
#1 2013-12-16 14:33:44

xanb
Member
Registered: 2012-07-24
Posts: 419

Linux security measures

Hi,

I found this paper by Theo de Raadt about the security measures in OpenBSD. I just want to know whether in Linux, and specifically in Arch Linux, there are equivalent measures and, if so, whether they are activated by default.

Thanks,
Xan

Last edited by xanb (2013-12-16 14:34:19)


Owning one OpenRC (artoo way) and other three systemd machines

Offline

#2 2013-12-16 15:37:25

tomk
Forum Fellow
From: Ireland
Registered: 2004-07-21
Posts: 9,839

Re: Linux security measures

Have you done any reading/research about it yourself?

Offline

#3 2013-12-16 16:44:31

teateawhy
Member
From: GER
Registered: 2012-03-05
Posts: 1,138
Website

Offline

#4 2013-12-16 22:10:06

clfarron4
Member
From: London, UK
Registered: 2013-06-28
Posts: 2,165
Website

Re: Linux security measures

I'm wondering whether the NSA will update their security guide for RHEL, since quite a lot of it is quite usable as is on other Linux Distributions.


Claire is fine.
Problems? I have dysgraphia, so clear and concise please.
My public GPG key for package signing
My x86_64 package repository

Offline

#5 2013-12-16 23:55:54

ANOKNUSA
Member
Registered: 2010-10-22
Posts: 2,141

Re: Linux security measures

xanb wrote:

Hi,

I found this paper by Theo de Raadt about the security measures in OpenBSD. I just want to know whether in Linux, and specifically in Arch Linux, there are equivalent measures and, if so, whether they are activated by default.

Thanks,
Xan

I (mostly) respect Theo de Raadt and OpenBSD a lot, but computer security is really the only thing Theo de Raadt ever talks about and the only goal of OpenBSD is to achieve a nirvana-like state of computer security perfection. If you're looking for a UNIX-like operating system intended for typical desktop use with all the security measures like those in OpenBSD already present, you almost certainly won't find it.

Offline

#6 2013-12-17 01:34:19

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,231
Website

Re: Linux security measures

Moving to Networking, Server, and Protection

Offline

#7 2013-12-17 09:18:11

xanb
Member
Registered: 2012-07-24
Posts: 419

Re: Linux security measures

Please don't argue with each other. No blame wars.

I just want to know if there are alternative measures to the OpenBSD measures. Yes, I have investigated, but I don't know if Arch Linux has ASLR protection, PIE protection, etc. enabled by default. I just know that Arch Linux compiles all packages with ProPolice (gcc). Is it true?

Thanks,


Owning one OpenRC (artoo way) and other three systemd machines

Offline

#8 2013-12-17 09:56:02

Gulver
Member
Registered: 2013-05-24
Posts: 208

Re: Linux security measures

Not to hijack or mislead the thread but I'd also like to know what, if any, OpenBSD or relatives used as hasher alongside of RdRand and relatives.

Offline

#9 2013-12-17 14:16:08

brebs
Member
Registered: 2007-04-03
Posts: 3,742

Re: Linux security measures

Debian's hardening page is useful info. Compare the options there to Arch's default flags. Note that some packages have custom flags.

Offline

#10 2013-12-18 19:24:19

xanb
Member
Registered: 2012-07-24
Posts: 419

Re: Linux security measures

brebs wrote:

Debian's hardening page is useful info. Compare the options there to Arch's default flags. Note that some packages have custom flags.

What does this mean? Is Arch more/equally/less secure than Debian in this way?

On the other hand, can someone help me put together something like this for Arch Linux? It could be useful for people searching for security. I just know the SSP policy: https://bugs.archlinux.org/task/18864

Thanks,
Xan


Owning one OpenRC (artoo way) and other three systemd machines

Offline

#11 2013-12-18 19:33:37

teateawhy
Member
From: GER
Registered: 2012-03-05
Posts: 1,138
Website

Re: Linux security measures

xanb wrote:

On the other hand, can someone help me put together something like this for Arch Linux? It could be useful for people searching for security.
Thanks,
Xan

Arch Linux does not have release versions, which means you cannot create a table of security features per version as in Ubuntu.
You could create one that reflects the current status quo of the options listed there. I would be interested in it, although I believe half of what is listed in the table are features of the Linux kernel.

Offline

#12 2013-12-18 20:24:58

xanb
Member
Registered: 2012-07-24
Posts: 419

Re: Linux security measures

teateawhy wrote:
xanb wrote:

On the other hand, can someone help me put together something like this for Arch Linux? It could be useful for people searching for security.
Thanks,
Xan

Arch Linux does not have release versions, which means you cannot create a table of security features per version as in Ubuntu.
You could create one that reflects the current status quo of the options listed there. I would be interested in it, although I believe half of what is listed in the table are features of the Linux kernel.

I started: https://wiki.archlinux.org/index.php/Security_features Please improve it as much as you want.


Owning one OpenRC (artoo way) and other three systemd machines

Offline

#13 2013-12-19 12:26:58

xanb
Member
Registered: 2012-07-24
Posts: 419

Re: Linux security measures

More effort is needed in the Kernel Hardening and Userspace Hardening sections. Thanks,


Owning one OpenRC (artoo way) and other three systemd machines

Offline

#14 2013-12-19 14:00:01

ANOKNUSA
Member
Registered: 2010-10-22
Posts: 2,141

Re: Linux security measures

xanb, this is just my opinion here: I appreciate your curiosity and what you're trying to do, but I don't see how it's accomplishing anything, nor do I see how the table you've made will help the community in the long run. The uninitiated and, well... less-than-competent n00bs who see that table may assume those are actual security features in Arch; in fact, they are not.  You're listing things in a very terse format that are not security features of Arch, but which a) can through the user's effort be installed, and aren't really included by default; or b) are part of the upstream source base, and aren't deliberately enabled by the Arch developers.

The inference new users may make is that these are things which make Arch more secure relative to other distributions, when in fact the opposite is true---they are things new users may wish to use to make the system more secure if necessary. The aforementioned "Security" page was meant to help folks concerned with security enable the features they need.  Since you seem to have gotten most of the information from said "Security" page, the table is superfluous, and now you're asking people to contribute more superfluous (and potentially misleading) information.

Last edited by ANOKNUSA (2013-12-19 14:00:36)

Offline

#15 2013-12-20 08:07:14

xanb
Member
Registered: 2012-07-24
Posts: 419

Re: Linux security measures

ANOKNUSA wrote:

xanb, this is just my opinion here: I appreciate your curiosity and what you're trying to do, but I don't see how it's accomplishing anything, nor do I see how the table you've made will help the community in the long run. The uninitiated and, well... less-than-competent n00bs who see that table may assume those are actual security features in Arch; in fact, they are not.  You're listing things in a very terse format that are not security features of Arch, but which a) can through the user's effort be installed, and aren't really included by default; or b) are part of the upstream source base, and aren't deliberately enabled by the Arch developers.

The inference new users may make is that these are things which make Arch more secure relative to other distributions, when in fact the opposite is true---they are things new users may wish to use to make the system more secure if necessary. The aforementioned "Security" page was meant to help folks concerned with security enable the features they need.  Since you seem to have gotten most of the information from said "Security" page, the table is superfluous, and now you're asking people to contribute more superfluous (and potentially misleading) information.

Yes, surely you are right. I have no "new" information about what the real "security" features of Arch Linux are. Maybe it's better to improve the security page and not create a new one. But I think that some information (which I don't know) is missing from the security page (for example, whether by default we have pointer obfuscation, heap protection, etc.). I think a "Hardening Arch Linux" page is missing from the wiki. Perhaps you could help. I helped with that.


Owning one OpenRC (artoo way) and other three systemd machines

Offline
