I'd be more concerned about, for example, the Chrome browser, than any third-party software the Chrome browser was downloading. Security is not what it was ten years ago - keeping the bad guys out. It's likely the bad guys are already in. Something like Tomoyo or grsecurity allows you to severely curtail what this "trusted" software is allowed to do.

This thread will get a lot of noise inbetween the signal. You could start a Wiki page like http://wiki.linuxquestions.org/wiki/Slackware-Links and copy the important/informative/instructive texts from this thread into the Wiki page. Then you can edit the first post in this thread to contain the link to that Wiki.

4 members found this post helpful.

If I am not running a multilib system would I still need this?


Also I haven't done anything else to "harden" my "slackware- -current" install. I mostly trust the firewalls I am behind. I also think I am smart enough ( hopefully) not to fall pray to fishing attacks.
What would you suggest the next thing I should do? ...


I like the idea of the thread as well, but like Alienbob said, the noise seems to have started already...

I think my post is a start in the positive direction, that is, adding on a software firewall (and the other things I mentioned) is a step up from just using a NAT router. However, I agree with allend. I think one needs to continually revisit and revise the security protocols that are in place as you learn.
I really appreciate the comments from the professional IT people here at LQ.

Where does he say this should be default? He states that there should be a project started, not a petition, not a plea for inclusion into Slackware, just a project. To me, that sounds like exactly what he has with PAM. A project that contains this stuff, so if someone is interested in doing it, they have a decent starting point instead of starting from scratch.

I understand ivandi isn't the most popular person here because of how he chooses to attack Slackware's decisions, but even if he isn't happy with the current state of Slackware, he is doing what a lot of us don't do, putting his money where his mouth is and providing a way for people to have Slackware more like the way he wants it. He has PAM available for people... people can choose to use it, or they can choose to ignore it. He is as welcome to suggest that Slackware should have PAM included just as any of us are welcome to suggest that Slackware should be left without it. Could he have more tact in proposing his suggestions? Absolutely! But it doesn't mean his voice should just be silenced because it isn't what many forum members want to hear. And it shouldn't mean that any idea he has should be attacked by forum members.

1 members found this post helpful.

i agree that everybody has the right to express their opinion
that said, ivandi did state multiple times he's desire for PAM in Slackware by default

A project started to have one of the LSMs compiled into the kernels Pat ships? That's what I don't understand. SELinux or AppArmor is either on or off; there's no need for a project. The kernel config has either y, m or n.

The other point I made was that his proposal, while it might not matter to you, would matter to me. I don't want Slackware shipped with any of the in-kernel LSMs compiled in by default, least of all the NSA and Novell ones Ivandi proposes. S/he mocks Slackware for being the only distro to ship without any of these LSMs turned on; it doesn't seem to have occurred to Ivandi that Pat might have left them switched off so that Slackware users could choose other, out-of-kernel MAC, RBAC and/or RSBAC implementations instead, as I do with Tomoyo version 1 (version 2 is integrated into the kernel), and as other Slackware users do with grsecurity.

The idea that you need a full project just to turn on SELinux/AppArmor/Tomoyo2 in the kernel is quite laughable, and leads me to suspect Ivandi is not quite as knowledgeable as s/he likes to put on. You turn them on by doing make menuconfig with your kernel source. That's your project right there.

1 members found this post helpful.

make menuconfig is the first step in the process of evaluating the available options and selecting the one that fits best. Then provide the needed additional packages and some ready-made policies. I think this could be called a project.

Being a Slackware user implies that I have a very limited knowledge of Linux. My participation in this forum leads me to suspect that the willingness to learn and change is actively disliked here.

And on topic. I am using tomoyo2. Here is a slackbuild for the tools if someone is interested. It's easy to run it in Slackware, but no major distribution uses it.


Cheers

1 members found this post helpful.

I'd have to agree. Most desktop users won't even use these either way. Those that do are better off doing it themselves.

While fixing security issues in Slackware is a good thing, forcing unwanted security options on users is a bad thing. However, I'll be compiling my own kernel anyway.

A software firewall is strongly recommended. I don't trust my router not to be hacked. In fact I also recommend overriding the DNS settings the router gives you as it can lead to attacks.

1 members found this post helpful.

i never was interested in security,
still i learned about /proc and i know CAP_SYSADMIN can do anything he wants using it
https://grsecurity.net/ has patches to restrict /proc access (CONFIG_GRKERNSEC_PROC)

might be of worth for those who care about security more then me
(id' advise waiting if someone who actually knows about this to give hes/her opinion)

You're welcome!

I thought so too but now believe it unrealistic. As long as LQ-Slackware remains plagued by snarky and obnoxious behavior from a loud minority,
having drama-free technical threads is just wishful thinking. A less interactive (therefore more troll-resistant) medium like slackdocs.org is wiser
for this kind of effort (as allend suggested).

--mancha

PS Marking "SOLVED". Moderators: please consider locking if this thread becomes yet another cesspool.

5 members found this post helpful.

Where does he say that? I think you're putting words in his mouth (post) that he never said. He is very vocal in his desire to see Slackware ship with PAM, however, I don't see any mention in this thread where he states that these modifications should be in kernels Pat ships (he only has 3 posts here, it isn't hard to look at all of them before you start throwing out untrue accusations).

Project != Proposal to Pat

I agree. I dont want most of the kind of "help" that has been proposed lately. The reason im using slackware is that its one of the few distros that trusts its users and their knowledge and their ability to take care of themselves. Just ship the software including the kernel, in its default config (and a default services off config) and let me configure it to my liking.

If i wanted something different id be using another distro. Its great the way it is, because the way it is allows you to do pretty much what ever you want to with it.
If one doesnt have the time, or technical expertise to configure it the way one likes, there are other choices available that might better suit.

1 members found this post helpful.

While we're on the subject of hardening and ASLR, I noticed that the latest stable releases on kernel.org include a fix for 64bit that improves the degree of entropy on stack randomisation:
http://git.kernel.org/cgit/linux/ker...58486ae78e8d77

Not the end of the world if you don't have them, but those who take an interest in this sort of thing may find it interesting.

1 members found this post helpful.