Hardened Slackware?
Hi all,
I've been reading about Hardened Linux from Scratch, and that got me wondering what it would take to build Slackware with some (or all?) of the HLFS modifications. Has anyone done something like that? To broaden the question a bit, what do you all do to harden your Slackware installation? Do you use IPTables? Do you encrypt your hard drive? Please share. Regards, |
Hi
I Encrypt hard drive... Is there a way to create a customized implementation of LUKS/AES...? Inclusion or other symmetric encryption protocols, ncreased number of rounds in AES cypher, extended keyword length/permutation tables, different key scheduling mechanism...? I know the code is open, but I would like ro read on the details of implementation... This would be a real Hardened Slackware... IMHO... BRGDS Alex |
I do all the usual low-hanging-fruit stuff: iptables, encrypted partition, use of different users/groups for different tasks, ensure daemons that are only needed locally only listen on 127.0.0.1.
I've been meaning to try grSecurity for a while now but I've not got around to it yet. To be honest, I'm not sure it would gain me all that much the way I use my box. If I wanted to run a secured server I'd probably implement it on OpenBSD rather than linux anyway. |
Here's a (perhaps) useful link:
http://transamrit.net/docs/sysHarden...ening-10.2.txt |
Gilbert,
That link is useful, though terse. It is, as I understand it, a different approach from HLFS, which actually compiles the system differently to harden it. I need to do more research. I suspect, though, that it is possible to recompile Slackware with the hardened bits, just like GrapefruitGirl recompiled Slackware for performance last year. I also suspect that it would be a lot of work! Regards, |
In the quest to continue on this theme, I've found a good thread on encrypting one's hard drive here. This is most useful if one already has Slackware installed.
|
Hopefully not too off-topic for this thread, but I'd like to know from users who are using encrypted HDD for their Slackware install:
What is the performance/speed impact of an encrypted installation? Is the system noticeably slower/sluggish? How is boot-up time affected? |
That's not off-topic at all. I've been wondering the same thing. :D
|
Quote:
|
Quote:
My opinion may be biased though - I don't have a choice because I absolutely need the encryption and I had expected a real slow down, so I'm more than happy with the result. |
I use an encrypted LVM for my whole system and have not noticed any slowdown at all. I play the occasional game and get reasonable framerates, and between my formerly unencrypted Slackware 12.1 install and my now-former encrypted Slackware 12.2 install I noticed no significant slowdown of the system. And of course my current encrypted Slackware64-13.0 installation seems fine as well.
Of course this is all anecdotal, but the encryption certainly has not made using my system any more frustrating at the very least. If you are concerned you can always just encrypt /home and leave the rest unencrypted -- any data that has any value shouldn't be stored in any other place in the running system IMO. |
For my systems, I make a scope-limiting assumption that physical access is already Game Over. Network-wise, I've got iptables set up so that all a scanner can tell about my computer is that there's a ethernet card.
|
Quote:
1) Is there any way to encrypt the /home directory without moving all the data and encrypting it based on the directions in README_CRYPT with cryptsetup? 2) /home has everyone's home directory (e.g., /home/drew and /home/robin). How does encryption work with multiple users? Regards, |
Quote:
2) Works flawless, once the system is started you don't notice what folders are being encrypted as it is handled transparently. If it is a desktop machine where several people will have access, the user that boots the machine is of course required to enter a passphrase (or use a keyfile etc.), else no user can access her/his home folders. LUKS offers several key slots so that at least some users (seven, nine? I don't remember) could use their distinct passphrases or keyfiles. |
Quote:
Exellent guide by alienbob i used the luks/lwm setup. doesnt feel slower,boot-up time to enter password +10 sec. |
All times are GMT -5. The time now is 11:07 PM. |