Old 01-25-2017, 11:00 AM   #1
johfount
LQ Newbie
 
Registered: Jan 2017
Posts: 8

Rep: Reputation: Disabled
Linux hardening


I'm not a programmer or an expert Linux user.

I use Linux Mint 18. I would like to learn more about OS hardening and about security-oriented system administration. I'm not a skilled user, but I think that very important concepts about OS and networking security should be cognizable, accessible and usable by every user, skilled or newbie. I would like to have this information:

A) Does a security-oriented OS, appropriate for non-specialist use, exist? I have always found only very specialized OSes... For example Kali or BlackArch for pentesting, CAINE for forensic use, Tails for anonymity... I haven't yet found anything appropriate for general use.

B) Do hardening-oriented metapackages or scripts exist? I have heard about Bastille or harden-foo but they are now obsolete.

C) If the answer to the previous questions is negative, could you help me build a hardened and security-oriented system? Please consider that:

C1) I would like to get software only from official Debian-based repositories; I wouldn't make experiments with untrusted repos, unstable packages or raw source code. I don't want to compromise the system which I would like to protect;

C2) I would like to implement defensive technologies like PAM, SELinux, AppArmor, Grsecurity and others as well (all together too, if that's possible for a stable system);

C3) I would like a graphical front-end nftables/iptables rules manager which is actively maintained and fully supported by the latest kernel/OS/library versions; I would also like some automation services like fail2ban or PSAD which could help me with managing and upgrading firewall rules;

C4) I would like an IDS/IPS service combined with some other accessory services like HIPS, a file integrity checker, a correlator and a log analyzer. I would like these services not to be too intricate or intrusive for my moderate skills and for my basic OS and network utilization... I would like a good security level, but without excessive paranoia. I use a simple desktop OS and I don't use it as a web server or to manage a complex LAN.

C5) I would like a system monitor and an admin panel with a simple but powerful graphical GUI;

C6) I would like some tools for forensic data analysis and for anti-forensic use; I would simply like to protect my data from hardware/software faults (with the possibility of carving lost files) and my sensitive data from privacy vulnerabilities;

C7) I would like tools to passively protect my OS from various offensive processes like ARP poisoning, port scanning, port knocking, sniffing, DNS faking etc...

C8) I would like some utilities for vulnerability auditing for every side of security administration;

C9) I would like other utilities which could be useful for me (process and runtime analyzers, clients or tunnellers for encrypting/anonymizing network traffic, etc...).


Thanks a lot for your attention and excuse me if I wrote too much. Excuse me also for possible English grammar mistakes.

P.S. I have read many walkthroughs about hardening but I'm confused because sometimes they recommend different ways (sometimes conflicting), or obsolete or overly complex solutions, or also recommend software absent from trusted repositories.
 
Old 01-25-2017, 01:15 PM   #2
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
Have a look at our Security references and Welcome to LQ!
 
Old 01-25-2017, 08:43 PM   #3
PrivacyActivist
LQ Newbie
 
Registered: Jan 2017
Distribution: CentOS 7.3
Posts: 10

Rep: Reputation: Disabled
Linux, by default, is generally secure. A clearer answer would depend on your distro and the package versions that are in the repositories (for the distro in question). RHEL-based distros will offer SELinux out of the box (you have an option to configure this in the installer) and Ubuntu comes with AppArmor out of the box. You cannot use both AppArmor and SELinux at the same time as this would create conflicts with file permissions. You should be fine using SELinux or AppArmor.
 
Old 01-25-2017, 09:33 PM   #4
jefro
Moderator
 
Registered: Mar 2008
Posts: 21,984

Rep: Reputation: 3626
Unfortunately you selected a distro that has been made to be widely usable to almost anyone.

This brings in security issues to me. Less is more to begin with. I'd start with a minimal hardened system. Might even go to susestudio and get SUSE Enterprise Linux or configure CentOS to be hardened. There are of course some distros that claim to be hardened out of the box.

Security is as many best practices as you can learn and use.
 
1 members found this post helpful.
Old 01-26-2017, 01:57 AM   #5
johfount
LQ Newbie
 
Registered: Jan 2017
Posts: 8

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by Habitual
Have a look at our Security references and Welcome to LQ!
Thanks!

I already read that topic but I see that many links are dead and some software is now obsolete. This is a very common problem which I found in various guides. I read many, many topics or guides and now I'm confused. I would like clarification.

About the other replies: I would like to remain on the Debian-based side because this is the environment in which I feel most comfortable and most able to manage. I could also try some new experiences and experiments, but first of all I would like to limit recklessness, because I could compromise my system's security instead of hardening it through some misconfiguration error or through the use of untrusted repositories or unstable software.

I also read something about Qubes OS but it has a very complex architecture and I don't know if I would be able to manage it well. Also I think that Xen supervision could have trouble with full HW/SW support. The project is overall very interesting but for now I think that it isn't the most suitable OS for me.

Last edited by johfount; 01-26-2017 at 02:07 AM.
 
Old 01-26-2017, 07:10 AM   #6
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
I'm a fan of Common Sense Security.
Up-to-date System patches from vetted software channels.
And definitely scan the nut behind the keyboard.

Basic and decent Security can be had using a Router.
You're being "new" and all, I will not take the time for "security-oriented system administration"
I don't Yak Shave, Sorry.

https://help.ubuntu.com/community/DoINeedAFirewall
Security is not a Package.

Don't buy a computer.
Don't ever plug it in.
Don't ever turn it on = Secure.

Since some of our links are in question,
Here are some links that are not:
https://help.ubuntu.com/community/ and https://debian-handbook.info/browse/stable/

Good Luck.
 
1 members found this post helpful.
Old 01-27-2017, 02:16 PM   #7
Atrail1
LQ Newbie
 
Registered: Jul 2014
Posts: 3

Rep: Reputation: 0
Going to take years

It's going to take a long time to learn all that to be able to make good use out of it.
Better off picking one way of hardening and learn all that takes first!
 
Old 01-27-2017, 03:31 PM   #8
johfount
LQ Newbie
 
Registered: Jan 2017
Posts: 8

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by Habitual
I'm a fan of Common Sense Security.
Up-to-date System patches from vetted software channels.
And definitely scan the nut behind the keyboard.

Basic and decent Security can be had using a Router.
You're being "new" and all, I will not take the time for "security-oriented system administration"
I don't Yak Shave, Sorry.

https://help.ubuntu.com/community/DoINeedAFirewall
Security is not a Package.

Don't buy a computer.
Don't ever plug it in.
Don't ever turn it on = Secure.

Since some of our links are in question,
Here are some links that are not:
https://help.ubuntu.com/community/ and https://debian-handbook.info/browse/stable/

Good Luck.
Thank you very much for your reply. Your words are granitic truth. Maybe, however, you misunderstood me about something, because I said that I'm confused about some points and I would like to hear some fresh direct opinions, but I didn't say that I want a substitute who carries the task to completion or that I want somebody who is at my disposal. Also about packages, I already understand that security is not a package, because I never thought that installation is enough to let you sleep quietly and safely (nobody can sleep quietly... never). I'm new but I'm not so stupid.

I'm totally available to lose myself among thousands of guides or to wear out my keyboard and my fingers. I'm new but I have much willingness to engage in the task. I'm already doing this, to be honest. For example I'm trying openSUSE and CentOS and I'm deciding to abandon the Debian-based environment because I notice that this could be a good idea.

Last edited by johfount; 01-27-2017 at 04:20 PM.
 
Old 01-27-2017, 05:58 PM   #9
rokytnji
LQ Veteran
 
Registered: Mar 2008
Location: Waaaaay out West Texas
Distribution: antiX 23, MX 23
Posts: 7,112
Blog Entries: 21

Rep: Reputation: 3474
Quote:
For example I'm trying openSUSE and CentOS and I'm deciding to abandon the Debian-based environment because I notice that this could be a good idea.
Being a free universe. I think the opposite. But to each person, to cramp their finger, to trip their own trigger.
I was an openSUSE and Mandriva user while Zenwalking in a past life. Rawhide should have been just a show I watched. Not a sources.list I should have enabled.

To each their own private Idaho.
 
Old 01-27-2017, 06:56 PM   #10
johfount
LQ Newbie
 
Registered: Jan 2017
Posts: 8

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by rokytnji
Being a free universe. I think the opposite
Why? Your opinion would interest me very much... Some RHEL-based OSs are well-known for their great maturity and stability and maybe the only thing which I could regret is the departure from the immense Debian repositories (without underestimating the stability of the Debian mainstream OS). Also I am trying various distros these days, but when I play with SUSE or CentOS in a VM, I have the strange feeling (maybe irrational) that they could represent a better starting point for me and for my purpose.

Last edited by johfount; 01-27-2017 at 07:10 PM.
 
Old 01-27-2017, 08:18 PM   #11
jefro
Moderator
 
Registered: Mar 2008
Posts: 21,984

Rep: Reputation: 3626
https://www.linux.com/news/chapter/L...rials-linuxcom

Some tips on that site.
 
1 members found this post helpful.
Old 01-27-2017, 08:23 PM   #12
rokytnji
LQ Veteran
 
Registered: Mar 2008
Location: Waaaaay out West Texas
Distribution: antiX 23, MX 23
Posts: 7,112
Blog Entries: 21

Rep: Reputation: 3474
Quote:
Why? Your opinion would interest me very much..
Lack of online support. My inexperience. Back then broken rpm distro threads on this forum were legion in numbers. It might be better now. I don't know. As I settled into my ways till I got comfy cozy with what I learned.

Back then. Gear was lower powered and VM was not an option. It is a more varied universe now.

I am an antiX user like most Slackware users are on this forum. A freaking die-hard fanatic fan boy.

It is what trips my trigger.
 
1 members found this post helpful.
Old 01-27-2017, 08:24 PM   #13
johfount
LQ Newbie
 
Registered: Jan 2017
Posts: 8

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by jefro

Thank you
 
Old 01-27-2017, 08:36 PM   #14
rokytnji
LQ Veteran
 
Registered: Mar 2008
Location: Waaaaay out West Texas
Distribution: antiX 23, MX 23
Posts: 7,112
Blog Entries: 21

Rep: Reputation: 3474
In case you decide to march to the tune of a different drummer some day. Just some basic stuff is all.

http://www.linuxquestions.org/questi...4/#post5089762

Found the Slackware hardening thread that was referred to in my above link.

http://www.linuxquestions.org/questi...re-4175489704/

Last edited by rokytnji; 01-27-2017 at 08:39 PM.
 
1 members found this post helpful.
Old 01-27-2017, 08:39 PM   #15
johfount
LQ Newbie
 
Registered: Jan 2017
Posts: 8

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by rokytnji
Lack of online support. My inexperience. Back then broken rpm distro threads on this forum were legion in numbers. It might be better now. I don't know. As I settled into my ways till I got comfy cozy with what I learned.

Back then. Gear was lower powered and VM was not an option. It is a more varied universe now.

I am an antiX user like most Slackware users are on this forum. A freaking die-hard fanatic fan boy.

It is what trips my trigger.

The lack of online support could be a problem, maybe. Also, in reality, the lesser wealth of rpm repositories compared to Debian repos scares me a bit... above all because I would like to use only trusted sources and if I don't find in them everything I could need, I'll be forced to break this conduct, and if I break this, I won't be doing hardening in the right way IMHO.

Last edited by johfount; 01-27-2017 at 08:45 PM.
 
  

