Security Focused Distribution Recommendation

Discussion in 'all things UNIX' started by driekus, May 4, 2016.

  1. driekus

    driekus Registered Member

    Joined:
    Nov 30, 2014
    Posts:
    489
    I currently use Netrunner (Ubuntu derivative) and have played around with Qubes and love it, but the stability is really an issue on newer hardware.

    I am looking for a recommendation for my Lenovo P50 - Nvidia Quadro M2000, Intel Xeon 1535, NVME PCIe SSD. Because of the SSD I need to run UEFI. Dual boot is not an issue as the laptop has multiple bays so can have an OS on each drive.

    The key compatibility issue is Virtualbox and I would like to be able to run the Nvidia display driver. The operating systems I have the most experience with are Netrunner (Ubuntu), Manjaro (16.06 onwards), Linux Mint Debian, Qubes and Xubuntu. Visually I really like what Manjaro and Netrunner are doing.

    Some of the OSes that I have tried and had issues with are: BlackArch, ParrotOS, Manjaro (prior to 16.06).

    What I am looking for from an OS is one with solid security built in or a good basis for getting there. Privacy is also high on my concern. I run VPNs and TOR 90% of the time.
     
  2. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,028
    I mostly use Debian, with default Gnome. Sometimes I use a server netinst ISO, and add xfce or lxde.
     
  3. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,975
    Location:
    Brasil
    Sorry to tell you this, but by using these two programs (yes, a driver is still a program) you're giving up a lot on security. I'd recommend the grsec kernel (the best for security - AppArmor and SELinux are weak), but you'll have to patch the kernel in a way that is not supported by the grsec guys and disable mprotect for the kernel modules and so on.

    My personal recommendation is Debian with grsec (from corsac's repo) or Arch with grsec, both are very easy to deal with and provide the best security out there (the Debian grsec Kernel is safer by default).

    If you don't want to use grsec (because it's not compatible with nvidia or vbox), I'd say Debian Jessie, and use Firejail for all your programs. It disables numerous syscalls and restricts the attack surface by its blacklisting; it's a very secure sandbox.
    Iceweasel on Debian still has some privacy concerning issues, so you can get a fresh copy of the settings of Iceweasel from Parabola, here [link].

    Arch is by far the most stable distro I've used, and there's firejail there too. There's also the advantage of always having the latest software, with a minimalistic setup that fits your needs.
    You can install Iceweasel from Parabola right on Arch with no problems.

    I guess that's it for me. If you want real security you give up Virtualbox and use qemu, give up nvidia obscure blobs (that share code with Windows), and use grsec with nouveau. Nouveau right now is not completely up to par with the proprietary driver, but if you read some articles at Phoronix you'll see that it's almost there in the latest git versions; soon you'll be able to play games with the same performance as if using the proprietary blob.
     
  4. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,103
    Location:
    Southern Rocky Mountains USA
    A simpler approach if you're using virtualbox is to just minimalize the host system to a bare minimum essential to running Virtualbox. No browsers for the host which are the major attack vectors. No apps at all except for essential services and drivers would be the best approach both for security and performance. Then you can focus the security on the guest systems which will contain all the working apps and any kernel security enhancements like Grsecurity. The host system would not need it due to low exposure to any attack vectors. Even in the worst case scenario of a security breach, the guest systems are easily reset to a previous snapshot.

    KVM and Qemu are much more difficult to work with than Virtualbox. The easiest way to set up KVM vms I know of is, ironically, Qubes which has automated setup of them. I don't know of any real world security problems with Virtualbox or the Nvidia drivers. Virtualbox also has options that could be used to make guests more secure. Check some of the virtual disk options.
     
  5. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,028
    You can run VBoxHeadless on a minimal server install, and then VRDP via LAN from a desktop VM :)
     
  6. driekus

    driekus Registered Member

    Joined:
    Nov 30, 2014
    Posts:
    489
    Thanks for the feedback. Hard decision to make. For now I think I am going to stick with Qubes and bear with some of the bugs.
     
  7. chrome_sturmen

    chrome_sturmen Registered Member

    Joined:
    Apr 29, 2006
    Posts:
    785
    Location:
    Sverige
    Basically you are saying, do anything internet related in a vm?

    Also, if one minimizes the host system down to a bare minimum, and runs internet facing applications in the vm, well what about applications that have nothing to do with the internet? Wouldn't they go on the host system? Unless the host and guest were dedicated just to web surfing/internet?
     
  8. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,028
    @chrome_sturmen - I do everything in VMs. I do no work in host machines. I just keep them patched and updated, and perhaps manage a VPN client. Most of my VMs are for online stuff. Each persona has its own VM. I also use VMs for crunching data, and they're offline most of the time. Some are LiveCD VMs, and they're never online. I also segregate activities among host machines. My meatspace-persona stuff lives in a dedicated host, on a separate LAN.
     
  9. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,103
    Location:
    Southern Rocky Mountains USA
    The host system is optimized for drivers and hardware interfacing and doesn't need much more. So nothing at all gets done in the host except hosting the VMs, which should have the bare minimum of drivers necessary to function in the host system. Any real work gets done in a VM whether internet related or not. By clearly separating host and guest functions you not only get better security, you also get better performance, because the VMs are not burdened by having to load drivers and the host is not burdened by the apps and all the libraries and services that they need to function, which would also add vulnerabilities and attack surface to the host.
     
  10. kinder2

    kinder2 Registered Member

    Joined:
    Aug 17, 2015
    Posts:
    51
    I want to do the VMs method. What OS do you have for host? Do you have grsecurity installed for the host, what else? I want to make the perfect host for hosting VMs.
     
  11. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,028
    I just use stock Debian.
     
  12. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    625
    Location:
    United States
    Qubes looks very promising when they get the bugs out of it as does Subgraph OS.
     
  13. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,103
    Location:
    Southern Rocky Mountains USA
    I would put Grsecurity in the guests, not the host. It is the guests that are exposed to the dangers and exploits of the internet. The host should be optimized for performance and that would mean a light kernel. Most modern CPUs have built in virtualization functions that will keep host and guest memory completely isolated from each other, among other things. You can set up many guests with different levels of security appropriate for what each one is doing.

    I am using a somewhat stripped down Ubuntu 14.04 at present but the VMs could easily be migrated to another OS that supports Virtualbox. I like unity as a GUI for running Virtualbox because it leaves most of the desktop free for the guest OSes.

    One thing I should elaborate from earlier posts is that you should avoid overlap of functions. The host is what deals with the hardware and that, ideally, should be all that it is doing. The driver support should be complete for the host OS but it doesn't need much more than that. Remove all services and processes that are going to be used by the guest OSes that aren't necessary for the host to function. The guests should be set up with the minimum of virtual hardware they need to function so they aren't overburdened with loading drivers. That is the host's function, so remove any unnecessary and redundant virtual devices in them. Then you end up with lean host and guest OSes without any overlap of function and a greatly reduced attack surface on the host.

    I started using Virtualbox this way after using Qubes. Qubes is a bit rigid for a lot of what I like to do and doesn't have much support for Windows guests. The main issue I've had with Qubes is driver support; I haven't run into many bugs. It has performed extremely well for me but lacked a couple of hardware devices, like support for switchable graphics.
     
    Last edited: May 18, 2016
  14. kinder2

    kinder2 Registered Member

    Joined:
    Aug 17, 2015
    Posts:
    51
    Thank you for explaining your way. But do you worry about your host Ubuntu getting compromised when it updates? Updates need to be done with an internet connection, and if your ISP is bad, it can redirect your updates download to malicious code. The hash checking could be done against a compromised server too.
     
  15. chrome_sturmen

    chrome_sturmen Registered Member

    Joined:
    Apr 29, 2006
    Posts:
    785
    Location:
    Sverige
    I've been giving this some thought.
    Since I don't really understand linux that well, probably I would use windows as the host os, then linux as guest (probably I would use this vm for internet related things). Would this provide benefit over just using windows itself?

    It has been said to keep the host os clean, so then another small vm with my old xp for my non internet-related tools (no internet) ? But what if I wanted to listen to my windows media player while I surfed the web? Run both vms at once? This makes me dizzy *puppy*
     
  16. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,103
    Location:
    Southern Rocky Mountains USA
    I don't have that kind of paranoia and it takes less than a minute to restore the Ubuntu partition from a backup image if something goes wrong. I've had to do this more than once not due to a man in the middle attack but to the Ubuntu updates from the Ubuntu servers borking my system. Sometimes it's taken a couple of attempts to get it right.
     
  17. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,028
    I believe that Debian-family OS use GnuPG-signed repositories. Adding new keys requires root authentication, so anyone paying attention would see what's happening.
     
  18. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,975
    Location:
    Brasil
    ISPs can do that, but they probably won't because they can't fake GnuPG signatures and this kind of redirect would likely cause a massive suit which could threaten the company's very existence.

    If your ISP ever does that, you'll get tons of warnings regarding the package signatures. Remember, they're digitally signed for a reason.
     
  19. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,103
    Location:
    Southern Rocky Mountains USA
    With Virtualbox you can create VMs in Windows and then migrate them to Linux. In any case Windows does work as a host, it just runs them a bit slower and the host OS is far more resource intensive.

    With a newer CPU like an i7, you can run several VMs at once as long as there is enough memory. I sometimes have one VM playing internet radio while I run a couple of others doing other things. Xp works great as a guest OS and running it in a VM deals with a lot of security issues. The main benefit of running things in a VM is that everything is sandboxed. All the benefits of using a light virtualization program like Sandboxie or Shadow Defender apply, plus many more. I usually restore a snapshot after every VM session so they start clean at every use. Anything I want to save gets saved to either a shared folder on the host or a removable drive.
     
  20. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,592
    Agreed ---- GnuPG would prevent this, at least from happening in the dark. Flags and bells would be sounding in all directions!
     
  21. kinder2

    kinder2 Registered Member

    Joined:
    Aug 17, 2015
    Posts:
    51
    I do not know much about GnuPG. So if it is faked by man in the middle, it will give flags and bells. What kind of warnings should a novice look for? Will the warnings appear in the Ubuntu update GUI box?

    Is there a possibility that a hacker can hack through the VM to install malicious code into the host? I remember reading it is possible. Do a shared folder and shared clipboard between host and VM make the host more vulnerable to attacks through the VM?
     
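    Posts 14, 17 and 18 above describe the signed-repository protection and kinder2 asks what a tampered update would look like. The script below is an added example, not code from any poster: a POSIX shell script that builds a constructed one-package apt-style repository in a temporary directory and walks the hash chain that sits underneath the GnuPG signature (signed Release lists the SHA256 and size of the Packages index; Packages lists the SHA256 and size of each .deb). It assumes the Release signature has already been verified (apt does that with gpgv against its trusted keys) and only checks the chain; the package name demo_1.0_amd64.deb and its contents are made up.

```shell
#!/bin/sh
# Added example, not code from the thread: how an apt-style repository chains
# trust from the GnuPG-signed Release file down to each package.
#   Release (signed)  ->  SHA256 + size of the Packages index
#   Packages          ->  SHA256 + size of every .deb it lists
# A mirror or ISP that swaps a package or index breaks one link, and apt
# refuses it ("Hash Sum mismatch").  Signature verification of Release is
# assumed to have been done already (apt runs gpgv against its trusted keys);
# this script checks only the hash chain, on a repository it constructs itself.

sha256_of() { sha256sum "$1" | cut -d' ' -f1; }
size_of()   { wc -c < "$1" | tr -d ' '; }

# Read "<sha256> <size> <path>" lines on stdin and check each file under $1.
# Prints one status line per entry; returns 1 if any entry fails.
check_listing() {
    base="$1"; rc=0
    while read -r sum size path; do
        f="$base/$path"
        if [ ! -f "$f" ]; then
            echo "MISSING  $path"; rc=1
        elif [ "$(sha256_of "$f")" = "$sum" ] && [ "$(size_of "$f")" = "$size" ]; then
            echo "OK       $path"
        else
            echo "MISMATCH $path"; rc=1
        fi
    done
    return $rc
}

# Link 1: entries under "SHA256:" in Release, relative to the dists/<suite> dir.
verify_release() {
    awk '/^SHA256:/{p=1;next} /^[A-Za-z]/{p=0} p' "$1" | check_listing "$2"
}

# Link 2: Filename/Size/SHA256 of each stanza in Packages, relative to the repo root.
verify_packages() {
    awk '/^Filename:/{f=$2} /^Size:/{z=$2} /^SHA256:/{s=$2}
         /^$/{if(f)print s, z, f; f=s=z=""}
         END{if(f)print s, z, f}' "$1" | check_listing "$2"
}

# Both links in order; a broken Release entry stops before Packages is trusted.
verify_chain() {
    verify_release  "$1/dists/stable/Release" "$1/dists/stable" &&
    verify_packages "$1/dists/stable/main/binary-amd64/Packages" "$1"
}

# Constructed one-package repository (the .deb is a stand-in byte string).
build_demo_repo() {
    repo="$1"
    mkdir -p "$repo/pool/main" "$repo/dists/stable/main/binary-amd64"
    deb="$repo/pool/main/demo_1.0_amd64.deb"
    pkgs="$repo/dists/stable/main/binary-amd64/Packages"
    printf 'constructed package payload v1\n' > "$deb"
    {
        echo "Package: demo"
        echo "Version: 1.0"
        echo "Architecture: amd64"
        echo "Filename: pool/main/demo_1.0_amd64.deb"
        echo "Size: $(size_of "$deb")"
        echo "SHA256: $(sha256_of "$deb")"
        echo
    } > "$pkgs"
    {
        echo "Suite: stable"
        echo "Architectures: amd64"
        echo "SHA256:"
        echo " $(sha256_of "$pkgs") $(size_of "$pkgs") main/binary-amd64/Packages"
    } > "$repo/dists/stable/Release"
}

# Demo: the untouched repo passes; a .deb swapped on the mirror is caught.
demo_repo=$(mktemp -d)
build_demo_repo "$demo_repo"
echo "== untouched repository"
verify_chain "$demo_repo" && echo "chain intact"
printf 'swapped payload\n' > "$demo_repo/pool/main/demo_1.0_amd64.deb"
echo "== .deb replaced on the mirror"
verify_chain "$demo_repo" || echo "chain broken"
rm -rf "$demo_repo"
```

    The point for the question in post 21: the hashes never come from the server you are worried about on their own, they arrive inside the signed Release file, so a mirror or an in-path ISP can only change a package or index by breaking either the signature or a hash, and apt then refuses the download (a bad Release signature is reported as a GPG error before anything is fetched, a broken chain as "Hash Sum mismatch"), which is the same failure the graphical updater surfaces.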
  22. Anonfame1

    Anonfame1 Registered Member

    Joined:
    May 25, 2016
    Posts:
    193
    Arch and Gentoo are the only distros I know of that can reasonably have all at the same time:
    grsecurity/pax kernel/RBAC (though RBAC is painful on any rolling release distro)
    apparmor (on Arch recompile linux-grsec kernel with ABS and install userland from AUR)
    FullRELRO/canary/PIE for all running processes, or at least network-facing ones.
    Firejail available easily (especially if using Firefox)
    KVM easily available (for whonix gateway/workstation- KVM works on grsecurity kernels, while Virtualbox doesn't unless significant grsecurity protections are disabled and the kernel recompiled).
    I think maybe Alpine as well, but its documentation is sparse as are its repos. Xorg also runs as root since Alpine doesn't use systemd. Debian rebuilding packages for RELRO/canary/PIE is painful, though it does have grsecurity/pax and apparmor ready to go.

    I use Arch and have all the above- I need to recompile the kernel and about 25 packages as updates are released (usually never more than 2-3 need to be compiled per update), but that's much easier than recompiling everything with Gentoo. Recompiling a kernel in a distro which makes it easy (Arch is very easy in this regard) is a good idea anyway to reduce the attack surface by gutting out all the crap you don't need. My Arch setup uses openbox/xfce4-panel/firefox/network-manager/openvpn so stays fairly simple while still being a capable main/daily install. I should note that yaourt and customizepkg along with hardening-wrapper can be used to automate updating packages as FullRELRO/canary/PIE, but you should learn to use ABS/makepkg on their own first. Been using the same install since 2011 and all good.

    Combine the above with running the most simple system you can (which Arch and Gentoo encourage by starting you with just the package manager), and Arch/Gentoo seem to me the clear champions for now.

    Keeping an eye on Subgraph OS for a future champ.
     
  23. chrome_sturmen

    chrome_sturmen Registered Member

    Joined:
    Apr 29, 2006
    Posts:
    785
    Location:
    Sverige
    Yes I see it does now - I had forgotten how swiftly it moves when tightened up a bit. It's said not to go online with xp since it no longer receives security updates - can anyone tell me a bit more about the potential dangers? I have it online, it has no access to my home server, it has a shared folder with the host via virtualbox. Basically it is configured as a standalone machine. On it, I have a firewall, sandboxie, firefox has ublock and https everywhere. What's so bad about surfing the web with it? I had thought about using that vm to look up information about other linux VMs I'm trying to learn to use.
    thx
     
  24. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,103
    Location:
    Southern Rocky Mountains USA
    Paranoid fud, I'm posting this from Xp in a real machine that is online hours daily. It hasn't been updated since support ended. I have two machines that run Xp and both are used online daily. One is for forums and the other for large downloads. Updates are only one part of security and updates alone won't secure any OS. In a VM, the risks are further diminished. Sandboxie in a VM that is already a sandbox sounds pretty secure to me. In the worst case scenario of being exploited by one of the vulnerabilities and the exploit succeeding in doing damage or resulting in the OS being pwned, the attacker wouldn't see much beyond the VM and any damage would be removed in seconds by restoring a snapshot.
     
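    The routine MisterB describes in posts 13, 19 and 24 (strip redundant virtual hardware and host/guest channels from a guest, restore a clean snapshot after every session) and the VBoxHeadless-plus-VRDP setup mirimir mentions in post 5 can be scripted. The wrapper below is an added example, not code from any poster or from the VirtualBox project: it drives VBoxManage with VirtualBox 5.x-era option names, and the VM name, snapshot name and LAN address it takes are placeholders. It also answers the shared-folder and clipboard question from post 21 in the only way a defender can: by removing those channels from the guest that goes online.

```shell
#!/bin/sh
# Added example, not code from the thread: a VBoxManage wrapper for the routine
# MisterB describes (strip redundant virtual hardware and host<->guest channels
# from a guest, start every session from a clean snapshot) plus the VRDP
# binding mirimir mentions.  Option names are VirtualBox 5.x VBoxManage flags;
# VM, snapshot and address values are placeholders.  VBOXMANAGE can be pointed
# at another binary, which is also how the wrapper can be exercised on a box
# without VirtualBox installed.
VBOXMANAGE="${VBOXMANAGE:-VBoxManage}"

# Close the channels that let guest content reach the host: shared clipboard,
# drag-and-drop, USB passthrough, audio, spare NICs and every shared folder.
harden_guest() {
    vm="$1"
    "$VBOXMANAGE" modifyvm "$vm" --clipboard disabled
    "$VBOXMANAGE" modifyvm "$vm" --draganddrop disabled
    "$VBOXMANAGE" modifyvm "$vm" --usb off
    "$VBOXMANAGE" modifyvm "$vm" --audio none
    "$VBOXMANAGE" modifyvm "$vm" --nic2 none --nic3 none --nic4 none
    # showvminfo --machinereadable lists folders as SharedFolderNameMachineMapping<n>="name"
    "$VBOXMANAGE" showvminfo "$vm" --machinereadable |
        sed -n 's/^SharedFolderNameMachineMapping[0-9]*="\(.*\)"$/\1/p' |
        while read -r name; do
            "$VBOXMANAGE" sharedfolder remove "$vm" --name "$name"
        done
}

# Expose the console only as VRDP on a LAN address (VRDP needs the Oracle
# extension pack), so a headless host is driven from a desktop VM, not a local X.
enable_vrdp() {
    vm="$1"; addr="$2"; port="${3:-3389}"
    "$VBOXMANAGE" modifyvm "$vm" --vrde on --vrdeaddress "$addr" --vrdeport "$port"
}

# Roll the guest back to its known-clean snapshot, then boot it headless.
# Whatever the previous session left behind (including a compromise) is gone.
fresh_session() {
    vm="$1"; snap="$2"
    "$VBOXMANAGE" snapshot "$vm" restore "$snap"
    "$VBOXMANAGE" startvm "$vm" --type headless
}

case $# in
    2) harden_guest "$1"; fresh_session "$1" "$2" ;;
    *) echo "usage: $0 <vm-name> <clean-snapshot-name>" >&2 ;;
esac
```

    Run it as `sh harden-guest.sh xpvm clean` once a snapshot named clean exists; the VM must be powered off before the snapshot restore. Whatever a session needs to keep should leave the guest through one deliberate path (MisterB's removable drive, for instance) rather than through a standing shared folder or clipboard, since those are exactly the guest-to-host channels the script removes.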