SECURITY MATTERS. -- OpenSuse Super-Secured.

You’ve just read the most important principle behind working with data. It’s simple, yet powerful and effective.
Now let me ask you this: HOW to make OpenSuse as secure as possible? Insomnia? YES, PLEASE! Disconnecting the machine from the net? Um… good thought, but not an option here.

I’ve heard that SELinux is an “Addon” for the kernel that makes Suse even more secure. Also, it seems that the community sets high hopes in App-Armor, which should prevent intrusion. Weird: App-Armor won’t be improved in the future since its developers “lost” their job in 2007. Even then: How to configure App-Armor for a super-secure system? On my personal as well as business machines KlamAV is installed - but does that suffice?

Here comes the next word. S-E-C-U-R-E. Secure does not mean to let OpenSuse read my fingerprint every time I open a file. It means to be able to know that my system is not compromisable without cutting my hand off.
If you are technically on the bleeding edge and open your ears/eyes for the world’s headlines you probably know that even governments cope in developing the perfectly undetectable trojan for a number of systems… you get the point. I know that there is no “uncompromisable” system, but for sure I want to give pussies the hardest time they’ve ever had.

To be clear: I know it’s tempting to talk some bullsh!t, but I expect you guys to only hand me grown-up answers. Thanks.

Hi
You could use the /etc/permissions.paranoid file, install chkrootkit,
rootkit hunter, snort etc. The other one is nessus.

clamav is only for windows viruses and so you don’t potentially pass
them on via email.

But all of these things need to be done on a clean install, the other
of course is disk encryption.

All of the above mean squat though if someone has physical access to
your machine…


Cheers Malcolm °¿° (Linux Counter #276890)
SUSE Linux Enterprise Desktop 11 (x86_64) Kernel 2.6.27.25-0.1-default
up 1 day 8:30, 2 users, load average: 0.09, 0.07, 0.05
GPU GeForce 8600 GTS Silent - Driver Version: 185.18.14

Thanks for the lightning-fast reply, malcolmlewis.
Thing is, I don’t want to kill my disc with too many tools either. Maybe you could be so friendly and re-direct me to a place where I could…

a.) find information on how to correctly configure App-Armor for MY needs.
b.) tell me how to set my system in mode “paranoid” (where to enable the appropriate file permission mode)
c.) give me a hint which tools would be very recommendable to install - I know there’s a lot of code out there…

Mh… I just noticed that OpenSuse won’t accept root’s password when file permissions are set to “paranoid”. Weird.

Hi
I would start with AppArmor http://en.opensuse.org/AppArmor and take it
from there.


Cheers Malcolm °¿° (Linux Counter #276890)

Easy answer. Would you please give me hint on point #3 also? Thanks. :wink:

TheMask adjusted his/her AFDB on Saturday 25 Jul 2009 04:06 to write:

>
> Mh… I just noticed that OpenSuse won’t accept roots password when file
> permissions are set to “paranoid”. Weird.
>
>

Well I call that pretty secure not weird.

If you cannot login as root you cannot change anything unless a
vulnerability is found somewhere, and as no software is immune because that
is the nature of the beast then it is about as secure as you get I suppose.

Don AFDB

configure everything you need (offline), get it running as you like it then
make as much as possible read-only, encrypt anything that needs it, no root
login, behind a good well configured hardware firewall then connect to net
if you really really need it, unplug from power supply, take away keyboard,
take away mouse take away monitor, remove all static USB/Floppy ports,
password BIOS ( stop me if I am going too far )

There is paranoid and then there is usable.

If “THEY” are out to get you they will

bingo

Beware the Black Helicopters.

:slight_smile:


Mark
Caveat emptor
Nullus in verba
Nil illegitimi carborundum
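The checks the replies above ask for (Malcolm’s /etc/permissions.paranoid, the AppArmor suggestion, and Mark’s “no root login”) can be audited rather than taken on faith. The script below is an added example, not code from the thread; every check takes its input file as a parameter (defaulting to the real openSUSE/sshd paths) so it can be run against constructed copies. It assumes the openSUSE convention that /etc/sysconfig/security selects the permissions profile through PERMISSION_SECURITY, and the AppArmor profiles listing under securityfs.

```shell
#!/bin/sh
# Added example: audit three of the hardening points recommended in the thread.
# Each function prints one word so the result can be checked by a script.

# 1. Which permissions profile is active? openSUSE chooses between
#    /etc/permissions.easy, .secure and .paranoid through the first word of
#    PERMISSION_SECURITY in /etc/sysconfig/security (assumed convention).
permission_level() {
    f="${1:-/etc/sysconfig/security}"
    [ -r "$f" ] || { echo "unknown"; return 1; }
    # the last uncommented assignment wins; strip quotes, keep the first word
    lvl=$(grep -E '^PERMISSION_SECURITY=' "$f" | tail -n 1 \
          | sed -e 's/^[^=]*=//' -e 's/"//g' | awk '{print $1}')
    echo "${lvl:-unknown}"
}

# 2. How many AppArmor profiles are actually enforcing? The securityfs listing
#    has one "<profile> (enforce|complain)" line per loaded profile.
apparmor_enforced_count() {
    f="${1:-/sys/kernel/security/apparmor/profiles}"
    [ -r "$f" ] || { echo 0; return 1; }
    grep -c '(enforce)$' "$f" || true   # grep -c exits 1 on zero matches
}

# 3. Is the root account locked? In /etc/shadow a hash field starting with
#    '!' or '*' disables password login; an empty field means no password at all.
root_account_locked() {
    f="${1:-/etc/shadow}"
    [ -r "$f" ] || { echo "unknown"; return 1; }
    hash=$(awk -F: '$1 == "root" { print $2 }' "$f")
    case "$hash" in
        '!'*|'*'*) echo "locked" ;;
        *)         echo "open" ;;
    esac
}

# Summary for interactive use; run as root to read /etc/shadow.
hardening_summary() {
    echo "permissions profile : $(permission_level "$1")"
    echo "apparmor enforcing  : $(apparmor_enforced_count "$2") profile(s)"
    echo "root password login : $(root_account_locked "$3")"
}

# Uncomment to audit the live system:
# hardening_summary
```

A "paranoid" profile with zero enforcing profiles and an open root account is the mismatch this thread keeps circling: file permissions alone do not give the protection the posters attribute to them.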

TheMask wrote:
> Easy answer. Would you please give me hint on point #3 also? Thanks. :wink:

YOU have to decide the balance between the security of your system and
the inconvenience to you…that is, if you are trying to keep the NSA
from being able to read your machine you have to unplug it from the
net forever, and melt the hard drive every time you leave the room it
is in…

of course that is not so convenient for you (if tomorrow you wanna use
it, again)…

on the other hand, if you just need to keep out all those folks who
are today infecting, collecting key strokes, ripping off XP and
Windows users, and operating botnets then you were pretty much DONE if
you accepted a default install (with its default firewall) and then
connected your machine through a combo router/hardware firewall (AND
replaced the default router password with a STRONG one) and then to
the cable box, ISP provided xDSL modem etc…

well, after doing that, to protect your machine (if it ONLY runs
Linux) from well over 99% of the crackers and snoopers out there,
adding SELinux and KlamAV is overkill!

another way to say that is: no matter what anyone tells you you can
always throw back “I don’t want to kill my disc with too many tools
either”…only YOU know what YOU are willing to suffer through…like
i said, to protect yourself from the NSA you are gonna have to suffer
through a LOT! protection from microsoftie-script-kiddies is pretty easy…


brassy

I find the discussion a bit pointless. openSUSE is currently designed to be not particularly secure (you can see that if you install the default way, when they offer to use the same password for root and user). It is also extremely easy to change your root password if you have physical access to the PC.

So, first would be to have a mobile and not a fixed PC and to make sure that nobody has free physical access to it.

Second would be to install only the foreseen software, so bye bye to libdvdcss, packman codecs and all the beautiful rest of it.
If you would use them, then you cannot be sure that the signatures provided are correct, as there is no written paper support in newspapers that report the fingerprint of the GNUpg signatures of the repositories (as far as I know).

Encryption and SElinux is overkill? Depends on your personal life and the use you are doing of the pc. I think for me personally it would be very useful to achieve full disk encryption with /boot on usb-key and to activate SE linux. But I can assure you it is far from easy, the howtos for me did not work at all and then in this forum they are going to tell you not to bother. So my suggestion would be, you study first the boot sequence of suse, password protect grub for not allowing the substitution of the root password (look also at the write permissions) and once you are able to do it, to encrypt the root partition with external usb-key (good luck!).

KlamAV is actually counterproductive because it is a not required functionality, with a program that requires root access, if you want to run it with real time file access. IMHO just a way of having one first day exploit more.

If you are worried (and have reason to be worried) then you would probably also deactivate the time coordination functionality via the nist internet time service.

As you see, there are a lot of things you can do, you do not use any add ons in firefox any more, not even the eyecandy stuff. You deactivate javascript, flash and deactivate bluetooth.

All depends what you are searching for.

Try first the easy and fast steps. How is your password?
Is it long enough?
Do you change it regularly?
Is it maybe even random for root?
Did you configure wallet to close soon if not used by an application?
If you are just worried for your privacy:
noscript, foxyproxy, privoxy and tor.
But there if you are going paranoia then you could argue that tor servers have been setup in masses by certain agencies (not the travel ones) that are interested in the net traffics. But it does protect you against commercial data collection, to a certain extent.
Deactivate cookies or set private data to be eliminated by your browser after closing the session.
You will use a mailbox with POP3 that offers secure transport and secure password, you will change the password frequently. You will use openVPN and a VPN server to avoid exposure of your mails and pc in hot-spots when traveling.

But I would agree that SElinux and easy achievable disk encryption should be part of the basic features of openSUSE. A notebook can be stolen and contain data important for you and for others, private photos and bank information, business documents and so on and so forth. As far as I know they are candidates / in evaluation for 11.2 and maybe we are going to see finally very useful features like a working vpn service with networkmanager, a good coordination with kwallet and a working and conveniently configured SElinux as well as full and easy disk encryption via Luks.

If SE linux is too complicated and AppArmor is not developed any more you could have a look on the Tomoyo project.

In the meanwhile you could just begin to study the howtos and technical info available on the internet. More knowledge you have more you are on the safe side. For whatever you may be afraid of.

P.S. I forgot the most important feature for free internet and protection of privacy:
Vote!
And think well before, for **WHOM** you are voting :wink:


Just as a last point on SELinux/AppArmor/TOMOYO, they all use the same
hooks into the kernel (LSM) to do what they do, though one may be easier
to use or more-fully-featured than another. It looks like TOMOYO managed
to get into the main kernel at 2.6.30 so perhaps it adds something new but
I did not bother reading up on it at this point.

Regarding this thread, it has come up a few times that “it depends” on how
much security you want. It is important that you define that. Security
from young siblings? Security from your boss (who owns the laptop or PC)?
Security from the NSA? Security from me or others you may never meet in
real life? The needs to reach that security vary significantly. As
mentioned you MUST maintain control of the physical box to consider it
secure regardless of what else you do (same with any OS). This means
protecting (legally) from your Boss can be tricky, as (s)he can take the
box at any time. Disk encryption may help but you need to make sure you
are ready to tell your boss ‘No’ when asked for the encryption
key/passphrase. Security from the other categories is more or less there
out of the box (except the NSA, for the same reason as your Boss) as long
as you have decent passwords and keep your box with you and do not enable
something dumb.

Good luck.

stakanov wrote:
> I find the discussion a bit pointless. openSUSE is currently designed to
> be not particularly secure (you can see that if you install the default
> way, when they offer to use the same password for root and user). It is
> also extremely easy to change your root password if you have physical
> access to the PC.
>
> So, first would be to have a mobile and not a fix PC and to make sure
> that nobody has free physical access to it.
>
> Second would be to install only the foreseen software, so bye bye to
> libdvdcss, packman codecs and all the beautiful rest of it.
> If you would use them, then you cannot be sure that the signatures
> provided are correct, as there is no written paper support in newspapers
> that report the fingerprint of the GNUpg signatures of the repositories
> (as far as I know).
>
> Encryption and SElinux is overkill? Depends on your personal life and
> the use you are doing of the pc. I think for me personally it would be
> very useful to achieve full disk encryption with /boot on usb-key and to
> activate SE linux. But I can assure you it is far from easy, the howtos
> for me did not work at all and then in this forum they are going to tell
> you not to bother. So my suggestion would be, you study first the boot
> sequence of suse, password protect grub for not allowing the
> substitution of the root password (look also at the write permissions)
> and once you are able to do it, to encrypt the root partition with
> external usb-key (good luck!).
>
> KlamAV is actually counterproductive because it is a not required
> functionality, with a program that requires root access, if you want to
> run it with real time file access. IMHO just a way of having one first
> day exploit more.
>
> If you are worried (and have reason to be worried) then you would
> probably also deactivate the time coordination functionality via the
> nist internet time service.
>
> As you see, there are a lot of things you can do, you do not use any
> add ons in firefox any more, not even the eyecandy stuff. You deactivate
> javascript, flash and deactivate bluetooth.
>
> All depends what you are searching for.
>
> Try first the easy and fast steps. How is your password?
> Is it long enough?
> Do you change it regularly?
> Is it maybe even random for root?
> Did you configure wallet to close soon if not used by an application?
> If you are just worried for your privacy:
> noscript, foxyproxy, privoxy and tor.
> But there if you are going paranoia then you could argue that tor
> servers have been setup in masses by certain agencies (not the travel
> ones) that are interested in the net traffics. But it does protect you
> against commercial data collection, to a certain extent.
> Deactivate cookies or set private data to be eliminated by your browser
> after closing the session.
> You will use a mailbox with POP3 that offers secure transport and
> secure password, you will change the password frequently. You will use
> openVPN and a VPN server to avoid exposure of your mails and pc in
> hot-spots when traveling.
>
> But I would agree that SElinux and easy achievable disk encryption
> should be part of the basic features of openSUSE. A notebook can be
> stolen and contain data important for you and for others, private photos
> and bank information, business documents and so on and so forth. As far
> as I know they are candidates / in evaluation for 11.2 and maybe we are
> going to see finally very useful features like a working vpn service
> with networkmanager, a good coordination with kwallet and a working and
> conveniently configured SElinux as well as full and easy disk encryption
> via Luks.
>
> If SE linux is too complicated and AppArmor is not developed any more
> you could have a look on the ‘Tomoyo project’
> (http://tomoyo.sourceforge.jp/).
>
> In the meanwhile you could just begin to study the howtos and technical
> info available on the internet. More knowledge you have more you are on
> the safe side. For whatever you may be afraid of.
>
>
> P.S. I forgot the most important feature for free internet and
> protection of privacy:
> Vote!
> And think well before, for **WHOM** you are voting :wink:
>
>

Thanks for your VIP-response, ab@novell.com. :wink:

Mainly I want to ensure that persons that I won’t meet in real life don’t have access to the computer when shut off/while on the internet/screensaver is running.
And baskitcaise, you are right stating that there’s a significant difference between security and usability.

I’ve thought about installing full disc encryption as well. TrueCrypt doesn’t seem to work for this task so…how to accomplish? Do you have a link to a good tutorial for me?

Thank you all for your enlightening contributions.

If you are ok with full root encryption and /boot on the same HDD without having it on an external usb key then the “summary procedure” with the scripts installed DO work. You can find the link to the script in the “references” below the article/howto.
If you want the full story with usb-key, you can read the thread I did write about it (and gave up for the time being). You will study the whole howtos articles and wikis mentioned in the reference and then once you are a full crack you will teach us :wink: how to do it.
The link is Encrypted Root File System - openSUSE
You could also try the LVM thing. I personally didn’t.

As far as I remember it is quite easy to deactivate the screensaver in a running xserver. But I do not recall the reference sorry.
And bear in mind that even if you have an encrypted disk but the system is running, your data is accessible. So we are back to the point to have a close eye on your PC.
Cheers.

Here’s another question: Besides the fact that Kaspersky® Anti-Virus for Linux Workstation is a commercial application - is there a significant difference between KAV for Linux and KlamAV?
As far as I know, KlamAV is mainly for windows files - but Kaspersky… hm. Does it scan for the same rootkits as RKHunter?


Wouldn’t know… I don’t run AV on any boxes (Linux or other, including
windows). If I had a server that many people accessed for file sharing or
perhaps e-mail I’d care and scan to prevent propagation of evil inside the
network but for host-based protection I do not really believe it works,
and reading up on virus experts’ works they seem to agree. The entire
battle seems to be a cold war between if the virus kills the AV before the
AV detects it, and updates on both sides happen too fast to make it worth
my while to bother in either case. Training and good practices (not
running privileged, not running unnecessary services) will do a lot more
for you than AV, I think. Still, for the other stuff like scanning e-mail
or whatever, it may still have its place.

Good luck.

TheMask wrote:
> Here’s another question: Besides the fact that Kaspersky® Anti-Virus for
> Linux Workstation is a commercial application - is there a significant
> difference between KAV for Linux and KlamAV?
> As far as I know, KlamAV is mainly for windows files - but Kaspersky…
> hm. Does it scan for the same rootkits as RKHunter?
>
>

(Man, we have had one severe storm after another here in Alabama for the past month and a half. This is the first chance I’ve had in a while just to jabber. :slight_smile: )

Mask-Man,

Excellent suggestions here. Mine is to NOT forget physical security. This starts with securing the machine so that just anyone can’t get to it. Next, encrypt the hard drive. Otherwise, you could be facing the hilarious situation where you’ve used clever passwords, you’ve put something like SELinux or App Armor on there, you’ve even got a good Anti-Virus running … … … only to have it be rendered pointless when some bozo sits down at the machine, while you’re at lunch, and boots onto a Live CD with some tools that let him hack away.

Or, if he’s in a hurry or is just into outright data theft, he simply unplugs your PC and hauls it out with him. Or, if you have pluggable hard drives, he’ll yank one of those.

I’ve never been a big fan of virus and malware scanners. They’re too easy to spoof. That said, if you use one, learn to build your own live CD. Boot onto the live CD and scan your hard drive that way.

By the way, the next wave of malware attacks are probably going to focus on virtualization – so called “ring -1” (and “ring -2,” and so on) attacks. If a rootkit can get into the hypervisor, it runs “above” (or “below,” depending on your point of view) and owns the machine, period. That’s been the très chic topic of discussion at the Black Hat conferences lately, judging from the articles I’ve read. :slight_smile:

One excellent idea, to harden security, is to make the system executables (especially your virtualization software) hardware read-only – for example, always boot from a CD and then simply mount the local read-write hard drives (which should also be encrypted) for normal access.

Many ways to go here. Many good suggestions, and there’s not one good answer. But learn to think like a Bad Guy. Say to yourself, “If I wanted to hack The Mask’s machine, how would I do it?” :slight_smile:

PS - and by the way – and on a related topic …

I’ve been warning for a year or two now that, before long, you will see burglars breaking into homes and stealing the PC. They’ll bypass the electronics and the jewelry, because if they can snag your computer and hack into your personal files, they can clean out your bank accounts before you even get home from work.

You read it here first. It’s gonna happen … :slight_smile:

@Mask: I think you are aware of this Top 100 Network Security Tools, still I post the link, in case not.
Have fun.

On Sun, 26 Jul 2009 03:26:01 GMT, smpoole7
<smpoole7@no-mx.forums.opensuse.org> wrote:

>
>PS - and by the way – and on a related topic …
>
>I’ve been warning for a year or two now that, before long, you will see
>burglars breaking into homes and stealing the PC. They’ll bypass the
>electronics and the jewelry, because if they can snag your computer and
>hack into your personal files, they can clean out your bank accounts
>before you even get home from work.
>
>You read it here first. It’s gonna happen … :slight_smile:

Cool reminder. Never write down or trust to the computer important
passwords. They must be in your head only.

Thanks for the link, I’m familiar with that. :wink:

@smpoole7: Thinking of physical security again: You won’t get into any of my computers after they’ve been turned off. Period. I’ve been hacking like crazy there - and hardware protection simply rocks.
But talking of software security: Does it help any using LUKS? Sure. Does anyone here use it and can report on its usability/stableness/security? I’d love to hear some personal statements on this…