2011
10.22
10.22
I’m currently scripting installer in bash. You will be then able boot from Gentoo install CD, download install script and build Securix. Alpha version of this script working fine on VirtualBox and KVM, but it is not yet prepared to be released as public (give me few weeks).
Things already done:
- Securix Installer (pre-Alpha)
- Predefined kernel setup
- Base system (Hardened Gentoo)
- PaX implemented (paxtest pass ok)
- GrSecurity implemented (no policy at this moment)
- System setup hardening (etc, limits, profile, sysctl, init, …)
- Base services secured by default (SSH, iptables, grub, …)
- Well-arranged IPtables script with port scan detection
- SHA512 hash used for system passwords
- Self-system monitoring with mail notification
- Applications compiled with PIE, SSP protection
- …
- …
Applications (without base system and tools):
- rkhunter & chkrootkit – rootkit hunters
- netwox – sniff, spoof, scan, network tool
- nmap – network scanner
- p0f – passive OS detection
- tcptraceroute – trace who block access on path
- fwknop – port knocking server/client
- fail2ban – block bruteforce attacks
Services (recommended):
- FTP – vsftpd
- SSH – OpenSSH
- Logger – syslog-ng
- Cron – vixie cron
- NTP – OpenNTPD (OpenBSD port)
Hello,
I’m writing on behalf of Open Invention Network (OIN) because I believe that you want Linux to remain an open and free platform. As OIN was formed in an effort to keep Linux open and free, I thought you would be interested in learning about and joining us.
There is no cost to join and many distributions and others in the Linux ecosystem have already joined. They joined because they see patent issues as a threat to their freedom to innobvate and, since OIN’s objective is to minimize/eliminate these threats they decided to join and support our efforts.
I’d be happy to send more information or you can go to our website to learn more.
I thank you for your time and hope you’ll become interested in joining us.
Cheers
This souds like a truely amazing project. I have never commented on anything anywhere EVER, but after having read the project outline I felt obligated to express my gratitude for the project in it’s entirety. Hardened Gentoo is wonderful though masochistic in many regards. If a project such as this were to provide all of the goodies of Hardened Gentoo (i.e. Grsecurity, PAX, SSP, PIE, RELRO, Source Based) and polish off some of the features included in other major distros (i.e. GUI installer supporting LUKS and LVM2), then I see no reason anyone would want to use any other *NIX varient. The GUI installer would certainly help new/potential Gentoo users in the transition from their current crusty OS to the enlightened world hardcore geeks such as myself have come to adore. Good luck with all of your GNU endeavors and I hope to meet you on the streets or in the clubs of Prague. Please don’t let this project die.
Thank you very much for feedback “Chester?” :]
I believe you can imagine how much work needs to be done, but I enjoy it. Philosophy of Securix is set in way where anyone can improve setup or bring new ideas so I hope that (with help of others) this project have potential in future.
You are very welcome, cm3l1k1. I would imagine starting a project of this magnitude is daunting to say the least. It seems as though the project is inline with my own thoughts, requirements and opinions of what a decent operating system should be. I just started using Gentoo about a week ago so I am not going to be of much help for a while. But I can say as longtime user of Grsecurity that Hardened Gentoo is certainly the most increadible OS I have ever come across. I will continue to post my current security related configuration files ( as I have done with the sysctl.conf amendment ) as soon as I have time figure out why Tinyproxy is crunching captchas ( probably javascript or the universal stripping of headers
). I would like to see the installation process become more user/newbie friendly as many veteran Gentoo users seem so adamantly opposed to though I see no reason an installer couldn’t just have the option of a text/ncurses or even purely shell based installer. For me one of the many reasons I find Linux ( Gentoo specifically ) so appealing is having OPTIONS and not being constricted to someone else’s potentially malformed opinion of what the best way to do something is. All I would ever ask is that you thoroughly scrutinize, and take ALL
the credit for, anything I ever submit. Anaconda is well refined, Tribe from the Chakra project is simply sexy though currently unstable. I am sure you will make an educated decision when the time is right. I apologize for misleading you into believing my name is “Chester”. I live in @m3r1k@ under an intrusive, subversive, secretly oppressive shadow government, and for that I am sorry. I promise I will go to Prague before I die even if I have to mail myself in a box. = )
Hi Chester,
Your comment is what propels me forward. Vision that this project will help somebody is exactly what I want to achieve. I believe that your impressive experience of Grsecurity ect. will be great benefit for this project.
Installer is written in bash and follow methods KISS (Keep It Simple Stupid) and DADQ (Dont Ask Dumb Questions). You will just type main things like hostname, root passphrase, network setup (default dhcp), if you want encrypt partitions, ect. and rest of installation is done by script.
If there is secure way how to be in touch with you please let me know.
Thanks a lot
I agree with KISS entirely. With Gentoo’s stages, My assumption that this project seems to be geared specifically towards servers (having looked at the wiki’s /etc/make.conf) and the fact you have specified the intentions of including the option of LUKS encrypted LVM partitions, a GUI installer would only provide cruft, potential for insecurities and the opportunity for a wealth of wasted time and unnecessary coding. Although, It may be helpful for users to be able to specify individual partitions sizes during the automated partitioning procedure so as to account for various drive sizes and the chance to include extra encrypted partitions containing backups or immutable and/or publicly accessable data, ect. As for secure forms of communication, I will come up with something (gpg?, cybernetic carrier pigeons with encrypted GPS locational awarness?). = )
Oh you mean RFC 1149 http://tools.ietf.org/html/rfc1149
:]
cm3l1k1, you’re amazing. I had completely forgotten the RFC #. Thank you!!!
I think public/symmetric key cryptography is preferred by most helps rule out the potential for the devastating “taxi-cab windshield” and “Sylvester the cat” scenarios. GPG/GNUPG key on my to do list.
If you’re OK with jabber we can use Pidgin/Adium with OTR (http://www.cypherpunks.ca/otr/), but its up to you.