Author Topic: PM6/Linux Hardening  (Read 863 times)

Offline Razznak

  • Jr. Member
  • Posts: 99
  • Karma: 15
  • Peppermint version(s): 6 and 7
PM6/Linux Hardening
« on: December 29, 2015, 07:02:47 pm »
Hello all!

 I was poking around in the forums a bit but couldn't seem to find any topic related to hardening. For those unaware, hardening a computer is the process of securing a computer, or making it more secure. What are some things you've done to harden your PM6/Linux machine? Is there anything you've done specifically with PM6?
BTC Donations: 1rAZZNAkKp3GS4uc15YsbSxSPnFbfErt6

Online PCNetSpec

  • Administrator
  • Hero
  • Posts: 19634
  • Karma: 2238
  • "-rw-rw-rw-" .. The Number Of The Beast
  • Peppermint version(s): Peppermint 8 Respin (64bit)
Re: PM6/Linux Hardening
« Reply #1 on: December 29, 2015, 07:14:21 pm »
Nothing at all, I'm not that paranoid, and I don't see it as necessary on desktop Linux ;) .. now maybe if I were running a web facing server running services that are liable to attract the attention of "hackers" (misuse of the term, but you get my meaning) I'd take some steps to lock it down .. but for "desktop" use, which is really where Peppermint is liable to be used, nowt beyond being careful where I get my software :)
WARNING: You are logged into reality as 'root' .. logging in as 'insane' is the only safe option.

Team Peppermint
PCNetSpec

Offline Razznak

Re: PM6/Linux Hardening
« Reply #2 on: December 29, 2015, 07:18:25 pm »
> Nothing at all, I'm not that paranoid, and I don't see it as necessary on desktop Linux ;) .. now maybe if I were running a web facing server running services that are liable to attract the attention of "hackers" (misuse of the term, but you get my meaning) I'd take some steps to lock it down .. but for "desktop" use, which is really where Peppermint is liable to be used, nowt beyond being careful where I get my software :)

Is there an "upvote" option? I guess the  :) or a "Thumbs up" shall do. I'm running Peppermint on a laptop that I bring almost everywhere, and I am that paranoid.  ;)

Online PCNetSpec

Re: PM6/Linux Hardening
« Reply #3 on: December 29, 2015, 08:09:49 pm »
If you're paranoid about your "user" data in case of portable computer theft, I'd just go with a single encrypted storage directory, or not leave the data on the portable PC in the first place using something like owncloud or SpiderOak.

But encrypting the core OS files (full disk encryption) is IMHO not only completely unnecessary and over the top, but asking for problems ;)

Anything other than encryption is useless if they have local access (stolen laptop) .. and local encryption comes with its own problems (risk of losing the data yourself) .. so encrypt user data in the cloud, then if they steal your computer basically all they're going to get is a stock install of Peppermint and nothing much else :)

Offline Ulysses_

  • nOOb
  • Posts: 23
  • Karma: 0
  • New Forum User
Re: PM6/Linux Hardening
« Reply #4 on: October 01, 2017, 05:52:30 pm »
What if you knowingly visit dangerous sites, perhaps to learn underground security? Aren't you almost as attractive for hacker attacks and attempts to take over as a web server would be? How would you harden peppermint for this use?
« Last Edit: October 01, 2017, 05:54:49 pm by Ulysses_ »

Online PCNetSpec

Re: PM6/Linux Hardening
« Reply #5 on: October 01, 2017, 06:48:29 pm »
Use a sandboxed browser.

And no you're not as open to hackers as you're not running a server offering inbound connections.
« Last Edit: October 01, 2017, 06:53:26 pm by PCNetSpec »

Offline Ulysses_

Re: PM6/Linux Hardening
« Reply #6 on: October 02, 2017, 03:33:50 am »
Once malware is in a sandbox, does it not have less exploits to try against the sandbox code and the code if the system has some features uninstalled?

Offline pin

  • Trusted User
  • Member
  • Posts: 608
  • Karma: 71
  • Peppermint User
  • Peppermint version(s): Peppermint 7 Respin (64bit)
Re: PM6/Linux Hardening
« Reply #7 on: October 02, 2017, 04:37:27 am »
Why use your Peppermint machine for this?
You could, for example, use Tails, see: http://distrowatch.com/table.php?distribution=tails
I would feel much more comfortable if I had any plans whatsoever to go into those places  ;)
« Last Edit: October 02, 2017, 04:39:16 am by pin »

Online PCNetSpec

Re: PM6/Linux Hardening
« Reply #8 on: October 02, 2017, 07:31:18 am »
> Once malware is in a sandbox, does it not have less exploits to try against the sandbox code and the code if the system has some features uninstalled?

Not sure what you're asking here ?

Offline Ulysses_

Re: PM6/Linux Hardening
« Reply #9 on: October 02, 2017, 08:06:42 am »
You use a sandboxed browser because the bugs in a normal browser could be used by an attacker to take control of some of the system. But sandboxing would have some bugs too, much fewer bugs but still possible. Maybe a sandbox bug is only a bug in the presence of some other software, like flash say. Flash is trivial to uninstall, but in a hardened peppermint what else should be uninstalled to reduce the attack surface that sandboxed malware sees?

Online PCNetSpec

Re: PM6/Linux Hardening
« Reply #10 on: October 04, 2017, 03:53:35 pm »
Well sure, but you could say that for any hardening technique too ;)

I guess if you're using Firefox, as well as using a sandbox (such as firejail) you could enable the apparmor profile for firefox by running:
Code:
    sudo rm -v /etc/apparmor.d/disable/usr.bin.firefox
then rebooting to pick up the changes.

Once rebooted you can check if the firefox apparmor profile is active and in 'enforce' mode by starting firefox, then running:
Code:
    sudo apparmor_status

If you decide you want to disable the firefox apparmor profile again, run:
Code:
    sudo ln -s /etc/apparmor.d/usr.bin.firefox /etc/apparmor.d/disable/usr.bin.firefox
then reboot.

There are other apparmor profiles (including one for chromium-browser) in the apparmor-profiles package.

and a few more in the apparmor-profiles-extra package.
« Last Edit: October 04, 2017, 04:07:55 pm by PCNetSpec »
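
The check described in Reply #10, as an added shell example that is not part of the original thread: it reports whether the disable link for a profile is present, which mode `apparmor_status` lists the profile under, and how many running processes are confined by it. The function names are hypothetical and the sample status text is constructed.

```shell
#!/bin/sh
# Added example; function names are hypothetical, sample output is constructed.

# profile_disabled DIR NAME: true if DIR/disable/NAME exists (profile switched off).
profile_disabled() {
    [ -L "$1/disable/$2" ] || [ -e "$1/disable/$2" ]
}

# profile_mode PATTERN: read apparmor_status text on stdin and print the mode
# ("enforce", "complain" or "not-loaded") of the first profile containing PATTERN.
profile_mode() {
    awk -v pat="$1" '
        / profiles are in enforce mode/  { sect = "enforce";  next }
        / profiles are in complain mode/ { sect = "complain"; next }
        /^[0-9]+ /                       { sect = "";         next }
        sect != "" && index($0, pat)     { print sect; found = 1; exit }
        END { if (!found) print "not-loaded" }'
}

# confined_procs PATTERN: count running processes listed under enforce mode.
confined_procs() {
    awk -v pat="$1" '
        / processes are in enforce mode/ { on = 1; next }
        /^[0-9]+ /                       { on = 0; next }
        on && index($0, pat)             { n++ }
        END { print n + 0 }'
}

# audit DIR NAME PATTERN STATUS_TEXT: one-line verdict for a profile.
audit() {
    if profile_disabled "$1" "$2"; then echo "disabled"; return 0; fi
    echo "$(printf '%s\n' "$4" | profile_mode "$3") procs=$(printf '%s\n' "$4" | confined_procs "$3")"
}

# Constructed sample of apparmor_status output (not captured from a real machine).
SAMPLE_STATUS='apparmor module is loaded.
3 profiles are loaded.
2 profiles are in enforce mode.
   /sbin/dhclient
   /usr/lib/firefox/firefox{,*[^s][^h]}
1 profiles are in complain mode.
   /usr/sbin/cupsd
2 processes have profiles defined.
2 processes are in enforce mode.
   /sbin/dhclient (812)
   /usr/lib/firefox/firefox{,*[^s][^h]} (2417)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.'

# On a real system: audit /etc/apparmor.d usr.bin.firefox /usr/lib/firefox "$(sudo apparmor_status)"
audit /nonexistent usr.bin.firefox /usr/lib/firefox "$SAMPLE_STATUS"
```

A result of `enforce procs=0` means the profile is loaded but no running Firefox process is confined by it, which is why the status check is run with Firefox already started.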