Security


securitybreach

All of this is relevant to other distros besides the installation part:

Concepts

  • It is possible to tighten the security so much as to make your system unusable. The trick is to secure it without overdoing it.
  • There are many other things that can be done to heighten the security, but the biggest threat is, and will always be, the user himself. When you think security, you have to think layers. When one layer is breached, another should stop the attack. But you can never make the system 100% secure unless you unplug the machine from all networks, lock it in a safe and never use it.
  • Be a little paranoid. It helps. And be suspicious. If anything sounds too good to be true, it probably is!
  • The principle of least privilege: each part of a system should only be able to access what is required to use it, and nothing more.....

https://wiki.archlin...ex.php/Security


V.T. Eric Layton

Good stuff. That Arch Wiki is impressive as always. I sure wish our dream for the Slackware Wiki had turned out just a bit more like it. Sadly, we lack the participation that Arch enjoys. :(

 

But you can never make the system 100% secure unless you unplug the machine from all networks, lock it in a safe and never use it.

 

Even that depends on the integrity of the safe.


securitybreach

Also, lynis is a great security auditing suite:

 

Open source software provides trust by having people look into the code. Adjustments are easily made, providing you with a flexible solution for your business. But can you trust systems and software with your data? Lynis provides you this confidence and helps with auditing your systems. So you can verify yourself and trust!

 

How it works

Lynis is an open source security auditing tool. Its main goal is to audit and harden Unix and Linux based systems. It scans the system by performing many security control checks. Examples include searching for installed software and determining possible configuration flaws.

 

Many tests are part of common security guidelines and standards, with additional security tests on top. After the scan a report will be displayed with all discovered findings. To provide you with initial guidance, a link is shared to the related Lynis control.

 

Example output: [screenshot: lynis-screenshot.png]

 

http://rootkit.nl/software/lynis/


Cluttermagnet

I tried installing from Mint repositories and running. Generated report with score of 52. Not so great, I suppose...

 

It is an interesting read for sure.

 

Need to get better at setting up stuff like basic firewall, clamav, etc. I've gotten complacent.

I guess if I really knew what I was doing, I'd be running in a virtualized sandbox.

Haven't learned virtualization yet. Only so many hours in a day...


Cluttermagnet

These are the three areas with warnings for me.

I don't really know how to interpret or act on these, however...

Maybe take a look at what I've permitted in Synaptic?

 

- Searching package managers...
- Searching dpkg package manager...					 [ FOUND ]
 - Querying package manager...
- Query unpurged packages...							 [ NONE ]
- Checking security repository in sources.list file...	 [ WARNING ]
- Checking vulnerable packages (apt-get only)...		 [ DONE ]
- Checking package audit tool...						 [ NONE ]

 

- Checking configured nameservers...
- Testing nameservers...
 Nameserver: 127.0.1.1...							 [ OK ]
- Minimal of 2 responsive nameservers...				 [ WARNING ]
- Checking default gateway...							 [ DONE ]
- Getting listening ports (TCP/TCP)...					 [ DONE ]

 

[+] Kernel Hardening
------------------------------------
- Comparing sysctl key pairs with scan profile...
- kernel.core_uses_pid (exp: 1)						 [ DIFFERENT ]
- kernel.ctrl-alt-del (exp: 0)						 [ OK ]
- kernel.sysrq (exp: 0)								 [ DIFFERENT ]
- net.ipv4.conf.all.accept_redirects (exp: 0)			 [ DIFFERENT ]
- net.ipv4.conf.all.accept_source_route (exp: 0)		 [ OK ]
- net.ipv4.conf.all.bootp_relay (exp: 0)				 [ OK ]
- net.ipv4.conf.all.forwarding (exp: 0)				 [ OK ]
- net.ipv4.conf.all.log_martians (exp: 1)				 [ DIFFERENT ]
- net.ipv4.conf.all.mc_forwarding (exp: 0)			 [ OK ]
- net.ipv4.conf.all.proxy_arp (exp: 0)				 [ OK ]
- net.ipv4.conf.all.rp_filter (exp: 1)				 [ OK ]
- net.ipv4.conf.all.send_redirects (exp: 0)			 [ DIFFERENT ]
- net.ipv4.conf.default.accept_redirects (exp: 0)		 [ DIFFERENT ]
- net.ipv4.conf.default.accept_source_route (exp: 0)	 [ DIFFERENT ]
- net.ipv4.conf.default.log_martians (exp: 1)			 [ DIFFERENT ]
- net.ipv4.icmp_echo_ignore_broadcasts (exp: 1)		 [ OK ]
- net.ipv4.icmp_ignore_bogus_error_responses (exp: 1)	 [ OK ]
- net.ipv4.tcp_syncookies (exp: 1)					 [ OK ]
- net.ipv4.tcp_timestamps (exp: 0)					 [ DIFFERENT ]
- net.ipv6.conf.all.accept_redirects (exp: 0)			 [ DIFFERENT ]
- net.ipv6.conf.all.accept_source_route (exp: 0)		 [ OK ]
- net.ipv6.conf.default.accept_redirects (exp: 0)		 [ DIFFERENT ]
- net.ipv6.conf.default.accept_source_route (exp: 0)	 [ OK ]
[ Press [ENTER] to continue, or [CTRL]+C to stop ]

[+] Hardening
------------------------------------
- Installed compiler(s)...							 [ FOUND ]
- Installed malware scanner...						 [ NOT FOUND ]
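
An added example, not part of the original posts and not Lynis's own code: one way to act on the Kernel Hardening section above is to turn each `[ DIFFERENT ]` row into a sysctl setting carrying the value the scan profile expects. The function names and the drop-in file name are assumptions; the sample rows are copied from the report above with tabs replaced by spaces.

```shell
#!/bin/sh
# Turn the "[ DIFFERENT ]" rows of a Lynis "Kernel Hardening" section into
# sysctl settings. The report text is read from stdin.

# A few rows copied from the report posted above.
sample_report() {
    cat <<'EOF'
- Comparing sysctl key pairs with scan profile...
- kernel.core_uses_pid (exp: 1)                      [ DIFFERENT ]
- kernel.ctrl-alt-del (exp: 0)                       [ OK ]
- kernel.sysrq (exp: 0)                              [ DIFFERENT ]
- net.ipv4.conf.all.accept_redirects (exp: 0)        [ DIFFERENT ]
- net.ipv4.conf.all.rp_filter (exp: 1)               [ OK ]
- net.ipv4.conf.all.log_martians (exp: 1)            [ DIFFERENT ]
- net.ipv4.tcp_timestamps (exp: 0)                   [ DIFFERENT ]
EOF
}

# Print "key = expected" for every row marked DIFFERENT.
# Rows marked OK, section headers and prompts produce no output.
lynis_sysctl_fixes() {
    s='[[:space:]]*'
    sed -n "s/^$s-$s\([A-Za-z0-9_.-]\{1,\}\)$s(exp:$s\([0-9]\{1,\}\))$s\[${s}DIFFERENT$s].*\$/\1 = \2/p"
}

# Count sysctl rows with a given status ($1, e.g. DIFFERENT or OK) so the
# generated settings can be checked against the report.
lynis_status_count() {
    grep -c "(exp: [0-9]*)[[:space:]]*\[ $1 ]" || true
}

# Show the settings derived from the sample rows.
sample_report | lynis_sysctl_fixes

# To apply as root, after reviewing each line (file name is an assumption):
#   lynis_sysctl_fixes < report.txt > /etc/sysctl.d/99-lynis.conf
#   sysctl --system
```

The expected values come from the Lynis scan profile, so each line is worth reviewing before it is applied: `kernel.sysrq = 0`, for example, turns off the SysRq key combinations on that machine.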


Guest LilBambi

- Testing nameservers...

Nameserver: 127.0.1.1...

 

Wouldn't it be helpful to also have an outside-facing nameserver? Besides, isn't 127.0.1.1 an odd nameserver IP?
