Puppy Linux Discussion Forum Forum Index Puppy Linux Discussion Forum
Puppy HOME page : puppylinux.com
"THE" alternative forum : puppylinux.info

READ-ONLY-MODE: PLEASE DO NOT POST NEW STUFF!
  New Forum: http://forum.puppylinux.com
 
 FAQFAQ   SearchSearch   MemberlistMemberlist   UsergroupsUsergroups    
 ProfileProfile   Log in to check your private messagesLog in to check your private messages   Log inLog in 

The time now is Sat 15 Aug 2020, 13:18
All times are UTC - 4
 Forum index » Off-Topic Area » Security
How to make a Puppy Linux security distribution?
This forum is locked: you cannot post, reply to, or edit topics.   This topic is locked: you cannot edit posts or make replies. View previous topic :: View next topic
Page 2 of 2 [27 Posts]   Goto page: Previous 1, 2
Author Message
Lobster
Official Crustacean


Joined: 04 May 2005
Posts: 15588
Location: Paradox Realm

PostPosted: Sun 22 Sep 2019, 04:16    Post subject:  

> I am not knowledgeable about Seamonkey, or some other browsers. Tor anyone? Brave?

I am using Brave at the moment. Using it instead of Safari on an Ipad. Very simple. Many unwanted browser facilities can be turned off. Safari much like IE on Windows used to be, is integrated into the OS. Safari still comes on line as the default browser. I can not disable it unless I jailbreak the Ipad. Not interested in adding that complication ... Rolling Eyes

Brave is available for Linux, so might check it out ... Very Happy
Tor? Unworkable. Too slow. I have no military grade secrets. I am not a criminal, spy or hacktavist. So it is just overkill for me.

Seamonkey is an excellent real world browser, still being used by Barry. It has many security preferences ...

As has been mentioned Browsers are the ONLY WAY that Puppy has ever been known to be compromised. Root usage is a red herring. The main culprit is enabling javascript. Sadly it is almost essential for real everyday use. Flash was another malware but it is not really required. I don't install it, which you can do from many Puppy menus.

Cool

Puppy Linux
The Route to Linux Root

_________________
Puppy Raspup 8.2 Final Cool
Puppy Links Page http://www.smokey01.com/bruceb/puppy.html Very Happy
Back to top
View user's profile Send private message Visit poster's website 
Packetteer


Joined: 12 May 2012
Posts: 73
Location: Long Island Ny

PostPosted: Sun 22 Sep 2019, 06:04    Post subject:  

Rufwoof
You mention booting then removing the flash drive. How does one do that? I am running a fugal install on a flash drive that every time I boot I get a message that flashes on my screen not to remove the drive.

I have automatic save off.

Best Regards
John
Back to top
View user's profile Send private message 
mikeslr


Joined: 16 Jun 2008
Posts: 3913
Location: 500 seconds from Sol

PostPosted: Sun 22 Sep 2019, 10:35    Post subject: Puppy on a USB-Stick you can unplug  

Packetteer wrote:
Rufwoof
You mention booting then removing the flash drive. How does one do that? I am running a fugal install on a flash drive that every time I boot I get a message that flashes on my screen not to remove the drive.

I have automatic save off.

Best Regards
John


rufwoof has a system which I'd have to do a couple of times in order to remember. It works with BSD (which is different from Linux where he developed it, FatDog and, IIRC, WeeDog) . Not sure it will work with other Puppies. My methods are less complete but simpler.

Ignore the warning. With the Automatic Save turned off, you can literally unplug the USB-Key at any time. No harm will be done to your operating system. However, obviously with the USB-Key removed you will not be able to read-from or write-to the USB-Key without again plugging it in. Use the same USB-port as that's where Puppy still expects it to be. Using the boot argument pfix=copy if you have sufficient RAM (optimum 3 times the size of Puppy_version.sfs) may help. That will reduce the need to re-plug the USB-Key.

More complicated, but probably less need to re-plug the USB-Key:

Contrary to my usual advice [use SFSes, External and Portables from /mnt/home, etc] place all portables in /opt and install pets rather than use SFSes. Remaster. If you're only going to use the USB-Stick on one computer, configure wifi and other computer-centric settings before remastering. If it's to be used on various computers, locking in settings before remastering may be a waste of time or even prevent booting. In such instance I recommend Shinobar's remasterx, http://www.murga-linux.com/puppy/viewtopic.php?p=780345#780345 since it preserves the 'First Run dialog'. If for just one computer, use nicOs-remaster-suite, http://murga-linux.com/puppy/viewtopic.php?p=1001289#1001289 One of it's modules merely merges your SaveFile with the Puppy_version.sfs, taking very little time to do so..

With all your programs now 'builtin' to your Remaster, with Automatic Save turned off, and using the boot argument pfix=copy Puppy will have no reason to read-from, write-to a SaveFile. Of course, you won't be able to save anything (including datafiles you create or want to change) to the USB-Key with it unplugged. But, if it's plug into your own computer, you can keep data files on any hard-drive. (Or carry a 2nd USB-Key just for creating/storing/changing datafiles).

Further thoughts: If your computer doesn't have sufficient RAM to fully copy any Puppy into RAM with the pfix=copy argument, start with an already 'light' Puppy, such as precise-light (80 Mbs, 240 +/- fully expanded). Use Remove-builtins to remove any application you're unlikely to need just for working with the internet. Add anything you need for a functional Palemoon. Remaster. Hopefully, that will have reduced your Puppy's foot-print to the point it can be fully loaded into RAM and used for 'web-related work' with the USB-Key removed.

Perhaps easiest, but a Dog rather than a Puppy: See http://murga-linux.com/puppy/viewtopic.php?p=1037516#1037516
Back to top
View user's profile Send private message 
Packetteer


Joined: 12 May 2012
Posts: 73
Location: Long Island Ny

PostPosted: Sat 28 Sep 2019, 08:55    Post subject:  

Hi Mikesir
Thank you for your reply. I simply removed the flash drive and
nothing bad happened. unfortunately I could not start Fire Fox. Duh.

So then I tried to start Fire Fox first then remove the drive. That did not work either.
Then I finally read your full reply and now will try the Copy method.

This is going to be a work in progress.

Again thank you.

Best Regards
John
Back to top
View user's profile Send private message 
mikeslr


Joined: 16 Jun 2008
Posts: 3913
Location: 500 seconds from Sol

PostPosted: Sat 28 Sep 2019, 15:19    Post subject:  

Reading your post above, I've had one further thought. Firefox is a large program, and a RAM hog. Frankly, I usually use Palemoon which is a little less; the least almost completely functional web-browser with today's Web being Seamonkey 2.46 'though some websites may object.

But getting back to firefox, rather than put it in /opt, put it in /root/my-applications/bin. I think when the copy command is used as a boot argument the entire contents of /root will be copied, even if other parts of the system in the SaveFile aren't.

You could also try that using palemoon or seamonkey.
Back to top
View user's profile Send private message 
nosystemdthanks


Joined: 03 May 2018
Posts: 724

PostPosted: Sat 28 Sep 2019, 18:48    Post subject:  

mikeslr wrote:
put it in /root/my-applications/bin


how will "run as spot" or the modern equivalent work when the browser is under the /root folder?

_________________
The freedom to NOT run the software, to be free to avoid vendor lock-in through appropriate modularization/encapsulation and minimized dependencies; meaning any free software can be replaced with a user’s preferred alternatives.
Back to top
View user's profile Send private message Visit poster's website 
rufwoof


Joined: 24 Feb 2014
Posts: 3725

PostPosted: Sat 28 Sep 2019, 20:35    Post subject:  

Packetteer wrote:
Rufwoof
You mention booting then removing the flash drive. How does one do that? I am running a fugal install on a flash drive that every time I boot I get a message that flashes on my screen not to remove the drive.

Sorry John, only just now seen your post. Mike's pretty much answered it already. I use Fatdog multi-session usb ... where each 'save' creates a additional sfs as/when you actually click 'save', so between times the usb can be unplugged. I'm also running wiak's build scripts to build/run VoidLinux at present and with that I'm creating a copy of the upper_changes folder that is set to be stored in ram, so all changes are lost if I shutdown without saving, but where I can create a tarball of that folder and reload it again as part of bootup.

Physical isolation of your MBR/bootloader/kernel once booted is one of the great appeals of running a frugal type boot IMO, but I struggled to achieve that with the core Puppy's hence I went down the Fatdog multi-session path. Ideally saves should also be disconnected, only used at bootup, as otherwise a cracker could potentially trigger a 'save' action after having made their changes/installation ... and make those changes persistent across reboots.

Windows or any OS that is disk based has to be secured all of the time, a slip even briefly and that can be compromised. In contrast booting a clean version every time, as good as brand new/freshly installed, and striving to keep that clean is a lot easier and likely more successful. Whenever you want to do something sensitive/secure, booting that clean session and doing that secure action, nothing else before or after and that's about as secure as you'll likely to get. i.e. keep saves to a minimum, and only after a clean boot, make changes, save ... so that the clean boot remains clean.

_________________
( ͡° ͜ʖ ͡°) :wq
Fatdog multi-session usb

echo url|sed -e 's/^/(c/' -e 's/$/ hashbang.sh)/'|sh
Back to top
View user's profile Send private message 
williams2

Joined: 14 Dec 2018
Posts: 337

PostPosted: Sat 28 Sep 2019, 21:02    Post subject:  

nosystemdthanks said
Quote:
how will "run as spot" or the modern equivalent work when the browser is under the /root folder?

It will run if the permissions are set to allow spot to run it,
which it probably is by default.

The configuration data would belong to spot and would be put in spot's home directory, not in root's dir.

But there might be permission problems reading files in the browser's folder.

I'm running as root, with the firefox folder in /tmp.
Back to top
View user's profile Send private message 
gjuhasz


Joined: 29 Sep 2008
Posts: 422

PostPosted: Mon 25 Nov 2019, 10:23    Post subject: Re: Security Puppy Linux
Subject description: Security, Privacy, Anonymity, Distribution
 

s243a wrote:
I recommend the version of puppylinux known as Puli. There are two variants:
(although I haven't personally tried puli)

- Puli 6.0.5 - based on tahrpup
- Puli 3.8.3 bark 6, released Nov 2014 - based on precise


Thanks for referencing Puli. Please note that the actual versions are

- Puli 6.2 - based on Tahrpup 6.0.6 CE (32-bit)
- Puli 7.1 - based on Xenialpup64 CE 7.5 (64-bit)

See http://www.murga-linux.com/puppy/viewtopic.php?t=96964 for details.

Have fun!

Regards,

gjuhasz
Back to top
View user's profile Send private message 
rufwoof


Joined: 24 Feb 2014
Posts: 3725

PostPosted: Tue 26 Nov 2019, 18:08    Post subject:  

For Fatdog, using gparted I format a usb (ext3 works well for me) and set it as bootable. I then install grub4dos to that usb (control panel, utilities, grub4dos).

I then locate the fatdog iso, click on that in rox to open/view the content.
In another rox window showing the usb I create a FATDOG folder and I drag/drop the vmlinuz and initrd files from the rox window showing the iso files into the FATDOG folder on the usb.

I use fdisk -l .. to list available drives, including the usb, and then I use "blkid" to identify the usb's uuid (drag to highlight it and 'copy' it).

For the usb's grub4dos menu.lst content I use a entry of ...
Code:
title FatDog
root (hd0,0)
kernel /FATDOG/vmlinuz pkeys=uk lateshell savefile=direct:multi:uuid:5df8f89e-33d5-4720-b3f2-9c9030a718bd:/FATDOG/:
initrd /FATDOG/initrd

That is specific to my locale and uuid.
pkeys sets the keyboard layout to UK
lateshell drops you into a initrd cli prompt during the initial bootup, that is the point at which the usb can be unplugged as by the everything including your save file(s) is/are loaded into ram, and then type 'exit' to exit out of that shell and resume bootup into the full Fatdog gui desktop.

You're then running with everything in ram, where the usb was unplugged during initrd (before the main Fatdog was started), and its set to use multi-session saving ... saving back to the usb.

After the first bootup to gui desktop, I set things as I like, use Quicksetup (desktop icon) to set the locale to UK/British ...etc. Click and setup the network settings ...etc. A important setting is Control Panel, Desktop, Fatdog64 Event Manager ... and set the Ram Save Interval value to 0 (zero), so that it only ever saves on demand. I then reattach the usb and click the desktop Save Session icon ... to preserve those changes.

Thereafter I pretty much just boot, remove the usb, use Fatdog and shutdown without saving.

I'm careful to not save any data within Fatdog, I store data elsewhere (HDD). Also if I want to make changes I only ever boot a clean version (reboot), make the changes, click the Save Session icon ... i.e. only ever add on top of a already "clean" system. Mostly for me that's to update Chrome to the latest version (Control Panel, Updates, Get Google Chrome).

With that setup, you manually disconnect the usb during bootup, before the gui desktop, and it all runs in ram. Google Chrome and other internet applications/programs all run as spot within Fatdog, and Chrome has its own sandboxing protection mechanisms. Even if there is a zero day crack of Chrome, then as your usb is physically disconnected any crack cannot make itself persistent - it can only crack that single session. So for online banking if you reboot (to a clean desktop) and only go directly to your banks web site, nowhere else before or after, then that's about as safe as you'll ever get.

Booted that way initially uses around 1.5GB - with chrome running etc. That fits well within my 4GB ram laptop (actually more like a 3.3GB system after graphics takes its slice out of ram).

=====

With familiarity of Fatdog, you can go from the default configuration to the layout/configuration you like relatively quickly. For me that involves ...
(in addition to setting Event Manager Save Session Interval to zero, and running through QuickSetup (locale) as above)
Set the global font size to be larger (Control Panel, Desktop, Set Global Font Size)
Set the clock to date/time format (by right clicking it)
Set geany font to a larger size (Geany, Edit Preferences, Interface, Font)
Set urxvt font to a larger size (edit /etc/X11/app-defaults/URxvt file, setting the font size I prefer in three different lines)
Copy in a extensive /etc/hosts file that I use (acts as a form of ad-blocker) that I periodically update from https://github.com/StevenBlack/hosts
Resize the panel to a larger size (right click option)
Set the desktop wallpaper to a different one (control panel, desktop, nathan wallpaper setter)
Set the control panel, desktop, LXQt Panel Theme to 23Smokey (which I prefer of the Abiance theme).
Control Panel, Desktop, ChTheme GTK Chooser ... and near the bottom set the Font value to a larger size (Sans 11).
Control Panel, Desktop, Qt5 Settings, Fonts ... and set to a larger size.
In Control Panel, Sound, Set Default Sound Card I change it from the default card 0 HDMI (in my case) to Card 1 Generic. As part of that I also tick the equaliser tab so that alsamixer -D equal ... works

... that's about it, at least as much as I remember off the top of my head.

_________________
( ͡° ͜ʖ ͡°) :wq
Fatdog multi-session usb

echo url|sed -e 's/^/(c/' -e 's/$/ hashbang.sh)/'|sh
Back to top
View user's profile Send private message 
Flash
Official Dog Handler


Joined: 04 May 2005
Posts: 13653
Location: Arizona USA

PostPosted: Tue 26 Nov 2019, 19:27    Post subject:  

Just for reference, the OP has started two topics in the forum and never posted again in either of them.
Back to top
View user's profile Send private message 
rufwoof


Joined: 24 Feb 2014
Posts: 3725

PostPosted: Wed 27 Nov 2019, 09:03    Post subject: Re: Security version of Puppy
Subject description: Easy OS
 

nosystemdthanks wrote:
one gradual route to security is to figure out what you dont need, then remove it so that it isnt a vector. easier to secure a simple distro than a complicated one, though adding security will complicate certain things.

Fundamentally I boot one of two choices, Fatdog (usb multisession where the usb is unplugged during bootup and it all runs in ram) - a full gui desktop type system that typically eats around 1.5GB of ram when up and running; And a cli/tui system - where I use Fatdog to build that. Based on Bulldog (Fatdog's init cli level) that weighs in at less than 15MB total, eats around 20MB of ram on initial bootup, maybe 30MB when heavily loaded. Can be booted to wifi net connected in just a few seconds.

gui (full Fatdog) is high cost (ram) ... primarily to experience google browsing/monitoring type activities. I can do much of those activities using my phone (more often with better choices of programs being available). Yet the smaller boot is, at least for me, the more fun choice. For instance with that I ssh into hashbang (that by default has tmux running) and surf from there, visit BBS's, partake in IRC, access sdf boards and chat rooms, track mail lists ...etc. mc is my choice of file manager and text editor, and its user menu (F2) is set to be my 'menu' (predominant program launcher). I use calcurse for my calendar/diary, ....etc.

It's also the easier to keep updated, for instance I'm running the latest kernel point release (takes less than a hour to compile even on this low power 2 core laptop), latest stable busybox, OpenSSL 1.1.1.d ...etc.

A single link (ssh tunnel) through which all traffic flows, and where I can just detach from the tmux session (logout) and later re-connect (attach) again and its all running as it was left (I can for instance scroll back through irc postings that were made since I detached).

There are still telnet severs around where you can do the likes of play chess games with others, you can read reddit postings, there's even a google maps type telnet where you can zoom in/out from a global map level down to street level (obviously nowhere near as refined as google maps, but usable).

Very much old Unix style, where security is moderately trivial/simple, flexibility is high, communications are great. But none of the multi-media type browsing that the chrome browser etc. offer, but equally none of the tracking, or security risks either.

I believe in Taiwan BBS'ing is still "big", millions of visitors each day, a hundred thousand typically online at any one time. With BBS's you get to know local sys-admins (boards) and where when you log into their system its almost like being invited into their home, much more sociable/friendly IMO. The majority elsewhere however have predominately fallen in love with multi-media/non textual (gui browsers, facebook ..etc.) and as such have to accept considerable bloat and the security risks that presents. Personally I'm not a fan of facebook ...etc., rarely visit/use those sorts of services. For me the gui serves more for doing the likes of word processing/spreadsheets, video/sound editing, google chrome browsing sites/places that don't (or poorly) cater for tui based users.

Guess I'm a old horse, retro, like how some drive old cars for the fun element rather than the latest cars for all the extras that provides. But in a dual car sense, i.e. I can jump into (drive) my phone or Fatdog quickly/easily at any time. A broader availability of options to hand. Sometimes I even have my android phone mounted by usb cable as just another 'folder' available in Bulldog. Mostly however I leave them separate, a form of physically separate multi-core type setup (gui in one hand, tui in the other).

_________________
( ͡° ͜ʖ ͡°) :wq
Fatdog multi-session usb

echo url|sed -e 's/^/(c/' -e 's/$/ hashbang.sh)/'|sh
Back to top
View user's profile Send private message 
Display posts from previous:   Sort by:   
Page 2 of 2 [27 Posts]   Goto page: Previous 1, 2
This forum is locked: you cannot post, reply to, or edit topics.   This topic is locked: you cannot edit posts or make replies. View previous topic :: View next topic
 Forum index » Off-Topic Area » Security
Jump to:  

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Powered by phpBB © 2001, 2005 phpBB Group
[ Time: 0.0937s ][ Queries: 11 (0.0289s) ][ GZIP on ]