Difference between revisions of "Software projects/OS/Slackware/Advanced usage/Hardening"
From Pandora Wiki
Latest revision as of 13:35, 6 May 2012
About this document
- It's a WIP. Security is a huge subject. It may take months to have something consistent here.
- I'm not a security expert.
GNU/Linux and free software
- Slackware, as almost every Linux distribution, is not secured by default. In fact, almost no Linux distribution is shipped with an acceptable security level.
- It's up to the administrator to work it out to reach the needed security level.
- When nicely secured, the main danger will come from the administrator's lack of attention.
- Avoid weakening your network with proprietary OS, even UNIX-based:
  - There are people who know things about the proprietary OS that you don't know.
  - It means big proprietary vendors can put one hundred backdoors in their OS. When someone finds one, they will release a patch saying "Look at how trustworthy we are, we patched it in less than one day". Still, there are ninety-nine backdoors left for them to sell.
- Use free software.
The physical access
- This is the most critical and dangerous vulnerability. When someone can get physical access to your devices, you're potentially screwed.
- If you intend to hire or work with someone who calls himself a security expert, ask him what is the most dangerous vulnerability. If he doesn't answer this, throw him away, and far.
The Pandora bootloader
The installed programs
- The more programs installed, the more potential weaknesses.
- To install a minimal Slackware system, a good start is to take a look at tagfiles.
- They are located in each package series of the installation tree. Tagfile example: the "a" (base system) series tagfile: http://ftp.slackware.pl/pub/armedslack/armedslack-13.37/slackware/a/tagfile
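A tagfile is a list of `package: TAG` lines, where the installer always installs `ADD` packages, offers `REC` and `OPT` packages, and skips `SKP` ones. The script below is an added example, not code from the wiki or from Slackware: it rewrites every `REC` and `OPT` entry to `SKP`, so that a tagfile fed to the installer yields only the mandatory packages, and then lets you review what will actually be installed. The tagfile content is a constructed sample, not the real "a" series file linked above.

```shell
#!/bin/sh
# Constructed sample in Slackware tagfile format (not the real a/tagfile).
SAMPLE_TAGFILE='# sample a/tagfile
aaa_base: ADD
bash: ADD
cpio: REC
cryptsetup: OPT
dialog: REC'

# Rewrite every REC or OPT entry to SKP on stdin. ADD and SKP lines and
# comments pass through untouched, so only mandatory packages remain selected.
minimize_tagfile() {
    sed -E 's/^([A-Za-z0-9_.+-]+):[[:space:]]*(REC|OPT)[[:space:]]*$/\1: SKP/'
}

# Count the entries on stdin that carry the given tag (ADD, REC, OPT or SKP).
count_tag() {
    awk -v tag="$1" '$1 ~ /:$/ && $2 == tag { n++ } END { print n + 0 }'
}

# Print the package names on stdin that the installer will install (ADD).
list_add() {
    sed -nE 's/^([A-Za-z0-9_.+-]+):[[:space:]]*ADD[[:space:]]*$/\1/p'
}

# Show the minimized tagfile; redirect to a file to use it with the installer.
printf '%s\n' "$SAMPLE_TAGFILE" | minimize_tagfile
```

Run it against a real series tagfile with `minimize_tagfile < tagfile > tagfile.minimal`, then re-enable the few `REC`/`OPT` packages you know you need by hand; reviewing `list_add` output afterwards is the check that the resulting system is as small as intended.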
The updates
- Of course, updates are critical.
- See this.
The logs
The kernel
- For top-level security, recompile your kernel as non-modular, including only the options you need.
- There are pros and cons to using a long-term stable kernel versus the latest one. I'm not able to give enlightened advice on this subject.
The users
The groups
The password policy
The network
The devices
- Following my advice about physical access, don't let anybody plug any device into your machines, especially USB ones.
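Policy alone does not stop a plugged-in device from being enumerated. As an added example, not from the wiki, the following script uses the kernel's USB authorization interface: writing `0` to the `authorized_default` attribute of each USB root hub makes the kernel refuse to configure any newly attached device until an administrator authorizes it explicitly. The sysfs root is a parameter (assumed to default to `/sys`) so the functions can be exercised against a constructed directory tree; on a real machine run them as root with no argument.

```shell
#!/bin/sh
# Deny newly plugged USB devices on every root hub. Already attached devices
# keep working; new ones stay unconfigured until authorized by hand. Prints the
# number of root hubs that were locked.
lock_new_usb_devices() {
    sysfs="${1:-/sys}"   # assumption: standard sysfs mount point
    n=0
    for attr in "$sysfs"/bus/usb/devices/usb*/authorized_default; do
        [ -f "$attr" ] || continue
        echo 0 > "$attr"
        n=$((n + 1))
    done
    echo "$n"
}

# Report how many root hubs still accept new devices (authorized_default = 1),
# which is the check to run after locking and again after every reboot.
count_open_usb_roots() {
    sysfs="${1:-/sys}"
    n=0
    for attr in "$sysfs"/bus/usb/devices/usb*/authorized_default; do
        [ -f "$attr" ] || continue
        [ "$(cat "$attr")" = "1" ] && n=$((n + 1))
    done
    echo "$n"
}
```

The setting does not survive a reboot, so on Slackware it belongs in `/etc/rc.d/rc.local`; a trusted device can later be enabled individually by writing `1` to that device's own `authorized` attribute under `/sys/bus/usb/devices/`.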
The emails
The security tools
- chkrootkit
- rkhunter
- snort
- Nessus