LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Slackware
Slackware: This Forum is for the discussion of Slackware Linux.
Old 09-16-2020, 04:36 AM   #1
kukibl
Member
 
Registered: Jun 2008
Distribution: Slackware
Posts: 81

Rep: Reputation: 28
Hardened Slackware (for desktop user)


Hi guys.

Not sure if it is because of Windows and Mac OS habits or quite some time off Linux (or being mature and global concerns regarding security and privacy in general), but with the new Linux box I started research connected with making my installation more secure (so the desktop user aspect, not the server one).

Considering I did not find many Slackware articles on this topic (except a few older threads), my idea is to try to contribute and write one complete and general guide on this topic targeted at the desktop user. Considering I am not an expert on the topic, I would use resources from other distributions and this thread to gather tips and advice, as well as to write drafts for each step. The final result I would submit to Slackware docs. Considering I have max. 2 hours daily available for my "computing" time (and I cannot devote it only for this purpose), I expect to finish it in a few months. I do not want to rush, I want to do it in a quality manner and learn at the same time.

For the idea and some general structure with many improvements I would use this Debian wiki article:

https://wiki.debian.org/SetupGuides/...rsonalComputer

That one is quite biased and has a lot of individual/personal statements which I will certainly avoid, but the general structure and tips look helpful.

Besides this, I know about this one (which gets regularly updated):

https://github.com/pyllyukko/harden.sh

Also, Arch and Gentoo wiki pages:

https://wiki.archlinux.org/index.php/Security

https://wiki.gentoo.org/wiki/Security_Handbook

Basically, I would gather the info, test it and apply it on my Slackware installation and then write instructions with an explanation for each point.

Hopefully, this evening I will outline the topics I plan to cover and I would use this thread for consulting purposes.

All criticism, opinions, tips and proposals are more than welcome.
 
Old 09-16-2020, 02:38 PM   #2
business_kid
LQ Guru
 
Registered: Jan 2006
Location: Ireland
Distribution: Slackware, Pi OS & Android
Posts: 11,782

Rep: Reputation: 1387
Windows & MacOS are worse. Linux is hackable from the server pov but people don't expect it in a desktop pc.

Basic hygiene is to close all ports, don't run servers, don't surf dodgy sites, don't be sloppy, (e.g. allow sudo) use TOR.


I gather you want a hardened distro. To do that involves huge reading. When I had a hardened system, linux was vulnerable to buffer overflows on some servers. Now there's Position Independent Code, all hard coded addresses are gone, there's 'canaries' on top of buffers to catch overflows, and the kernel & gcc have come on loads, with stack protection & the works. You have to find out how linux is being hacked now, find or write patches, and harden that way. Analysing what the Russians are up to might help. But that's a moving target, if my experience is anything to go by. Oh, you also need to get out of X and disable all javascript, php, and any other buggy stuff you run. And as soon as the kernel or gcc fixes stuff, update. Just one guy will be on that 24 hours a day. Because as soon as 1 loophole is plugged, another pops up, like 'whack-a-mole.'

Get on the security list here. I think there's a hardened Gentoo, & BSD. You might try them.
 
1 members found this post helpful.
Old 09-16-2020, 02:41 PM   #3
mralk3
Senior Member
 
Registered: May 2015
Location: Utah, USA
Distribution: Slackware, OpenBSD
Posts: 1,439

Rep: Reputation: 806
This should help: https://www.linuxquestions.org/quest...ms-4175550198/

Learn apparmor, since it is much easier to install and configure on Slackware than SELinux. Feel free to use/contribute profiles here: https://gitlab.com/mralk3/apparmor-profiles-slackware

Recompile your kernel with CONFIG_CC_STACKPROTECTOR_STRONG=y

Use compile-time flags to harden your third party software and possibly rebuild stock Slackware packages with similar flags.

Cherry pick just what you need out of harden.sh. Not all of the features apply to 14.2.

Oh and you can use/improve existing documentation here: https://docs.slackware.com/howtos:security:start

Last edited by mralk3; 09-16-2020 at 02:42 PM.
 
4 members found this post helpful.
Old 09-16-2020, 04:40 PM   #4
kukibl
Member
 
Registered: Jun 2008
Distribution: Slackware
Posts: 81

Original Poster
Rep: Reputation: 28
@business_kid

The term "hardened" was maybe over the top here. I would like to cover tips and HOWTOs connected with the general security of people using Slackware on the desktop. Basically, to write a single article with one complete overview of things a user could apply on his desktop system security-wise. Probably there is a misunderstanding, so I would like to make it clear from my side. Besides, I do not have an educational background nor the real motivation to educate myself to become a Linux (or any other) security expert.

@mralk3

Thank you for the tips and links, I really appreciate it. I will check your thread, and AppArmor was actually on my to-do list (considering it is available at SBo). A very rough outline of my plan:

- storage encryption (basically this is already covered with great README_CRYPT.TXT, but would like to link it because I think that lots of new users are not aware of this and similar documents)
- keeping system up-to-date (so Changelog following, slackpkg upgrading and slackware-security announcements)
- user management (tweaks, sudo/su, root account locking etc.)
- kernel configuration tips and kernel parameters tweaking (sysctl)
- sandboxing
- firewall (iptables/nftables)
- service management
- password tips
- bootloader password lock
- rootkit scanners (chkrootkit, rkhunter...)
- checksum verification
- Tor
- Firefox add-ons and security tweaking
- (for now).
 
Old 09-16-2020, 05:06 PM   #5
mralk3
Senior Member
 
Registered: May 2015
Location: Utah, USA
Distribution: Slackware, OpenBSD
Posts: 1,439

Rep: Reputation: 806
I forgot to mention EFF directions for the paranoid.

https://www.eff.org/issues/security

and the IT policies used by the Linux foundation:

https://github.com/lfit/itpol

specifically: workstation-security and team comms
 
2 members found this post helpful.
Old 09-16-2020, 06:15 PM   #6
Aeterna
Member
 
Registered: Aug 2017
Location: Terra Mater
Distribution: VM Host: Slackware-current, VM Guests: Artix, Venom, antiX, Gentoo, FreeBSD, OpenBSD, OpenIndiana
Posts: 352

Rep: Reputation: Disabled
Listed options are not for desktop user really:

Questions (aside from securing network):
Is your computer located at home exclusively, or is it truly mobile?
If at home only (and this is a multiuser workstation): do you consider your parents, spouse, brother/sister, children hostile?
If at work: are you authorized to make these changes?
Finally: do potential users truly understand the consequences of some of the settings listed?

E.g. A lot of users have Display Manager installed.
if you set in a secure /etc/fstab:
Quote:
proc /proc proc nosuid,nodev,noexec,hidepid=2,gid=wheel 0 0
(meaning that in addition to root, only wheel group can read proc)
you will not be able to shutdown/restart the OS from the DE (e.g. the xfce logout menu will show only the logout and switch user options). You will have to switch to ttyX and log in as a user (who is in the wheel group) to shutdown/restart the OS. A user who belongs to the wheel group will also not be able to restart/shut down X from the DM menu.

Unless you are not using a Display Manager and start X from the command line.


Another example: if you disable namespaces, Firejail (if you are using it) will not work.


I am all for security, but it should be properly explained what will actually happen after some of the changes.

Also take a look at https://splitlinux.org/ and https://www.qubes-os.org/

anyway, good luck

Last edited by Aeterna; 09-16-2020 at 07:36 PM.
 
1 members found this post helpful.
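The fstab scenario Aeterna describes (hidepid=2 with gid=wheel on /proc) is worth previewing before it goes live. The following POSIX shell script is an added example, not code from the thread or from any of the posters: it parses constructed sample /etc/fstab and /etc/group text (the user names alice and bob are made up) and reports, per user, whether /proc visibility stays unrestricted, so you can see in advance which accounts will lose the process visibility that the desktop environment's shutdown/restart entries depend on.

```shell
#!/bin/sh
# Added example (not from the thread): preview who keeps unrestricted /proc
# visibility under a given hidepid=/gid= setting before editing /etc/fstab.
# All input below is constructed sample data; once you trust the logic you can
# run it against the real files with:
#   proc_visibility "$USER" "$(cat /etc/fstab)" "$(cat /etc/group)"

# Constructed /etc/fstab text; the /proc line is the one quoted in the thread.
SAMPLE_FSTAB='/dev/sda2 / ext4 defaults 1 1
proc /proc proc nosuid,nodev,noexec,hidepid=2,gid=wheel 0 0
tmpfs /tmp tmpfs defaults 0 0'

# Constructed /etc/group text: alice is in wheel, bob is not.
SAMPLE_GROUP='root:x:0:
wheel:x:10:root,alice
users:x:100:alice,bob'

# proc_option NAME FSTAB_TEXT: print the value of NAME= from the /proc mount
# options, or nothing if that option (or the /proc line) is absent.
proc_option() {
  printf '%s\n' "$2" | awk -v name="$1" '
    $2 == "/proc" {
      n = split($4, opts, ",")
      for (i = 1; i <= n; i++)
        if (index(opts[i], name "=") == 1) { print substr(opts[i], length(name) + 2); exit }
      exit
    }'
}

# in_group GROUP USER GROUP_TEXT: print yes if USER is listed as a member of GROUP, else no.
in_group() {
  printf '%s\n' "$3" | awk -F: -v g="$1" -v u="$2" '
    BEGIN { found = "no" }
    $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = "yes" }
    END { print found }'
}

# proc_visibility USER FSTAB_TEXT GROUP_TEXT: "all" if USER can still see every
# process under these options, "restricted" if hidepid will hide other users'
# processes from them (hidepid=1 hides the details, hidepid=2 hides the entries).
proc_visibility() {
  hidepid=$(proc_option hidepid "$2")
  gid=$(proc_option gid "$2")
  case "$hidepid" in
    ""|0|off) echo all; return ;;   # hidepid unset or disabled: nothing changes
  esac
  if [ "$1" = root ]; then
    echo all          # root is never restricted by hidepid
    return
  fi
  if [ -n "$gid" ] && [ "$(in_group "$gid" "$1" "$3")" = yes ]; then
    echo all          # member of the gid= group keeps full visibility
  else
    echo restricted   # everyone else loses sight of other users' processes
  fi
}

# Report for the sample users; bob is the one whose DM shutdown entries would vanish.
for u in root alice bob; do
  echo "$u: $(proc_visibility "$u" "$SAMPLE_FSTAB" "$SAMPLE_GROUP")"
done
```

The point of the check is the one Aeterna makes: the change is not wrong, but every account that is not in the gid= group (bob here) will be affected, and on a multiuser desktop that is the list of people who need to be told beforehand.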
Old 09-16-2020, 10:49 PM   #7
rkelsen
Senior Member
 
Registered: Sep 2004
Distribution: slackware
Posts: 2,596

Rep: Reputation: 847
Quote:
Originally Posted by Aeterna
I am all for security, but it should be properly explained what will actually happen after some of the changes.
This.

And: Most ISP provided modems/routers come with sane default settings these days. That's really the most important piece of the puzzle here. The attached computers/devices and their security measures (or lack thereof) then become basically irrelevant.

The ISPs set them this way because they don't want you to run services from your home, but that has the consequence of making your home network significantly more secure.
 
Old 09-17-2020, 12:24 AM   #8
kukibl
Member
 
Registered: Jun 2008
Distribution: Slackware
Posts: 81

Original Poster
Rep: Reputation: 28
@Aeterna & @rkelsen

Thank you for the remarks both.

So you think that all of this is overkill for a desktop user (at home or mobile)? Can you write some pointers on the security-related modifications someone at home should apply, or do the defaults (on Slackware in particular) already provide sane and secure defaults?
 
Old 09-17-2020, 02:38 AM   #9
rkelsen
Senior Member
 
Registered: Sep 2004
Distribution: slackware
Posts: 2,596

Rep: Reputation: 847
Quote:
Originally Posted by kukibl
Can you write some pointers on the security-related modifications someone at home should apply, or do the defaults (on Slackware in particular) already provide sane and secure defaults?
No, because there is no "one size fits all" solution.

Further to Aeterna's point: It's no good having the most secure machine if it doesn't do what you want it to do.

As to Slackware's defaults: They work for me, but all of my machines are behind hardware firewalls and I don't click on random links in emails...
 
Old 09-17-2020, 06:59 AM   #10
Ellendhel
Member
 
Registered: Aug 2015
Location: Arlington, VA
Distribution: Slackware
Posts: 64

Rep: Reputation: 48
I will reiterate what I have mentioned in the previous thread: you can start by looking at the "Distribution Independent Linux" benchmark from the Center for Internet Security. It is free, you only need some kind of email registration to receive the link to download the document.

It's a long document (500+ pages) and it's used for both desktop and server systems (profiles are listed "Level 1 - Server", "Level 2 - Server", "Level 1 - Workstation", "Level 2 - Workstation") and it should be easy to navigate. Details are provided on the "why and how" for each configuration item.

If you like some help and review for your security guide later on, feel free to reach out.
 
1 members found this post helpful.
Old 09-17-2020, 12:04 PM   #11
keithpeter
Member
 
Registered: Nov 2015
Location: 52:30N 1:55W
Distribution: Slackware 14.2 and Current
Posts: 157

Rep: Reputation: Disabled
Quote:
Originally Posted by Ellendhel
[...]
It's a long document (500+ pages) and it's used for both desktop and server systems (profiles are listed "Level 1 - Server", "Level 2 - Server", "Level 1 - Workstation", "Level 2 - Workstation") and it should be easy to navigate. Details are provided on the "why and how" for each configuration item.
Looks to be very comprehensive, thanks for link.

I'm wondering why this organisation demands that people run a Web browser with Javascript enabled in order to download, and why each stage of the 3 stage process requires the client to accept cookies of cross-site nature.

Why not a simple un-tracked download link?

Remember that any retention of my personal information or any attempt to use my contact details is illegal (as in criminal law) in the jurisdiction I reside in. Why collect information you can't use?

All this is OT for Slackware of course, just the general randomness one has come to expect.

Last edited by keithpeter; 09-17-2020 at 12:17 PM. Reason: clarification
 
Old 09-17-2020, 01:21 PM   #12
mralk3
Senior Member
 
Registered: May 2015
Location: Utah, USA
Distribution: Slackware, OpenBSD
Posts: 1,439

Rep: Reputation: 806
Typically I consider my laptop (which I treat like a desktop workstation) secure when I have an encrypted hard disk (if I am mobile), a firewall in place, a password manager set up for all my accounts, SSH public key authentication for all remote hosts I control, a gpg key for encrypted email configured, and regular external backups by rsync. It goes without saying, a fully patched system and kernel. I also run Firefox and Chromium (from alien) in an lxc container. I rent an account from Google to integrate my Google Apps account with my laptop, and this covers a lot of my check list. List items include secure email, secure chat, and integration into my Google Pixel phone.

I understand that many people despise Google due to information gathering and privacy. I have always been a fan of Google and I've had my Google Apps account since it was a beta testing account years ago. It gets the job done for me with little hassle, cost, and a lot of convenience.

Apparmor is a recent addition to my Slackware installations, mainly to secure internet facing services and applications further. You see, processes in lxc containers are also contained by apparmor profiles on the host.

I do not consider any of my security requirements as extravagant or inconvenient. just my and YMMV.
 
3 members found this post helpful.
Old 09-17-2020, 04:11 PM   #13
kukibl
Member
 
Registered: Jun 2008
Distribution: Slackware
Posts: 81

Original Poster
Rep: Reputation: 28

Quote:
Originally Posted by Ellendhel
I will reiterate what I have mentioned in the previous thread: you can start by looking at the "Distribution Independent Linux" benchmark from the Center for Internet Security. It is free, you only need some kind of email registration to receive the link to download the document.

It's a long document (500+ pages) and it's used for both desktop and server systems (profiles are listed "Level 1 - Server", "Level 2 - Server", "Level 1 - Workstation", "Level 2 - Workstation") and it should be easy to navigate. Details are provided on the "why and how" for each configuration item.

If you like some help and review for your security guide later on, feel free to reach out.
Wow! Top stuff, thank you very much for this.
 
Old 09-17-2020, 05:25 PM   #14
drgibbon
Member
 
Registered: Nov 2014
Distribution: Slackware64 -current
Posts: 768

Rep: Reputation: 516
Here's my take on a few items from your list:

- storage encryption
The README_CRYPT.TXT seems to be enough, although you might like to increase encryption strength from the default settings, e.g., increase iterations, but you'll pay a price for that in terms of unlock speed, so it depends what you want (Arch has nice docs on it). Also the next release of GRUB should have support for unlocking LUKS2 devices, so in theory it should be possible to lock the whole thing (including /boot).

- keeping system up-to-date
Follow the security mailing list or the RSS feeds. `slackpkg update && slackpkg install-new && slackpkg upgrade-all && slackpkg clean-system` should be enough (with clean-system being optional, depending on your blacklist and installed packages).

- user management (tweaks, sudo/su, root account locking etc.)
Nothing special here for me (single user system), but you can use sudo to restrict user access to certain commands as superuser through a Cmnd_Alias (using visudo).

- kernel configuration tips and kernel parameters tweaking (sysctl)
Not really necessary IMO.

- sandboxing
Anything that uses kernel namespaces to isolate processes. Firejail is the one I know/use.

- firewall (iptables/nftables)
I used Alien's generator. Apparently quite old, but still works fine.

- password tips
Use a password manager. I go with pass, there's also KeePass, etc. For online accounts use 2nd factor authentication when you can, a YubiKey can be a really nice option. There's also a nice software authenticator called Aegis that's available on F-Droid.

- Tor
Good to use yes, worth sandboxing it too. You might also like to take a look at I2P (unlike Tor, it's suitable for torrents and other applications).

- Firefox add-ons and security tweaking
I'd go with at least uBlock Origin, uMatrix (I use it in permissive mode so it only blocks known crud), HTTPS Everywhere, and something to give you control over cookies/data storage (like Cookie AutoDelete).
 
4 members found this post helpful.
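drgibbon's Cmnd_Alias suggestion can be made concrete. The fragment below is an added example written for this thread, not drgibbon's own configuration: it assumes a hypothetical user alice and Slackware's stock paths /usr/sbin/slackpkg and /sbin/shutdown, and grants her only the package-update commands from post #14 plus a clean shutdown/reboot, as root, with no other sudo access.

```sudoers
# Added example, not from the thread. "alice" is a hypothetical user; adapt names
# and paths to your own system. Edit only through visudo, which syntax-checks the
# file before it replaces the live one.

# The package-maintenance commands from post #14, grouped under one alias.
# Arguments are matched literally, so "sudo slackpkg install foo" is NOT covered.
Cmnd_Alias SLACKPKG = /usr/sbin/slackpkg update, \
                      /usr/sbin/slackpkg install-new, \
                      /usr/sbin/slackpkg upgrade-all, \
                      /usr/sbin/slackpkg clean-system

# Power management only: halt or reboot now, nothing else.
Cmnd_Alias POWER = /sbin/shutdown -h now, /sbin/shutdown -r now

# alice may run exactly these aliases as root and is still asked for her own
# password. Everything else stays root-only; no shell, no NOPASSWD.
alice ALL = (root) SLACKPKG, POWER
```

After saving, `sudo -l -U alice` lists exactly what she is allowed to run, which is the quickest way to confirm that nothing broader (such as ALL) slipped in from another rule further down the file.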
Old 09-17-2020, 05:31 PM   #15
drgibbon
Member
 
Registered: Nov 2014
Distribution: Slackware64 -current
Posts: 768

Rep: Reputation: 516
Quote:
Originally Posted by rkelsen
Most ISP provided modems/routers come with sane default settings these days. That's really the most important piece of the puzzle here. The attached computers/devices and their security measures (or lack thereof) then become basically irrelevant.
Each to their own, but I don't think this is true at all. If it was, you could fairly say that Windows XP is the same thing as Qubes security-wise, as long as you have a good firewall on the router.
 
3 members found this post helpful.
  

