The officially official Devuan Forum!

You are not logged in.

#1 2020-05-06 04:35:21

bimon
Member
Registered: 2019-09-09
Posts: 172  

Please add a hardened kernel by @anthraxx (Levente Polyak)

https://github.com/anthraxx/linux-hardened

Preferably a Libre variant without BLOBs like this:

https://web.archive.org/web/20200508081 … -hardened/

Is gentoo-hardened still more secure than Devuan when used with the same anthraxx kernel ?

Last edited by bimon (2020-05-08 08:21:44)

Offline

#2 2020-05-06 12:13:09

Head_on_a_Stick
Member
From: London
Registered: 2019-03-24
Posts: 3,125  
Website

Re: Please add a hardened kernel by @anthraxx (Levente Polyak)

That's the same kernel configuration as is used by Arch's linux-hardened package, which no longer includes firmware blobs.

You can build your own kernel with that configuration by following https://kernel-team.pages.debian.net/ke … n-official

bimon wrote:

Is gentoo-hardened still more secure than Devuan when used with the same anthraxx kernel ?

What makes you think Gentoo is more secure than Devuan? Their PaX integration is no longer officially supported now that grsecurity have moved to a paying model.


Brianna Ghey — Rest In Power

Offline

#3 2020-05-06 17:58:03

bimon
Member
Registered: 2019-09-09
Posts: 172  

Re: Please add a hardened kernel by @anthraxx (Levente Polyak)

Head_on_a_Stick wrote:

What makes you think Gentoo is more secure than Devuan? Their PaX integration is no longer officially supported now that grsecurity have moved to a paying model.

Gentoo still has a so called hardened profile though without PAX. It is most likely a set of some compiler options.

I wonder if Devuan security level is worse than Gentoo hardened profile?

Btw, is it possible to rebuild a complete workable subset (like for a mini debootstrap) of Devuan/Debian packages for i586? Only for text mode SSH session?
In Gentoo I can rebuild world for i586 (and even for i486).

If we look at https://forums.whonix.org/c/news
there is so much work is done for improving distro security, unfortunately it is based on Debian instead of Devuan.

There are so many hardening manuals for Linux, like for Windows too.
Why not having a Linux distro with default configuration similar to OpenBSD, which is the most secure by default and any custom change would be an opt out of security rather than opt in?

Last edited by bimon (2020-05-06 18:14:18)

Offline

#4 2020-05-06 18:25:05

bimon
Member
Registered: 2019-09-09
Posts: 172  

Re: Please add a hardened kernel by @anthraxx (Levente Polyak)

Another question:

I have found only a very few of distros convenient for myself:

Universal OS (e.g. for host): Devuan, OpenBSD
Guest OS (less stable, rolling): Parabola, Gentoo, GUIX

It seems for Linux based virtualization hosts  only Devuan is suitable IMHO.
But it would be better to have a backup path having one more distro to be on the safe side.
It shall be very stable not rolling, I guess Slackware Salix could be good, but it lacks a feature to verify installed files:
https://wiki.archlinux.org/index.php/Pa … and_repair

Unfortunately I do not know any other stable Linux distros except Devuan and Slackware Salix free of systemD.

Alpine seems to be less rolling than Arch/Parabola but it lacks installed files verification too.

Last edited by bimon (2020-05-06 18:33:48)

Offline

#5 2020-05-06 18:45:11

bimon
Member
Registered: 2019-09-09
Posts: 172  

Re: Please add a hardened kernel by @anthraxx (Levente Polyak)

Distros look for me like following list now:

Main OS: Devuan, OpenBSD (non Linux)
Alternative main OS: Alpine, Salix
Guest OS: ^above, Parabola, Gentoo, GUIX

All mentioned above distributions except OpenBSD and GUIX support at least OpenRC init system, and some of them provide more options for their init system. None of them forces you to use systemD without your choice.
So OpenRC is supported in: Devuan, Alpine, Salix (Slackware), Parabola and Gentoo.

Devuan, Alpine, Salix and OpenBSD have release model suitable for stability in production usage.
Parabola and Gentoo are rolling distributions without release cycles, so they provide more recent, fresh versions of the software but not always stable enough, therefore they are only good for experimenting, e.g. as VM guests.

Legacy usable OS: Debian v4-v7, RH/Centos v4-v6
Unusable shit OS: any distro nailed to systemD without a choice to replace it with something else like OpenRC or at least sysv.

Last edited by bimon (2020-05-08 04:22:33)

Offline

#6 2020-05-06 20:52:13

Head_on_a_Stick
Member
From: London
Registered: 2019-03-24
Posts: 3,125  
Website

Re: Please add a hardened kernel by @anthraxx (Levente Polyak)

bimon wrote:

Btw, is it possible to rebuild a complete workable subset (like for a mini debootstrap) of Devuan/Debian packages for i586?

I don't think so but I may be wrong.

bimon wrote:

Why not having a Linux distro with default configuration similar to OpenBSD, which is the most secure by default and any custom change would be an opt out of security rather than opt in?

Arch is similar to OpenBSD in that respect — no services are enabled automatically, unlike Devuan & Debian.

But the main problem with security in GNU/Linux is that the kernel devs just don't give a damn: https://lkml.org/lkml/2008/7/14/465

bimon wrote:

Alpine seems to be less rolling than Arch/Parabola but it lacks installed files verification too.

Alpine Linux do offer an edge branch which is rolling but their stable release schedule is about every six months. They do sign their repositories though and apk verifies the packages before installation. Alpine Linux rocks but the musl libc base might prove slightly limiting.


Brianna Ghey — Rest In Power

Offline

#7 2020-05-07 02:59:24

bimon
Member
Registered: 2019-09-09
Posts: 172  

Re: Please add a hardened kernel by @anthraxx (Levente Polyak)

Head_on_a_Stick wrote:

Alpine Linux do offer an edge branch which is rolling but their stable release schedule is about every six months.

At least Alpine keeps packages from earlier releases so that it is possible to switch config to them or manually download them if needed.

Rolling distros not keeping earlier versions of packages are hardly suitable for production usage especially on physical hosts.

On virtual host it is easier to fix rolling installation especially if using host's ZFS zvol with snapshots for a guest file system.

Head_on_a_Stick wrote:

They do sign their repositories though and apk verifies the packages before installation.

Sure Alpine package integrity is verified before installation, but after files have been installed how to verify them once again say like by

wajig integrity

in Devuan?

Head_on_a_Stick wrote:

Alpine Linux rocks but the musl libc base might prove slightly limiting.

It seems to miss binary compatibility with other distros which is not convenient but at least overcomeable by building from source.

Last edited by bimon (2020-05-07 03:03:44)

Offline

#8 2020-05-07 03:09:23

bimon
Member
Registered: 2019-09-09
Posts: 172  

Re: Please add a hardened kernel by @anthraxx (Levente Polyak)

Head_on_a_Stick wrote:

Arch is similar to OpenBSD in that respect — no services are enabled automatically, unlike Devuan & Debian.

I can easily configure services in any distro free from systemD, it is relatively non time consuming task, example (Devuan ASCII):

root@backup:/# free
              total        used        free      shared  buff/cache   available
Mem:        2002032      251196     1673404        7948       77432     1632964
Swap:             0           0           0

root@backup:/# pstree
init─┬─cron
     ├─6*[getty]
     ├─matchbox-deskto
     ├─nodm─┬─Xorg─┬─{InputThread}
     │      │      └─2*[{Xorg:disk$0}]
     │      └─nodm───x-session-manag───sakura─┬─bash
     │                                        ├─{gmain}
     │                                        └─{sakura:disk$0}
     ├─rsyslogd─┬─{in:imklog}
     │          ├─{in:imuxsock}
     │          └─{rs:main Q:Reg}
     ├─screen───sh───sleep
     ├─sshd─┬─sshd───bash───pstree
     │      └─sshd───bash───watch
     ├─udevd
     └─zed───{zed}

root@backup:/# zpool list
NAME      SIZE  ALLOC   FREE  EXPANDSZ   FRAG    CAP  DEDUP 
Backup  5.44T  5.22T   227G         -     9%    95%  1.00x 
system   57.5G  15.2G  42.3G         -     3%    26%  1.00x

But there is much more security in OpenBSD, then just minimum amount of services, if I would compare OpenBSD to Linux I would mention at least following manual config actions for Linux needed:

Kernel needs to be Libre and sometimes patches needed with many compile time and startup time options for enabling different security settings.
Need to configure AppArmor.
Settings in sysctl
/etc/ configs of services often need to be customized for better security.

Last edited by bimon (2020-05-07 11:28:06)

Offline

#9 2020-05-07 10:01:13

pcalvert
Member
Registered: 2017-05-15
Posts: 216  

Re: Please add a hardened kernel by @anthraxx (Levente Polyak)

bimon wrote:

Sure Alpine package integrity is verified before installation, but after files have been installed how to verify them once again say like by

wajig integrity

in Devuan?

You could use something like this:
https://packages.debian.org/stable/fcheck

I think the best way to use this would be to scan the system while it's offline by using a live USB Devuan, with the database also stored on an external drive.

Phil


Freespoke is a new search engine that respects user privacy and does not engage in censorship.
Another one is called Luxxle.

Offline

#10 2020-05-07 10:34:38

Head_on_a_Stick
Member
From: London
Registered: 2019-03-24
Posts: 3,125  
Website

Re: Please add a hardened kernel by @anthraxx (Levente Polyak)

bimon wrote:

Sure Alpine package integrity is verified before installation, but after files have been installed how to verify them once again say like by

wajig integrity

in Devuan?

Individual packages can be verified after installation:

apk verify $package
bimon wrote:

It seems to miss binary compatibility with other distros which is not convenient but at least overcomeable by building from source.

Have you actually tried building much software from source using a musl libc base? Most software is intended for use with GNU's bloated libc variant and so might not compile under musl without patching.

bimon wrote:

I can easily configure services in any distro free from systemD

Yes but it is irritating to have to disable services after installing packages. And it's spelled "systemd" btw, it doesn't end with a capital "d".

bimon wrote:

But there is much more security in OpenBSD

Yes indeed, unlike the Linux devs the developers of that operating system prioritise security over shiny new features.

But it's not perfect: https://madaidans-insecurities.github.io/openbsd.html

See also https://madaidans-insecurities.github.io/linux.html

bimon wrote:

Need to configure AppArmor.

AppArmor is enabled by default for Debian buster and I think Devuan's beowulf release will also follow that path.

Last edited by Head_on_a_Stick (2020-05-07 10:36:29)


Brianna Ghey — Rest In Power

Offline

#11 2020-05-07 11:00:49

bimon
Member
Registered: 2019-09-09
Posts: 172  

Re: Please add a hardened kernel by @anthraxx (Levente Polyak)

Head_on_a_Stick wrote:

Individual packages can be verified after installation:

apk verify $package

It seems that this command verifies only a package signature, but NOT checksums of the files already installed earlier? I wonder how is it possible to use such a distro in production, all serious distros like Debian apt, RH yum, Arch pacman and even Gentoo allow to verify earlier installed files.

Head_on_a_Stick wrote:

Have you actually tried building much software from source using a musl libc base? Most software is intended for use with GNU's bloated libc variant and so might not compile under musl without patching.

Good notice, I did not try to build software written in relatively low level languages like C on Alpine Linux. Though using Alpine just as a KVM hypervisor host seems workable idea to me if for some unfortunate reason sometimes we do not have our lovely Devuan for that purpose and if even Slackware/Salix stalls its development. Alpine looks being very actively developing in spite of any problems in other systemd free distros.

Last edited by bimon (2020-05-08 04:49:45)

Offline

#12 2020-05-08 09:52:50

Head_on_a_Stick
Member
From: London
Registered: 2019-03-24
Posts: 3,125  
Website

Re: Please add a hardened kernel by @anthraxx (Levente Polyak)

bimon wrote:

I wonder how is it possible to use such a distro in production

Well Alpine is very popular indeed, it's the default image for Docker. And it's fundamentally incompatible with systemd thanks to the musl libc base.


Brianna Ghey — Rest In Power

Offline

#13 2020-05-08 10:25:43

bimon
Member
Registered: 2019-09-09
Posts: 172  

Re: Please add a hardened kernel by @anthraxx (Levente Polyak)

Head_on_a_Stick wrote:
bimon wrote:

I wonder how is it possible to use such a distro in production

Well Alpine is very popular indeed, it's the default image for Docker. And it's fundamentally incompatible with systemd thanks to the musl libc base.

For a standalone usage on physical hosts without local or remote ZFS root would not it be good to have a verification of earlier installed files?

Even with a root placed to ZFS directly or to extX over zvol verification of installed files in a package manager is still very convenient as a first place to check installation integrity and see at least which config files were changed from their default state since packages installed.

Last edited by bimon (2020-05-08 10:34:41)

Offline

#14 2020-05-08 14:03:12

bimon
Member
Registered: 2019-09-09
Posts: 172  

Re: Please add a hardened kernel by @anthraxx (Levente Polyak)

I think it may be some type of a discord of another nature like following:

If we look at OpenBSD community and talk to them, we will know that they prohibit USA citizens to work on OBSD crypto at least because of USA export restrictions on cryptography, they see Linux sponsors often being controlled by USA and NSA, they recommend to NOT use Libreboot and GNU code as it may be infected by hardly visible NSA backdoors. The most obvious backdoor is systemD, btw.

I think such open source GNU backdoors are targeted at modern hardware closed source trojans, UEFI plugins and other bootkits. But then OpenBSD may include some software backdoors from GB MI5/MI6?

If we look at american Whonix they promote Linux, undocumented security patches by @anthrax and GNU software welcomed by NSA.

Of course I may be wrong, just an idea.

Also add here China (often sponsored by London) vs USA commercial collisions (if they are not just a political theater).

Last edited by bimon (2020-05-15 10:11:02)

Offline

Board footer