Linux Security Subforum on OpenSUSE Forums

I thought it might be useful…

This is discussed many times. Mostly in Forums comments of course.
Search for the discussions.

Four people voted “YES”, and only two “NO”. We should have an openSUSE Security subforum :stuck_out_tongue:
hcvv, it’s easier to have them in one place than to search for Security-related questions/answers each time, IMHO.
Also, a Security subforum is common to many other Linux distros, so there wouldn’t be anything special about it.

At the very least, such posts should be tagged appropriately.

Which reminds me… getting slightly off-topic, there should be a PROMINENT listing of available tags, and people should be encouraged to tag their posts.
The way things work right now, I just make up some tags and if something I make up is similar to something already used then a suggestion appears…

Much better to offer options which can be checked, although I understand it’s a GUI design dilemma to offer so many options in an organized, quick way.

TSU

Additional,
At the very least a separate Forum should/would post stickies that would point users to relevant support/design documents.

Security is a mystery to most people, and it touches everything that is done at many, many levels.

If it’s helpful, maybe a separate Forum might be scoped to be “Security by Design” focused on implementing security <systems> (both on openSUSE and openSUSE participating in Network Security) rather than all security. That way security related to Applications would stay in Applications, security specific to Virtualization would stay in that forum, etc.

Specific Security topics for a proposed separate forum might include
<Local Policy>
SELinux
Enhanced AppArmor

<Network Policy>
LDAP, SAMBA Authentication

<Configuring Security Components>
GPGP and other local key stores
OpenSSL
OpenSSH

IMO,
TSU

we really need a dummies guide for “securing openSUSE”
Each version must be preferably put up after each release.
optional: creating DE-based versions like KDE, GNOME, LXDE, XFCE etc

On Mon, 17 Dec 2012 04:16:01 +0000, vazhavandan wrote:

> we really need a dummies guide for “securing openSUSE”

Generally pretty easy to do - don’t turn off the firewall. Don’t host
services unless you know what you’re doing.

> Each version must be preferably put up after each release.

Someone needs to volunteer to create one - sounds like a great community
project.

> optional: creating DE-based versions like KDE, GNOME, LXDE, XFCE etc

Probably unnecessary, since the options to configure the firewall are in
YaST. In doc writing (something I do professionally these days), the
best doc isn’t doc that gives step by step instructions on how to
accomplish a specific task, but is a combination between good UI design
and documenting generally about what one needs to accomplish with
pointers to get the user to the right place in the UI.

Jim

Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C

It seems pretty secure out of the box.

I usually add apparmor, though that might well be overkill.

I have noticed that some apps don’t provide GUI GTK versions but offer a qt based GUI, and in some cases the qt option wants to pull an entire bunch of KDE libraries :slight_smile: onto my GNOME desktop.

On 2012-12-17 05:56, nrickert wrote:
> I usually add apparmor, though that might well be overkill.

It is a reasonable thing to do.


Cheers / Saludos,

Carlos E. R.
(from 11.4, with Evergreen, x86_64 “Celadon” (Minas Tirith))

On Mon, 17 Dec 2012 05:06:01 +0000, vazhavandan wrote:

> I have noticed that some apps don’t provide GUI GTK versions but offer a qt
> based GUI, and in some cases the qt option wants to pull an entire bunch of KDE
> libraries :slight_smile: onto my GNOME desktop.

Sure, some apps don’t have QT or GTK+ interfaces, but from a security
standpoint, all that’s needed really is YaST, and that provides both.

Jim



==> does installing apparmor and default profiles (installed by default) suffice on a desktop machine which is typically used for browsing and watching videos?
==> Should i download a virus scanner like the one in security repo and scan every file that i put onto my machine (clamtk), Index of /repositories/security/openSUSE_12.2?
==> What about rootkit scanners (rkhunter, chkrootkit etc…)? Should we install them and run them regularly?
==> firewall settings on typical desktop, services that need to be turned off:
Note:- i install all updates that flow in through YaST (OSS, Non-OSS, Update, Non-OSS update)

In my opinion, yes.

As far as I know, the main use of a virus scanner is if you are serving files for windows boxes and you want to protect those windows boxes.

I installed “rkhunter” on my current system. And, after a few weeks, I uninstalled it. It sent an email every day with messages that weren’t relevant. It explained how to turn off those messages, but that never worked for me.

The firewall seems pretty secure out-of-the-box. Be cautious about opening ports.

i’m gonna give you my opinions which fit my situation and needs…

> ==>does installing apparmor and default profiles(installed by default)
> suffice on a desktop machine which is typically used for browsing and
> watching videos?

yes, if you exercise sound practices (like not browsing as root,
maintaining physical security of your machine, etc etc etc etc)

> ==>Should i download a virus scanner like the one in security repo and
> scan every file that i put onto my machine(clamtk),‘Index of
> /repositories/security/openSUSE_12.2’
> (http://download.opensuse.org/repositories/security/openSUSE_12.2/)

no way it is needed to protect your Linux box…now, if you want to
help your less fortunate friends who still run the Virus Magnet, then
you can clean mail as it flows to them…

> ==>What about rootkit scanners(rkhunter ,chkrootkit etc…). Should we
> install them and run them regularly

depends on your level of interest and willingness to pay attention…what
i mean: the only way to use them is to install them on Day One, first
install day…and immediately run them against that KNOWN clean machine,
and turn off all of the false-positives…

and then, react when you get any new warning…

problem is that you WILL get false positives and they can drive you
crazy if you are not prepared to pay attention!!

> ==> firewall settings on typical desktop, services that need to be turned
> off:
> Note:- i install all updates that flow in through
> YaST(OSS,Non-OSS,Update,Non-OSS update)

most potentially unsafe services are off in a default install (like
httpd, sshd, telnet, etc etc etc)…so, nothing to do but use normal
safety practices


dd http://tinyurl.com/DD-Caveat
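The day-one baseline approach dd describes above, sketched as an added example (it is not part of any post in this thread and is not rkhunter's own code): keep the warnings from the scan of the known-clean install, then report only warnings that were not in that scan. The `[HH:MM:SS] Warning: …` line shape and both sample logs are constructed assumptions; the function names are hypothetical.

```python
import re

# Assumed log line shape: "[HH:MM:SS] Warning: <message>".
_WARNING = re.compile(r"^\[\d{2}:\d{2}:\d{2}\]\s+Warning:\s*(?P<text>.+?)\s*$")


def warnings_in(log_text):
    """Return the set of warning messages in a scan log, timestamps stripped."""
    found = set()
    for line in log_text.splitlines():
        match = _WARNING.match(line)
        if match:
            found.add(match.group("text"))
    return found


def compare_to_baseline(baseline_log, current_log):
    """Classify today's warnings against the day-one (known clean) scan.

    new   - not seen on day one: these are the ones to react to
    known - already reviewed on day one (the accepted false positives)
    gone  - present on day one, missing today (config or package changed)
    """
    baseline = warnings_in(baseline_log)
    current = warnings_in(current_log)
    return {
        "new": sorted(current - baseline),
        "known": sorted(current & baseline),
        "gone": sorted(baseline - current),
    }


# Constructed sample logs, not output captured from a real scan.
DAY_ONE_LOG = """\
[09:00:01] Info: Starting system checks
[09:00:02] Warning: The command '/usr/bin/ldd' has been replaced by a script
[09:00:05] Warning: Hidden directory found: /dev/.udev
[09:00:09] Info: System checks summary
"""
TODAY_LOG = """\
[03:15:01] Warning: The command '/usr/bin/ldd' has been replaced by a script
[03:15:07] Warning: The file properties have changed: /bin/ls
"""

if __name__ == "__main__":
    result = compare_to_baseline(DAY_ONE_LOG, TODAY_LOG)
    for bucket in ("new", "known", "gone"):
        for message in result[bucket]:
            print(f"{bucket.upper():5} {message}")
```

Messages that embed changing values (dates, sizes, inode numbers) would need normalising before comparison, and the baseline is only meaningful if it was taken on the known-clean install.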

@dd,nrickert
Many thanks for the kind replies.

> help your less fortunate friends who still run the Virus Magnet,

Talk to people on phone and facehook. So that is covered :-)

> if you are serving files for windows boxes and you want to protect those windows boxes.

Reason i came to Linux is that virus and malware drove me crazy and i spent most of my day hunting them instead of customising my system. The reason i am asking this “virus” question is that sometimes i load my family’s pen drives onto my system and i see those wretched exes (you know, the thumbs.db, folder.exe, *.sys etc… yakati yak) in them.

> most potentially unsafe services are off in a default install (like httpd, sshd, telnet, etc etc etc)…so, nothing to do but use normal safety practices

thanks for confirming.

> yes, if you exercise sound practices (like not browsing as root, maintaining physical security of your machine, etc etc etc etc)

i never logged in as root. Doesn’t the default installation create a user and so on and allow us to log in etc… Only time i change to root is when running YaST (asks for admin permissions) and then when running zypper (using sudo zypper up …)

One final set of queries:-
==> I want to install mysql
==> To run it, i set run level in YaST. What should be the level?
==> Will installing apparmor after installation of mysql automatically install the relevant profile too? :slight_smile:

On 12/17/2012 08:16 PM, vazhavandan wrote:
>
> The
> reason i am asking this “virus” question is that sometimes i load my family’s
> pen drives onto my system and i see those wretched exes (you know, the
> thumbs.db, folder.exe, *.sys etc… yakati yak)

those can’t hurt you…they won’t run in linux…well, i guess some of
them might run in WINE but…but, i don’t WINE here and i don’t know
much about how to try to force a Windows virus to make damage…i guess
it might be possible to do something minor…

hmmm, i remember some years ago someone did that, took a fresh WinVirus
and played with it in WINE (or whatever) until they got it to run, but
it did nothing (as i recall) because it was hard wired to do certain
things to files that didn’t exist on the Linux machine…so DUH!

> One final set of queries:-
> ==> I want to install mysql

off topic for this thread (and this forum)
anyway, i know nothing about that except it is a db

> ==> To run it, i set run level in YaST. What should be the level?

probably 3 and 5

> ==> Will installing apparmor after installation of mysql automatically
> install the relevant profile too :slight_smile:

guess: probably


dd http://goo.gl/PUjnL

What would you suggest?

riderplus wrote:
>
> vazhavandan;2511384 Wrote:
>> I have noticed that some apps don’t provide GUI GTK versions but offer a qt
>> based GUI, and in some cases the qt option wants to pull an entire bunch of KDE
>> libraries :slight_smile: onto my GNOME desktop.
>
> What would you suggest?
>
>
Well, first, this is a very old thread; second, we are yet to get
such a guide; and finally, thanks to Linux, i have had a pretty much virus
free/malware free/worm free machine for the past few years :slight_smile:


GNOME 3.6.2
openSUSE Release 12.3 (Dartmouth) 64-bit
Kernel Linux 3.7.10-1.16-desktop