Hardened Slackware?
 

Hi all,

I've been reading about Hardened Linux from Scratch, and that got me wondering what it would take to build Slackware with some (or all?) of the HLFS modifications.

Has anyone done something like that?

To broaden the question a bit, what do you all do to harden your Slackware installation? Do you use IPTables? Do you encrypt your hard drive? Please share.

Regards,

Hi

I Encrypt hard drive...

Is there a way to create a customized implementation of LUKS/AES...?

Inclusion or other symmetric encryption protocols, ncreased number of rounds in AES cypher, extended keyword length/permutation tables, different key scheduling mechanism...?


I know the code is open, but I would like ro read on the details of implementation...

This would be a real Hardened Slackware... IMHO...

BRGDS

Alex

I do all the usual low-hanging-fruit stuff: iptables, encrypted partition, use of different users/groups for different tasks, ensure daemons that are only needed locally only listen on 127.0.0.1.

I've been meaning to try grSecurity for a while now but I've not got around to it yet. To be honest, I'm not sure it would gain me all that much the way I use my box. If I wanted to run a secured server I'd probably implement it on OpenBSD rather than linux anyway.

Here's a (perhaps) useful link:
http://transamrit.net/docs/sysHarden...ening-10.2.txt

Gilbert,

That link is useful, though terse. It is, as I understand it, a different approach from HLFS, which actually compiles the system differently to harden it.

I need to do more research. I suspect, though, that it is possible to recompile Slackware with the hardened bits, just like GrapefruitGirl recompiled Slackware for performance last year. I also suspect that it would be a lot of work!

Regards,

In the quest to continue on this theme, I've found a good thread on encrypting one's hard drive here. This is most useful if one already has Slackware installed.

Hopefully not too off-topic for this thread, but I'd like to know from users who are using encrypted HDD for their Slackware install:

What is the performance/speed impact of an encrypted installation? Is the system noticeably slower/sluggish? How is boot-up time affected?

That's not off-topic at all. I've been wondering the same thing. :D

I'm using encryption for example on my Atom Netbook. First I encryptet the whole disk and installed everything in LVM (which is the only possibility to encrypt swap for suspend to disk). The system felt really slow. Then I reinstalled and encrypted only /home. Now it feels like slackware again.

In my perception the speed loss is not that huge. I have my systems encrypted but have some partitions still unencrypted. Since my system partitions are all encrypted I cannot compare to unencrypted boot time. My impression (not measured, only impression) is that it makes a noticable difference if you're acting on many or big files, but I do not notice it in everyday usage. The "smallest" machine I can say this for has a Intel Celeron M530, a SATA harddisk and 1GB of RAM.

My opinion may be biased though - I don't have a choice because I absolutely need the encryption and I had expected a real slow down, so I'm more than happy with the result.

I use an encrypted LVM for my whole system and have not noticed any slowdown at all. I play the occasional game and get reasonable framerates, and between my formerly unencrypted Slackware 12.1 install and my now-former encrypted Slackware 12.2 install I noticed no significant slowdown of the system. And of course my current encrypted Slackware64-13.0 installation seems fine as well.

Of course this is all anecdotal, but the encryption certainly has not made using my system any more frustrating at the very least. If you are concerned you can always just encrypt /home and leave the rest unencrypted -- any data that has any value shouldn't be stored in any other place in the running system IMO.

For my systems, I make a scope-limiting assumption that physical access is already Game Over. Network-wise, I've got iptables set up so that all a scanner can tell about my computer is that there's a ethernet card.

I guess I have two questions:

1) Is there any way to encrypt the /home directory without moving all the data and encrypting it based on the directions in README_CRYPT with cryptsetup?

2) /home has everyone's home directory (e.g., /home/drew and /home/robin). How does encryption work with multiple users?

Regards,

1) Not that I know of, at least not with cryptsetup-LUKS. I know that TrueCrypt does that with Windows system partitions on the fly though so it is not theoretically impossible. I don't know if truecrypt on Linux can handle this.

2) Works flawless, once the system is started you don't notice what folders are being encrypted as it is handled transparently.
If it is a desktop machine where several people will have access, the user that boots the machine is of course required to enter a passphrase (or use a keyfile etc.), else no user can access her/his home folders.
LUKS offers several key slots so that at least some users (seven, nine? I don't remember) could use their distinct passphrases or keyfiles.

http://slackware.osuosl.org/slackwar...ADME_CRYPT.TXT

Exellent guide by alienbob i used the luks/lwm setup.
doesnt feel slower,boot-up time to enter password +10 sec.