Linux Hardening Threat

Who veracrypt

>>58034848
Now is the time for tinfoil autism. Secure your computers, router, modem, cellphone, videogame console, TV, printer, car, hvac, lights, doorlocks. They will be used against us and you.

>>58034531
bump

>>58034531
/fucko/ in the title please

Anyone else notice a bug in recent cryptsetup that doesn't let you create a detached header file?

Anyone rocking a grsec kernel?

>>58035292
>Anyone else notice a bug in recent cryptsetup that doesn't let you create a detached header file?
I don't have detached headers on my partitions. Do you keep them on USB flash? What version of cryptsetup are you using?

>>58035381
The newest in arch repos. Im trying to setup a blind system that only boots from a USB key, and contains just seemingly random data otherwise, so naturally the luks header has to be detached. I think it's a recent regression. But maybe it's my syntax, I was throwing a few dozen parameters at it

lmao

encrypt this dick

>>58034531
>no grsec section

>>58035425
post it faggot, what are you scared of?

>>58034531
Go away with your shitty links

Here have some real ;
https://wiki.gentoo.org/wiki/Project:Hardened
https://wiki.gentoo.org/wiki/Security_Handbook/Pre-installation_concerns
https://grsecurity.net/research.php
https://en.m.wikibooks.org/wiki/Grsecurity

>>58034531
>Linux """"""""""Hardening""""""""""
So a shitty version of OpenBSD?

Quick tip: install firejail, and use it to sandbox your default media programs. PDF readers, image viewers, music and video players especially should all be sandboxed. Usually adding firejail to each program's desktop file under /use/share/applications should do the trick. They should have --seccomp and --net=none to block network access. The more paranoid can have complicated setups where the only thing on the disk they can access is the PDF you just clicked.

On a related note, anyone have a good way of sandboxing the default gnome/Nautilus thumbnailers? I can't even find which binary is producing them. They have known attack vectors and I'd rather patch em.

>>58035549
>OpenBSD
So a shitty version of FreeBSD?

>>58035553
>FreeBSD
>literally OpenBSD with old packages and less security features turned on in the kernel

>>58035549
Openbsd is only """""""""""""""""""""""'secure"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" when you stay in their limited software repo,once you branch out of that, its hands up and the same as any other distro

>>58035593
>>58035560
>>58035553
>>58035549
BSD wannabes GET OUT! REEEEEEEE

>>58035549
>>58035553
>>58035560
>>58035593

the hipsters have arrived

Oh I forgot the actual papers good read if you just starting out ;

https://grsecurity.net/papers.php

Also donate to grsecurity

>>58035593
>limited software repo
It's like you never wrote your own software using OpenBSD's style guide to make sure it's secure.

File: 1471540327011.png (1MB, 1094x4290px) Image search: [Google]

1MB, 1094x4290px

>>58035605
*cucked*

>>58035615
>donate to grsecurity
>literal autists that rageban people when they point out bugs in their shitty software

File: 60.gif (82KB, 599x199px) Image search: [Google]

82KB, 599x199px

>>58035638
put some red boxes in there
i am not reading all of this trash
give me a comprehensive list of os's/distros safer than openbsd

>>58035629
Why not write your own kernel then?

>>58035659
why don't you build your own house or design your own car

>>58035670
Ah, nice fallacy.
+1

File: 220px-Roger_Needham.jpg (11KB, 220x220px) Image search: [Google]

11KB, 220x220px

>>58035551

>the x86 designers collapsed the read and execute memory flags into one in order to save space. Since a page can either be writable or readable and executable it is not useful to set buffers as non-executable since they would no longer be readable. So on x86 PaX emulates this behavior at a software level, which introduces overhead but is very helpful for system security.

why you do this x86 designers, space is so cheap in 2016

>>58035687
nice argument, nice reply with literally 0 content
what a great platform for discussion 4chan is, really attracts the smartest people

>>58035702
>space is so cheap in 2016
>meanwhile Intlel's processors are actually getting slower because they're dedicating more of that precious space to vidya hardware

>>58034531
new thread
>>58035734

>>58035790
>>encrypted partition
>Enjoy losing all your data from random bit flip
That's why you have multiple HDD

>>58035790
This has never happened to me. The only data that would be sensitive to a single bit flip would perhaps be the encrypted master key. But of course, you backed up your encryption headers, right?

>>58035705
You expect a response to your fallacy?
+1
There ya go kiddo.

>>58035892
"i am so correct that i don't even need to argue. i can just say words and win because i am better."
it's a rough life once you're out of high school, kid

>>58035931
+1
+1

File: 1473965509432.png (19KB, 931x969px) Image search: [Google]

19KB, 931x969px

>>58035940

Hardening doesn't do shit if you're logged in and get a drive by media attack thanks to the absolute shit security of Linux (((desktop))).

Good luck faggots.

>>58036627
>drive by media
Thank you /pol/. Fortunately some of us don't install Gstreamer bad plugins or Adobe software.

>>58034531
how do I encrypt and dual boot

>>58034531
This look like a good thread to have around. Contribooting.

Privacy Tools - Encryption against global mass surveillance: https://www.privacytools.io/

PRISM Break - Opt out of global data surveillance programs like PRISM, XKeyscore, and Tempora: https://prism-break.org/en/

I suggest to use either Firefox-esr or Icecat, then here are addons and the reasons to use it:

For (Cross-)Site Request, Anti-XSS, Trackers, Referer, User-Agent, Cookies: uMatrix (https://addons.mozilla.org/en-US/firefox/addon/umatrix/).
Content Delivery Blocker: Decentraleyes (https://addons.mozilla.org/en-US/firefox/addon/decentraleyes/).
Security Settings: Privacy Settings (https://addons.mozilla.org/en-US/firefox/addon/privacy-settings/).
SSL (strict HTTPS): HTTPS by default (https://addons.mozilla.org/en-US/firefox/addon/https-by-default/).
URL Deobfuscator: Pure URL (https://addons.mozilla.org/en-US/firefox/addon/pure-url/).
Plugin And Mimetype Enumeration: Currently nothing available.
Passwords: KeePassX "autocomplete" (https://www.keepassx.org/)
Browsing History Cleaner: Bleachbit.
LSO Cookies: BetterPrivacy (https://addons.mozilla.org/en-US/firefox/addon/betterprivacy/).
Log in to many websites with another profile: BugMeNot (https://addons.mozilla.org/en-US/firefox/addon/bugmenot/).

grsecurity vs selinux vs apparmor?

If you're running X you mayaswell give up now.

>>58037463
https://grsecurity.net/compare.php

>>58039258
Depends with grsecurity you have strong mprotect & RBAC if your policy is good even root can't do anything on the system.

>>58036752
encrypt with luks, then lvm, then make your regular partitions if you want windows (which of course, defeats the purpose of encryption if you will give your data over network while in ram)

>>58041591
How do I get good with policies? I am new to this.

>>58042198
https://en.m.wikibooks.org/wiki/Grsecurity/The_RBAC_System

>>58043462
Thanks.

Apparently grsecurity has much I could use, but some reviews on the internet say is good for beginners.

I wish there where an up to date MAC that uses inodes instead of SELinux labels thou.

>>58035848
>But of course, you backed up your encryption headers, right?

No... How to senpai?

>>58043581
Yea i don't like SELinux because it's way to complicated to setup a full strict policy, most distros have only enforced so only few applications are confined

>>58035186
>car, hvac, lights, doorlocks.

Not securing your pens, pencils, crayons, markers...

A great reading https://blog.codinghorror.com/welcome-to-the-internet-of-compromised-things/