Software projects/OS/Slackware/Advanced usage/Hardening
From Pandora Wiki
About this document
- It's a WIP. Security is a huge subject. May take monthes to have something consistent here.
- I'm not a security expert.
GNU/Linux and free software
- Slackware, as almost every Linux distribution, is not secured by default. In fact, almost no Linux distribution is shipped with an acceptable security level.
- It's up to the administrator to work it out to reach the needed security level.
- When nicely secured, the main danger will come from the administrator's lack of attention.
- Avoid weakening your network with proprietary OS, even UNIX-based:
There's people who know things about the proprietary OS that you don't know.
- It means big proprietary vendors can put one hundred backdoors in their OS. When someone finds one, they will release a patch saying "Look at how we are trusty, we patched in less than one day". Still, there's ninety-nine backdoors left for them to sell.
- Use free software.
The physical access
- This is the most critical and dangerous vulnerability. When someone can get a physical access to your devices, you're potentially screwed.
- If you intend to hire or work with someone who calls himself a security expert, ask him what is the most dangerous vulnerability. If he doesn't answer this, throw him away, and far.
The Pandora bootloader
The installed programs
- The more programs installed, the more potential weaknesses.
- To install a minimal Slackware system, a good start is to take a look at tagfiles.
- They are located in the installation packages series. Tagfile example: the "a" (base system) serie tagfile: http://ftp.slackware.pl/pub/armedslack/armedslack-13.37/slackware/a/tagfile
- Of course, updates are critical.
- See this.
- For a top-level security, you have to recompile your kernel as non-modular, only including the needed options.
- There's pros and cons about using a long-term stable or a latest kernel. I'm not able to give enlightened advices on this subject.
The password policy
- Following my advice about the physical access, don't let anybody plug any device into your machines, especially USB ones.
The security tools