Security set up guide for 11.2?

Hi

I just installed 11.2 yesterday and I am wondering if there are some guides online where I can be told how to secure openSUSE 11.2?

For example, this is Linux, so PC viruses can’t attack me, right?

Also, I set automatic updates on, but how often do updates occur?

And where can I find more default AppArmor profiles? Right now I’m using Firefox without a profile…

:idea: To the persons in charge, I would suggest the creation of a Security Section in the forums.


To answer your questions check this first:

Securing openSUSE - openSUSE

Also, I would also suggest disabling SSH if you don’t use it. You can see what services are enabled in YaST Control Center, System section, System Services (Runlevel). There you can enable and disable them.

As for the AV, there aren’t viruses in the wild for Linux, yet it is a good practice to have an AV (just in case), even when it will have more work checking your Windows partition. :slight_smile:

Here you have it: http://software.opensuse.org/search/download?base=openSUSE%3A11.2&file=security%2FopenSUSE_11.2%2Fclamtk.ymp&query=clam

Also a couple of rootkit scanners, Rootkit Hunter and chkrootkit. Both are available in one click download. Search for them here:

Software.openSUSE.org

About AppArmor, here is the profiles repo: Profiles: index

And general info about it: AppArmor - openSUSE

And here general info about the security features in the distribution:

Security Features - openSUSE

Thanks for that there was a lot of useful information in that post.

Comprehensive security guides seem to be really hard to find for openSUSE.

How secure is sudo on a default installation of desktop openSUSE 11.2?

I’m off to find out now if I can use TrueCrypt to make an encrypted private home folder…

I guess you saw by now that truecrypt is available here, I am not using it for now so cannot comment much about it.

About sudo… Suse doesn’t use it. (Well, you can, but the file ownership will be transferred to root.) Note, the root account exists in Suse, and is accessible. It is understood that you’ll know how to use it appropriately. Some useful info here: Become su in Terminal - HowTo - openSUSE Forums

And here: SDB:Login as root - openSUSE

But as you know, all safety that relies on passwords is as strong as the password itself and the hashing algorithm used to cipher it. The good news is that Suse uses one of the strongest available, stronger than the traditional one used in Linux. I was researching this for a while. :slight_smile:

The most important property of bcrypt (and thus crypt_blowfish) is that it is adaptable to future processor performance improvements, allowing you to arbitrarily increase the processing cost of checking a password while still maintaining compatibility with your older password hashes. Already now bcrypt hashes you would use are several orders of magnitude stronger than traditional Unix DES-based or FreeBSD-style MD5-based hashes.

Today, a number of other operating systems, besides OpenBSD, support bcrypt password hashes, with Niels’ original implementation, with this implementation (crypt_blowfish), or otherwise. These systems include recent versions of FreeBSD and NetBSD, Solaris 10, and indeed the Linux distributions that have integrated crypt_blowfish (see below for a list). Only some of these systems use bcrypt for newly set passwords by default, though.

crypt_blowfish is fully integrated into Owl, distributions by ALT Linux team, and Annvix as the default password hashing scheme. It is a part of the glibc package on SUSE Linux and ASPLinux.

Check it here Modern password hashing (“password encryption”) for your software and your servers

More info here So Why The Long Passwords? - Reviews, News, and How To Geeks

As far as I know, as a general rule, if it is not dictionary based you’ll be safe with a password of more than 14 characters. If you can make it complex with special characters, caps, numbers etc., even better. But as long as it is not in any dictionary and has some complexity… and is at least 14 characters in length… it is safe.
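An added example, not part of the original post and not code from crypt_blowfish: a small audit that reads `/etc/shadow`-style lines, identifies which hashing scheme each account uses, and reports the bcrypt cost factor that the quoted text describes as adjustable. The sample accounts and hashes are constructed, and the minimum cost of 2^10 is an assumption chosen for illustration.

```python
import re

# Password-field formats used by crypt(3). Work factors are only comparable
# within one scheme, not across schemes.
BCRYPT = re.compile(r"^\$2[abxy]?\$(\d{2})\$[./A-Za-z0-9]{53}$")
SHACRYPT = re.compile(r"^\$([56])\$(?:rounds=(\d+)\$)?[^$]{1,16}\$[./A-Za-z0-9]+$")
MD5CRYPT = re.compile(r"^\$1\$[^$]{1,8}\$[./A-Za-z0-9]{22}$")
DESCRYPT = re.compile(r"^[./A-Za-z0-9]{13}$")

# Constructed sample in /etc/shadow layout; users and hashes are made up.
SAMPLE_SHADOW = """\
root:$2a$10$abcdefghijklmnopqrstuuABCDEFGHIJKLMNOPQRSTUVWXYZ01234:14600:0:99999:7:::
alice:$2a$05$abcdefghijklmnopqrstuuABCDEFGHIJKLMNOPQRSTUVWXYZ01234:14600:0:99999:7:::
bob:$1$saltsalt$abcdefghijklmnopqrstuv:14600:0:99999:7:::
carol:abJnggxhB/yWI:14600:0:99999:7:::
daemon:*:14600::::::
guest::14600:0:99999:7:::
"""


def classify(field):
    """Return (scheme, work) for one shadow password field."""
    if field == "":
        return ("empty", None)
    if field[0] in "*!":
        return ("locked", None)          # no password login possible
    m = BCRYPT.match(field)
    if m:
        return ("bcrypt", 2 ** int(m.group(1)))   # cost is stored as log2
    m = SHACRYPT.match(field)
    if m:
        name = "sha256crypt" if m.group(1) == "5" else "sha512crypt"
        return (name, int(m.group(2) or 5000))    # 5000 rounds when unset
    if MD5CRYPT.match(field):
        return ("md5crypt", 1000)        # fixed, cannot be raised
    if DESCRYPT.match(field):
        return ("descrypt", 25)          # fixed, password cut at 8 chars
    return ("unknown", None)


def audit(shadow_text, min_bcrypt_log2=10):
    """Return (user, scheme, issue) for accounts that need attention.

    min_bcrypt_log2 is a site policy value assumed for this example.
    """
    findings = []
    for line in shadow_text.splitlines():
        parts = line.split(":")
        if len(parts) < 2 or line.startswith("#"):
            continue
        user, field = parts[0], parts[1]
        scheme, work = classify(field)
        if scheme == "empty":
            findings.append((user, scheme, "no password set"))
        elif scheme in ("descrypt", "md5crypt"):
            findings.append((user, scheme, "fixed-cost legacy hash, reset the password"))
        elif scheme == "bcrypt" and work < 2 ** min_bcrypt_log2:
            findings.append((user, scheme, "cost 2^%d below policy" % (work.bit_length() - 1)))
        elif scheme == "unknown":
            findings.append((user, scheme, "unrecognised field, inspect by hand"))
    return findings


if __name__ == "__main__":
    for user, scheme, issue in audit(SAMPLE_SHADOW):
        print("%-8s %-10s %s" % (user, scheme, issue))
```

Because the cost is stored inside each hash, raising the policy value only affects passwords set afterwards; existing entries keep verifying at their recorded cost until the password is changed.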

So from what I read from those links on sudo, by default opensuse makes it really difficult to log in directly as root in the gui interface. Whenever a program requires root access it will ask you for the password. And passwords are encrypted using Blowfish which is based on AES. I’m the only user on this PC, so does that mean whenever I log in I’m a normal non-root user and only temporarily root to do specific things like access YaST?

In relation to TrueCrypt, it works wonders on external devices like drives and USB keys; I have most of my data backed up in AES partitions. Though when I tried to make an encrypted file partition in the openSUSE home folder it did work, but my PC went crazy slow; it seems to eat up a lot of CPU power according to the system monitor. So now I’m not storing any important data on my local hard drives.

accessdeniedno wrote:
> by default opensuse makes
> it really difficult to log in directly as root in the gui interface.

true, because it is a really really bad idea!

you should never log into KDE/Gnome/XFCE or any other *nix-like
graphical user interface desktop environment as root…

doing so 1) opens you up to several different security problems, 2)
too many too easy ways to damage your system no matter how careful
your actions (example: just browsing in your home directory while
logged into KDE/Gnome/etc as root can lock you out later as yourself
due to permissions damage), 3) and, anyway logging into KDE/etc as
root is never required to do any and all administrative duties…

so, always log in as yourself, and “become root” by using a root
powered application (like YaST, File Manager Superuser Mode) or using
“su -”, sudo, kdesu, or gnomesu in a terminal to launch whatever tool
is needed (like Kwrite to edit a config file)…read more on all that
here:

http://en.opensuse.org/SDB:Login_as_root
http://docs.kde.org/stable/en/kdebase-runtime/userguide/root.html
http://tinyurl.com/6ry6yd
http://tinyurl.com/ydbwssh


DenverD (Linux Counter 282315)
CAVEAT: http://is.gd/bpoMD
posted via NNTP w/TBird 2.0.0.23 | KDE 3.5.7 | openSUSE 10.3
2.6.22.19-0.4-default SMP i686
AMD Athlon 1 GB RAM | GeForce FX 5500 | ASRock K8Upgrade-760GX |
CMedia 9761 AC’97 Audio
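An added example, not part of the post above: a check for the "permissions damage" it describes, listing entries in a home directory that are no longer owned by the directory's owner, as happens after running desktop programs as root. The `LOGIN_CRITICAL` list of session files is an assumption for illustration.

```python
import os
import sys

# Top-level entries whose wrong ownership commonly breaks a graphical login
# (assumed list for this example; extend it for your desktop environment).
LOGIN_CRITICAL = {".Xauthority", ".ICEauthority", ".dbus", ".kde4",
                  ".gnome2", ".config", ".xsession-errors"}


def foreign_owned(home, expected_uid):
    """Return sorted (relative_path, owner_uid, critical) for every entry
    under `home` that is not owned by `expected_uid`.

    lstat() is used so symlinks are reported themselves, never followed.
    """
    hits = []
    for dirpath, dirnames, filenames in os.walk(home, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                uid = os.lstat(path).st_uid
            except OSError:
                continue  # entry vanished or is unreadable; skip it
            if uid != expected_uid:
                rel = os.path.relpath(path, home)
                critical = rel.split(os.sep)[0] in LOGIN_CRITICAL
                hits.append((rel, uid, critical))
    return sorted(hits)


def report(home):
    """Audit `home` against the owner of the directory itself."""
    owner = os.stat(home).st_uid
    lines = []
    for rel, uid, critical in foreign_owned(home, owner):
        tag = "LOGIN-CRITICAL" if critical else "other"
        lines.append("%-14s uid=%-5d %s" % (tag, uid, rel))
    return lines


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~")
    out = report(target)
    print("\n".join(out) if out else "all entries owned by the home owner")
```

Run it as the affected user (or as root from a terminal) against the home directory; entries tagged LOGIN-CRITICAL are the ones to hand back to the user first.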

I agree with you that for something like 99% of the time root access is not necessary. However, Opensuse is SLED with newer and more packages, which is an enterprise distro – with the strengths and virtues of an enterprise quality distribution – aimed at professionals. When you need to deploy a lot of machines, configure… and maintain them, you should have access to the administrator account. This is by default a professional distro which assumes you know what to do. And for that reason, no, it is not hard to log in as root at all, you just log in as such. This is not an Ubuntu-like distro that thinks it knows better than you and holds your hand… fortunately.

As an aside, my experience (from the time I began with Linux circa 04, installing Gentoo from scratch with no issues, and maintaining it at the low level you need there) is that it is not that easy to mess up your system just by editing configuration files… heck, even compiling the kernel manually almost every other day as happens there. :slight_smile:

Never had any issue. It is not so easy to break the system if you are careful. And if the system breaks for any reason, you can always use a live CD and log in and change things as necessary. (I never forbid that login option, just in case.) When people break their Windows installation in most cases they will need to reinstall it; with Linux you log in and fix it.

So for some administrative tasks the root account is there; yet the rest of the time it is safer to be as user – the main reason for it is security. Also the system is built by default in the assumption that you have your home partition separated from your root partition, by design is expecting you to work under that scheme.

Northern2 wrote:
> So for some administrative tasks the root account is there

no.

there are no administrative tasks which require you to log into
KDE/Gnome/etc as root…

never do it.

always log into KDE/Gnome/etc as yourself, a regular user and THEN
become root correctly, in a terminal or by using a root powered
application (like YaST, File Manager - Superuser Mode, or just KWrite
launched with root privileges)



DenverD wrote:
> no.
>
> there are no administrative tasks which require you to log into
> KDE/Gnome/etc as root…
>
> never do it.
>
> always log into KDE/Gnome/etc as yourself, a regular user and THEN
> become root correctly, in a terminal or by using a root powered
> application (like YaST, File Manager - Superuser Mode, or just KWrite
> launched with root privileges)

As I said before, that is true for 99% of the cases but not for everything. For example user account management (privileges) – I don’t allow users to give themselves more rights even while logged as root, to help avoid privilege escalation attacks. A user is not allowed to change privileges in his/her account. Only root can do so.

Also there are little things, for example klamav, which won’t allow you to check items in quarantine even if you launched it with kdesu. Of course, you can always go to that directory by other means, but then you cannot see what problems each file was supposed to have. After using it as user I needed to go to root just to deal with the quarantine (fortunately they were false alarms in Windows). Also before a major upgrade or when you are going to change many things in the system, it is there for your convenience. And also for sys administrators in IT departments. :slight_smile:

Under your idea this would be Ubuntu, which considers that their users don’t have the preparation to know its purpose, and thus, gives them a different usage of “sudo” But this is aimed at the enterprise, people that are more than familiar with UNIX-like systems. That’s why the account is there.

Northern2 wrote:
> That’s why the account is there.

no. it is NOT there for even 1% of the time, i say again there is no
admin duty which requires logging into KDE/Gnome/etc as root…

your user account management example is easily done at the command
line once logged in there as root…or in YaST > Security & Users >
User Management and/or Group Management…zero need to log into
KDE/Gnome/etc as root for that…

klamav quarantines windows files? just delete them!

logging into KDE/Gnome as root to “look at them” is certainly NOT what
you want or need to do…what are you gonna do? look at them and
decide to ignore klamav? then why run it?

delete C:/ is a better move for overall system security than to let it
cause you to decide to log into the GUI as root!



DenverD wrote:
> no. it is NOT there for even 1% of the time, i say again there is no
> admin duty which requires logging into KDE/Gnome/etc as root…
>
> your user account management example is easily done at the command
> line once logged in there as root…or in YaST > Security & Users >
> User Management and/or Group Management…zero need to log into
> KDE/Gnome/etc as root for that…

You are funny.

You don’t know what you are talking about. Just to begin with, in work settings you need to establish what user is in what group, the specific access of each user and group, and none of them can change it from their user account (you are supposed to forbid it for everyone except the sys administrator for obvious reasons). Also deploying and configuring many systems and keeping them. Did you ever work as a sys administrator for a large company? (Or even a small one.) Clearly not. So save your “advice” for people who ask for it.

Similar to that, as I told you before, in my personal system I disabled (take note since I said it before but you don’t get it) account management to users – users aren’t allowed to change privileges in their own accounts even when logged as root – Perhaps you don’t understand it because you never in your life logged in the administrator account in any system – but from there you can forbid any user from changing their account privileges even when they log as root. If that tool didn’t exist, users at companies everywhere would be allowed to set themselves with any privileges, any access, any groups… That’s why you can forbid that from the administrator account.

And what idiocy about just erase all files with klamav? We are talking of broken heuristics issues, not malware; quarantine exists exactly for that purpose.

I wonder what a person like you is doing in a distro that is aimed at the enterprise, but behaving here as if everyone but you were idiots. And giving blind “homely advice” left and right when it is uncalled for. You would be more at home in distros aimed at newbies; people here are going to take offense at your condescending aptitude.

Northern2 wrote:
> You are funny. … You don’t know what you are talking about …
> what idiocy … You would be more at home in distros aimed at
> newbies … your condescending aptitude

my “condescending aptitude [sic]” developed after i had already told
you twice, nicely, that there are zero administrator duties in
openSUSE requiring logging into KDE/Gnome/etc as root…and only one
reason that is true is because openSUSE is NOT a distro aimed at
the enterprise!!

instead SUSE Linux Enterprise Desktop (SLED) and SUSE Linux Enterprise
Server (SLES) are aimed at the enterprise…and sold/serviced by
Novell for that purpose

here we volunteers help and support folks in the openSUSE community
with their systems…mostly individuals with personal systems…while
we bash the bugs in the code which will EVENTUALLY make its way into
the enterprise product…

we don’t try to teach folks here how to be Enterprise Administrators
such as yourself…

the largest majority of the folks here in these fora asking for help
are newbies at some level…either new to openSUSE, new to Linux,
new to administering their own system, new to setting up a home or
office network, new at managing a firewall, or just simply new at
whatever they are having problems with today…

99.99% are absolutely NOT folks who need to be encouraged to log into
KDE/Gnome/etc as root…instead, they need to NOT log into the GUI as
root and instead learn how to correctly setup and maintain their
system without reverting to the Redmond way of logging in and running
as ‘administrator’…

your statement “This is by default a professional distro which assumes
you know what to do.” is absolutely wrong!! this is NOT a
“professional distro” it is a free and open source community distro
and we can NOT assume the folks asking questions here “know what to
do” or have even found the first document and read what to do…

if you wish to hang around and give advice you are welcome…but,
please do more looking around and see what we are involved in here,
and much less advising for a while (this is, after all, your fourth
day here)…

on the other hand, if you want to teach budding system administrators
how to log into KDE/Gnome/etc as root in SLED you are welcome to do
that, over in forums.novell.com where THAT professional/enterprise
distro is discussed and supported… [and let me know how many of the
other professional administrators over there agree with your
assessment that some administrative duties DO require you to log into
KDE/Gnome/etc as root…hmmmm, please explain to me how you do that
in SLES which most usually will not even have X installed???]

“You are funny … You don’t know what you are talking about … what
idiocy”–care to fire another volley of personal attacks?

i’ll not respond in kind.



Northern2 wrote:
> :idea: To the persons in charge, I would suggest the creation of a
> Security Section in the forums.

all good ideas appreciated…

but, this is not the correct forum for such, instead please visit
http://forums.opensuse.org/forums-feedback/forums-comments-suggestions/

but, before you do you might wish to review the several different
times your good idea has been offered before, discussed at length by
the community and rejected, see: http://forums.opensuse.org/search.php



accessdeniedno,

i’m very sorry your questions got overlooked while i tried to get the
other poster to stop giving you bad poop…now, let me focus on your
questions and needs

-=welcome=-

accessdeniedno wrote:
> I just installed 11.2 yesterday and I am wondering if there are some
> guides online where I can be told how to secure openSUSE 11.2?

yes, there are so many things on line that the hardest part is
figuring out where to look first…imo it is generally best to look
specifically at info for openSUSE first…

and, if possible look at the info written for THE version you are
using…see, the problem is that openSUSE moves SO fast the info
written for version 10.2 might be good or bad for 11.2…

if you can’t find info in our wiki, or this forum then branch out…

that said, please see a previous posting of mine which presents
openSUSE info first, and then more generic Linux info further down…

> For example, this is Linux, so PC viruses can’t attack me, right?

so far, about 99.999% of the viruses and malware on earth has been
written to attack products marketed by Microsoft…

generally those will have no effect on your system…i have personally
not run any anti-virus on any of my machines since 1995 when i moved
away from MS-Windows…

some say Linux users should run ClamAV so that if a virus gets to our
machine we won’t pass it on to a Windows-using friend…but, my
thought is it is not my job to protect folks from their own choices…

on the other hand there ARE bad folks out there who know how to install
a “root kit” <http://en.wikipedia.org/wiki/Rootkit> if you give them
the opportunity…so, you should have a STRONG root password and give
it to NO one…that, will stop most root kit installers in their tracks…

one of the reasons i talk about logging into KDE/Gnome/etc as root
is because doing so gives away your first line of defense…because if
you are out browsing as root and get compromised you are probably
gonna get rooted…

and, then you might as well give them every secret you have on the
machine…

> Also, I set automatic updates on, but how often do updates occur?

it depends…since you say you just installed 11.2, and since i assume
you did that while connected to the net, then i assume it downloaded
and installed a big boat load of updates…and, since we are very close
to 11.3 coming out i GUESS the updates for 11.2 have slowed down…so,
let me guess: maybe you should expect one or two per week, maybe
(someone running 11.2 can pitch in here and please improve that guess!!)

> And where can I find more default AppArmor profiles? Right now I’m using
> Firefox without a profile…

relax a little…first you are not running a Virus & Malware Magnet
made in Washington State…

your openSUSE is born so much more secure than any Windows you ever
bought you can’t believe it!! it has a running firewall and if you
elected to give it a separate and STRONG root password, then just
cruise a while…safely…

learn how and where to get scrubbed clean code and do a LOT of reading
of the documentation i referenced above…



I gave you examples (just a couple I could give you many more) where the administration account is necessary here. I set the policy I explained to users, (where they cannot escalate their rights even if they log as root) and that only can be done there.

I know that OpenSuSE is not yet SLED or SLES… or is, just with newer packages, choice of DE, and more packages. For those reasons it is not a newbie distro. You are too heavy handed and dogmatic; one thing is to understand that in everyday tasks you should work as user for security reasons, another is to assume that the users … all of them, lack all criteria in managing their systems. Let’s give correct information: some tasks, even when they are managing their own system, might need the administrator account, and the house won’t explode because of it. :slight_smile:

I understand that you are worried that users that just landed from Windows might try to be all the time as administrator, but you can explain (I did too) how it works here, without sounding like a zealot.

And about sys administration, of course X is used (for example here in Linux tools like zenworks); also keep in mind that you need to set the desktop environment for each user, some need custom icons for the applications they use, you might want to remove the programs that they won’t use, or won’t need… in a word, configure their working environment.

My position on this is that we need to inform users, and then they can use their own criteria. Let’s not be dogmatic, and remember everyone can break the system when logged as root; there isn’t any sure proof way to be here if they are going to administer their systems at all.

I saw that you commented how long I have been in Suse; to tell you the truth I have been here for some months, but it is my second installation. I used it in my older computer some time ago (as main OS) and once I built my new one, I didn’t have the chance to install it until some time ago. I don’t know if the forums keep the old usernames. I began with Linux relatively late (04 with Gentoo). I come from the time of MS DOS, back in 92, OS/2 and Win 3.1 (which I hated). Before that time I learned Basic, Pascal and assembly. And many things since then. :slight_smile:

I hate all situations where someone thinks “they know better”. I like to inform and help people, and make them trust their own criteria and capabilities, not deal with them as if they were dumb cattle.

Yikes DenverD, there you are again all condescending and assuming he/she doesn’t have a clue.

I already answered those questions. And please, don’t tell that person to “relax” on security when he/she is asking about specific details about it – and telling things like don’t learn to use AppArmor; while being all dogmatic about the NEVER NEVER NEVER, EVER log in to your root account even for 5 seconds thing.

Security is necessary here too. It is true that there aren’t any viruses in the wild but there are rootkits (incredible, you gave that person the link to “explain” what they are…). There you are again assuming that he/she must be some uninformed idiot (please).

We were dealing with system security… Only. You rushed there making a lot of assumptions. :\