Difference between revisions of "Software projects/OS/Slackware/Advanced usage/Hardening"

From Pandora Wiki
Jump to: navigation, search
 
Line 15: Line 15:
 
* This is the most critical and dangerous vulnerability. When someone can get a physical access to your devices, you're potentially screwed.
 
* This is the most critical and dangerous vulnerability. When someone can get a physical access to your devices, you're potentially screwed.
 
* If you intend to hire or work with someone who calls himself a security expert, ask him what is the most dangerous vulnerability. If he doesn't answer this, throw him away, and far.
 
* If you intend to hire or work with someone who calls himself a security expert, ask him what is the most dangerous vulnerability. If he doesn't answer this, throw him away, and far.
 +
 +
= The Pandora bootloader =
  
 
= The installed programs =
 
= The installed programs =

Latest revision as of 13:35, 6 May 2012

About this document

  • It's a WIP. Security is a huge subject. May take monthes to have something consistent here.
  • I'm not a security expert.

GNU/Linux and free software

  • Slackware, as almost every Linux distribution, is not secured by default. In fact, almost no Linux distribution is shipped with an acceptable security level.
  • It's up to the administrator to work it out to reach the needed security level.
  • When nicely secured, the main danger will come from the administrator's lack of attention.
  • Avoid weakening your network with proprietary OS, even UNIX-based:
There's people who know things about the proprietary OS that you don't know.
  • It means big proprietary vendors can put one hundred backdoors in their OS. When someone finds one, they will release a patch saying "Look at how we are trusty, we patched in less than one day". Still, there's ninety-nine backdoors left for them to sell.
  • Use free software.

The physical access

  • This is the most critical and dangerous vulnerability. When someone can get a physical access to your devices, you're potentially screwed.
  • If you intend to hire or work with someone who calls himself a security expert, ask him what is the most dangerous vulnerability. If he doesn't answer this, throw him away, and far.

The Pandora bootloader

The installed programs

The updates

  • Of course, updates are critical.
  • See this.

The logs

The kernel

  • For a top-level security, you have to recompile your kernel as non-modular, only including the needed options.
  • There's pros and cons about using a long-term stable or a latest kernel. I'm not able to give enlightened advices on this subject.

The users

The groups

The password policy

The network

The devices

  • Following my advice about the physical access, don't let anybody plug any device into your machines, especially USB ones.

The emails

The security tools

  • chkrootkit
  • rkhunter
  • snort
  • Nessus