System security and attack prevention

Hi everyone, I would like to know if anyone is an expert in the security of operating systems, in particular linux ones and in particular Manjaro of course.

If you who are reading this have some useful information to keep the system safe (many know that it is good to only install software from their repositories but not all do) let us know.

My idea is a security approach oriented more towards monitoring the operating system in order to prevent attacks than towards checking whether someone is attacking us through software and techniques, but if you know something better or more specific, it would be very nice to inform all of us so we are able to protect ourselves, and at most, tinker a bit by learning something new.

I invite you to be as detailed as you can, starting from the idea that whoever is in front of you is ignorant, in my case, I just don’t know how to do it.

I just read some little information on analyzing data through Wireshark and netstat, using a good firewall and using an antivirus, although viruses are rare around here.

I await your opinion or maybe even your experiential guide.

Thank you in advance.

The Arch Wiki is always a good place to start: Security - ArchWiki

Very well, I found some vulnerabilities, you have to try to update the kernel to fix them, but if I update my kernel to an unstable one, don’t I also risk losing all my files due to a malfunction?

@Yochanan I have read the document, and it says how to find a vulnerability (and I found them) but it does not say how to close it. Can you tell me now whether that wiki explains how to close a vulnerability?

If you mean running something like arch-audit
Then remember this is computer technology … and open-source at that.
Don't expect to be running a system without any CVEs at all.

I don’t know what a CVE is, and since it’s open-source I expect that, by being able to look at the code freely, many people can work on it and so reduce the leaks in the system.
I, who am a neophyte, have already found several; now I wonder how I can close them or work with some program to reduce the impact of these leaks on my system. I also wonder, if you do not have the answer on how to secure a system from its flaws, whether you could at least use programs to monitor that someone does not enter, so at least you know what you die of.
For an operating system renowned for security (linux in general) it has more holes than a sieve XD

Only if you do not have a backup strategy.

What have you found exactly?

I doubt I can do a backup every 5 seconds, also because I don’t know how to do incremental backups, and even knowing this I don’t trust their accuracy, and even trusting my protected wires to be passed through, they should be unprotected every time, several times a day, thus preventing me from using my computer or the internet too.

A bit like asking a banker exactly where the holes in his bank are; he will surely tell you how to use them, so much for improving the security of his clients’ accounts XD
Probably everyone who has my kernel has the same problems, and you already know my kernel, and the bugs in my version of manjaro should theoretically all be known, otherwise I don’t know how I would have found them if I don’t deal with high-level programming.

Anyway, the post is not a way to challenge the weak points of a speech; I don’t care who is right, I care that my system is safe, so we can open a post where we do some rhetoric, and use this post for suggesting information about improving security, so maybe we produce a more specific and targeted approach to finding solutions for each of the contexts of interest.

? what ?
You say you have found vulnerabilities. So … provide proof.
List the issues.

Me neither … who is arguing? The point is … you said a thing, so … back it up or this is just trolling.

I agree, but I like to do things well, not only do I give you a good proof, but I also help you find your own.

This is one of the ways to find your own, and you can understand for yourself whether or not there are vulnerabilities.

grep -r . /sys/devices/system/cpu/vulnerabilities/
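The files under that sysfs directory hold one status line each, so they can be summarised mechanically rather than read by eye. The following POSIX shell script is an added example, not code from this thread or from the Manjaro or Arch projects. It classifies each status line by the prefixes the kernel actually uses ("Not affected", "Mitigation: …", "Vulnerable…") and runs first against a constructed sample directory that mimics the sysfs layout (the `example_issue` file and its contents are invented for the demonstration), then against the live tree if it exists.

```shell
#!/bin/sh
# Added example: summarise the per-issue status files the kernel exposes in
# /sys/devices/system/cpu/vulnerabilities/ (one file per issue, one line each).
# Real values seen there look like "Not affected", "Mitigation: <details>",
# "Vulnerable" or "Vulnerable: <details>".

VULN_DIR=/sys/devices/system/cpu/vulnerabilities

# classify_status "<status line>" -> prints ok | mitigated | vulnerable | unknown
classify_status() {
    case "$1" in
        "Not affected"*)   echo ok ;;
        "Vulnerable"*)     echo vulnerable ;;
        *"Mitigation:"*)   echo mitigated ;;   # also matches prefixed forms such as "KVM: Mitigation: ..."
        *)                 echo unknown ;;     # anything else is reported, not silently accepted
    esac
}

# count_vulnerable DIR -> prints how many entries in DIR report a vulnerable status
count_vulnerable() {
    n=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        [ "$(classify_status "$(head -n 1 "$f")")" = vulnerable ] && n=$((n + 1))
    done
    echo "$n"
}

# summarise_dir DIR -> one line per issue: file name, class, raw kernel text.
# Exit status is 1 when at least one entry is vulnerable, so it can gate a script.
summarise_dir() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        status=$(head -n 1 "$f")
        printf '%-20s %-10s %s\n' "$(basename "$f")" "$(classify_status "$status")" "$status"
    done
    [ "$(count_vulnerable "$1")" -eq 0 ]
}

# make_sample_dir -> creates a constructed directory that mimics the sysfs layout.
# The contents are invented for this example; "example_issue" is not a real kernel file name.
make_sample_dir() {
    d=$(mktemp -d)
    printf 'Not affected\n' > "$d/meltdown"
    printf 'Mitigation: usercopy/swapgs barriers and __user pointer sanitization\n' > "$d/spectre_v1"
    printf 'Vulnerable\n' > "$d/example_issue"
    echo "$d"
}

# Demo: run against the constructed sample, then against the live sysfs tree if present.
sample=$(make_sample_dir)
echo "== constructed sample =="
summarise_dir "$sample" || echo "sample: at least one entry is vulnerable (expected for the sample)"
rm -rf "$sample"
if [ -d "$VULN_DIR" ]; then
    echo "== this machine =="
    summarise_dir "$VULN_DIR" || echo "this machine: at least one entry reports Vulnerable"
fi
```

Note that "Mitigation:" lines are the normal, healthy case on patched hardware: the file still exists because the issue is known for that CPU model, and the text after the colon says which kernel mitigation is active. Only a line beginning with "Vulnerable" means the kernel has no mitigation in effect for that issue.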

OK … I don't need assistance with that.
I am happy with my system security … and that command you stumbled upon showed, and still shows, no serious vulnerabilities for me. I don't think you understand what it actually is or does.
In fact many users run with the mitigations=off param to turn off available mitigations for those issues because, for example, on certain intel devices those mitigations could cost more than 30% performance, while the vulnerability is probably only a concern if you are actively being targeted by sophisticated state actors.

Now … let's go through some basics … the very beginning of the Archwiki Security page:

Concepts

  • It is possible to tighten security to the point where the system is unusable. Security and convenience must be balanced. The trick is to create a secure and useful system.
  • The biggest threat is, and will always be, the user.
  • The principle of least privilege: Each part of a system should only be able to access what is strictly required, and nothing more.
  • Defense in depth: Security works better in independent layers. When one layer is breached, another should stop the attack.
  • Be a little paranoid. And be suspicious. If anything sounds too good to be true, it probably is!
  • You can never make a system 100% secure unless you unplug the machine from all networks, turn it off, lock it in a safe, smother it in concrete and never use it.
  • Prepare for failure. Create a plan ahead of time to follow when your security is broken.

So … do always remember that security is something you configure :wink:

safety --configure --usability-protection

Could this be the right command to use?

That’s not a very good example as those are hardware vulnerabilities that were patched (most years ago) by CPU manufacturers and OEMs via BIOS.

Check out Spectre Meltdown Checker for more details.

It even spits out the same stuff by default if you do your basic inxi -Fazy
ex:

  Vulnerabilities: Type: itlb_multihit status: Not affected 
  Type: l1tf status: Not affected 
  Type: mds status: Not affected 
  Type: meltdown status: Not affected 
  Type: spec_store_bypass 
  mitigation: Speculative Store Bypass disabled via prctl and seccomp 
  Type: spectre_v1 
  mitigation: usercopy/swapgs barriers and __user pointer sanitization 
  Type: spectre_v2 mitigation: Full AMD retpoline, IBPB: conditional, STIBP: 
  disabled, RSB filling 
  Type: srbds status: Not affected 
  Type: tsx_async_abort status: Not affected 

But if spectre was patched, why is it showing it to me as a vulnerability? If I already had the answer and the solution I would have no reason to ask for it here; at most I would just disclose it without asking.

Either the patch is applied to your system, you specifically are disabling it, or there isn't one available for your hardware. (Yes, depending on your device … the manufacturer may simply have never fixed it, or it was technologically unfeasible to do so … and your only choice is to buy a different device.)
I guess it also depends on how you are reading it.
If it says vulnerable … then you are vulnerable. To understand what you are vulnerable to … read things like the link Yochanan shared.

So even if they are patched if one looks for them, they still appear in the system. At least now it is clearer, although I don’t find it useful to make them look like that if they have been resolved.

No … that's not how it works.
Why don't you just give us your output?
Maybe even easier with something like inxi -Cazy