Arch Security

duke11235 · 2009-10-14 21:22:14

I am a somewhat paranoid person.:cool: I understand arch takes a DIY approach to security. Does the Arch repos sign there packages? Is SELINUX viable on Arch? How does Arch compare security wise to something lke Fedora? This is the last thing I need to check before I choose whether or not to join the ranks of Arch users. Thank u

Last edited by duke11235 (2009-10-14 21:22:43)

sand_man · 2009-10-14 21:30:01

Arch is pretty much DIY. Everything is vanilla in the sense that it is the same as it is upstream.

fukawi2 · 2009-10-14 21:46:52

Security is a process, not a state of being.

SELinux is available for those of us masochistic enough to want to use it, and package signing is "in progress" (but not available at the moment).

rson451 · 2009-10-14 21:47:13

Package signing is not there. There are (were?) a few people pushing development in this area, but there is much work to be done -- especially on the repo side iirc.

gog · 2009-10-14 22:32:53

Serach for selinux in the aur, the userspace is there.

Keep in mind that you can't use ext4 and that profiling your apps to be able to use selinux takes more time than compiling your whole system.

duke11235 · 2009-10-15 00:48:36

So I shouldn't get crazy over package signing, well have that soon. Doesn't Fedora use SELinux as default and on ext4. I m pretty sure I have it on Fedora 11. Did they automatically configure it there? Is SELinux overkill, or useful in this sense?

Last edited by duke11235 (2009-10-15 00:54:05)

Anonymo · 2009-10-15 00:51:52

duke11235 wrote:

So I shouldn't get crazy over package signing, well have that soon. Doesn't Fedora use SELinux as default and on ext4. I m pretty sure I have it on Fedora 11. Did they automatically configure it there?

http://fedoraproject.org/wiki/SELinux

tl;dr but it should be in here

Allan · 2009-10-15 00:55:23

AFAIK, no-one is ever been interested in getting SELinux fully working on Arch. And when I say "interested", I mean interested enough to actually make a good start at getting it working properly. Sounds like it could be a good community project.

duke11235 · 2009-10-15 01:01:37

AFAIK, no-one is ever been interested in getting SELinux fully working on Arch.

Does this mean SELinux is mostly superflous? I assume Arch doesnt use AppArmor. Doesn't SELinux help prevent the takeover of your computer once a virus has invaded? I know there aren't many for Linux.....

Last edited by duke11235 (2009-10-15 01:02:33)

Allan · 2009-10-15 01:09:43

duke11235 wrote:

AFAIK, no-one is ever been interested in getting SELinux fully working on Arch.
Does this mean SELinux is mostly superflous? I assume Arch doesnt use AppArmor.

No, it means exactly what I said. No-one has been interested in getting it running. i.e. no-one appears to have thought the effort was worth the increased security given.

Doesn't SELinux help prevent the takeover of your computer once a virus has invaded? I know there aren't many for Linux.....

I suppose, if such a virus existed, then yes it would.

bruce · 2009-10-15 01:26:33

Seems to me like it could a good project for Dusty's Archbounty idea, if you feel its worth pursuing...
http://bounty.archlinux.ca/

MP2E · 2009-10-15 02:51:34

I'm interested in this, but I don't exactly understand how you make something "SELinux" compliant. I understand that you have to compile an SELinux compatible kernel, but what other measures have to be taken?

(I'd probably be interested in this in the future when I make an Arch Linux server)

gog · 2009-10-15 03:47:28

The other measure to be taken is to specify permissions for each application, an extremely time consuming affair.

Most apps aren't written with SE in mind. It's hard to guess what permissions would allow normal functioning, so it's mostly trial and error if there's no widely available policy for your program on the net.

Have you used Ubuntu? They provide profiles for AppArmor. Firefox, eclipse, etc. This is the same, only that SElinux is a lot more anal about things.

duke11235 · 2009-10-15 04:12:29

So SELinux is not available without major hassle. What steps should be taken to seal as many vulnerabilities as possible?

MP2E · 2009-10-15 04:25:40

duke11235 wrote:

So SELinux is not available without major hassle. What steps should be taken to seal as many vulnerabilities as possible?

Make sure you only use stable repositories, as in don't use testing, don't clear your Cache often so you can downgrade if something DOES break, check the bugtrackers and whenever a large new release comes out(aka a new KDE series, like 4.4 or something) wait a couple of days until some bugs pop up. Though this is the same instructions for keeping arch stable, I think it applies well to vulnerabilities as well. Perhaps SELinux will be a simpler option in the future...

Last edited by MP2E (2009-10-15 04:26:05)

.:B:. · 2009-10-15 05:45:02

I think you *should* use testing, not stable if you want to get bugfixes as quickly as possible.

Gen2ly · 2009-10-15 06:49:02

As gog pointed out, SELinux would take quit a bit of work. If a security project were to come out, I think that AppArmor would be the more reasonable of the two. The only distro to really be able to pull off a reasonable SELinux desktop integration is Fedora because they have the resources to do so.

2501 · 2009-10-17 15:35:27

It is a huge task to integrate SELinux with Arch. It took a long time for the Fedora community to get it to work where it is today.

It would be nice to offer something like it to the community but at the same time I wonder if we, as a community, can offer a similiar application but with a different spin....more simple and more efficient. Do we really need to rely on SELinux to provide protection to the operating system?

I just think that we should discuss this topic a little bit more and maybe we can figure out a way to implement such feature.

My question is: Is Arch Linux "well protected" right now?

-2501

Nezmer · 2009-10-17 17:43:26

People seem to always forget It's the user who can make his/her system as secure as he/she wants (provided he/she has the knowledge to do so) . And If you're important enough the chances you'll get hacked at least once are really high .

If you run sshd in port 22 , allow plain-text logins , allow root logins and choose "12345678" as your root password . No security framework will ever help you . I mean , just ask Phrakture how he managed to get himself hacked .

Speaking of security , SElinux , ssh and fedora . Didn't they have there infrastructure hacked not so long a go through ssh ? Didn't they have to generate new GPG keys to sign there packages ? How much time did they need to fix all that ?

If you ask me , the Arch's Emergency evacuation plan (including the lolcat pictures) is way more efficient .

Last edited by Nezmer (2009-10-17 17:45:21)

duke11235 · 2009-10-17 23:44:11

Ignore this post

Last edited by duke11235 (2009-10-17 23:45:04)

2501 · 2009-10-18 02:21:18

@Nezmer :

Fedora servers were hacked a while back ago...it is true. ...

I wrote this firewall a while back ago...it might help a little bit.

-2501

--

#!/bin/sh

firewall_start() {
iptables -F
iptables -t nat -F
iptables -t mangle -F

# Setting default policies
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

# Basic Firewall
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Allow SSH
iptables -A INPUT -i eth+ -p tcp -m tcp --dport 22 -j ACCEPT

# (link 3) throw everything else away
iptables -A INPUT -j DROP

# Allow myself to be a non-passive FTP client
iptables -A INPUT -p tcp --dport ftp-data --jump ACCEPT

# No Telnet!
iptables -A OUTPUT -p tcp --dport telnet --jump REJECT

# Otherwise, drop inbound TCP packets with ICMP messages
iptables -A INPUT -p tcp --jump REJECT
iptables -A INPUT -p udp --jump REJECT

# Report
echo 'Firewall rules installed:'
iptables -L

}

Last edited by 2501 (2009-10-18 02:21:43)

sand_man · 2009-10-18 03:08:24

Nezmer wrote:

Speaking of security , SElinux , ssh and fedora . Didn't they have there infrastructure hacked not so long a go through ssh ? Didn't they have to generate new GPG keys to sign there packages ? How much time did they need to fix all that ?

I think that was apache. Not 100% sure what they were running but I think it was FreeBSD.

Arch Linux

#1 2009-10-14 21:22:14

Arch Security

#2 2009-10-14 21:30:01

Re: Arch Security

#3 2009-10-14 21:46:52

Re: Arch Security

#4 2009-10-14 21:47:13

Re: Arch Security

#5 2009-10-14 22:32:53

Re: Arch Security

#6 2009-10-15 00:48:36

Re: Arch Security

#7 2009-10-15 00:51:52

Re: Arch Security

#8 2009-10-15 00:55:23

Re: Arch Security

#9 2009-10-15 01:01:37

Re: Arch Security

#10 2009-10-15 01:09:43

Re: Arch Security

#11 2009-10-15 01:26:33

Re: Arch Security

#12 2009-10-15 02:51:34

Re: Arch Security

#13 2009-10-15 03:47:28

Re: Arch Security

#14 2009-10-15 04:12:29

Re: Arch Security

#15 2009-10-15 04:25:40

Re: Arch Security

#16 2009-10-15 05:45:02

Re: Arch Security

#17 2009-10-15 06:49:02

Re: Arch Security

#18 2009-10-17 15:35:27

Re: Arch Security

#19 2009-10-17 17:43:26

Re: Arch Security

#20 2009-10-17 23:44:11

Re: Arch Security

#21 2009-10-18 02:21:18

Re: Arch Security

#22 2009-10-18 03:08:24

Re: Arch Security

Board footer