Difference between revisions of "Software projects/OS/Slackware/Advanced usage/Hardening"

From Pandora Wiki
(Created page with "= About this document = * It's a WIP. Security is a huge subject. May take monthes to have something consistent here. * I'm not a security expert. = GNU/Linux and free software ...")
 
 
(3 intermediate revisions by the same user not shown)
Line 5: Line 5:
 
= GNU/Linux and free software =
 
= GNU/Linux and free software =
 
* Slackware, as almost every Linux distribution, is not secured by default. In fact, almost no Linux distribution is shipped with an acceptable security level.
 
* Slackware, as almost every Linux distribution, is not secured by default. In fact, almost no Linux distribution is shipped with an acceptable security level.
* It's up to the administrator to work it out to the needed security level.
+
* It's up to the administrator to work it out to reach the needed security level.
 
* When nicely secured, the main danger will come from the administrator's lack of attention.
 
* When nicely secured, the main danger will come from the administrator's lack of attention.
 
* Avoid weakening your network with proprietary OS, even UNIX-based:
 
* Avoid weakening your network with proprietary OS, even UNIX-based:
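Review bot: the reworded bullet, "work it out to reach the needed security level", still reads awkwardly after this change. Something like "It's up to the administrator to raise it to the needed security level" says the same thing more directly.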
Line 15: Line 15:
 
* This is the most critical and dangerous vulnerability. When someone can get a physical access to your devices, you're potentially screwed.
 
* This is the most critical and dangerous vulnerability. When someone can get a physical access to your devices, you're potentially screwed.
 
* If you intend to hire or work with someone who calls himself a security expert, ask him what is the most dangerous vulnerability. If he doesn't answer this, throw him away, and far.
 
* If you intend to hire or work with someone who calls himself a security expert, ask him what is the most dangerous vulnerability. If he doesn't answer this, throw him away, and far.
 +
 +
= The Pandora bootloader =
  
 
= The installed programs =
 
= The installed programs =
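Review bot: the added "= The Pandora bootloader =" heading has no body, so it renders as an empty section directly under the physical-access bullets. Add at least one bullet, or mark the section as a stub so readers can tell it is unfinished.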
Line 42: Line 44:
 
* Following my advice about the physical access, don't let anybody plug any device into your machines, especially USB ones.
 
* Following my advice about the physical access, don't let anybody plug any device into your machines, especially USB ones.
 
*
 
*
 +
 +
= The emails =
 +
 +
= The security tools =
 +
* chkrootkit
 +
* rkhunter
 +
* snort
 +
* Nessus
 +
 +
 +
[[Category:Network]]
 +
[[Category:Security]]
 +
[[Category:Slackware]]
 +
[[Category:Software]]
 +
[[Category:System]]
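Review bot: the new "= The security tools =" list gives four bare names (chkrootkit, rkhunter, snort, Nessus) with no word on what each one is for, and "= The emails =" is added with no body at all. A one-line description per tool and a stub marker on the empty section would make this usable; the empty "*" bullet kept just above the new headings also looks like a leftover.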

Latest revision as of 13:35, 6 May 2012

About this document

  • It's a WIP. Security is a huge subject. It may take months to have something consistent here.
  • I'm not a security expert.

GNU/Linux and free software

  • Slackware, like almost every Linux distribution, is not secured by default. In fact, almost no Linux distribution ships with an acceptable security level.
  • It's up to the administrator to bring it up to the needed security level.
  • When nicely secured, the main danger will come from the administrator's lack of attention.
  • Avoid weakening your network with proprietary OSes, even UNIX-based ones:
      • There are people who know things about the proprietary OS that you don't know.
  • It means big proprietary vendors can put one hundred backdoors in their OS. When someone finds one, they will release a patch saying "Look at how trustworthy we are, we patched in less than one day". Still, there are ninety-nine backdoors left for them to sell.
  • Use free software.

The physical access

  • This is the most critical and dangerous vulnerability. When someone can get physical access to your devices, you're potentially screwed.
  • If you intend to hire or work with someone who calls himself a security expert, ask him what the most dangerous vulnerability is. If he doesn't answer this, throw him away, and far.

The Pandora bootloader

The installed programs

The updates

  • Of course, updates are critical.
  • See this.

The logs

The kernel

  • For top-level security, you have to recompile your kernel as non-modular, only including the needed options.
  • There are pros and cons about using a long-term stable or a latest kernel. I'm not able to give enlightened advice on this subject.
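
One way to check the non-modular point above, as an added example that is not part of the original page: a shell function that reads a kernel `.config` on stdin and reports whether it describes a non-modular kernel. The function names and the two sample configs are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original page. Reads a kernel .config on stdin.

# Print every option built as a loadable module (=m), one per line.
list_module_options() {
    grep '^CONFIG_[A-Za-z0-9_]*=m$' | cut -d= -f1 || true
}

# Print a one-line verdict; return 0 only for a non-modular config.
audit_kernel_config() {
    cfg=$(cat)
    count=$(printf '%s\n' "$cfg" | list_module_options | wc -l | tr -d ' ')
    if printf '%s\n' "$cfg" | grep -q '^CONFIG_MODULES=y$'; then
        echo "MODULAR: module loading enabled, $count option(s) built as modules"
        return 1
    fi
    if [ "$count" -gt 0 ]; then
        # Should not survive a config pass, but worth flagging in a hand-edited file.
        echo "INCONSISTENT: CONFIG_MODULES is off but $count option(s) are set to =m"
        return 1
    fi
    echo "NON-MODULAR: CONFIG_MODULES is not set, nothing is built as a module"
}

# Constructed sample configs (not taken from any real kernel build).
MODULAR_SAMPLE='CONFIG_MODULES=y
CONFIG_MODULE_UNLOAD=y
CONFIG_EXT4_FS=y
CONFIG_USB_STORAGE=m
CONFIG_BT=m'

STATIC_SAMPLE='# CONFIG_MODULES is not set
CONFIG_EXT4_FS=y
# CONFIG_USB_STORAGE is not set
# CONFIG_BT is not set'

printf '%s\n' "$MODULAR_SAMPLE" | audit_kernel_config || true
printf '%s\n' "$MODULAR_SAMPLE" | list_module_options
printf '%s\n' "$STATIC_SAMPLE" | audit_kernel_config
```

On a real system, feed it the `.config` of the kernel you built, for example `audit_kernel_config < .config` from the top of the kernel source tree.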

The users

The groups

The password policy

The network

The devices

  • Following my advice about physical access, don't let anybody plug any device into your machines, especially USB ones.

The emails

The security tools

  • chkrootkit
  • rkhunter
  • snort
  • Nessus