Security for Slackware

Discussion in 'all things UNIX' started by Gullible Jones, Jun 28, 2012.

Thread Status:
Not open for further replies.
  1. There are several things that are typically recommended for improving security on Slackware...

    - Partition setup and mount options. Don't allow suid binaries anywhere that a limited user can write to.

    - Use chroot sandboxes for internet-facing programs and daemons.

    - Use NoScript.

    Also, Slackware 13.37 has vm.mmap_min_addr set to something very high by default (maybe because of the huge kernel?).

    But otherwise not much security stuff is offered. No MAC built into the kernel for instance, and no further methods for mitigating memory-based exploits and kernel vulnerabilities.

    Are there any other "native" security mechanisms I should be aware of? Or does a better security setup for Slackware require a custom kernel?
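    One way to audit the first bullet above (no suid binaries on user-writable filesystems), as an added shell example that is not from the original thread: it works on a constructed sample fstab and an assumed list of user-writable mount points, reports the entries whose options lack nosuid, and prints the corrected table.

    ```shell
    # Constructed sample /etc/fstab (not from a real system): only /tmp is nosuid.
    SAMPLE_FSTAB='
    /dev/sda1  /         ext4   defaults             1 1
    /dev/sda2  /home     ext4   defaults             1 2
    /dev/sda3  /tmp      ext4   nosuid,nodev,noexec  1 2
    /dev/sda4  /var/tmp  ext4   nodev                1 2
    tmpfs      /dev/shm  tmpfs  defaults             0 0
    '
    # Mount points a limited user can normally write to (assumed list; extend it).
    USER_WRITABLE="/home /tmp /var/tmp /dev/shm"

    # Return 0 if $1 is one of the user-writable mount points, 1 otherwise.
    is_user_writable() {
        for w in $USER_WRITABLE; do
            [ "$1" = "$w" ] && return 0
        done
        return 1
    }

    # Read fstab text on stdin; print every user-writable mount whose option field
    # lacks nosuid. Exit status 1 if at least one offender was found.
    check_nosuid() {
        found=0
        while read -r dev mnt fstype opts rest; do
            case "$dev" in ''|'#'*) continue ;; esac   # skip blanks and comments
            is_user_writable "$mnt" || continue
            case ",$opts," in
                *,nosuid,*) ;;
                *) echo "$mnt lacks nosuid (options: $opts)"; found=1 ;;
            esac
        done
        return $found
    }

    # Read fstab text on stdin; emit it with nosuid appended to the options of every
    # user-writable mount that does not already carry it (the corrected table).
    add_nosuid() {
        while read -r dev mnt fstype opts rest; do
            case "$dev" in ''|'#'*) continue ;; esac
            if is_user_writable "$mnt"; then
                case ",$opts," in
                    *,nosuid,*) ;;
                    *) opts="$opts,nosuid" ;;
                esac
            fi
            printf '%s %s %s %s %s\n' "$dev" "$mnt" "$fstype" "$opts" "$rest"
        done
    }

    # Usage on the sample: report offenders, then show the corrected table.
    printf '%s\n' "$SAMPLE_FSTAB" | check_nosuid || printf '%s\n' "$SAMPLE_FSTAB" | add_nosuid
    ```

    Against a live system run `check_nosuid < /etc/fstab`; the resulting options still need a remount (or reboot) to take effect.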
     
  2. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    It will require you to compile your own kernel, but that is really sort of the point of distros like Slack and Gentoo.

    The MAC systems pretty much come with the vanilla kernel (SELinux and AppArmor, etc.) so you would just have to configure the kernel to include them and recompile it.

    As for all the ASLR stuff, I have no idea. I am not sure if there are kernel options for this or what, as it has been a few years since I compiled my own kernel. You may have to have certain GCC flags passed at compile time. I simply don't know.

    But this is why I don't use Gentoo anymore. All that compiling is a waste of time. I just use Ubuntu. It comes with all the ASLR/NX/RELRO stuff compiled into the kernel by default and comes with AppArmor enabled.
     
  3. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    I'd go for Gentoo if you're looking for security.

    Use the USE flag 'hardened' and compile a hardened kernel. You can significantly reduce attack surface with USE flags (don't compile in support for XYZ) and it only builds what it needs to.

    If you're using the hardened toolchain a default install is going to have ASLR everywhere and Grsec implements multiple defenses against ASLR bypasses (i.e. detect brute-forcing, etc.)
     
  4. Thanks, chronomatic and Hungry Man. Unfortunately my main 'puter is an EeePC - very efficient, but performance is about on par with the high-end laptops of a decade ago. So I've no particular desire to compile my own kernel, and Gentoo is right out.

    (I might yet try it on my Core 2 Duo uberworkstation though.)

    Instead I've decided to bite the bullet and switch to a more "modern" distro for my primary machine. Hopefully this goes well.
     
  5. BrandiCandi

    BrandiCandi Guest

    What distro did you go with?
    I guess there are advantages to being able to custom build a system specifically for your hardware. But it kind of confounds me. Are the performance gains (if that in fact is why you would go to the trouble) really that staggering?
     
  6. Currently Debian Sid. Which reminds me - I have to install AppArmor. :p

    [Edit: make that Tomoyo, AppArmor is broken on Sid. BTW, never ever do a Google search for "tomoyo" in a public place without accompanying the word with "linux."]

    No. Not at all. Actually...
    - Helpfulness of some optimizations depends a lot on hardware, and some can even harm performance depending on your setup
    - Too much optimization can make things unstable (e.g. -O3 is contraindicated on recent GCC versions)

    Compiling a minimal kernel can get you spectacular boot times, but that's about it. IMO the only use for Gentoo in this day and age is to create server installations with very low attack surface (via system hardening and avoiding dependencies). On a desktop it is a waste of time - even for learning about Linux, because Portage and company automate everything.

    But do take my opinion with a grain of salt...
     
    Last edited by a moderator: Jul 10, 2012
  7. mack_guy911

    mack_guy911 Registered Member

    Joined:
    Mar 21, 2007
    Posts:
    2,677
  8. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    Another issue with Gentoo is they do not digitally sign the tarballs in the repository. I shouldn't have to explain why this is horrible for security.
     
  9. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    There's a parameter for emerge that will only install signed software.
     
  10. What? :eek: I thought they signed everything by default since the UnrealIRCD fiasco!
     
  11. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    I agree that it's a waste of time for learning about Linux. You can learn about Linux on any distro.

    But any hardware since P4 is going to benefit from -march=native optimization. -O3 is not a good example, no one should be using it as it leads to larger code, which is slower, and the Gentoo handbook strongly discourages it. But all kernels should be compiled with -O2 and they are by default (or -Os).

    It's only instruction sets that aren't compiled for, and instruction sets can make a big difference when every piece of software is optimized with them. For boot times? Barely anything will change. For something like rendering videos? Yeah, you could see massive performance improvements.

    What's more important than all of this is the USE flags, which allows you to really lower attack surface. You can also USE hardened-sources, which is a fully PaX and Grsec enabled kernel + toolchain.

    If you use hardened toolchain + kernel you won't have any of the ASLR bypasses for other OS's that I know of. The only bypasses will be bruteforcing and, more importantly, information leakage. There are also issues with specific bug classes but overall you're way more secure on Gentoo.

    The question is whether or not it's worth it. Installing the OS is a PITA and compiling can take a while on older machines.
     