Section 3

License

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

HOME PC - LAPTOPS

Security Level

HARDWARE
======

  • Encrypt your disks
  • Put /boot on a USB flash disk (laptops)
  • Don't connect to unknown Wi-Fi networks

OS
======

LINUX

    Nowadays things are very complicated. Linux systems are not KISS systems, and the modern philosophy is closer to Windows boxes than to old UNIX...

    That's why I don't like systemd.

    1. Because log files must always be plain .txt files and not binary files

    So I can pipe them... Not only for debugging but mostly for security reasons...
    If you can understand that then keep going here, else there is no reason to lose your time!

    I don't like the way that distros configure systemd as a root commander that does things the kernel must do.
    Also, systems that are designed to be simple, with systemd using the Windows philosophy of interlocking dependencies,
    well, that's the best way to break things.
    So these systems must either have Linux systemd or nothing! Really?
    And one more question, who is now developing systemd? A Microsoft guy? Hm...

    2. PAM
    Learn PAM, how it works and how you can modify things to connect your services/users etc...
  • Auth
  • Account
  • Password
  • Session

    ALSO:
  • Requisite
  • Required
  • Sufficient
  • Optional

    3. Investigate:
    /lib64/security/ : those modules and libs are what speak to the system to get access.
    Most modules there are pre-built and come with your Linux system, but new ones can also be added there if needed.
    If this option were not included in PAM, then we would have to rebuild PAM every time a new RSA token or other login method came out...
    I think man pam_unix is your friend...
    On the other hand, all modules in /lib64/security/ are encrypted so you can't find anything in them, but what you can find is which modules your newly installed package calls, and if so... why or how?
    Then man module_name and read what this module does...
    Or is there any module that you should add to your configuration?

    Remember PAM is not only for logins but also for reading logs in /var/logs/...
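
What the four control flags listed above do to a PAM stack, as an added example that is not part of the original page: a simplified Python model of the keyword controls (no bracket syntax, no include lines), run over a constructed stack for a hypothetical service. It shows that a successful `sufficient` module ends the stack, so a module placed after it never runs.

```python
# Constructed /etc/pam.d-style stack for a hypothetical service
# (sample input for this example, not taken from a real system).
STACK = """\
# type   control     module
auth     requisite   pam_nologin.so
auth     sufficient  pam_unix.so
auth     required    pam_deny.so
session  optional    pam_motd.so
"""

def parse(text, mtype):
    """Return [(control, module)] for one module type, skipping comments."""
    rules = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        # a leading "-" on the type only silences "module missing" logging
        if len(parts) >= 3 and parts[0].lstrip("-") == mtype:
            rules.append((parts[1], parts[2]))
    return rules

def evaluate(rules, outcome):
    """Simplified model of requisite/required/sufficient/optional.
    outcome maps module name -> True (success) or False (failure).
    Returns (granted, modules_that_ran)."""
    failed = passed = False
    ran = []
    for control, module in rules:
        ok = outcome[module]
        ran.append(module)
        if control == "requisite" and not ok:
            return False, ran          # fail immediately, stop the stack
        if control == "required" and not ok:
            failed = True              # fail at the end, keep running
        if control == "sufficient" and ok and not failed:
            return True, ran           # succeed immediately, skip the rest
        if ok:
            passed = True              # failures of sufficient/optional are ignored
    return passed and not failed, ran

if __name__ == "__main__":
    auth = parse(STACK, "auth")
    good = {"pam_nologin.so": True, "pam_unix.so": True, "pam_deny.so": False}
    bad = dict(good, **{"pam_unix.so": False})
    print(evaluate(auth, good))   # pam_deny.so is never reached
    print(evaluate(auth, bad))    # falls through to pam_deny.so
```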

Applications
======

    Remember that the first target is your data

    In other words, your information

    You probably think now that I will say:

  • Don't install binaries
  • Don't run AppImages
  • Build your own packages... etc.

    I won't.
    Although these are true and correct, how many of you can understand the code you build? So what is the point?
    Most of the time I don't, but when and if I can, should I have to read all the code first and then build it?

    Again, nowadays things are very complicated, Linux systems are not KISS systems, and the modern philosophy is closer to Windows boxes than to old UNIX...
    I mean yeah, don't install everything from everywhere and don't run various scripts but... that's not the real problem, the real problem is that we lost the path.

    That's why I don't like systemd.

    Because log files must always be txt files and not binary files


    So I can pipe them, use them in other apps, read them, edit them... Not only for debugging but mostly for security reasons nowadays...
    For the same reason /etc is the most important directory in a Linux system.
    So run the commands: egrep -v "bash|false" /etc/passwd and egrep -v "bash|nologin" /etc/passwd
    Read and understand wtf is going on with your services, apps etc...
    Those things are more or less as important as where you build or install packages from...

USERS
======

    Privilege
  • Who gets what?
  • Who can access what?
  • How can they access it?

    1. Always access your system and log in manually.

    2. Specify which files your user(s) need access to, and with what limits:
    User accounts
    File systems
    System access
    System conf files
    OS network

    All of the above must be configured carefully and manually, speaking of a personal PC...
    We spoke earlier about how to give a smart ID to your first user in your Linux. We also spoke about xudo.

    Learn how to read:

    $ cat /etc/group
    root:x:0:root
    bin:x:1:root,bin
    daemon:x:2:root,bin,daemon
    sys:x:3:root,bin,adm
    adm:x:4:root,adm,daemon
    tty:x:5:
    disk:x:6:root,adm
    lp:x:7:lp,omen,test2
    mem:x:8:
    kmem:x:9:

    # cat /etc/shadow
    root:$6$Mrg0wCRDMovdedqC$O.eg9SdqagfA64kOMkteyTyvz6oIp0wA18wS8:19628:0:::::
    bin:*:9797:0:::::
    daemon:*:9797:0:::::
    adm:*:9797:0:::::
    lp:*:9797:0:::::
    sync:*:9797:0:::::
    shutdown:*:9797:0:::::
    halt:*:9797:0:::::
    mail:*:9797:0:::::
    news:*:9797:0:::::
    uucp:*:9797:0:::::
    operator:*:9797:0:::::
    games:*:9797:0:::::
    ftp:*:9797:0:::::

    $ id $(whoami)
    uid=10000(test2) gid=100(users) groups=100(users),7(lp),11(floppy),
    17(audio),18(video),19(cdrom),71(input),83(plugdev),84(power),86(netdev),93(scanner)
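
How the fields in listings like the ones above can be read together, as an added example that is not part of the original page: a Python sketch that joins /etc/passwd (the file the egrep commands earlier filter by shell) with /etc/shadow and reports each account's password state. The sample files, the `svc` account and the hash placeholder are constructed for the example.

```python
from datetime import date, timedelta

# Constructed sample files (not from a real system); the hash is a placeholder.
PASSWD = """\
root:x:0:0::/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/false
test2:x:10000:100::/home/test2:/bin/bash
svc:x:995:995::/var/lib/svc:/bin/sh
"""
SHADOW = """\
root:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:19628:0:::::
bin:*:9797:0:::::
test2:!$6$PLACEHOLDERSALT$PLACEHOLDERHASH:19628:0:99999:7:::
svc::19628:0:::::
"""
NOLOGIN = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}
SCHEMES = {"1": "md5", "5": "sha256", "6": "sha512", "y": "yescrypt"}

def password_state(field):
    """Classify the second field of an /etc/shadow line."""
    if field == "":
        return "EMPTY"                  # no password is required at all
    if field[0] in "!*":
        return "locked"                 # no password can match this entry
    if field.startswith("$"):
        return SCHEMES.get(field.split("$")[1], "other-hash")
    return "legacy-or-invalid"

def audit(passwd_text, shadow_text):
    """Join both files; return (name, uid, has_shell, state, last_change)."""
    shadow = {}
    for line in shadow_text.splitlines():
        f = line.split(":")
        if len(f) == 9:
            # third field: days since 1970-01-01 of the last password change
            changed = date(1970, 1, 1) + timedelta(days=int(f[2])) if f[2] else None
            shadow[f[0]] = (password_state(f[1]), changed)
    rows = []
    for line in passwd_text.splitlines():
        f = line.split(":")
        if len(f) == 7:
            state, changed = shadow.get(f[0], ("no-shadow-entry", None))
            rows.append((f[0], int(f[2]), f[6] not in NOLOGIN, state, changed))
    return rows

def risky(rows):
    """Accounts with a login shell and an empty password, or extra UID 0 accounts."""
    return [r[0] for r in rows
            if r[2] and (r[3] == "EMPTY" or (r[1] == 0 and r[0] != "root"))]
```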

    Something useful to learn is how to edit /etc/security/faillock.conf and /etc/pam.d/system-auth, since the old pam_tally2 is not in Slackware.

    But more useful would be to understand /etc/default/useradd and modify it exactly for your users' needs

    I almost forgot: one file that is very unknown to "regular" Linux users, and that you must focus on and learn, is /etc/login.defs

    By reading and understanding ALL these files you should be able to secure your users as needed...
