
Thread: SECURITY MATTERS. -- OpenSuse Super-Secured.

  1. #1
    Join Date
    Jan 2009
    Location
    PARADISE
    Posts
    929

    SECURITY MATTERS. -- OpenSuse Super-Secured.

    You've just read the most important principle behind working with data. It's simple, yet powerful and effective.

    Now let me ask you this: HOW to make OpenSuse as secure as possible?
    Insomnia? YES, PLEASE! Disconnecting the machine from the net? Um... good thought, but not an option here.

    I've heard that SELinux is an "Addon" for the kernel that makes Suse even more secure. Also, it seems that the community sets high hopes in App-Armor, which should prevent intrusion. Weird: App-Armor won't be improved in the future since its developers "lost" their job in 2007. Even then: How to configure App-Armor for a super-secure system? On my personal as well as business machines KlamAV is installed - but does that suffice?

    Here comes the next word. S-E-C-U-R-E. Secure does not mean to let OpenSuse read my fingerprint every time I open a file. It means to be able to know that my system is not compromisable without cutting my hand off.
    If you are technically on the bleeding edge and open your ears/eyes for the world's headlines you probably know that even governments cope in developing the perfectly undetectable trojan for a number of systems... you get the point. I know that there is no "uncompromisable" system, but for sure I want to give pussies the hardest time they've ever had.

    To be clear: I know it's tempting to talk some bullsh!t, but I expect you guys to only hand me grown-up answers. Thanks.
    CHECK OUT THESE GitHub PROJECTS!

    https://secupwn.github.io/Android-IMSI-Catcher-Detector/
    https://github.com/SecUpwN/Spotify-AdKiller

  2. #2
    Join Date
    Jun 2008
    Location
    Podunk
    Posts
    27,228
    Blog Entries
    15

    Re: SECURITY MATTERS! -- Super-Securing OpenSuse.

    Quote Originally Posted by TheMask
    You've just read the most important principle behind working with data.
    It's simple, yet powerful and effective.

    Now lemme ask you this: HOW to make OpenSuse as secure as possible?
    Insomnia? YES! Disconnecting the machine from the net? Um... good
    thought, but not an option here.

    I've heard that SELinux is an "Addon" for the kernel that makes Suse
    even more secure. Also, it seems that the community sets high hopes in
    App-Armor, which should prevent intrusion. Weird: App-Armor won't be
    improved in the future since its developers "lost" their job in 2007.
    Even then: How to configure App-Armor for a super-secure system? On my
    personal as well as business machines KlamAV is installed - but does
    that suffice?

    Here comes the next word. S-E-C-U-R-E. Secure does not mean to let
    OpenSuse read my fingerprint every time I open a file. It means to be
    able to know that my system is not compromisable without cutting my hand
    off.
    If you are technically on the bleeding edge and open your ears/eyes for
    the world's headlines you probably know that even governments cope in
    developing the perfectly undetectable trojan for a number of systems...
    you get the point.

    To be clear: I know it's tempting to talk some bullsh!t, but I expect
    you guys to only hand me grown-up answers. Thanks.

    Hi
    You could use the /etc/permissions.paranoid file, install chkrootkit,
    rootkit hunter, snort etc. The other one is nessus
    http://www.nessus.org/nessus/

    ClamAV is only for Windows viruses and so you don't potentially pass
    them on via email.

    But all of these things need to be done on a clean install, the other
    of course is disk encryption.

    All of the above mean squat though if someone has physical access to
    your machine.....

    --
    Cheers Malcolm (Linux Counter #276890)
    SUSE Linux Enterprise Desktop 11 (x86_64) Kernel 2.6.27.25-0.1-default
    up 1 day 8:30, 2 users, load average: 0.09, 0.07, 0.05
    GPU GeForce 8600 GTS Silent - Driver Version: 185.18.14


  3. #3
    Join Date
    Jan 2009
    Location
    PARADISE
    Posts
    929

    Re: SECURITY MATTERS! -- Super-Securing OpenSuse.

    Thanks for the lightning-fast reply, malcolmlewis.
    Thing is, I don't want to kill my disc with too many tools either. Maybe you could be so friendly and re-direct me to a place where I could...

    a.) find information on how to correctly configure App-Armor for MY needs.
    b.) tell me how to set my system in mode "paranoid" (where to enable the appropriate file permission mode)
    c.) give me a hint which tools would be very recommendable to install - I know there's a lot of code out there...

  4. #4
    Join Date
    Jan 2009
    Location
    PARADISE
    Posts
    929

    Re: SECURITY MATTERS! -- Super-Securing OpenSuse.

    Mh... I just noticed that OpenSuse won't accept root's password when file permissions are set to "paranoid". Weird.

  5. #5
    Join Date
    Jun 2008
    Location
    Podunk
    Posts
    27,228
    Blog Entries
    15

    Re: SECURITY MATTERS. -- OpenSuse Super-Secured.

    Quote Originally Posted by TheMask
    Thanks for the lightning-fast reply, malcolmlewis.
    Thing is, I don't want to kill my disc with too many tools either.
    Maybe you could be so friendly and re-direct me to a place where I
    could...

    a.) find information on how to correctly configure App-Armor for MY
    needs.
    b.) tell me how to set my system in mode "paranoid" (where to enable
    the appropriate file permission mode)
    c.) give me a hint which tools would be very recommendable to install -
    I know there's a lot of code out there...

    Hi
    I would start with AppArmor http://en.opensuse.org/AppArmor and take it
    from there.

    --
    Cheers Malcolm (Linux Counter #276890)
    SUSE Linux Enterprise Desktop 11 (x86_64) Kernel 2.6.27.25-0.1-default
    up 1 day 9:07, 2 users, load average: 0.54, 0.20, 0.06
    GPU GeForce 8600 GTS Silent - Driver Version: 185.18.14


  6. #6
    Join Date
    Jan 2009
    Location
    PARADISE
    Posts
    929

    Re: SECURITY MATTERS. -- OpenSuse Super-Secured.

    Easy answer. Would you please give me a hint on point #3 also? Thanks.

  7. #7
    Join Date
    Nov 2008
    Location
    N. Wales
    Posts
    1,028

    Re: SECURITY MATTERS. -- OpenSuse Super-Secured.

    TheMask adjusted his/her AFDB on Saturday 25 Jul 2009 04:06 to write:

    > Mh... I just noticed that OpenSuse won't accept root's password when file
    > permissions are set to "paranoid". Weird.

    Well I call that pretty secure not weird.

    If you cannot login as root you cannot change anything unless a
    vulnerability is found somewhere, and as no software is immune because that
    is the nature of the beast then it is about as secure as you get I suppose.

    Don AFDB

    configure everything you need (offline), get it running as you like it then
    make as much as possible read-only, encrypt anything that needs it, no root
    login, behind a good well configured hardware firewall then connect to net
    if you really really need it, unplug from power supply, take away keyboard,
    take away mouse take away monitor, remove all static USB/Floppy ports,
    password BIOS ( stop me if I am going too far )

    There is paranoid and then there is usable.

    If "THEY" are out to get you they will

    bingo

    Beware the Black Helicopters.

    :-)

    --
    Mark
    Caveat emptor
    Nullus in verba
    Nil illegitimi carborundum
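
An added example, not part of any post in this thread: a small parser for the `path owner:group mode` layout used by the `/etc/permissions.*` profile files, which compares two profiles and lists the programs that lose their setuid/setgid bit. The two excerpts are constructed for illustration, and the assumption that the paranoid profile clears setuid on `su` is inferred from the behaviour reported in post #4 (an unprivileged `su` cannot become root even with the correct password).

```python
import stat

# Constructed sample entries in the "path owner:group mode" layout used by
# /etc/permissions.* files; the modes are illustrative, not copied from a release.
SECURE = """\
# constructed excerpt, "secure"-style profile
/bin/su                 root:root     4755
/usr/bin/passwd         root:shadow   4755
/usr/bin/crontab        root:trusted  4750
/etc/shadow             root:shadow   0640
"""
PARANOID = """\
# constructed excerpt, "paranoid"-style profile (assumed: special bits cleared)
/bin/su                 root:root     0755
/usr/bin/passwd         root:shadow   0755
/usr/bin/crontab        root:trusted  0755
/etc/shadow             root:shadow   0640
"""

SPECIAL = stat.S_ISUID | stat.S_ISGID


def parse_profile(text):
    """Return {path: (owner, group, mode)} for every well-formed entry."""
    entries = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("+"):  # blank, comment or capability line
            continue
        fields = line.split()
        if len(fields) != 3 or ":" not in fields[1]:
            continue  # skip malformed entries instead of guessing
        owner, group = fields[1].split(":", 1)
        try:
            mode = int(fields[2], 8)  # modes are written in octal
        except ValueError:
            continue
        entries[fields[0]] = (owner, group, mode)
    return entries


def lost_privilege(before, after):
    """Paths whose setuid/setgid bits are set in `before` but cleared in `after`."""
    lost = []
    for path, (_, _, old_mode) in sorted(before.items()):
        if path not in after:
            continue
        dropped = (old_mode & SPECIAL) & ~after[path][2]
        if dropped:
            names = (("setuid", stat.S_ISUID), ("setgid", stat.S_ISGID))
            lost.append((path, "+".join(n for n, bit in names if dropped & bit)))
    return lost


if __name__ == "__main__":
    for path, bits in lost_privilege(parse_profile(SECURE), parse_profile(PARANOID)):
        print(f"{path}: loses {bits}")
```

Running the same comparison on the real profile files before switching levels shows in advance which everyday commands will stop working for ordinary users.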

  8. #8
    brassy NNTP User

    Re: SECURITY MATTERS. -- OpenSuse Super-Secured.

    TheMask wrote:
    > Easy answer. Would you please give me a hint on point #3 also? Thanks.

    YOU have to decide the balance between the security of your system and
    the inconvenience to you....that is, if you are trying to keep the NSA
    from being able to read your machine you have to unplug it from the
    net forever, and melt the hard drive every time you leave the room it
    is in..

    of course that is not so convenient for you (if tomorrow you wanna use
    it, again)..

    on the other hand, if you _just_ need to keep out all those folks who
    are today infecting, collecting key strokes, ripping off XP and
    Windows users, and operating botnets then you were pretty much DONE if
    you accepted a default install (with its default firewall) and then
    connected your machine through a combo router/hardware firewall (AND
    replaced the default router password with a STRONG one) and then to
    the cable box, ISP provided xDSL modem etc...

    well, after doing that, to protect your machine (if it ONLY runs
    Linux) from well over 99% of the crackers and snoopers out there,
    adding SELinux and KlamAV is overkill!

    another way to say that is: no matter what anyone tells you you can
    always throw back "I don't want to kill my disc with too many tools
    either"...only YOU know what YOU are willing to suffer through...like
    i said, to protect yourself from the NSA you are gonna have to suffer
    through a LOT! protection from microsoftie-script-kiddies is pretty easy..

    --
    brassy

  9. #9
    Join Date
    Jan 2009
    Location
    Somewhere in Fictionland
    Posts
    1,479

    Re: SECURITY MATTERS. -- OpenSuse Super-Secured.

    I find the discussion a bit pointless. openSUSE is currently designed to be not particularly secure (you can see that if you install the default way, when they offer to use the same password for root and user). It is also extremely easy to change your root password if you have physical access to the PC.

    So, first would be to have a mobile and not a fixed PC and to make sure that nobody has free physical access to it.

    Second would be to install only the foreseen software, so bye bye to libdvdcss, packman codecs and all the beautiful rest of it.
    If you would use them, then you cannot be sure that the signatures provided are correct, as there is no written paper support in newspapers that report the fingerprint of the GnuPG signatures of the repositories (as far as I know).

    Encryption and SElinux is overkill? Depends on your personal life and the use you are doing of the pc. I think for me personally it would be very useful to achieve full disk encryption with /boot on usb-key and to activate SE linux. But I can assure you it is far from easy, the howtos for me did not work at all and then in this forum they are going to tell you not to bother. So my suggestion would be, you study first the boot sequence of suse, password protect grub for not allowing the substitution of the root password (look also at the write permissions) and once you are able to do it, to encrypt the root partition with external usb-key (good luck!).

    KlamAV is actually counterproductive because it is a not required functionality, with a program that requires root access, if you want to run it with real time file access. IMHO just a way of having one first day exploit more.

    If you are worried (and have reason to be worried) then you would probably also deactivate the time coordination functionality via the nist internet time service.

    As you see, there are a lot of things you can do, you do not use any add ons in firefox any more, not even the eyecandy stuff. You deactivate javascript, flash and deactivate bluetooth.

    All depends what you are searching for.

    Try first the easy and fast steps. How is your password?
    Is it long enough?
    Do you change it regularly?
    Is it maybe even random for root?
    Did you configure wallet to close soon if not used by an application?
    If you are just worried for your privacy:
    noscript, foxyproxy, privoxy and tor.
    But there if you are going paranoia then you could argue that tor servers have been set up in masses by certain agencies (not the travel ones) that are interested in the net traffics. But it does protect you against commercial data collection, to a certain extent.
    Deactivate cookies or set private data to be eliminated by your browser after closing the session.
    You will use a mailbox with POP3 that offers secure transport and secure password, you will change the password frequently. You will use openVPN and a VPN server to avoid exposure of your mails and pc in hot-spots when traveling.

    But I would agree that SElinux and easy achievable disk encryption should be part of the basic features of openSUSE. A notebook can be stolen and contain data important for you and for others, private photos and bank information, business documents and so on and so forth. As far as I know they are candidates / in evaluation for 11.2 and maybe we are going to see finally very useful features like a working vpn service with networkmanager, a good coordination with kwallet and a working and conveniently configured SElinux as well as full and easy disk encryption via Luks.

    If SE linux is too complicated and AppArmor is not developed any more you could have a look on the Tomoyo project.

    In the meanwhile you could just begin to study the howtos and technical info available on the internet. More knowledge you have more you are on the safe side. For whatever you may be afraid of.


    P.S. I forgot the most important feature for free internet and protection of privacy:
    Vote!
    And think well before, for WHOM you are voting ;-)

  10. #10

    Re: SECURITY MATTERS. -- OpenSuse Super-Secured.

    Just as a last point on SELinux/AppArmor/TOMOYO, they all use the same
    hooks into the kernel (LSM) to do what they do, though one may be easier
    to use or more-fully-featured than another. It looks like TOMOYO managed
    to get into the main kernel at 2.6.30 so perhaps it adds something new but
    I did not bother reading up on it at this point.

    Regarding this thread, it has come up a few times that "it depends" on how
    much security you want. It is important that you define that. Security
    from young siblings? Security from your boss (who owns the laptop or PC)?
    Security from the NSA? Security from me or others you may never meet in
    real life? The needs to reach that security vary significantly. As
    mentioned you MUST maintain control of the physical box to consider it
    secure regardless of what else you do (same with any OS). This means
    protecting (legally) from your Boss can be tricky, as (s)he can take the
    box at any time. Disk encryption may help but you need to make sure you
    are ready to tell your boss 'No' when asked for the encryption
    key/passphrase. Security from the other categories is more or less there
    out of the box (except the NSA, for the same reason as your Boss) as long
    as you have decent passwords and keep your box with you and do not enable
    something dumb.

    Good luck.
    stakanov wrote:
    > I find the discussion a bit pointless. openSUSE is currently designed to
    > be not particularly secure (you can see that if you install the default
    > way, when they offer to use the same password for root and user). It is
    > also extremely easy to change your root password if you have physical
    > access to the PC.
    >
    > So, first would be to have a mobile and not a fixed PC and to make sure
    > that nobody has free physical access to it.
    >
    > Second would be to install only the foreseen software, so bye bye to
    > libdvdcss, packman codecs and all the beautiful rest of it.
    > If you would use them, then you cannot be sure that the signatures
    > provided are correct, as there is no written paper support in newspapers
    > that report the fingerprint of the GnuPG signatures of the repositories
    > (as far as I know).
    >
    > Encryption and SElinux is overkill? Depends on your personal life and
    > the use you are doing of the pc. I think for me personally it would be
    > very useful to achieve full disk encryption with /boot on usb-key and to
    > activate SE linux. But I can assure you it is far from easy, the howtos
    > for me did not work at all and then in this forum they are going to tell
    > you not to bother. So my suggestion would be, you study first the boot
    > sequence of suse, password protect grub for not allowing the
    > substitution of the root password (look also at the write permissions)
    > and once you are able to do it, to encrypt the root partition with
    > external usb-key (good luck!).
    >
    > KlamAV is actually counterproductive because it is a not required
    > functionality, with a program that requires root access, if you want to
    > run it with real time file access. IMHO just a way of having one first
    > day exploit more.
    >
    > If you are worried (and have reason to be worried) then you would
    > probably also deactivate the time coordination functionality via the
    > nist internet time service.
    >
    > As you see, there are a lot of things you can do, you do not use any
    > add ons in firefox any more, not even the eyecandy stuff. You deactivate
    > javascript, flash and deactivate bluetooth.
    >
    > All depends what you are searching for.
    >
    > Try first the easy and fast steps. How is your password?
    > Is it long enough?
    > Do you change it regularly?
    > Is it maybe even random for root?
    > Did you configure wallet to close soon if not used by an application?
    > If you are just worried for your privacy:
    > noscript, foxyproxy, privoxy and tor.
    > But there if you are going paranoia then you could argue that tor
    > servers have been set up in masses by certain agencies (not the travel
    > ones) that are interested in the net traffics. But it does protect you
    > against commercial data collection, to a certain extent.
    > Deactivate cookies or set private data to be eliminated by your browser
    > after closing the session.
    > You will use a mailbox with POP3 that offers secure transport and
    > secure password, you will change the password frequently. You will use
    > openVPN and a VPN server to avoid exposure of your mails and pc in
    > hot-spots when traveling.
    >
    > But I would agree that SElinux and easy achievable disk encryption
    > should be part of the basic features of openSUSE. A notebook can be
    > stolen and contain data important for you and for others, private photos
    > and bank information, business documents and so on and so forth. As far
    > as I know they are candidates / in evaluation for 11.2 and maybe we are
    > going to see finally very useful features like a working vpn service
    > with networkmanager, a good coordination with kwallet and a working and
    > conveniently configured SElinux as well as full and easy disk encryption
    > via Luks.
    >
    > If SE linux is too complicated and AppArmor is not developed any more
    > you could have a look on the 'Tomoyo project'
    > (http://tomoyo.sourceforge.jp/).
    >
    > In the meanwhile you could just begin to study the howtos and technical
    > info available on the internet. More knowledge you have more you are on
    > the safe side. For whatever you may be afraid of.
    >
    >
    > P.S. I forgot the most important feature for free internet and
    > protection of privacy:
    > Vote!
    > And think well before, for WHOM you are voting ;-)