The officially official Devuan Forum!


#26 2022-12-18 13:02:58

andyp67
Member
Registered: 2022-10-30
Posts: 228  

Re: Hardening Linux, minimal, to ultra.

Super fsmithred thank you.
I will check it out asap.
Right now I'm on a telephone, my laptop is creating a snapshot, and I'm about to make my third and last coffee of the day. I had a bottle of Greek wine yesterday evening; that's one and a half kilos.


#27 2022-12-18 14:51:39

andyp67
Member
Registered: 2022-10-30
Posts: 228  

Re: Hardening Linux, minimal, to ultra.

I did a minimal install from the daedalus netinstall, with "standard system utilities" unstarred.
Installed wireless and net-tools for ifconfig hw ether MAC.
Network up and install bzip2 rsync cpufrequtils man-db gdisk dosfstools mtools iptables debfoster psmisc usbutils locate discover mdetect mime-support gdbm-l10n and bsdextrautils, for hexdump.
Install refractainstaller-base and refractasnapshot-base and dpkg -P sudo.
Make a snapshot, boot snapshot and network up and install X and download xinit.
I copy /var/cache/apt/archives and xinit to ssd.
I make another snapshot, boot that and install X and xinit.
I network up and install icewm and netsurf-gtk.
I startx from user.
Here I am right now, and on my display I have UXTerm, Beaver editor (copy/paste password), and Netsurf.
Anacron is not installed.
Andy!
and vi+148 /usr/share/initramfs-tools/hooks/live

Last edited by andyp67 (2022-12-18 14:56:08)


#28 2022-12-18 15:11:42

andyp67
Member
Registered: 2022-10-30
Posts: 228  

Re: Hardening Linux, minimal, to ultra.

This post had nearly 500 views.
I wish Robert Shingledecker was here, he's the man.


#29 2022-12-18 20:30:36

Devarch
Member
Registered: 2022-10-03
Posts: 62  

Re: Hardening Linux, minimal, to ultra.

To my mind there is no hardening without immutability. The system must be pristine after reboot.


#30 2022-12-18 21:37:36

andyp67
Member
Registered: 2022-10-30
Posts: 228  

Re: Hardening Linux, minimal, to ultra.

The modalities - cardinal, fixed, mutable.
Devarch I like your words, I need to take some time and think about them.


#31 2022-12-18 22:29:55

Cheerful Charlie
Member
Registered: 2017-01-30
Posts: 18  

Re: Hardening Linux, minimal, to ultra.

Using ssh etc?  Install fail2ban.


#32 2022-12-18 22:41:19

andyp67
Member
Registered: 2022-10-30
Posts: 228  

Re: Hardening Linux, minimal, to ultra.

ooh,
something new to me Cheerful Charlie.
Magic.
Reasons to be Cheerful part 3 (Ian Dury & the Blockheads.)


#33 2022-12-19 16:38:35

Head_on_a_Stick
Member
From: London
Registered: 2019-03-24
Posts: 3,125  

Re: Hardening Linux, minimal, to ultra.

Devarch wrote:

immutability

How about overlayfs? Mount the root partition read-only with a writeable overlay that is lost on reboot.

Alpine uses overlayfs to run in RAM:

https://gitlab.alpinelinux.org/alpine/m … it.in#L535


Brianna Ghey — Rest In Power


#34 2022-12-19 18:52:48

Devarch
Member
Registered: 2022-10-03
Posts: 62  

Re: Hardening Linux, minimal, to ultra.

Head_on_a_Stick wrote:
Devarch wrote:

immutability

How about overlayfs? Mount the root partition read-only with a writeable overlay that is lost on reboot.

Alpine uses overlayfs to run in RAM:

https://gitlab.alpinelinux.org/alpine/m … it.in#L535

Yes, I'm using overlayfs

The script looks too complicated. There are much simpler solutions:

1. https://packages.debian.org/bullseye/bilibop uses overlayfs, or aufs if aufs is in the kernel; easy to use

2. https://www.kicksecure.com/wiki/Grub-li … ng_started adds live boot entry

Did not find something similar for the BSD family. They are using unionfs, but I've no idea if it is useful or how to use it.

Also I do not understand the concept of Qubes as a "reasonably secure operating system". They are using systemd and have no immutability. All the logs, traces or malware are persistent. Strange.


#35 2022-12-19 18:54:47

Head_on_a_Stick
Member
From: London
Registered: 2019-03-24
Posts: 3,125  

Re: Hardening Linux, minimal, to ultra.

Devarch wrote:

The script looks too complicated

That's the entire init script from Alpine's initramfs. The only bits that are needed are a few fstab lines — the mount commands in my link show what options are needed for that.

Thanks for the links, very useful.

EDIT: and in respect of Qubes and their "secure" virtualisation:

Theo de Raadt wrote:

> Virtualization seems to have a lot of security benefits.

You've been smoking something really mind altering, and I think you
should share it.

x86 virtualization is about basically placing another nearly full
kernel, full of new bugs, on top of a nasty x86 architecture which
barely has correct page protection.  Then running your operating
system on the other side of this brand new pile of shit.

You are absolutely deluded, if not stupid, if you think that a
worldwide collection of software engineers who can't write operating
systems or applications without security holes, can then turn around
and suddenly write virtualization layers without security holes.

You've seen something on the shelf, and it has all sorts of pretty
colours, and you've bought it.

That's all x86 virtualization is.

https://marc.info/?l=openbsd-misc&m=119318909016582

Last edited by Head_on_a_Stick (2022-12-19 19:15:36)


Brianna Ghey — Rest In Power


#36 2022-12-20 17:22:48

chris2be8
Member
Registered: 2018-08-11
Posts: 265  

Re: Hardening Linux, minimal, to ultra.

The latest issue of Linux Magazine (called Linux Pro in some countries) has an article on Lynis, a tool to help harden Linux systems. I've not had time to read the article, but it's probably worth looking at (just put Lynis into your favourite search engine and you should find it).

HTH


#37 2022-12-20 18:27:53

Head_on_a_Stick
Member
From: London
Registered: 2019-03-24
Posts: 3,125  

Re: Hardening Linux, minimal, to ultra.

And there's also samhain & tripwire, which are Suggests for the lynis package in Devuan.

EDIT: debsecan is another good one.

Last edited by Head_on_a_Stick (2022-12-20 18:28:37)


Brianna Ghey — Rest In Power


#38 2022-12-21 11:46:40

Head_on_a_Stick
Member
From: London
Registered: 2019-03-24
Posts: 3,125  

Re: Hardening Linux, minimal, to ultra.

The overlayrootfs package is now available in testing/unstable:

This package adds functionality to an initramfs built by initramfs-tools. When installed and configured, the initramfs will mount an overlayfs filesystem on top of a read-only root volume.


Brianna Ghey — Rest In Power
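As an added example (not code from this thread, from Alpine's init script, or from the overlayrootfs package), the two posts above about a read-only root with a volatile overlay (#33 and #38) can be shown in a short POSIX sh script: one helper builds exactly that layout (read-only lower tree, upper and work directories on a fresh tmpfs, so every write disappears at reboot), and a second helper verifies from a mounts table that "/" really is such an overlay, which is the check you want after installing overlayrootfs or hand-editing fstab. The mount-table format is assumed to be that of /proc/self/mounts; the paths /overlay and /run/overlay-scratch and the sample tables are constructed for illustration, not taken from any package.

```shell
#!/bin/sh
# Added example, not code from the thread, Alpine or overlayrootfs.
# Assumed mounts-table format (as in /proc/self/mounts):
#   <source> <mountpoint> <fstype> <options> 0 0
# Paths such as /overlay and /run/overlay-scratch are illustrative choices.

# Mount <lower> (a read-only tree) at <mnt> with upper/work dirs on a fresh
# tmpfs. Needs root. The tmpfs is what makes the writable layer vanish at
# reboot; a persistent upperdir would defeat the purpose.
mount_volatile_overlay() {
    lower=$1; mnt=$2; scratch=${3:-/run/overlay-scratch}
    mkdir -p "$scratch" "$mnt" || return 1
    mount -t tmpfs -o nosuid,nodev,mode=0755 tmpfs "$scratch" || return 1
    mkdir -p "$scratch/upper" "$scratch/work" || return 1
    mount -t overlay \
        -o "lowerdir=$lower,upperdir=$scratch/upper,workdir=$scratch/work" \
        overlay "$mnt"
}

# Return 0 if the mounts table (default: the live one) shows "/" as an overlay
# whose upperdir sits on a tmpfs, 1 otherwise. Prints a one-line verdict.
check_volatile_root() {
    mounts=${1:-/proc/self/mounts}
    # Last entry for "/" wins, as the kernel resolves later mounts on top.
    root_line=$(awk '$2 == "/" { line = $0 } END { print line }' "$mounts")
    [ -n "$root_line" ] || { echo "no root mount found"; return 1; }
    fstype=$(printf '%s\n' "$root_line" | awk '{ print $3 }')
    opts=$(printf '%s\n' "$root_line" | awk '{ print $4 }')
    if [ "$fstype" != "overlay" ]; then
        echo "root is $fstype, not overlay: changes persist"; return 1
    fi
    # Pull upperdir=<path> out of the comma-separated option list.
    upper=$(printf '%s\n' "$opts" | tr ',' '\n' | sed -n 's/^upperdir=//p')
    [ -n "$upper" ] || { echo "overlay root has no upperdir"; return 1; }
    # Is a tmpfs mounted at the upperdir or at one of its parents?
    # Compare on whole path components so /o does not match /overlay/upper.
    if awk -v u="$upper" \
        '$3 == "tmpfs" && (u == $2 || index(u, $2 "/") == 1) { found = 1 }
         END { exit !found }' "$mounts"; then
        echo "root is a volatile overlay (upperdir=$upper on tmpfs)"; return 0
    fi
    echo "overlay root, but upperdir=$upper is not on tmpfs: changes persist"
    return 1
}

# Convenience wrapper: run the check over mount lines given as a string.
check_volatile_root_from_string() {
    f=$(mktemp) || return 1
    printf '%s\n' "$1" > "$f"
    check_volatile_root "$f"; rc=$?
    rm -f "$f"
    return $rc
}

# Constructed sample tables (not captured from a real machine).
SAMPLE_VOLATILE='/dev/sda1 /lower ext4 ro,relatime 0 0
tmpfs /overlay tmpfs rw,nosuid,nodev 0 0
overlay / overlay rw,relatime,lowerdir=/lower,upperdir=/overlay/upper,workdir=/overlay/work 0 0'

SAMPLE_PERSISTENT='/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
tmpfs /run tmpfs rw,nosuid,nodev 0 0'

# Usage on a live system: . ./volatile-root.sh && check_volatile_root
```

The check deliberately refuses a plain ext4 root and an overlay whose upperdir lives on disk, since both persist logs, traces and any dropped files across reboots, which is exactly what the immutability argument in this thread is about.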

