The time now is Wed 26 Nov 2014, 13:26
All times are UTC - 4
Iron Clad Puppy
2byte

Joined: 09 Oct 2006
Posts: 357

Posted: Tue 29 Nov 2011, 11:42    Subject: Iron Clad Puppy
Subtitle: Recipe for a secure dedicated Puppy computer
 

Linux is not immune to malware or rootkits. In fact, exploit kits for these that target Linux are being sold. I ran across an article about that on BBC the other day but unfortunately I didn’t bookmark it.

An acquaintance of mine observed that a pup booting from a CD/DVD was a very secure OS, but in her opinion left something to be desired. She would prefer a ‘regular’ computer. Carrying around a separate disc or stick is not her idea of an OS, and ‘why couldn’t a normal computer be made as iron-clad as one booted from a CD?’

Good question.

We tossed around a few ideas and made some observations.
Puppy booted from CD/DVD has these advantages:
It is immune to rootkits.
The base OS can not be compromised, except via a saved session or save file.

How could a regular kit, booted from the hard drive, implement the same features?
Things to consider:
The OS must be easy to update, so no immutable files.
The browser and email client must be updated regularly, along with some other applications.
Emails, documents and other personal files must be preserved.

This is the recipe we have so far:

Hardware
Set Bios password(s)
Disallow boot from CD or USB.
Partition HD – 1 swap – 2 Linux – 1 data – 1 backup (never mounted by user)

Software
Install GRUB to mbr, /boot on sda1
Create a blank save file (dd).
Manual install Puppy and configure menu.lst.

Boot & set up a frugal Puppy on a clean system (not connected to LAN or internet).
Set root password and computer name.
symlink ~/ browser and email files to /mnt/home/xx
Set browser to download to /mnt/home/yy
Install core apps from local copies, move to /mnt/home/zz and symlink back.
An alternative to storing apps and data on /mnt/home/xyz could be to use sfs files mounted rw at boot.

1 time
Backup mbr and partition table (dd).
Backup Puppy files: pupsave, initrd, vmlinuz, pup.sfs files.
Backup /boot directory.

Operation
Do periodic md5sum checks of system files at runtime.
At every shutdown, after all apps are killed and partitions unmounted:
Perform a final md5sum.
If anything is dubious, then from obscured onboard backup files,
Overwrite the mbr and partition table (dd).
Overwrite the Puppy system files and pupsave.
Overwrite /boot.
Shutdown.

We would like to hear the thoughts of other forum members about this. How could the recipe be improved? Any pitfalls to look out for?

Flash
Official Dog Handler


Joined: 04 May 2005
Posts: 11164
Location: Arizona USA

Posted: Tue 29 Nov 2011, 15:58    Subject: Re: Iron Clad Puppy
Subtitle: Recipe for a secure dedicated Puppy computer
 

2byte wrote:
....This is the recipe we have so far:

Hardware
Set Bios password(s)
Disallow boot from CD or USB. ...

I would only do that if I were going to boot from a network. Because what do you do if the computer's hard disk craters? (Which it will, trust me, and at the worst possible moment.) You won't be able to boot from a repair CD or from a plain Puppy CD to at least use the computer.
2byte

Joined: 09 Oct 2006
Posts: 357

Posted: Tue 29 Nov 2011, 16:13

She has no problem with going into the bios and changing the boot options. Or replacing a fried HD for that matter.
She's a very savvy lady.

Edit: Disabling CD USB boot was her idea

PaulBx1

Joined: 16 Jun 2006
Posts: 2308
Location: Wyoming, USA

Posted: Fri 02 Dec 2011, 03:19

I wouldn't bother with the overwrites at the end. Instead, get checksums and compare with known good values (that you've stored previously). In fact checking checksums in the background after boot wouldn't be a bad idea. That way you won't bork things if power goes down in the middle of a write. Probably faster too.
2byte

Joined: 09 Oct 2006
Posts: 357

Posted: Sat 03 Dec 2011, 17:53

Thanks for the suggestion, it's sort of obvious now that you've pointed it out. Plus, the rewrites can still be done if anything dubious is detected.

Would anyone else care to offer up an idea?

PaulBx1

Joined: 16 Jun 2006
Posts: 2308
Location: Wyoming, USA

Posted: Mon 05 Dec 2011, 20:50

I'll be interested to see the scripts you come up with. I run an encrypted pupsave and a truecrypt volume for my personal data, but I always intended at some point (never got around to it) to kick off a low priority background task in rc.local to verify the checksums of the non-encrypted pieces like the puppy sfs, just to be paranoid about stuff like trojans and key loggers.

I also boot off flash drive and carry this around when I'm not home so it's pretty secure I imagine, but it doesn't hurt to add more security to the picture.
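
The checksum comparison against stored known-good values suggested in this thread, and the background check from rc.local mentioned in the last post, sketched as an added example (not code from any poster here). It uses sha256sum in place of the md5sum named in the recipe; the file names, the "MBR:" manifest tag and the temp files standing in for the disk are assumptions.

```sh
#!/bin/sh
# Added example: compare Puppy boot files and the MBR with known-good hashes.
# File names and the "MBR:" manifest tag are assumptions for illustration.

# Hash the first 512-byte sector (MBR + partition table) of a disk or image.
sector_hash() {
    dd if="$1" bs=512 count=1 2>/dev/null | sha256sum | cut -d' ' -f1
}

# make_manifest DISK DIR FILE... : print one "hash  name" line per item.
make_manifest() {
    disk=$1; dir=$2; shift 2
    printf '%s  MBR:%s\n' "$(sector_hash "$disk")" "$disk"
    ( cd "$dir" && sha256sum "$@" )
}

# verify_manifest MANIFEST DIR : print every changed or missing item.
# Returns 0 only when all entries match; nothing is overwritten here.
verify_manifest() {
    [ -r "$1" ] || { echo "MISSING manifest $1"; return 2; }
    bad=0
    while read -r want name; do
        case $name in
            MBR:*) got=$(sector_hash "${name#MBR:}") ;;
            *)     got=$(sha256sum "$2/$name" 2>/dev/null | cut -d' ' -f1) ;;
        esac
        if [ "$got" != "$want" ]; then
            echo "MISMATCH $name"
            bad=1
        fi
    done < "$1"
    return $bad
}

# Constructed demo: temp files stand in for /dev/sda and the Puppy files.
demo() {
    t=$(mktemp -d)
    printf 'constructed boot sector' > "$t/disk.img"
    for f in vmlinuz initrd.gz pup.sfs; do echo "good $f" > "$t/$f"; done
    make_manifest "$t/disk.img" "$t" vmlinuz initrd.gz pup.sfs > "$t/good.txt"
    verify_manifest "$t/good.txt" "$t" && echo "clean"
    echo "tampered" >> "$t/initrd.gz"   # simulate a modified initrd
    verify_manifest "$t/good.txt" "$t" || echo "dubious: restore from backup"
    rm -rf "$t"
}
demo
```

Keep the manifest where a compromised session cannot rewrite it, such as the recipe's never-mounted backup partition or removable media. From rc.local the check can run in the background under nice so it does not slow the boot.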