SlackwareThis Forum is for the discussion of Slackware Linux.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
On the average setup maybe you're right. I personally don't rely on the stock software on my router. I use OpenWRT. I also have no teen resetting my router. I'm the only one with physical access, actually the only user of the connection. I don't think I'm too careless. When I download unknown software I use an online a/v scanner. On Windows I try program's in a sandbox and on a RAMDISK, if it's not too big, before I might install them for real. And of course my systems are always up to date.
On a server it gets another story naturally.
I'd be more concerned about, for example, the Chrome browser, than any third-party software the Chrome browser was downloading. Security is not what it was ten years ago - keeping the bad guys out. It's likely the bad guys are already in. Something like Tomoyo or grsecurity allows you to severely curtail what this "trusted" software is allowed to do.
PS Over the last months and years I've seen posts with open-ended questions like "How do I secure my Slackware system?". It's
made me think a single Hardening Slackware thread where slackers share security/hardening tips would be a good resource. This
post could kick it off.
Tips could be most anything security-related ranging from mitigation to ways of shrinking attack surfaces to safe configurations
of critical services, etc. Care would be given to ensuring technical accuracy.
A practical knowledge-based thread would be a welcome change of pace on LQ-Slackware which lately seems monopolized by
a small cast of characters intent on poisoning the well by repeatedly calling people stupid/ignorant and calling Slackware
antiquated/inadequate.
Thoughts?
This thread will get a lot of noise inbetween the signal. You could start a Wiki page like http://wiki.linuxquestions.org/wiki/Slackware-Links and copy the important/informative/instructive texts from this thread into the Wiki page. Then you can edit the first post in this thread to contain the link to that Wiki.
Note: this should also be done on Slackware64 so 32-bit executables run in IA-32 emulation mode get properly randomized.
If I am not running a multilib system would I still need this?
Also I haven't done anything else to "harden" my "slackware- -current" install. I mostly trust the firewalls I am behind. I also think I am smart enough ( hopefully) not to fall pray to fishing attacks.
What would you suggest the next thing I should do? ...
I like the idea of the thread as well, but like Alienbob said, the noise seems to have started already...
I think my post is a start in the positive direction, that is, adding on a software firewall (and the other things I mentioned) is a step up from just using a NAT router. However, I agree with allend. I think one needs to continually revisit and revise the security protocols that are in place as you learn.
I really appreciate the comments from the professional IT people here at LQ.
The difference here is that Ivandi, as ever on his high horse, is imposing his view as a default for Slackware. None of the other projects you list is a default.
Where does he say this should be default? He states that there should be a project started, not a petition, not a plea for inclusion into Slackware, just a project. To me, that sounds like exactly what he has with PAM. A project that contains this stuff, so if someone is interested in doing it, they have a decent starting point instead of starting from scratch.
I understand ivandi isn't the most popular person here because of how he chooses to attack Slackware's decisions, but even if he isn't happy with the current state of Slackware, he is doing what a lot of us don't do, putting his money where his mouth is and providing a way for people to have Slackware more like the way he wants it. He has PAM available for people... people can choose to use it, or they can choose to ignore it. He is as welcome to suggest that Slackware should have PAM included just as any of us are welcome to suggest that Slackware should be left without it. Could he have more tact in proposing his suggestions? Absolutely! But it doesn't mean his voice should just be silenced because it isn't what many forum members want to hear. And it shouldn't mean that any idea he has should be attacked by forum members.
Where does he say this should be default? He states that there should be a project started, not a petition, not a plea for inclusion into Slackware, just a project. To me, that sounds like exactly what he has with PAM. A project that contains this stuff, so if someone is interested in doing it, they have a decent starting point instead of starting from scratch.
i agree that everybody has the right to express their opinion
that said, ivandi did state multiple times he's desire for PAM in Slackware by default
Where does he say this should be default? He states that there should be a project started, not a petition, not a plea for inclusion into Slackware, just a project. To me, that sounds like exactly what he has with PAM. A project that contains this stuff, so if someone is interested in doing it, they have a decent starting point instead of starting from scratch.
A project started to have one of the LSMs compiled into the kernels Pat ships? That's what I don't understand. SELinux or AppArmor is either on or off; there's no need for a project. The kernel config has either y, m or n.
The other point I made was that his proposal, while it might not matter to you, would matter to me. I don't want Slackware shipped with any of the in-kernel LSMs compiled in by default, least of all the NSA and Novell ones Ivandi proposes. S/he mocks Slackware for being the only distro to ship without any of these LSMs turned on; it doesn't seem to have occurred to Ivandi that Pat might have left them switched off so that Slackware users could choose other, out-of-kernel MAC, RBAC and/or RSBAC implementations instead, as I do with Tomoyo version 1 (version 2 is integrated into the kernel), and as other Slackware users do with grsecurity.
The idea that you need a full project just to turn on SELinux/AppArmor/Tomoyo2 in the kernel is quite laughable, and leads me to suspect Ivandi is not quite as knowledgeable as s/he likes to put on. You turn them on by doing make menuconfig with your kernel source. That's your project right there.
Last edited by Gerard Lally; 03-08-2015 at 05:02 AM.
The idea that you need a full project just to turn on SELinux/AppArmor/Tomoyo2 in the kernel is quite laughable, and leads me to suspect Ivandi is not quite as knowledgeable as s/he likes to put on. You turn them on by doing make menuconfig with your kernel source. That's your project right there.
make menuconfig is the first step in the process of evaluating the available options and selecting the one that fits best. Then provide the needed additional packages and some ready-made policies. I think this could be called a project.
Being a Slackware user implies that I have a very limited knowledge of Linux. My participation in this forum leads me to suspect that the willingness to learn and change is actively disliked here.
And on topic. I am using tomoyo2. Here is a slackbuild for the tools if someone is interested. It's easy to run it in Slackware, but no major distribution uses it.
A project? Why on earth would anybody need Slackware to start a project implementing NSA or Novell security modules? I for one appreciate Pat not compiling these by default into Slackware kernels because it allows me to patch the kernel with the out-of-kernel Tomoyo version 1 patch without first having to remove the NSA and Novell cruft. I do understand Tomoyo 1 is not as "modern" as Tomoyo 2 but I much prefer using it or grsecurity than SELinux or AppArmor, and I certainly prefer Pat's approach to yours, which sounds like arm-twisting in favour of Red Hat and/or the NSA.
My thoughts: leave Slackware users to make their own "knowledge-based" choices instead of imposing yours on everyone else. Slackware does not "ignore" all the security modules available in the Linux kernel; rather, it leaves it up to competent users to exercise their own choice whether or not to opt for in-kernel (eg., AppArmor) or out-of-kernel (Tomoyo 1, grsecurity) security.
I'd have to agree. Most desktop users won't even use these either way. Those that do are better off doing it themselves.
While fixing security issues in Slackware is a good thing, forcing unwanted security options on users is a bad thing. However, I'll be compiling my own kernel anyway.
A software firewall is strongly recommended. I don't trust my router not to be hacked. In fact I also recommend overriding the DNS settings the router gives you as it can lead to attacks.
i never was interested in security,
still i learned about /proc and i know CAP_SYSADMIN can do anything he wants using it https://grsecurity.net/ has patches to restrict /proc access (CONFIG_GRKERNSEC_PROC)
might be of worth for those who care about security more then me
(id' advise waiting if someone who actually knows about this to give hes/her opinion)
Thanks for that tip on the 'vdso=1' kernel option on Slackware 32-bit. I have confirmed and implemented.
You're welcome!
Quote:
Originally Posted by j_v
I like the idea of the thread. This would be an excellent counterpoint to the Slackware Security threads.
I thought so too but now believe it unrealistic. As long as LQ-Slackware remains plagued by snarky and obnoxious behavior from a loud minority,
having drama-free technical threads is just wishful thinking. A less interactive (therefore more troll-resistant) medium like slackdocs.org is wiser
for this kind of effort (as allend suggested).
--mancha
PS Marking "SOLVED". Moderators: please consider locking if this thread becomes yet another cesspool.
A project started to have one of the LSMs compiled into the kernels Pat ships?
Where does he say that? I think you're putting words in his mouth (post) that he never said. He is very vocal in his desire to see Slackware ship with PAM, however, I don't see any mention in this thread where he states that these modifications should be in kernels Pat ships (he only has 3 posts here, it isn't hard to look at all of them before you start throwing out untrue accusations).
A project started to have one of the LSMs compiled into the kernels Pat ships? That's what I don't understand. SELinux or AppArmor is either on or off; there's no need for a project. The kernel config has either y, m or n.
The other point I made was that his proposal, while it might not matter to you, would matter to me. I don't want Slackware shipped with any of the in-kernel LSMs compiled in by default, least of all the NSA and Novell ones Ivandi proposes. S/he mocks Slackware for being the only distro to ship without any of these LSMs turned on; it doesn't seem to have occurred to Ivandi that Pat might have left them switched off so that Slackware users could choose other, out-of-kernel MAC, RBAC and/or RSBAC implementations instead, as I do with Tomoyo version 1 (version 2 is integrated into the kernel), and as other Slackware users do with grsecurity.
The idea that you need a full project just to turn on SELinux/AppArmor/Tomoyo2 in the kernel is quite laughable, and leads me to suspect Ivandi is not quite as knowledgeable as s/he likes to put on. You turn them on by doing make menuconfig with your kernel source. That's your project right there.
I agree. I dont want most of the kind of "help" that has been proposed lately. The reason im using slackware is that its one of the few distros that trusts its users and their knowledge and their ability to take care of themselves. Just ship the software including the kernel, in its default config (and a default services off config) and let me configure it to my liking.
If i wanted something different id be using another distro. Its great the way it is, because the way it is allows you to do pretty much what ever you want to with it.
If one doesnt have the time, or technical expertise to configure it the way one likes, there are other choices available that might better suit.
While we're on the subject of hardening and ASLR, I noticed that the latest stable releases on kernel.org include a fix for 64bit that improves the degree of entropy on stack randomisation: http://git.kernel.org/cgit/linux/ker...58486ae78e8d77
Not the end of the world if you don't have them, but those who take an interest in this sort of thing may find it interesting.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.