Dev1 Galaxy Forum / Hardening Linux, minimal, to ultra.

Re: Hardening Linux, minimal, to ultra.

dummy@example.com (Head_on_a_Stick) — Wed, 21 Dec 2022 11:46:40 +0000

The overlayrootfs package is now available in testing/unstable:

This package adds functionality to an initramfs built by initramfs-tools. When installed and configured, the initramfs will mount an overlayfs filesystem on top of a read-only root volume.

Re: Hardening Linux, minimal, to ultra.

dummy@example.com (Head_on_a_Stick) — Tue, 20 Dec 2022 18:27:53 +0000

And there's also samhein & tripwire, which are Suggests for the lynis package in Devuan.

EDIT: debsecan is another good one.

Re: Hardening Linux, minimal, to ultra.

dummy@example.com (chris2be8) — Tue, 20 Dec 2022 17:22:48 +0000

The latest issue of Linux Magazine (called Linux Pro in some countries) has an article on Lynis, a tool to help harden Linux systems. I've not had time to read the article, but it's probably worth looking at (just put Lynis into your favourite serach engine and you should find it).

HTH

Re: Hardening Linux, minimal, to ultra.

dummy@example.com (Head_on_a_Stick) — Mon, 19 Dec 2022 18:54:47 +0000

Devarch wrote:

The script looks too complicated

That's the entire init script from Alpine's initramfs. The only bits that are needed are a few fstab lines — the mount commands in my link show what options are needed for that.

Thanks for the links, very useful.

EDIT: and in respect of Qubes and their "secure" virtualisation:

Theo de Raadt wrote:

> Virtualization seems to have a lot of security benefits.
You've been smoking something really mind altering, and I think you
should share it.
x86 virtualization is about basically placing another nearly full
kernel, full of new bugs, on top of a nasty x86 architecture which
barely has correct page protection. Then running your operating
system on the other side of this brand new pile of shit.
You are absolutely deluded, if not stupid, if you think that a
worldwide collection of software engineers who can't write operating
systems or applications without security holes, can then turn around
and suddenly write virtualization layers without security holes.
You've seen something on the shelf, and it has all sorts of pretty
colours, and you've bought it.
That's all x86 virtualization is.

https://marc.info/?l=openbsd-misc&m=119318909016582

Re: Hardening Linux, minimal, to ultra.

dummy@example.com (Devarch) — Mon, 19 Dec 2022 18:52:48 +0000

Head_on_a_Stick wrote:

Devarch wrote:
immutability
How about overlayfs? Mount the root partition read-only with a writeable overlay that is lost on reboot.
Alpine uses overlayfs to run in RAM:
https://gitlab.alpinelinux.org/alpine/m … it.in#L535

Yes, I'm using overlayfs

The script looks too complicated. There are much simplier solutions:

1. https://packages.debian.org/bullseye/bilibop uses overlayfs or aufs if aufs is in the kernel, easy to use

2. https://www.kicksecure.com/wiki/Grub-li … ng_started adds live boot entry

did not find smth similar for BSD family. They are using unionfs but I've no idea if it is useful and how to use it.

Also I do not understand the concept of "reasonably secure operating system" qubes. They are using systemd and have no immutability. All the logs, traces or malvares are persistent. Strange.

Re: Hardening Linux, minimal, to ultra.

dummy@example.com (Head_on_a_Stick) — Mon, 19 Dec 2022 16:38:35 +0000

Devarch wrote:

immutability

How about overlayfs? Mount the root partition read-only with a writeable overlay that is lost on reboot.

Alpine uses overlayfs to run in RAM:

https://gitlab.alpinelinux.org/alpine/m … it.in#L535

Re: Hardening Linux, minimal, to ultra.

dummy@example.com (andyp67) — Sun, 18 Dec 2022 22:41:19 +0000

ooh,
something new to me Cheerful Charlie.
Magic.
Reasons to be Cheerful part 3 (Ian Dury & the Blockheads.)

Re: Hardening Linux, minimal, to ultra.

dummy@example.com (Cheerful Charlie) — Sun, 18 Dec 2022 22:29:55 +0000

Using ssh etc? Install fail2ban.

Re: Hardening Linux, minimal, to ultra.

dummy@example.com (andyp67) — Sun, 18 Dec 2022 21:37:36 +0000

The modalities - cardinal, fixed, mutable.
Devarch I like your words, I need to take some time and think about them.

Re: Hardening Linux, minimal, to ultra.

dummy@example.com (Devarch) — Sun, 18 Dec 2022 20:30:36 +0000

To my mind there is no hardening without immutability. The system must be vierge after reboot.

Re: Hardening Linux, minimal, to ultra.

dummy@example.com (andyp67) — Sun, 18 Dec 2022 15:11:42 +0000

This post had nearly 500 views.
I wish Robert Shingledecker was here, he's the man.

Re: Hardening Linux, minimal, to ultra.

dummy@example.com (andyp67) — Sun, 18 Dec 2022 14:51:39 +0000

I minimal installed daedalus netinstall unstarred standard system utilities.
Installed wireless and net-tools for ifconfig hw ether MAC.
Network up and install bzip2 rsync cpufrequtils man-db gdisk dosfstools mtools iptables debfoster psmisc usbutils locate discover mdetect mime-support gdbm-l10n and bsdextrautils, for hexdump.
Install refractainstaller-base and refractasnapshot-base and dpkg -P sudo.
Make a snapshot, boot snapshot and network up and install X and download xinit.
I copy /var/cache/apt/archives and xinit to ssd.
I make another snapshot, boot that and install X and xinit.
I network up and install icewm and netsurf-gtk.
I startx from user.
Here I am right now and on my display I have UXTerm and Beaver editor(copy paste password,) and Netsurf.
Anacron is not installed.
Andy!
and vi+148 /usr/share/initramfs-tools/hooks/live

Re: Hardening Linux, minimal, to ultra.

dummy@example.com (andyp67) — Sun, 18 Dec 2022 13:02:58 +0000

Super fsmithred thank you.
I will check it out asap.
Right now I'm on a telephone, my laptop is creating a snapshot, and about to make my third and last coffee of the day, I had a bottle of Greek wine yesterday evening, that's one and a half kilos.

Re: Hardening Linux, minimal, to ultra.

dummy@example.com (fsmithred) — Sun, 18 Dec 2022 12:53:25 +0000

andyp67 wrote:

Why don't I have /var/log/messages anymore,
not because I have noatime in fstab, and rsync installed.
I hope it's not a new feature.
tail -f /var/log/messages is handy.
I have a minimal console install, I'm being extremely careful, I havn't broken anything, I do that in a RefractaSS.

You might be running into this problem:
https://dev1galaxy.org/viewtopic.php?id=5096

Re: Hardening Linux, minimal, to ultra.

dummy@example.com (andyp67) — Sun, 18 Dec 2022 12:47:45 +0000

Why don't I have /var/log/messages anymore,
not because I have noatime in fstab, and rsync installed.
I hope it's not a new feature.
tail -f /var/log/messages is handy.
I have a minimal console install, I'm being extremely careful, I havn't broken anything, I do that in a RefractaSS.