SlackwareThis Forum is for the discussion of Slackware Linux.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Not sure is it because of Windows and Mac OS habits or the quite some time off Linux (or being mature and global concerns regarding security and privacy in general), but with the new Linux box I started research connected with making my installation more secure (so desktop user aspect, not the server one).
Considering I did not find many Slackware articles on this topic (except few older threads), my idea is to try to contribute and write one complete and general guide on this topic targeted at desktop user. Considering I am not expert on the topic, I would use resources from other distributions and this thread to gather tips and advice, as well to write drafts for each step. The final result I would submit to Slackware docs. Considering I have max. 2 hours daily available for my "computing" time (and I cannot devote it only for this purpose), I expect to finish it in a few months. I do not want to rush, want to do it in quality manner and learn at the same time.
For the idea and some general structure with many improvements I would use this Debian wiki article:
Windows & MacOS are worse. Linux is hackable from the server pov but people don't expect it in a desktop pc.
Basic hygiene is to close all ports, don't run servers, don't surf dodgy sites, don't be sloppy, (e.g. allow sudo) use TOR.
I gather you want a hardened distro. To do that involves huge reading. When I had a hardened system, linux was vulnerable to buffer overflows on some servers. Now there's Position Independent Code, all hard coded addresses are gone, there's 'canaries' on top of buffers to catch overflows, and the kernel & gcc have come on loads, with stack protection & the works. You have to find out how linux is being hacked now, find or write patches, and harden that way. Analysing what the Russians are up to might help. But that's a moving target, if my experience is anything to go by. Oh, you also need to get out of X and disable all javascript, php, and any other buggy stuff you run. And as soon as the kernel or gcc fixes stuff, update. Just one guy will be on that 24 hours a day. Because as soon as 1 loophole is plugged, another pops up, like 'whack-a-mole.'
Get on the security list here. I think there's a hardened Gentoo, & BSD. You might try them.
The term "hardened" was maybe over the top here. I would like to cover tips and HOWTO's connected with general security of people using Slackware on the desktop. Basically, to write a single article with one complete overview of things a user could apply on his desktop system security-wise. Probably there is misunderstanding, so would like to make it clear from my side. Besides, I do not have educational background nor the real motivation to educate myself to become Linux (or any other) security expert.
@mralk3
Thank you for the tips and links, I really appreciate it. I will check your thread and AppArmor was actually on my todo list (considering it is available at SBo). A very rough outline of my plan:
- storage encryption (basically this is already covered with great README_CRYPT.TXT, but would like to link it because I think that lots of new users are not aware of this and similar documents)
- keeping system up-to-date (so Changelog following, slackpkg upgrading and slackware-security announcements)
- user management (tweaks, sudo/su, root account locking etc.)
- kernel configuration tips and kernel parameters tweaking (sysctl)
- sandboxing
- firewall (iptables/nftables)
- service management
- password tips
- bootloader password lock
- rootkit scanners (chrootkit, rkhunter...)
- checksum verification
- Tor
- Firefox add-ons and security tweaking
- (for now).
Distribution: VM Host: Slackware-current, VM Guests: Artix, Venom, antiX, Gentoo, FreeBSD, OpenBSD, OpenIndiana
Posts: 1,008
Rep:
Listed options are not for desktop user really:
Questions (aside from securing network):
Is your computer located at home exclusively or this is true mobile?
If at home only (and this is multiuser workstation): do you consider your parents, spouse, brother/sister, children hostile?
If at work: are you authorized to make these changes?
Finally: do potential user truly understand the consequences of some of the settings listed?
E.g. A lot of users have Display Manager installed.
if you set in secure /etc/fstab:
(meaning that in addition to root, only wheel group can read proc)
you will not be able to shutdown/restart OS from DE (e.g. xfce logout menu will show only option to logout and switch user menu options). You will have to switch to ttyX and login as user (who is in wheel group) to shutdown/restart OS. User who belongs to wheel group also will not be able to restart/shut down X from DM menu.
Unless you are not using Display Manager and start X from command line.
Another example: if you disable namespaces, firajail (if you are using it) will not work
I am all for security, but it should be properly explained what will actually happen after some of the changes.
I am all for security, but it should be properly explained what will actually happen after some of the changes.
This.
And: Most ISP provided modems/routers come with sane default settings these days. That's really the most important piece of the puzzle here. The attached computers/devices and their security measures (or lack thereof) then become basically irrelevant.
The ISPs set them this way because they don't want you to run services from your home, but that has the consequence of making your home network significantly more secure.
So you think that all of this is overkill for desktop user (at home or mobile)? Can you write some pointers of the security related modifications someone at home should apply or the defaults (on Slackware in particular) already provide sane and secure defaults?
Can you write some pointers of the security related modifications someone at home should apply or the defaults (on Slackware in particular) already provide sane and secure defaults?
No, because there is no "one size fits all" solution.
Further to Aeterna's point: It's no good having the most secure machine if it doesn't do what you want it to do.
As to Slackware's defaults: They work for me, but all of my machines are behind hardware firewalls and I don't click on random links in emails...
I will reiterate what I have mentioned in the previous thread: you can start by looking at the "Distribution Independent Linux" benchmark from the Center for Internet Security. It is free, you only need some kind of email registration to receive the link to download the document.
It's a long document (500+ pages) and it's used for both desktop and servers systems (profiles are listed "Level 1 - Server", "Level 2 - Server", "Level 1 - Workstation", "Level 2 - Workstation") and it should be easy to navigate. Details are provided on the "why and how" for each configuration item.
If you like some help and review for your security guide later on, feel free to reach out.
[...]
It's a long document (500+ pages) and it's used for both desktop and servers systems (profiles are listed "Level 1 - Server", "Level 2 - Server", "Level 1 - Workstation", "Level 2 - Workstation") and it should be easy to navigate. Details are provided on the "why and how" for each configuration item.
Looks to be very comprehensive, thanks for link.
I'm wondering why this organisation demands that people run a Web browser with Javascript enabled in order to download, and why each stage of the 3 stage process requires the client to accept cookies of cross-site nature.
Why not a simple un-tracked download link?
Remember that any retention of my personal information or any attempt to use my contact details is illegal (as in criminal law) in the jurisdiction I reside in. Why collect information you can't use?
All this is OT for Slackware of course, just the general randomness one has come to expect.
Last edited by keithpeter; 09-17-2020 at 12:17 PM.
Reason: clarification
Typically I consider my laptop (which I treat like a desktop workstation) secure when I have an encrypted hard disk (If I am mobile), firewall in place, password manager set up for all my accounts, SSH public key authentication for all remote hosts I control, gpg key for encrypt email configured, and regular external backups by rsync. It goes without saying, fully patched system and kernel. I also run Firefox and Chromium (from alien) in an lxc container. I rent an account from Google to integrate my Google Apps account with my laptop, and this covers a lot of my check list. List items include secure email, secure chat, and integration into my Google Pixel phone.
I understand that many people despise google due to information gathering and privacy. I have always been a fan of google and I've had my Google Apps account since it was a beta testing account years ago. It gets the job done for me with little hassle, cost, and a lot of convenience.
Apparmor is a recent addition to my Slackware installations, mainly to secure internet facing services and applications further. You see, processes in lxc containers are also contained by apparmor profiles on the host.
I do not consider any of my security requirements as extravagant or inconvenient. just my and YMMV.
I will reiterate what I have mentioned in the previous thread: you can start by looking at the "Distribution Independent Linux" benchmark from the Center for Internet Security. It is free, you only need some kind of email registration to receive the link to download the document.
It's a long document (500+ pages) and it's used for both desktop and servers systems (profiles are listed "Level 1 - Server", "Level 2 - Server", "Level 1 - Workstation", "Level 2 - Workstation") and it should be easy to navigate. Details are provided on the "why and how" for each configuration item.
If you like some help and review for your security guide later on, feel free to reach out.
- storage encryption
The README_CRYPT.TXT seems to be enough, although you might like to increase encrpytion strength from the default settings, e.g., increase iterations, but you'll pay a price for that in terms of unlock speed, so it depends what you want (Arch has nice docs on it). Also the next release of GRUB should have support for unlocking LUKS2 devices, so in theory it should be possible to lock the whole thing (including /boot).
- keeping system up-to-date
Follow the security mailing list or the RSS feeds. `slackpkg update && slackpkg install-new && slackpkg upgrade-all && slackpkg clean-system` should be enough (with clean-system being optional, depending on your blacklist and installed packages).
- user management (tweaks, sudo/su, root account locking etc.)
Nothing special here for me (single user system), but you can use sudo to restrict user access to certain commands as superuser though through a Cmnd_Alias (using visudo).
- kernel configuration tips and kernel parameters tweaking (sysctl)
Not really necessary IMO.
- sandboxing
Anything that uses kernel namespaces to isolate processes. Firejail is the one I know/use.
- firewall (iptables/nftables)
I used Alien's generator. Apparently quite old, but still works fine.
- password tips
Use a password manager. I go with pass, there's also KeePass, etc. For online accounts use 2nd factor authentication when you can, a YubiKey can be a really nice option. There's also a nice software authentiactor called Aegis that's available on F-Droid.
- Tor
Good to use yes, worth sandboxing it too. You might also like to take a look at I2P (unlike Tor, it's suitable for torrents and other applications).
- Firefox add-ons and security tweaking
I'd go with at least uBlock Origin, uMatrix (I use it in permissive mode so it only blocks known crud), HTTPS Everywhere, and something to give you control over cookies/data storage (like Cookie AutoDelete).
Most ISP provided modems/routers come with sane default settings these days. That's really the most important piece of the puzzle here. The attached computers/devices and their security measures (or lack thereof) then become basically irrelevant.
Each to their own, but I don't think this is true at all. If it was, you could fairly say that Windows XP is the same thing as Qubes security-wise, as long as you have a good firewall on the router
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
and YMMV.
