Skip to main content
Topic: Hello new to the community (Read 776 times) previous topic - next topic
0 Members and 1 Guest are viewing this topic.

Hello new to the community

Hello I am new to the community. Been really delving into runit over the last 3 weeks. Haven't done any programming in a long time. It used to make me tired looking through lines of code and I just couldn't get into it. Lately I am absolutely enamored and perplexed by how someone took language and created computers from it. I've been quite comfortable with the basics of Linux for a few years and realizing what I appreciate most about computers and found myself here over RC.  I'd really like to dive in the deep end and understand scripting and live in the terminal and this system seems to encourage it, while also giving me a starting point. I'm using XFCE on an older little Starlabs Star Lite laptop when I'm more proficient I'd like to install it on my desktop as well.

My goal with this laptop are to make it as secure as possible. A minimal system with minimal attack surface. I read about VOID but Luke Smith talked me into trying this.
So I took the http mirrors out, ran the pacman-key --init pacman-key --populate artix key before running pacman, then installed runit
Went into the sshd_conf file and set ssh root permissions to no.

For the path of least resistance in terms of compatibility what MAC program do you folks recommend?
I'm not opposed to taking the time to learn something more complex like SELinux but that appears to not be super compatible either and read some folks were having issues with AppArmor?

I did do a reinstall after regretting installing Go/AUR repos as this went against my goal of having a minimal attack surface and didn't get a chance to run sysctl -a to verify if my kernel hardening script actually installed. Before I try it again I thought it would be good to verify because the articles I found mentioned using runit to do this.

nano /run/sv.d/started/sysctl
then saved it and ran
'sudo sysctl -p /run/sv.d/started/sysctl'
then
'nano /etc/sysctl.d/99_magic_sysrq.conf' I changed it from 1 to 4 and ran 'sudo sysctl -p /etc/sysctl.d/99_magic_sysrq.conf'

I'm interested in trying this out as well, wondering if the DEVs plan to ingratiate this into the kernel?
this new Linux feature makes hacking IMPOSSIBLE
https://www.youtube.com/watch?v=FSVnN6-xr9k

I'd like to say more, but this is already quite a long post so I'll leave it at this.

HELLO WORLD!

Re: Hello new to the community

Reply #1

I'm interested in trying this out as well, wondering if the DEVs plan to ingratiate this into the kernel?


As far as I know, magic SysRq is disabled in antix linux.

 

Re: Hello new to the community

Reply #2
this new Linux feature makes hacking IMPOSSIBLE
Nothing makes hacking impossible except the extreme of destroying the computer in a furnace etc.
But assuming that feature is mainlined into the kernel Artix will almost certainly get it anyway.
Quote
My goal with this laptop are to make it as secure as possible. A minimal system with minimal attack surface.
...
Went into the sshd_conf file and set ssh root permissions to no.
If you want a minimal attack surface you want as few services exposed to the internet as possible.
So you don't run sshd unless you need it. If you need it running all the time you disable password logins and only use ssh keys.

Until you understand what you are doing there is a real chance that trying to make Linux more secure can result in it being less secure than when you started due to user misconfiguration. 

A standard install is secure against external attacks as it is but of course new exploits can be found in the future.

Security where others have physical access to the hardware is a different kettle of fish but encryption will serve you better than SELinux or apparmor etc imho