this post was submitted on 16 Apr 2025
29 points (91.4% liked)
Linux
53416 readers
599 users here now
From Wikipedia, the free encyclopedia
Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).
Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.
Rules
- Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.
- No misinformation
- No NSFW content
- No hate speech, bigotry, etc
Related Communities
Community icon by Alpár-Etele Méder, licensed under CC BY 3.0
founded 5 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
What does that even mean? What kind of exploitation are you talking about?
Every use case comes with its own risk, and every risk needs to be handled differently. People jokingly said that if you wanna be sure, don't connect your computer to the network at all; and if you wanna be surer, don't use a computer. While that was a joke, there's truth in that.
If you're just going to use it as a workstation, then firewall to make sure some randos don't ping you should suffice. If you're sharing this workstation with your tech illiterate mates, then perhaps something to prevent executing random stuff like SELinux or AppArmor would do. If executing random stuff is just what you do, then set up VMs or some other ways to isolate that execution environment.
If you're sharing files directly from your computer to the internet (e.g. with SMB or NFS), then you'd need to make sure only the right people have the access, and the auth can't be brute-forced (i.e. with rate-limiting and lock-out policy). Same goes if you allow remote login (i.e. thru SSH). Some people use custom port number to obscure their stuff, and you can do it too, but do keep in mind it could make your life (or your mates' lives) harder.
If you're running other outward facing services like SQL database or HTTP, that would require different ways to address. If you're on such level, you'd want do some serious readings.
You raise a valid point. In which case, I want to try and prevent malicious privilege escalation by a process on this system. I know that's a broad topic and depends on the application being run, but most of the tweaks I've listed work towards that to an extent.
To be precise, I'm asking how to harden the upcoming AlmaLinux based Dom0 by the XCP-NG project. I want my system to be difficult to work with even if someone breaks into it (unlikely because I trust Xen as a hypervisor platform but still).
I admit I was a bit surprised by the question since I've never consciously thought about a reason to harden my OS. I always just want to do it and wonder why OSes aren't hardened more by default.
Privilege escalations always have to be granted by an upper-privilege process to a lower-privilege process.
There is one general way this happens.
Ex: root opens up a line of communication between it and a user, the user sends input to root, root mishandles it, it causes undesired behavior within the root process and can lead to bad things happening.
All privilege escalation is two different privilege levels having some form of interaction. Crossing the security boundary. If you wish to limit this, you need to find the parts of the system that cross that boundary, like sudo[1], and remove those from your system.
[1]: sudo is an SUID binary. That means, when you run it, it runs as root. This is a problem, because you as a process have some influence on code that executes within the program (code running as root).
Thanks. You are correct, however since root is required for certain processes, I will use different users and doas for my needs.
I have realised that it is hard for me to justify the reason why I want to harden an OS for personal use. I gave privilege escalation out, but after reading your comment I have realised that that is not the only thing I am looking to "fix". My intention with running hardened_malloc was to prevent DoS attacks by malicious applications trying to exploit unknown buffer overflow situations, and LibreSSL and musl were to reduce the attack surface.
I agree with your comment though. I'm just wondering about how I can specify a reason (and why such a reason is required to justify hardening of a distro). I haven't found much of a reason for the existence of OpenBSD, Kicksecure, Qubes etc other than general hardening and security.
That narrows it down a lot. To be honest, I'm not familiar with that. However, with that specific of a topic, it shouldn't be that hard to look up for articles to follow and come up with a course of action.
The reason why OSes aren't 'hardened' by default is because it would be a real pain for users trying to set things up or use it for daily operation. If you take it to an extreme, they wouldn't be able to access anything they want. If you're a sysadmin, you'd be faced with your whole office pissed off because they wouldn't be able to do their work.
Last but not least, what does 'hardened' mean anyway? You can have something as 'hardened' as an airgapped workstation in a faraday cage with an off-grid power supply. Are you running away from a government agency? I wouldn't think so. So a firewall blocking unused ports and mindful practice should suffice.