Secure oriented distro.

corsakh · 2010-04-25 11:17:21

Hi,

I am looking to build a small and hardened system whose whole purpose will be to give secure access to a small group of highly sensitive email boxes and a couple of financial websites cos I can not trust my main bleeding edge OS with this stuff.

Obv I can go Debian Stable but I am no security expert so a DIY solution is out of the window. Same for OpenBSD. Currently I am thinking about Fedora due to all the security features that RedHat puts into it by default like SELinux and AppArmour. Any other suggestions?

If there is a secure and efficient solution to fully sandbox Thunderbird + Firefox combo I would consider it too.

Last edited by corsakh (2010-04-25 11:19:41)

flamelab · 2010-04-25 11:19:05

Gentoo with hardened profile.

http://www.gentoo.org/proj/en/hardened/

corsakh · 2010-04-25 11:26:12

My only problem with Gentoo is that it is still rolling and bleeding edge.

Last edited by corsakh (2010-04-25 11:26:45)

flamelab · 2010-04-25 11:40:49

corsakh wrote:

My only problem with Gentoo is that it is still rolling and bleeding edge.

Νο it isn't. It's rolling only if you choose to use packages from "~" (Debian testing equivalent) or masked packages (Debian sid/experimental equivalent).

brebs · 2010-04-25 12:13:18

flamelab wrote:

Νο it isn't.

You need to look up rolling release and bleeding-edge and "do-it-yourself" in the dictionary. 'Cos you're wrong about all three.

Edit: Oops, I'm wrong about bleeding-edge

Last edited by brebs (2010-04-25 23:54:19)

Infinity717 · 2010-04-25 12:24:50

Give FreeBSD a spin if you feel like it. It has a great security record OOB, very stable and quick installation.

FreeBSD comes with TrustedBSD MAC Framework by default, UFS / ZFS ACLs and pf firewall from OpenBSD.

lustikus · 2010-04-25 12:27:43

gentoo is rolling, but not "bleeding-edge" if you don't touch "~" packages, just as flamelab said.
I use gentoo on my server and I'm very happy with it. It currently has a 2.6.31 stable kernel in x86_64 and 2.6.32 in x86. Security issued are usually fixed immediately after a patch is available.

You might also have a look at pardus linux http://www.pardus.org.tr/eng/

flamelab · 2010-04-25 14:14:54

brebs wrote:

flamelab wrote:
Νο it isn't.
You need to look up rolling release and bleeding-edge and "do-it-yourself" in the dictionary. 'Cos you're wrong about all three.

No it isn't. I insist. As I never said that it's not rolling.

Last edited by flamelab (2010-04-25 15:30:38)

schuay · 2010-04-25 14:16:13

What about using a known good liveCD + an encrypted disk/partition if you need to store anything?

falconindy · 2010-04-25 15:39:13

schuay wrote:

What about using a known good liveCD + an encrypted disk/partition if you need to store anything?

The only thing that grants you is a free data wipe on reboot/power-outage. It doesn't make the OS you're running any more inherently secure.

Vote for FreeBSD here. The only downside to FreeBSD is the outrageously poorly designed installer. Makes me glad to have people like Dieter@be on Arch's side.

corsakh · 2010-04-25 15:56:24

Infinity717 wrote:

Give FreeBSD a spin if you feel like it. It has a great security record OOB, very stable and quick installation.
FreeBSD comes with TrustedBSD MAC Framework by default, UFS / ZFS ACLs and pf firewall from OpenBSD.

Actually, I decided to give OpenBSD a try. Shockingly enough, it was a lot easier to install than Arch. It is certainly not the fastest OS I tried but it has Firefox 3.5, Thunderbird 2.0 and Openbox and that is almost all I need. Is its default install secure or do I have to read a book or two make it good?

ps I thought OpenBSD was the ultimate security OS. Or are you saying that FreeBSD is even better?

schuay wrote:

What about using a known good liveCD + an encrypted disk/partition if you need to store anything?

This is actually a interesting idea. Something like Ubuntu Privacy Remix perhaps. Provided I can build a custom CD I don't need the disk at all because all I need is a secure access point, like a Kiosk. Nothing to store. Then I could even take the iso and run it on my main box in virtual machine without a worry, right? And that would be even safer than OpenBSD or Hardened Gentoo option? Now that I think about it I really like it because then I could just take the CD with me and use it at any computer.

Discovered BDSanywhere, OpenBSD Live CD.
And a guide to build your own OpenBSD Live.

Last edited by corsakh (2010-04-25 16:07:03)

Kooothor · 2010-04-25 16:39:22

OpenBSD or http://www.engardelinux.org/

lustikus · 2010-04-25 16:55:08

btw, this is also an interesting project, but not released yet:
http://qubes-os.org/Home.html

Infinity717 · 2010-04-25 16:59:53

Well, most people believe that BSD is hard. It is not.

Maybe it is for people that are used to GUIs for administration and they are dead in front of the cli.

The BSDs are very well designed and mature OSes with great documentation, if you are able to RTFM you wont have any issue.

Both FreeBSD and OpenBSD have great security. I prefer FreeBSD because it has better hw support, software (~21k ports), it is full SMP capable and pf is available

Which ever distro you use it is still Linux, at least use something with PAX and SELinux enabled.

Security advisories for FBSD 1996 - 2010.

Anikom15 · 2010-04-25 17:47:29

OpenBSD is a good choice, as for Linux, SuSE and Fedora have good setups. There are probably other lesser known distributions designed for security.

pogeymanz · 2010-04-25 18:56:53

Doesn't Fedora has SELinux configured by default? One of the only distros I know of with it. I believe Ubuntu has AppArmour, which is almost as good, I hear.

Other than SELinux, you just need a decent firewall and you're golden.

brebs · 2010-04-25 23:53:23

pogeymanz wrote:

Doesn't Fedora has SELinux configured by default?

Yes, but it can also be considered bleeding-edge. Except maybe towards the end of its life-cycle, at which point it will be imminently unsupported

I got the definition of bleeding-edge wrong, sorry Can't believe it, mustn't have had enough coffee.

corsakh · 2010-04-27 09:40:17

Anyway, I figured I am gonna get a small nettop (something like FIT-PC2) and put pfSense on it to run firewall/router. Since it is compatible with FreeBSD ports I will add xserver and hopefully it will all run smooth and I can connect it from my desktop through some SSH utility. Atom Z530 1.6Ghz with 1GB of RAM should be able to handle this without too much problem I think. Sounds reasonable? Do you think I should be able to squeeze a samba share and a local postgresql server on this machine as well?

Last edited by corsakh (2010-04-27 09:45:47)

Misfit138 · 2010-04-27 13:43:56

If you have not already gone forward, why not give CentOS a chance? It should offer what you need, while remaining relatively secure. It's proven stable unlike Fedora, not to mention it's free of charge, unlike RHEL.

Arch Linux

#1 2010-04-25 11:17:21

Secure oriented distro.

#2 2010-04-25 11:19:05

Re: Secure oriented distro.

#3 2010-04-25 11:26:12

Re: Secure oriented distro.

#4 2010-04-25 11:40:49

Re: Secure oriented distro.

#5 2010-04-25 12:13:18

Re: Secure oriented distro.

#6 2010-04-25 12:24:50

Re: Secure oriented distro.

#7 2010-04-25 12:27:43

Re: Secure oriented distro.

#8 2010-04-25 14:14:54

Re: Secure oriented distro.

#9 2010-04-25 14:16:13

Re: Secure oriented distro.

#10 2010-04-25 15:39:13

Re: Secure oriented distro.

#11 2010-04-25 15:56:24

Re: Secure oriented distro.

#12 2010-04-25 16:39:22

Re: Secure oriented distro.

#13 2010-04-25 16:55:08

Re: Secure oriented distro.

#14 2010-04-25 16:59:53

Re: Secure oriented distro.

#15 2010-04-25 17:47:29

Re: Secure oriented distro.

#16 2010-04-25 18:56:53

Re: Secure oriented distro.

#17 2010-04-25 23:53:23

Re: Secure oriented distro.

#18 2010-04-27 09:40:17

Re: Secure oriented distro.

#19 2010-04-27 13:43:56

Re: Secure oriented distro.

Board footer