
3. In reference to using older/stable software... OF COURSE you'd upgrade the software if there is a vulnerability. HOWEVER, that doesn't mean you need to update to the latest and greatest just because of a new feature that came out. This in itself invites instability. I'm looking to build something stable and secure here, not something with the hottest new bells and whistles. Secure patch management =/= bleeding edge repo updates.
4. When I said connect to the network, I meant my own network, where I have local servers with repositories already running... So again your point is moot. Again, the purpose of this build is for me to have a stable BASE! meaning a minimal framework for me to build on top of, that comes with support for the things I need. I'm not looking to get a full distro bloated with all kinds of crap I don't need.

Quote:
Originally Posted by salasi View Post
(post #2 quoted in full)

Last edited by cynicalpsycho; 05-27-2015 at 08:33 PM.
 
Old 05-29-2015, 10:25 AM   #4
Amarildo
I think Debian is a good start. However, the current Stable (Jessie) doesn't have SELinux completely, so you'll have to upgrade to debian Testing or Sid (thus having almost cutting-edge software). I find this ridiculous, they froze and tested the system for 6 months and yet didn't solve this. So much for a system designed for webservers. You can, however, install Debian Wheezy, it does have SELinux entirely and is still supported.

The first thing that comes to my mind when it comes to security is a good Firewall. I am behind a router Firewall, and I have a pretty secure iptables ruleset: http://pastebin.com/UsufFHFk
(I Assume you know how to make iptables to automatically load those rules on every boot).

Next, install two Firefox addons: AdBlockPlus (PLEASE disable it on websites you trust and that are useful, such as this one), and NoScript. Then you only allow scripts for websites you trust.

Obviously don't use an account that has sudo access and almost NEVER use the root account.

Encrypt your drive. I'll be writing a tutorial on how to do this on numerous distros so you can select the most secure encryption cipher (Serpent), make it a 256-bit KEY, and have a 10-second delay between each passphrase attempt to make brute-force attacks useless.

I also comment on how to create good passphrases: https://bbs.archlinux.org/viewtopic....75311#p1375311

You can run your webbrowser in SELinux too, there are numerous tutorials on this.

Debian can be installed with a minimal set, you can also "DuckDuckGo that"

Last edited by Amarildo; 05-29-2015 at 10:27 AM.
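The 10-second delay Amarildo mentions is, on a LUKS volume, the work factor of the key derivation function (cryptsetup's --iter-time, given in milliseconds), not a timer in the unlock prompt: whoever copies the LUKS header can guess against it offline on their own hardware, so only the per-guess KDF cost carries over to the attacker. One caveat on the 256-bit figure: with an XTS cipher mode cryptsetup's --key-size is split between two keys, so serpent-xts-plain64 needs --key-size 512 to get 256-bit Serpent. The following is an added example, not cryptsetup's code and not anything posted in the thread: it calibrates PBKDF2-HMAC-SHA512 (the LUKS1 KDF; LUKS2 defaults to Argon2, which the standard library does not provide) to a target time the way cryptsetup benchmarks on the machine being formatted, and shows how the per-guess cost scales with passphrase entropy and attacker parallelism. The passphrase, benchmark size and iteration floor are constructed values.

```python
#!/usr/bin/env python3
"""Passphrase work-factor calibration for full-disk encryption.

Added example, not cryptsetup's code. LUKS1 derives the key-slot key with
PBKDF2 and stores the iteration count chosen by --iter-time; LUKS2 defaults
to Argon2, which hashlib does not provide, so PBKDF2-HMAC-SHA512 stands in.
"""
import hashlib
import hmac
import os
import time

BENCH_ITERS = 20_000   # constructed benchmark size; small enough to finish quickly
KEY_LEN = 64           # 512-bit key, what serpent-xts-plain64 needs for 256-bit Serpent


def derive_key(passphrase: str, salt: bytes, iterations: int, dklen: int = KEY_LEN) -> bytes:
    """Derive the volume key from a passphrase; every guess has to repeat this work."""
    return hashlib.pbkdf2_hmac("sha512", passphrase.encode("utf-8"), salt, iterations, dklen)


def calibrate_iterations(target_seconds: float, bench_iters: int = BENCH_ITERS,
                         floor: int = 1000) -> int:
    """Choose an iteration count so one derivation takes about target_seconds here.

    Same approach as cryptsetup --iter-time: time a fixed number of iterations on
    this machine, scale linearly, and never drop below a floor on fast hardware.
    """
    salt = os.urandom(16)
    start = time.perf_counter()
    derive_key("benchmark", salt, bench_iters)
    per_iteration = (time.perf_counter() - start) / bench_iters
    return max(floor, int(target_seconds / per_iteration))


def expected_crack_seconds(passphrase_bits: float, seconds_per_guess: float,
                           parallel_guessers: int = 1) -> float:
    """Expected brute-force time against a passphrase of the given entropy.

    On average half the keyspace is searched, and the attacker runs guesses in
    parallel on hardware of their choosing, so the KDF cost buys linear protection:
    it multiplies the attacker's bill, it does not make guessing impossible.
    """
    return (2.0 ** passphrase_bits / 2.0) * seconds_per_guess / parallel_guessers


def unlock(passphrase: str, salt: bytes, iterations: int, stored_key: bytes) -> bool:
    """Check a passphrase by re-deriving the key and comparing in constant time.

    Simplified: real LUKS stores a KDF digest of the master key, not the key itself.
    """
    return hmac.compare_digest(derive_key(passphrase, salt, iterations), stored_key)


if __name__ == "__main__":
    iterations = calibrate_iterations(10.0)   # the 10-second target from the post
    salt = os.urandom(32)
    key = derive_key("correct horse battery staple", salt, iterations)  # constructed
    print(f"iterations for roughly 10 s per guess on this machine: {iterations}")
    assert unlock("correct horse battery staple", salt, iterations, key)
    for bits in (28, 40, 60):                 # weak, middling and strong passphrases
        one = expected_crack_seconds(bits, 10.0, 1) / 86400
        farm = expected_crack_seconds(bits, 10.0, 10_000) / 86400
        print(f"{bits}-bit passphrase: {one:.3g} days for one guesser, "
              f"{farm:.3g} days for 10,000 in parallel")
```

The calibration is only as good as the machine it ran on; cryptsetup has the same limitation, which is why the iteration count is stored in the header rather than recomputed at unlock time. Note that the numbers printed for a 28-bit passphrase show why the delay alone does not make brute force "useless": entropy does the heavy lifting, the KDF just sets the price per guess.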
 
Old 05-29-2015, 10:39 AM   #5
Habitual
Why limit yourself to "Linux", how about *BSD?
 
Old 05-29-2015, 11:07 AM   #6
Alpha90
Have you considered Gentoo?

Gentoo also, while not completely security focused, does have a Gentoo Hardened sub-project/community.

Gentoo is amazingly malleable and can be whatever you want it to be. Gentoo is a source-based distro, but it does have a package manager, Portage, so you don't have to worry about doing your own dependency checking like you would with LFS. Because you can set package option flags, you can easily strip out what you don't want or don't need, to the point that Arch seems as bloated as Mint or Debian.

Gentoo isn't a bleeding-edge distro unless you want it to be, as there are many older packages (well, more like Arch's PKGBUILDs) that do get patched in the main repository.

As for your package management requirement, Portage is written entirely in Python and Bash, so if you know Python I believe you could be able to make an automated system to your liking. If you don't, you could automate a lot of the process just with simple Bash scripts.

Last edited by Alpha90; 05-29-2015 at 11:17 AM.
 
Old 05-29-2015, 12:41 PM   #7
JWJones
Based on your specs, I would say Alpine or (leave the Linux world for) OpenBSD. Gentoo/Funtoo would be another good choice. Steer clear of SELinux in favor of grsecurity.
 
Old 05-29-2015, 01:40 PM   #8
cynicalpsycho
Original Poster
Quote:
Originally Posted by Amarildo View Post
I think Debian is a good start. However, the current Stable (Jessie) doesn't have SELinux completely, so you'll have to upgrade to debian Testing or Sid (thus having almost cutting-edge software). I find this ridiculous, they froze and tested the system for 6 months and yet didn't solve this. So much for a system designed for webservers. You can, however, install Debian Wheezy, it does have SELinux entirely and is still supported.
This is actually a very critical point I wasn't aware of, thank you for pointing that out. I believe this may have actually knocked Debian out of the running for me. That does help simplify the decision-making process; I'm thinking I'm leaning toward CentOS now.

Quote:
Originally Posted by Amarildo View Post
The first thing that comes to my mind when it comes to security is a good Firewall. I am behind a router Firewall, and I have a pretty secure iptables ruleset: http://pastebin.com/UsufFHFk
(I Assume you know how to make iptables to automatically load those rules on every boot).

Next, install two Firefox addons: AdBlockPlus (PLEASE disable it on websites you trust and that are useful, such as this one), and NoScript. Then you only allow scripts for websites you trust.
I'm good with iptables. As for the online search, I believe I'm going to be using Xen to segregate system activities, so this base OS is just going to be the dom0; it won't need browsing and all that. I'll have template operating systems that reload on each boot (this host system will carry all the daily use software and I'll have certain builds for certain activities online), with a connection to a separate home drive (without execute rights) for persistent storage.


Quote:
Originally Posted by Amarildo View Post
Obviously don't use an account that has sudo access and almost NEVER use the root account.
I also comment on how to create good passphrases: https://bbs.archlinux.org/viewtopic....75311#p1375311
I'll be locking down the perms, have specific accounts for everyday use and 2 for administration. Min password length/complexity, password expiration, max attempts before lockout, etc. All that will be baseline stuff.

Quote:
Originally Posted by Amarildo View Post
Encrypt your drive. I'll be writing a tutorial on how to do this on numerous distros so you can select the most secure encryption cipher (Serpent), make it a 256-bit KEY, and have a 10-second delay between each passphrase attempt to make brute-force attacks useless.
I currently plan to implement multi-authentication LVM over LUKS full disk encryption on each client host in the Xen hypervisor. (which will require bios, boot, and system authentication prior to even loading the OS).


Quote:
Originally Posted by Amarildo View Post
You can run your webbrowser in SELinux too, there are numerous tutorials on this.
Debian can be installed with a minimal set, you can also "DuckDuckGo that"
Again, I think you've already convinced me to go with CentOS, they too have a minimal install.

Thanks again for all your input Amarildo. It's been quite informative.
 
Old 05-29-2015, 01:46 PM   #9
cynicalpsycho
Original Poster
Quote:
Originally Posted by Habitual View Post
Why limit yourself to "Linux", how about *BSD?
I've thought about BSD and I really admire their stance on security. However, there seem to be too many limitations. Their low dev base leads to a lack of support for newer hardware and software, they seem to lack a lot of pre-created packages that are available to the Linux community, and their lack of user base leads to a lot more individual troubleshooting as opposed to online research (something that drastically increases the time involved in conflict resolution).

As a great woman once said "Ain't no body got time for that."
 
Old 05-29-2015, 01:51 PM   #10
cynicalpsycho
Original Poster
Quote:
Originally Posted by Alpha90 View Post
(post #6 quoted in full)
Honestly, I think Gentoo would be a bit overkill for this project in reference to the amount of detail required in configuration. I've played the "let's tweak it all" game with LFS and Arch. However, in this scenario I believe it would just be more of a nuisance than anything else.
 
Old 05-29-2015, 02:02 PM   #11
cynicalpsycho
Original Poster
Quote:
Originally Posted by JWJones View Post
Based on your specs, I would say Alpine or (leave the Linux world for) OpenBSD. Gentoo/Funtoo would be another good choice. Steer clear of SELinux in favor or grsecurity.
Why do you recommend grsecurity over SELinux?

As for leaving linux, as mentioned above I feel that BSD while undeniably more secure is still very much lacking in development and community support. Something I feel could hinder my build and slow down the resolution of technical issues.
 
Old 05-29-2015, 02:08 PM   #12
Amarildo
Quote:
Originally Posted by cynicalpsycho View Post
This is actually a very critical point I wasn't aware of, thank you for pointing that out. I believe this may have actually knocked Debian out of the running for me. That does help simplify the decision making processes, I'm thinking I'm leaning toward CentOS now.
You don't need to go to CentOS *just* because of this. You can compile SELinux in any distro IIRC.

Quote:
Originally Posted by cynicalpsycho View Post
I currently plan to implement multi-authentication LVM over LUKS full disk encryption on each client host in the Xen hypervisor. (which will require bios, boot, and system authentication prior to even loading the OS).
You don't need to authenticate LVM. If the passphrase is good then nobody, and I mean NOBODY (not the F.B.I., the C.I.A, the NSA) will be able to read the contents of the drive.

BIOS auth is too overkill. I don't know of any BIOS exploits that affect Linux. It's easier to just put a password on it and hand over USB sticks to the trusted people; these sticks will contain the BIOS flashing utility to make sure it hasn't been altered.

You can also put, on that same USB, backups of the disk MBR and /boot partition. Remember to use a LiveCD of Debian to copy the MBR or /boot partition if you think they've been tampered with. Of course, run sha512sum's of the first sector (512b) + the size of the /boot partition; this is the easiest and safest way to determine if they've been altered.

Tell me if you want to know how to make a backup of the MBR and/or /boot partition.



Quote:
Originally Posted by cynicalpsycho View Post
Again, I think you've already convinced me to go with CentOS, they too have a minimal install.
Do they have SELinux by default?

You should check if they have non-free (proprietary) firmware in the Kernel, i.e. if they use the vanilla Linux Kernel. Debian, for instance, removes all non-free firmware blobs from the Kernel, maintaining a true GNU/Linux Operating System.

Remember: you CAN'T trust closed-source software.

Quote:
Originally Posted by cynicalpsycho View Post
Thanks again for all your input Amarildo. It's been quite informative.
You're welcome.

Last edited by Amarildo; 05-29-2015 at 02:09 PM.
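Both salasi's point in post #2 (a reference run taken from the clean, offline install, so that every later change can be tracked) and Amarildo's here (sha512sum of the first 512-byte sector plus the /boot partition, kept on the USB stick) reduce to the same routine: hash, store, compare. The following is an added example, not rkhunter's code and not anything posted in the thread, that does exactly that for raw byte ranges and directory trees. The paths /dev/sda, /boot and /usr/bin in its usage comments are assumptions, and the no-argument run works on a constructed fixture (a 1 KiB "disk image" and a fake /boot) instead of real devices, so it needs neither root nor hardware.

```python
#!/usr/bin/env python3
"""Baseline-and-verify integrity manifest.

Added example; not rkhunter's code or anything from the thread. Records SHA-512
digests of a raw byte range (the first 512-byte sector holding the MBR) and of
every regular file below given directories (/boot, /usr/bin ...), then reports
what changed since the baseline was taken.
"""
import hashlib
import json
import os
import sys
import tempfile

CHUNK = 1 << 20  # 1 MiB reads, so a whole partition hashes without loading it into memory

def hash_range(path, length=None):
    """SHA-512 of a file or block device, or only of its first `length` bytes."""
    digest = hashlib.sha512()
    remaining = length
    with open(path, "rb") as f:
        while remaining is None or remaining > 0:
            block = f.read(CHUNK if remaining is None else min(CHUNK, remaining))
            if not block:
                break
            digest.update(block)
            if remaining is not None:
                remaining -= len(block)
    return digest.hexdigest()

def build_manifest(targets):
    """targets: iterable of (path, length). A directory is walked and each file
    recorded under its own path; length=None means the whole file or device."""
    manifest = {}
    for path, length in targets:
        if os.path.isdir(path):
            for root, dirs, files in os.walk(path):
                dirs.sort()  # deterministic order, so manifests are diffable as text
                for name in files:
                    full = os.path.join(root, name)
                    if os.path.islink(full):
                        manifest[full] = "symlink:" + os.readlink(full)
                    elif os.path.isfile(full):
                        manifest[full] = hash_range(full)
        else:
            key = path if length is None else f"{path}[0:{length}]"
            manifest[key] = hash_range(path, length)
    return manifest

def diff_manifest(baseline, current):
    """Entries whose digest changed, entries that appeared, entries that vanished."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }

def parse_target(arg):
    """'PATH' hashes everything; 'PATH:N' hashes only the first N bytes (MBR: 512)."""
    path, sep, length = arg.rpartition(":")
    return (path, int(length)) if sep and length.isdigit() else (arg, None)

def make_fixture():
    """Constructed stand-in for /dev/sda and /boot, so the demo needs no root."""
    base = tempfile.mkdtemp(prefix="integrity-demo-")
    disk, boot = os.path.join(base, "disk.img"), os.path.join(base, "boot")
    os.mkdir(boot)
    with open(disk, "wb") as f:
        f.write(b"\x55" * 1024)                # two fake 512-byte sectors
    kernel = os.path.join(boot, "vmlinuz")
    with open(kernel, "wb") as f:
        f.write(b"constructed kernel image")
    return {"disk": disk, "boot": boot, "kernel": kernel}

def main(argv):
    # integrity.py baseline MANIFEST TARGET...     e.g. /dev/sda:512 /boot /usr/bin
    # integrity.py verify   MANIFEST TARGET...
    # no arguments: tamper with byte 0 of the fixture's "MBR" and print the report
    if not argv:
        fx = make_fixture()
        targets = [(fx["disk"], 512), (fx["boot"], None)]
        baseline = build_manifest(targets)
        with open(fx["disk"], "r+b") as f:
            f.write(b"\xaa")
        print(json.dumps(diff_manifest(baseline, build_manifest(targets)), indent=1))
        return 0
    if len(argv) < 3 or argv[0] not in ("baseline", "verify"):
        print("usage: integrity.py [baseline|verify MANIFEST TARGET...]", file=sys.stderr)
        return 2
    current = build_manifest(parse_target(a) for a in argv[2:])
    if argv[0] == "baseline":
        with open(argv[1], "w") as f:
            json.dump(current, f, indent=1, sort_keys=True)
        return 0
    with open(argv[1]) as f:
        report = diff_manifest(json.load(f), current)
    for kind, keys in report.items():
        for key in keys:
            print(f"{kind}: {key}")
    return 1 if any(report.values()) else 0   # non-zero exit when anything changed

if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Reading a block device such as /dev/sda needs root. Both the baseline and every later verify run belong on a boot medium you trust, as Amarildo says about the LiveCD: a kernel that has itself been tampered with can lie about what is read back from disk. For the same reason the manifest goes on the stick, not on the disk it describes, since whoever rewrote /boot can rewrite a manifest stored next to it.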
 
Old 05-29-2015, 02:10 PM   #13
Amarildo
Gentoo is too much maintenance for a Desktop OS. Not to mention it could take weeks to compile everything. Not to mention too that they have bleeding edge software IIRC, which isn't advisable for security intents.

Quote:
Originally Posted by cynicalpsycho View Post
Why do you recomend grsecurity over SELinux?

As for leaving linux, as mentioned above I feel that BSD while undeniably more secure is still very much lacking in development and community support. Something I feel could hinder my build and slow down the resolution of technical issues.
Who said *BSD is more secure? The DEFAULT install of OpenBSD is very secure, though as soon as you start adding programs and services that security could start being not-so-secure (although still a lot more secure than a default Linux install).

Last edited by Amarildo; 05-29-2015 at 02:17 PM.
 
Old 05-29-2015, 02:26 PM   #14
JWJones
Quote:
Originally Posted by cynicalpsycho View Post
Why do you recomend grsecurity over SELinux?
https://grsecurity.net/compare.php

And seriously, check out Alpine Linux.
 
Old 05-29-2015, 02:45 PM   #15
cynicalpsycho
Original Poster
Quote:
Originally Posted by Amarildo View Post
You don't need to go to CentOS *just* because of this. You can compile SELinux in any distro IIRC.
While I'm sure this is true, the process is certainly simplified by certain distros over others; the process is fairly straightforward in CentOS, which includes the software in its repository. This distribution is also focused on security and stability by default. Thus my leaning toward it.


Quote:
Originally Posted by Amarildo View Post
You don't need to authenticate LVM. If the passphrase is good then nobody, and I mean NOBODY (not the F.B.I., the C.I.A, the NSA) will be able to read the contents of the drive.
Authenticate LVM? using the LVM over LUKS method unlocks all of the LVM volumes once you authenticate... I'm also very wary of people proclaiming something is uncrackable.


Quote:
Originally Posted by Amarildo View Post
BIOS auth is too overkill. I don't know of any BIOS exploits that affect Linux. It's easier to just put a password on it and hand over USB sticks to the trusted people; these sticks will contain the BIOS flashing utility to make sure it hasn't been altered.
Valid point.



Quote:
Originally Posted by Amarildo View Post
You can also put, on that same USB, backups of the disk MBR and /boot partition. Remember to use a LiveCD of Debian to copy the MBR or /boot partition if you think they've been tampered with. Of course, run sha512sum's of the first sector (512b) + the size of the /boot partition; this is the easiest and safest way to determine if they've been altered.

Tell me if you want to know how to make a backup of the MBR and/or /boot partition.
Putting the boot partition on a thumbdrive... I've thought of that in the past but never implemented it. Do you have some recommended reading?


Quote:
Originally Posted by Amarildo View Post
Do they have SELinux by default?
CentOS has SELinux in their repo and its setup is fairly straightforward.



Quote:
Originally Posted by Amarildo View Post
You should check if they have non-free (proprietary) firmware in the Kernel, i.e. if they use the vanilla Linux Kernel. Debian, for instance, removes all non-free firmware blobs from the Kernel, maintaining a true GNU/Linux Operating System.
Remember: you CAN'T trust closed-source software.
Why?
 