****
Hardening Linux, minimal, to ultra.
I propose that we can perhaps come up with top ten ideas.
My ideas.
Put a tiny bit of blue tack in the laptop webcam hole.
See what Robert Shingledecker and Barry Kauler are doing, they're second to none.
Forget systemd.
For install, do not use mains, use battery. If you need mains get a leisure battery and an inverter about double the watts of your box.
Nuke the internal storage device, fdisk/gdisk and /dev/urandom|zero is OK. I don't use it.
Boot from a flash drive with a loader created by a professor/doctor i.e., Refind.
Do your own specific firmware(s,) choose versions.
Devuan Daedalus netinstall has got ath10k in it, brings up wireless; Debian Bookworm netinstall does not.
Refracta seems to be happier with Intel i915, maybe, direct memory access or something.
Initial OS minimal install offline I don't install standard utilities.
Boot into OS, mount the install medium, dpkg -i libdbus-1-3 libpcsclite1 libnl-route-3-200 libiw30 wireless-tools wpasupplicant.
For what it's worth, README the wpa, and do the chmod.
See if you can IP masquerade in the new iw.
Build a live and go forward, first snapshot, minimal, no openssl, wget, X, etc.
IP masquerade does not work in systemd and wpa,
ifconfig wlan0 hw ether TH:IE:VI:NG:XX:XX
ifconfig wlan0 hw ether `/usr/bin/hexdump -n 6 -e '/1 "%02x"' /dev/urandom`
Install cpufrequtils and cpufreq-set -u 50% or less, or run refractasnapshot and TOAST your storage device.
Refractasnapshot-base is not working in Daedalus.
/etc/live/boot.conf
DISABLE_DM_VERITY=true
****
and/or
****
/usr/share/initramfs-tools/hooks/live
line 148 copy_exec /bin/mount bin
****
Firmware Intel i915 may make a difference.
usrmerge is a one way ticket, questionable.
The problem is BI, bone idle.
Boot the live, dpkg -i xinit, startx, where's the config in Refracta to NOT go into X.
& to be able to startx in user install xserver-xorg-legacy &
/etc/X11/Xwrapper.config
allowed_users=anybody
needs_root_rights=yes
****
Purge information thieves reconnaissance handed on a plate crap, e.g., Chimaera,
dpkg --force-all -P elogind libelogind0 libpam-elogind libpolkit-agent-1-0 libpolkit-gobject-elogind-1-0 policykit-1 policykit-1-gnome
dpkg -i libsystemd0
apt-get -f install, problems, zero.
apparmor, bootlogd, others.
Don't use synaptics, use xserver-xorg-input-libinput.
****ULTRA****
Don't use the wireless card in your laptop.
Get a hotspot Wi-Fi Router (about as big as a disposable cigarette lighter, costs about ten bucks,) & an ethernet cable & an ethernet/USB adaptor if you need, & a powerbank for the magic router.
****
Disconnect the antenna cable inside your laptop.
Use leather gloves to prevent ESD, adequate.
Get a screwdriver(s) and a plastic card, credit-card or equivalent, to get in to your laptop.
Knock off the TINY Amphenol RF connector with a BIC biro top.
Put a tiny bit of tape round the plug.
If/When you reconnect the cable, be ULTRA careful, be DEAD level when you push it home.
See what you are doing with a magnifying glass.
This will MASSIVELY reduce the range from about as long as you like to about less than one metre.
****
Put some caravan tape in your wallet to shield your bank card so the alarm does not go off when you walk IN to the supermarket.
****
Last edited by andyp67 (2022-12-16 15:49:12)
Offline
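The MAC randomisation one-liner in the post above pipes six raw /dev/urandom bytes straight into `ifconfig ... hw ether`. Two bits of the first octet matter for a station address: bit 0 (multicast) must be clear, or many drivers refuse the address, and bit 1 (locally administered) should be set so the result can never collide with a real vendor OUI. The script below is an added example, not code from the thread: it derives the address from the same entropy source, fixes those two bits, and gives a check you can run on whatever address an interface currently carries. `od` is used instead of `hexdump` only because it is POSIX and present on a minimal install; the interface name and the `ip`/`ifconfig` usage lines are illustrative assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): locally administered, unicast MAC
# from random bytes, plus a checker for the two flag bits.

# Six random bytes as twelve hex digits, same source as the thread's command
# (/dev/urandom), but via POSIX od so it works without hexdump installed.
random_hex() {
    od -An -tx1 -N6 /dev/urandom | tr -d ' \n'
}

# make_local_mac HEX12 -> prints xx:xx:xx:xx:xx:xx with the first octet
# fixed up: set 0x02 (locally administered), clear 0x01 (multicast).
# Returns 1 on malformed input instead of handing junk to the driver.
make_local_mac() {
    hex=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    case "$hex" in
        *[!0-9a-f]*|"") return 1 ;;
    esac
    [ "${#hex}" -eq 12 ] || return 1
    first=$(printf '%s' "$hex" | cut -c1-2)
    rest=$(printf '%s' "$hex" | cut -c3-12)
    first=$(printf '%02x' $(( (0x$first | 0x02) & 0xfe )))
    printf '%s\n' "$first$rest" | sed 's/../&:/g; s/:$//'
}

# is_local_unicast MAC -> 0 when the colon-separated address has the
# locally-administered bit set and the multicast bit clear.
is_local_unicast() {
    first=$(printf '%s' "$1" | cut -c1-2)
    [ $(( 0x$first & 0x03 )) -eq 2 ]
}

# Usage (root; most drivers want the link down while the address changes).
# Interface name is an assumption for illustration:
#   mac=$(make_local_mac "$(random_hex)")
#   ip link set dev wlan0 down
#   ip link set dev wlan0 address "$mac"   # or: ifconfig wlan0 hw ether "$mac"
#   ip link set dev wlan0 up
#   is_local_unicast "$(cat /sys/class/net/wlan0/address)" && echo randomised
```

The post's original command already does the job most of the time; the fix-up only matters on the runs where the first random byte happens to be odd, which is exactly the case that produces a driver error you then have to debug at the console with no network.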
For install, do not use mains, use battery.
Why?
Nuke the internal storage device, fdisk/gdisk and /dev/urandom|zero is OK.
If the drive is solid state you can use blkdiscard to clear the drive instantly, no need to wait for it to fill with zeros. Note however that neither blkdiscard nor dd can completely wipe a solid state drive because of overprovision. #securitytheatre
Boot from a flash drive with a loader created by a professor/doctor i.e., Refind.
Whilst I much admire and respect the work of Rod Smith I don't see why rEFInd should be preferred over the default bootloader. Do you have any sound technical reasons to prefer it?
EFI_STUB booting with a unified kernel image would be the best for security, especially if the kernel image is signed with a personal key. That's what I use anyway.
wpasupplicant
That program is ancient now. Try iwd instead — it's more modern and secure than wpasupplicant with fewer dependencies.
IP masquerade does not work in systemd and wpa
Yes it does: https://www.freedesktop.org/software/sy … asquerade=.
& to be able to startx in user install xserver-xorg-legacy &
/etc/X11/Xwrapper.config
allowed_users=anybody
needs_root_rights=yes
****
Running X via a setuid binary wrapper is the exact opposite of good security. Don't do that. Just use a proper login session.
Don't use synaptics, use xserver-xorg-input-libinput
Why?
Put some caravan tape in your wallet to shield your bank card so the alarm does not go off when you walk IN to the supermarket
I can get bulk supplies of tin foil really cheap if you're interested. PM me for details.
Last edited by Head_on_a_Stick (2022-12-16 16:32:05)
Brianna Ghey — Rest In Power
Offline
William Gibson.
The blood of a zaibatsu is information, not people. The structure is independent of the individual lives that comprise it. Corporation as life form.
Certainly I think it is possible to hack down the DC. Ask MSS Guoanbu & mil equiv for a one word answer.
Battery is a parameter choice.
It's the 'information economy,' tell em nowt.
Another idea, during install, after select and install software, I alt f2 and chroot /target and add to etc/fstab noatime.
Running X via a setuid binary wrapper, I do not have the amount of knowledge, I don't know if this is OK or not running in a boot=live toram.
Offline
Another idea, during install, after select and install software, I alt f2 and chroot /target and add to etc/fstab noatime.
That will break mutt and the increase in performance is so tiny as to be unmeasurable.
Running X via a setuid binary wrapper, I do not have the amount of knowledge, I don't know if this is OK or not
It's not. A huge amount of effort has been directed into removing setuid binaries because they present such a security risk. Using a setuid wrapper to avoid a correct login session will only degrade security.
Brianna Ghey — Rest In Power
Offline
Hello_Head_on_a_Stick
I hope you are well.
Let's throw them headless corpses into a skip full of petrol!
Your knowledge is great, noatime breaks mutt.
noatime is very very commonplace to ease wear on ssd's.
I use easyos 2.6.1 a lot, tons of tools, noatime in fstab,
I just ran PETget and lo and behold mutt is not in the Barry Kauler kitchen sink distro.
PETget describes mutt as, text-based mailreader supporting MIME GPG PGP and threading.
What ideas you got on the post re hardening, apart from effective sovereign control and Microsoft buying shares in LSEG!
Last edited by andyp67 (2022-12-16 18:37:28)
Offline
What ideas you got on the post re hardening
Use Wayland instead of X. If you have to use X then run it with startx from a console login to ensure the server runs under the normal user instead of under root. You will need elogind but it does improve security so it's worth it (IMO).
I use OpenBSD instead of Linux if security is a concern. That operating system is pro-active in respect of security, which is certainly not the case for the Linux kernel developers. It doesn't have bash or glibc or any of the other GNU bloatware. It's wonderful.
Last edited by Head_on_a_Stick (2022-12-16 18:41:31)
Brianna Ghey — Rest In Power
Offline
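Head_on_a_Stick's two objections above (the setuid `Xorg.wrap` with `allowed_users=anybody` and `needs_root_rights=yes`, and the point that `startx` from a console login with elogind keeps the server under the normal user) both come down to checks you can run on the box. The script below is an added example, not code from the thread or from Debian: it reads the two settings the thread quotes from an Xwrapper.config, flags the weak combination, and reports whether an Xorg process is running as root right now. The file path and the sample contents in the usage note are assumptions; the setting names and their documented values (`allowed_users` = rootonly, console or anybody; `needs_root_rights` = yes, no or auto) are the ones xserver-xorg-legacy ships.

```shell
#!/bin/sh
# Added example (not from the thread): audit Xwrapper.config and the
# running X server for the root-escalation path the thread warns about.

# xwrapper_setting FILE KEY -> prints KEY's value (last match wins),
# ignoring comments and surrounding whitespace; empty if unset.
xwrapper_setting() {
    sed -n 's/[[:space:]]*#.*//; s/^[[:space:]]*'"$2"'[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | tail -n 1
}

# audit_xwrapper FILE -> one line per finding, returns 1 if any finding.
audit_xwrapper() {
    rc=0
    allowed=$(xwrapper_setting "$1" allowed_users)
    root=$(xwrapper_setting "$1" needs_root_rights)
    if [ "$allowed" = "anybody" ]; then
        echo "allowed_users=anybody: any user, including ssh logins, may start X"
        rc=1
    fi
    if [ "$root" = "yes" ]; then
        echo "needs_root_rights=yes: Xorg.wrap runs every server as root"
        rc=1
    fi
    return $rc
}

# root_xorg_running -> 0 if a process named Xorg or X is owned by root now.
# With startx from a console login plus elogind the owner should be you.
root_xorg_running() {
    ps -eo user=,comm= 2>/dev/null | grep -Eq '^root +(Xorg|X)$'
}

# Usage on a live system (path is the Debian default, assumed here):
#   audit_xwrapper /etc/X11/Xwrapper.config
#   root_xorg_running && echo "X server is root"
#   ls -l /usr/lib/xorg/Xorg.wrap    # the setuid bit is what the audit is about
```

A file with `allowed_users=console` and `needs_root_rights=no` passes the audit; the combination quoted in the thread fails on both counts.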
I always run X startx in user account, without elogind, do xserver-xorg-legacy Xwrapper.config
I am most grateful for your opinion on OpenBSD, which I know zilch about but perceive it to be the gonh (ancient greek, gonads.)
Last edited by andyp67 (2022-12-16 18:56:57)
Offline
I'm a photographer, I've never submitted a bug report, I don't consider myself knowledgeable enough,
refractasnapshot-base does NOT work without editing
/usr/share/initramfs-tools/hooks/live
PLEASE can somebody submit a bug report or something,
it not working is a disaster,
Release Daedalus is coming.
Offline
Correction, installing refractasnapshot-base and dependencies catastrophically fails.
Offline
Bug reports have been submitted for the live-boot-initramfs-tools problem.
https://bugs.debian.org/cgi-bin/bugrepo … ug=1010951
The fix is in git.
https://salsa.debian.org/live-team/live … 8678106523
Still waiting for the package to be built with the fix. I really don't want to fork live-boot for this.
Offline
thank you very much fsmithred
The other day I did find the fix in git
As I wrote above, I did the simple edit to line 148
maybe there was something on forums dot debian dot net, about this
Offline
https://sourceforge.net/projects/refracta/files/tools/
I just uploaded fixed live-boot deb packages I made for myself in October. These have a newer version number than what's in the repo, so they will replace the broken live-boot packages. I used these to make the daedalus live test isos.
Offline
I'm really pleased with this progress.
A newbie probably wouldn't be able to hunt for that edit line 148.
Installing Devuan and Refracta fail would be disappointing.
Now I know that Refracta is brought to us by fsmithred, I must take this opportunity to say, on behalf of the planet, an ULTRA MASSIVE THANKYOU for a COLOSSALLY WONDERFUL gift, which is not difficult to use.
Easy making a personal boot=live toram is not unlike seeing a photographic image appearing in the developer.
Invaluable is not an adequate word.
Of course Refracta is not made by magic, but by hard work.
Offline
I boot with Roderick 'Refind' Smith into lets hope fsmithred is Frederick 'Refracta' Smith!
Last edited by andyp67 (2022-12-16 21:27:46)
Offline
I will logout of this small piece of crap telephone and login to my Asus E203N cos it's morning elsewhere in the world.
Come on folks, Hardening Linux.
Offline
There is always https://wiki.debian.org/Hardening but it's a bit out of date now. And the hardening-runtime package as well, don't forget that.
Brianna Ghey — Rest In Power
Offline
& Securing Debian Manual, not just the latest version, is a whopper. html online & package harden-doc
I secure my home with a highly trained from birth panther!
Offline
We go libssl1.1 to libssl3
can openssl be tinkered with and improved?
Last edited by andyp67 (2022-12-16 22:06:01)
Offline
The OpenSSL devs claim their code is now as good as OpenBSD's LibreSSL fork. I don't believe them but LibreSSL isn't generally available for Linux. OpenBSD wins again. IMO.
EDIT: just found a Debian port for LibreSSL by one of the OpenBSD devs:
https://github.com/reyk/libressl-deb
Hasn't been updated for almost two years though and the libtls library is statically linked so it's probably best not to use it for anything critical. Just in case.
Last edited by Head_on_a_Stick (2022-12-17 15:39:11)
Brianna Ghey — Rest In Power
Offline
Head_on_a_Stick
Thank you for your info on libreSSL, which I learned a little about browsing these days.
I have Daedalus on my Asus E203N laptop.
Today I did apt-get install linux-image-amd64.
Today I've learned apt-mark hold to prevent firmware-linux-free being installed.
I am inclined to think this is WRONG.
Offline
Today I've learned apt-mark hold to prevent firmware-linux-free being installed
The free firmware should be "safe", at least theoretically, because the source code is available.
Brianna Ghey — Rest In Power
Offline
I'd really like to try submarine linux, i.e., never turn the thing off, reboot.
I feel like I haven't got the time, I'm getting older, living in western lands bullshit lifestyle, and I need to be frugal and not spend any money on another box because my sister is getting divorced and I want to help her with money.
I wonder how much learning zero downtime computing is, I wish I had a mini HOWTO.
Last edited by andyp67 (2022-12-18 14:59:45)
Offline
I'm sceptical on the firmware, oxymoron comes to mind.
By the way, greek verb, skeptome - I think.
Offline
Why don't I have /var/log/messages anymore,
not because I have noatime in fstab, and rsync installed.
I hope it's not a new feature.
tail -f /var/log/messages is handy.
I have a minimal console install, I'm being extremely careful, I haven't broken anything, I do that in a RefractaSS.
Offline
Why don't I have /var/log/messages anymore,
not because I have noatime in fstab, and rsync installed.
I hope it's not a new feature.
tail -f /var/log/messages is handy.
I have a minimal console install, I'm being extremely careful, I haven't broken anything, I do that in a RefractaSS.
You might be running into this problem:
https://dev1galaxy.org/viewtopic.php?id=5096
Offline