#1 2015-01-28 17:30:34

Mars
Member
Registered: 2015-01-22
Posts: 2

How Secure Are We?

Hello there, Arch users.

I'm a fairly secure user of Windows and Android operating systems. I've also recently wanted to further expand and harden my privacy and security out of a need, as I live under not-so-favorable conditions.

I've switched my desktop OS to Linux less than a couple of months ago. Started with Linux Mint Debian Edition (a Debian "rolling release"). Was a fine learning experience and I've got to administer my home Linux box in a secure manner until it broke (nothing related to security, just that proprietary drivers broke over an update.. too lazy to fix it)

Now I intend to install Arch after testing Antergos and getting to use the Arch environment. I'm interested in reading good tips on how secure the system is and how to further increase security in terms of remote exploitation specifically. Should I depend on Arch as a daily *secure* driver for everyday needs? I need to address that firstly as it's the uncontrollable part; unlike human-infrastructure type of attacks. I did read the Security wiki, but I also need more tips from experience as what can be installed or what should be avoided.

Some guidance questions:

1- As this is a rolling release OS, is it more or less secure than long-support release systems?

2- What specific tips can we use to further secure our systems?
I'm currently using Antergos, but I intend to switch to full Arch install in about 2 weeks (will have free time by then). I like the Arch environment (and forums) and I'm interested in ways to further secure it.
Also, a good tip would be like: you need to install ufw and gufw and run

 # sudo gufw 

and turn ufw on.

3- How long, on average, does it usually take to patch vulnerabilities found in Linux, from your experience? i.e. Is it usually faster or slower than other distros? An educated guesstimate would work, as I don't expect to find standardized info.

4- AUR! I need someone to go on all day about anything related to security about AUR. Awesome ArchWiki doesn't have much on this.
For example:
- When a package I installed is updated from vendors/authors, does my package pull from the source vendor and immediately update (most importantly, Google Chrome), or does my system have to wait for the package maintainer to actually update his work for yaourt to pull from? i.e. Does the system update packages as soon as the vendor updates them, or as soon as the maintainer updates them?
- When I pacman -Syu, does this include updating AUR? Here

5- What VPN do you guys use?


# mod edit: less inflammatory title

Last edited by jasonwryan (2015-01-28 20:22:08)

#2 2015-01-28 17:39:23

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 29,559
Website

Re: How Secure Are We?

Mars wrote:

I actually installed Antergos to simplify the Arch install.

No, you actually installed Antergos to install Antergos.  That's a different OS with different settings that we don't know about and can't help with.  You'll have to ask on their forums - these forums are for arch linux support only.

Closed.  Binned.

EDIT: as for GHOST that is not at all recent.  It's recently been in the major media outlets - but the relevant patch was in the archlinux repos over a year and a half ago.

EDIT: reopened upon appeal from the OP who plans to install arch proper.  @ Mars please note there was nothing at all punitive about the move of this topic to the dustbin - this is simply the wrong place to ask about Antergos.  But if you'd like to learn about arch linux itself before you install it, you are more than welcome to participate on these forums.  For an effective discussion, though, you may want to read a bit from the wiki and other posts to see what parts of your questions are already well answered, then fine tune your question(s) to focus on what is not yet clear.

Last edited by Trilby (2015-01-28 19:54:06)


"UNIX is simple and coherent..." - Dennis Ritchie, "GNU's Not UNIX" -  Richard Stallman

#3 2015-01-28 20:03:11

Mars
Member
Registered: 2015-01-22
Posts: 2

Re: How Secure Are We?

Trilby wrote:
Mars wrote:

I actually installed Antergos to simplify the Arch install.

No, you actually installed Antergos to install Antergos.  That's a different OS with different settings that we don't know about and can't help with.  You'll have to ask on their forums - these forums are for arch linux support only.

Closed.  Binned.

EDIT: as for GHOST that is not at all recent.  It's recently been in the major media outlets - but the relevant patch was in the archlinux repos over a year and a half ago.

EDIT: reopened upon appeal from the OP who plans to install arch proper.  @ Mars please note there was nothing at all punitive about the move of this topic to the dustbin - this is simply the wrong place to ask about Antergos.  But if you'd like to learn about arch linux itself before you install it, you are more than welcome to participate on these forums.  For an effective discussion, though, you may want to read a bit from the wiki and other posts to see what parts of your questions are already well answered, then fine tune your question(s) to focus on what is not yet clear.


Thanks, Mod.
Updated the topic to better follow rules.

I did read the forum. "Security" keyword alone has 285 pages. I read several interesting topics, but it's unrealistic to go through all of those pages just to post. I did also Google topics, and I need some experience from users. Appreciate your directions though.

Last edited by Mars (2015-01-28 20:22:11)

#4 2015-01-28 20:21:03

jasonwryan
Anarchist
From: .nz
Registered: 2009-05-09
Posts: 30,424
Website

Re: How Secure Are We?

Mars wrote:

1- As this is a rolling release OS, is it more or less secure than long-support release systems?

Look at the list of distros vulnerable to Ghost. Arch patched this 18 months ago.

2- What specific tips can we use to further secure our systems?

https://wiki.archlinux.org/index.php/Security

3- How long, on average, does it usually take to patch vulnerabilities found in Linux, from your experience? i.e. Is it usually faster or slower than other distros? An educated guesstimate would work, as I don't expect to find standardized info.

See 1. Also, see http://oswatershed.org/

4- AUR! I need someone to go on all day about anything related to security about AUR. Awesome ArchWiki doesn't have much on this.
For example:
- When a package I installed is updated from vendors/authors, does my package pull from the source vendor and immediately update (most importantly, Google Chrome), or does my system have to wait for the package maintainer to actually update his work for yaourt to pull from? i.e. Does the system update packages as soon as the vendor updates them, or as soon as the maintainer updates them?
- When I pacman -Syu, does this include updating AUR? Here

https://wiki.archlinux.org/index.php/AUR

5- What VPN do you guys use?

OpenVPN.


Arch + dwm   •   Mercurial repos  •   Surfraw

Registered Linux User #482438

#5 2015-01-28 22:33:48

frank604
Member
From: BC, Canada
Registered: 2011-04-20
Posts: 1,212

Re: How Secure Are We?

I'm just going to leave this here http://allanmcrae.com/2015/01/who-you-gonna-call/

#6 2015-01-29 00:38:06

Awebb
Member
Registered: 2010-05-06
Posts: 6,309

Re: How Secure Are We?

I strongly advise you ditch yaourt for a while and learn how the AUR works by first using a browser + makepkg and then a simple helper like cower. Once you know what you are doing, you could return to yaourt any time, although I doubt you will want to do that.

#7 2015-01-29 01:16:29

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,224
Website

Re: How Secure Are We?

Mars wrote:

1- As this is a rolling release OS, is it more or less secure than long-support release systems?

Two totally different things; "LTS" distributions aim to provide support to a generally "fixed" set of packages (ie, same major kernel, same major toolchain etc), usually back-porting security fixes to those packages where required. Rolling release aims to provide the latest packages of everything -- this can lead to a lot more breakages than an "LTS" distro if not managed properly. LTS is generally more forgiving of "lazy" management.
As far as security goes, it's difficult to compare. LTS releases generally get security patches back-ported, but sometimes they may not, especially towards the end of the LTS life cycle, or if implementing the fix would significantly change expected behaviour of the software. On a Rolling Release, you'll get the latest which includes any security fixes, but also includes any NEW security issues (probably not even discovered yet) introduced in recent versions.

Mars wrote:

2- What specific tips can we use to further secure our systems?

This is the same regardless of your distribution. The standard list applies: minimize your attack surface (use a firewall, disable services you don't need), use good passwords, enforce MAC instead of DAC (eg, SELinux or AppArmor).

Mars wrote:

3- How long, on average, does it usually take to patch vulnerabilities found in Linux, from your experience? i.e. Is it usually faster or slower than other distros? An educated guesstimate would work, as I don't expect to find standardized info.

You say "in Linux" then "other distros" -- are you wanting to compare Linux to other operating systems, or Arch to other distributions? If it's the latter, then Arch is generally quite on the ball. Looking at recent vulnerabilities:
http://allanmcrae.com/2015/01/who-you-gonna-call/
http://allanmcrae.com/2014/09/shellshoc … rch-linux/

Mars wrote:

- When a package I installed is updated from vendors/authors, does my package pull from the source vendor and immediately update (most importantly, Google Chrome), or does my system have to wait for the package maintainer to actually update his work for yaourt to pull from? i.e. Does the system update packages as soon as the vendor updates them, or as soon as the maintainer updates them?

makepkg will do whatever the PKGBUILD tells it to do. If the PKGBUILD is for a specific version of a package (as is generally the case) then that is what it will build. You are free to download the PKGBUILD from the AUR and modify it yourself if it is not the version you want/latest version. This is fairly straightforward generally, and there is lots of information in the wiki, on man pages and generally around the web.
The exception to this is git packages, which often pull the latest git tree before building, which means you'll *really* have the latest version, probably not even a version that has been released by the upstream developer.

Mars wrote:

- When I pacman -Syu, does this include updating AUR? Here

No, read up on the wiki the difference between the official repos, the community repo and the AUR.

Mars wrote:

5- What VPN do you guys use?

OpenVPN to my own VPS.
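
An added illustration of the point above that makepkg builds exactly what the PKGBUILD specifies (this is not part of any post in the thread, and the function names and sample PKGBUILDs are constructed for the example): a read-only check that tells a version-pinned PKGBUILD from a VCS one and counts sources whose checksum is disabled with SKIP.

```sh
#!/bin/sh
# Added example: read-only triage of a PKGBUILD before running makepkg.
# The file is parsed as text and never sourced: a PKGBUILD is a shell
# script, so sourcing it would already run its code.

# Print the body of a bash array assignment (e.g. source=(...)), including
# per-architecture variants such as source_x86_64=(...).
array_body() {  # $1 = array name, $2 = PKGBUILD path
    awk -v name="$1" '
        $0 ~ "^" name "(_[a-z0-9_]+)?=\\(" { inside = 1 }
        inside { print }
        inside && /\)[ \t]*$/ { inside = 0 }
    ' "$2"
}

# "vcs" if any source uses makepkg's vcs+url form, else "pinned <pkgver>".
pkgbuild_kind() {
    if array_body source "$1" | grep -E '(git|hg|svn|bzr)\+' >/dev/null; then
        echo "vcs"
    else
        echo "pinned $(sed -n 's/^pkgver=//p' "$1" | tr -d "\"'")"
    fi
}

# Number of sources whose integrity check is disabled with SKIP.
skip_count() {
    for algo in md5sums sha1sums sha256sums sha512sums; do
        array_body "$algo" "$1"
    done | awk '{ n += gsub(/SKIP/, "") } END { print n + 0 }'
}

audit() {
    kind=$(pkgbuild_kind "$1"); skips=$(skip_count "$1")
    if [ "$kind" = "vcs" ]; then
        echo "VCS: builds upstream HEAD as of build time"
    elif [ "$skips" -gt 0 ]; then
        echo "WARN: $kind, $skips source(s) not checksummed"
    else
        echo "OK: $kind, all sources checksummed"
    fi
}

# Constructed sample PKGBUILDs (not real AUR packages).
SAMPLES=$(mktemp -d)
printf '%s\n' 'pkgver=1.4.2' 'source=("https://example.org/tool-$pkgver.tar.gz")' \
    "sha256sums=('PLACEHOLDER_SHA256')" > "$SAMPLES/pinned"
printf '%s\n' 'pkgver=r120.abc1234' 'source=("tool::git+https://example.org/tool.git")' \
    "md5sums=('SKIP')" > "$SAMPLES/vcs"
printf '%s\n' 'pkgver=2.0' 'source=("https://example.org/tool-2.0.tar.gz"' \
    '        "tool.patch")' "sha256sums=('SKIP'" "            'SKIP')" > "$SAMPLES/unverified"

for f in pinned vcs unverified; do audit "$SAMPLES/$f"; done
```

SKIP is expected for VCS sources, which is why the script only warns about it on version-pinned PKGBUILDs.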

#8 2015-01-29 01:33:56

clfarron4
Member
From: London, UK
Registered: 2013-06-28
Posts: 2,163
Website

Re: How Secure Are We?

Mars wrote:

1- As this is a rolling release OS, is it more or less secure than long-support release systems?

I'd typically expect fewer "security vulnerabilities" to be knocking around in the packages used in the ArchLinux main repositories because being on the bleeding edge often means we pull in patches many months before other distributions do. However, it's a difficult one because I'd typically expect any relevant security patches to be backported to the LTS releases (I definitely see this with the kernel).

Mars wrote:

Does the system update packages as soon as the vendor updates them, or as soon as the maintainer updates them?

If you're not planning to check yourself when the packages themselves are updated from the source, then it'll be when the maintainer updates the sources in the AUR.

I know there are people who take the PKGBUILDs for my AUR packages, bump the package version and build the package themselves before I upload the PKGBUILD to the AUR. Why? It's a combination of them checking kernel.org themselves and the point that I tend to prefer building all of my packages before uploading the new source tarballs.

Mars wrote:

2- What specific tips can we use to further secure our systems?

Most of the essential stuff has already been said. If you want to go further than that, then there are bits from the NSA's guide to securing a Red Hat 5 installation which are still relevant today.

EDIT: It just so happens that Red Hat released Red Hat 6 if you don't want to touch the NSA's servers.

Last edited by clfarron4 (2015-01-29 01:34:55)


Claire is fine.
Problems? I have dysgraphia, so clear and concise please.
My public GPG key for package signing
My x86_64 package repository
