How to make a Puppy Linux security distribution?

[nosystemdthanks]

put it in /root/my-applications/bin

how will "run as spot" or the modern equivalent work when the browser is under the /root folder?

[rufwoof]

Rufwoof
You mention booting then removing the flash drive. How does one do that? I am running a fugal install on a flash drive that every time I boot I get a message that flashes on my screen not to remove the drive.

Sorry John, only just now seen your post. Mike's pretty much answered it already. I use Fatdog multi-session usb ... where each 'save' creates a additional sfs as/when you actually click 'save', so between times the usb can be unplugged. I'm also running wiak's build scripts to build/run VoidLinux at present and with that I'm creating a copy of the upper_changes folder that is set to be stored in ram, so all changes are lost if I shutdown without saving, but where I can create a tarball of that folder and reload it again as part of bootup.

Physical isolation of your MBR/bootloader/kernel once booted is one of the great appeals of running a frugal type boot IMO, but I struggled to achieve that with the core Puppy's hence I went down the Fatdog multi-session path. Ideally saves should also be disconnected, only used at bootup, as otherwise a cracker could potentially trigger a 'save' action after having made their changes/installation ... and make those changes persistent across reboots.

Windows or any OS that is disk based has to be secured all of the time, a slip even briefly and that can be compromised. In contrast booting a clean version every time, as good as brand new/freshly installed, and striving to keep that clean is a lot easier and likely more successful. Whenever you want to do something sensitive/secure, booting that clean session and doing that secure action, nothing else before or after and that's about as secure as you'll likely to get. i.e. keep saves to a minimum, and only after a clean boot, make changes, save ... so that the clean boot remains clean.

[williams2]

nosystemdthanks said

how will "run as spot" or the modern equivalent work when the browser is under the /root folder?

It will run if the permissions are set to allow spot to run it,
which it probably is by default.

The configuration data would belong to spot and would be put in spot's home directory, not in root's dir.

But there might be permission problems reading files in the browser's folder.

I'm running as root, with the firefox folder in /tmp.

[gjuhasz]

I recommend the version of puppylinux known as Puli. There are two variants:
(although I haven't personally tried puli)

- Puli 6.0.5 - based on tahrpup
- Puli 3.8.3 bark 6, released Nov 2014 - based on precise

Thanks for referencing Puli. Please note that the actual versions are

- Puli 6.2 - based on Tahrpup 6.0.6 CE (32-bit)
- Puli 7.1 - based on Xenialpup64 CE 7.5 (64-bit)

See http://www.murga-linux.com/puppy/viewtopic.php?t=96964 for details.

Have fun!

Regards,

gjuhasz

[rufwoof]

For Fatdog, using gparted I format a usb (ext3 works well for me) and set it as bootable. I then install grub4dos to that usb (control panel, utilities, grub4dos).

I then locate the fatdog iso, click on that in rox to open/view the content.
In another rox window showing the usb I create a FATDOG folder and I drag/drop the vmlinuz and initrd files from the rox window showing the iso files into the FATDOG folder on the usb.

I use fdisk -l .. to list available drives, including the usb, and then I use "blkid" to identify the usb's uuid (drag to highlight it and 'copy' it).

For the usb's grub4dos menu.lst content I use a entry of ...

Code: Select all

title FatDog
root (hd0,0)
kernel /FATDOG/vmlinuz pkeys=uk lateshell savefile=direct:multi:uuid:5df8f89e-33d5-4720-b3f2-9c9030a718bd:/FATDOG/:
initrd /FATDOG/initrd

That is specific to my locale and uuid.
pkeys sets the keyboard layout to UK
lateshell drops you into a initrd cli prompt during the initial bootup, that is the point at which the usb can be unplugged as by the everything including your save file(s) is/are loaded into ram, and then type 'exit' to exit out of that shell and resume bootup into the full Fatdog gui desktop.

You're then running with everything in ram, where the usb was unplugged during initrd (before the main Fatdog was started), and its set to use multi-session saving ... saving back to the usb.

After the first bootup to gui desktop, I set things as I like, use Quicksetup (desktop icon) to set the locale to UK/British ...etc. Click and setup the network settings ...etc. A important setting is Control Panel, Desktop, Fatdog64 Event Manager ... and set the Ram Save Interval value to 0 (zero), so that it only ever saves on demand. I then reattach the usb and click the desktop Save Session icon ... to preserve those changes.

Thereafter I pretty much just boot, remove the usb, use Fatdog and shutdown without saving.

I'm careful to not save any data within Fatdog, I store data elsewhere (HDD). Also if I want to make changes I only ever boot a clean version (reboot), make the changes, click the Save Session icon ... i.e. only ever add on top of a already "clean" system. Mostly for me that's to update Chrome to the latest version (Control Panel, Updates, Get Google Chrome).

With that setup, you manually disconnect the usb during bootup, before the gui desktop, and it all runs in ram. Google Chrome and other internet applications/programs all run as spot within Fatdog, and Chrome has its own sandboxing protection mechanisms. Even if there is a zero day crack of Chrome, then as your usb is physically disconnected any crack cannot make itself persistent - it can only crack that single session. So for online banking if you reboot (to a clean desktop) and only go directly to your banks web site, nowhere else before or after, then that's about as safe as you'll ever get.

Booted that way initially uses around 1.5GB - with chrome running etc. That fits well within my 4GB ram laptop (actually more like a 3.3GB system after graphics takes its slice out of ram).

=====

With familiarity of Fatdog, you can go from the default configuration to the layout/configuration you like relatively quickly. For me that involves ...
(in addition to setting Event Manager Save Session Interval to zero, and running through QuickSetup (locale) as above)
Set the global font size to be larger (Control Panel, Desktop, Set Global Font Size)
Set the clock to date/time format (by right clicking it)
Set geany font to a larger size (Geany, Edit Preferences, Interface, Font)
Set urxvt font to a larger size (edit /etc/X11/app-defaults/URxvt file, setting the font size I prefer in three different lines)
Copy in a extensive /etc/hosts file that I use (acts as a form of ad-blocker) that I periodically update from https://github.com/StevenBlack/hosts
Resize the panel to a larger size (right click option)
Set the desktop wallpaper to a different one (control panel, desktop, nathan wallpaper setter)
Set the control panel, desktop, LXQt Panel Theme to 23Smokey (which I prefer of the Abiance theme).
Control Panel, Desktop, ChTheme GTK Chooser ... and near the bottom set the Font value to a larger size (Sans 11).
Control Panel, Desktop, Qt5 Settings, Fonts ... and set to a larger size.
In Control Panel, Sound, Set Default Sound Card I change it from the default card 0 HDMI (in my case) to Card 1 Generic. As part of that I also tick the equaliser tab so that alsamixer -D equal ... works

... that's about it, at least as much as I remember off the top of my head.

[Flash]

Just for reference, the OP has started two topics in the forum and never posted again in either of them.

[rufwoof]

one gradual route to security is to figure out what you dont need, then remove it so that it isnt a vector. easier to secure a simple distro than a complicated one, though adding security will complicate certain things.

Fundamentally I boot one of two choices, Fatdog (usb multisession where the usb is unplugged during bootup and it all runs in ram) - a full gui desktop type system that typically eats around 1.5GB of ram when up and running; And a cli/tui system - where I use Fatdog to build that. Based on Bulldog (Fatdog's init cli level) that weighs in at less than 15MB total, eats around 20MB of ram on initial bootup, maybe 30MB when heavily loaded. Can be booted to wifi net connected in just a few seconds.

gui (full Fatdog) is high cost (ram) ... primarily to experience google browsing/monitoring type activities. I can do much of those activities using my phone (more often with better choices of programs being available). Yet the smaller boot is, at least for me, the more fun choice. For instance with that I ssh into hashbang (that by default has tmux running) and surf from there, visit BBS's, partake in IRC, access sdf boards and chat rooms, track mail lists ...etc. mc is my choice of file manager and text editor, and its user menu (F2) is set to be my 'menu' (predominant program launcher). I use calcurse for my calendar/diary, ....etc.

It's also the easier to keep updated, for instance I'm running the latest kernel point release (takes less than a hour to compile even on this low power 2 core laptop), latest stable busybox, OpenSSL 1.1.1.d ...etc.

A single link (ssh tunnel) through which all traffic flows, and where I can just detach from the tmux session (logout) and later re-connect (attach) again and its all running as it was left (I can for instance scroll back through irc postings that were made since I detached).

There are still telnet severs around where you can do the likes of play chess games with others, you can read reddit postings, there's even a google maps type telnet where you can zoom in/out from a global map level down to street level (obviously nowhere near as refined as google maps, but usable).

Very much old Unix style, where security is moderately trivial/simple, flexibility is high, communications are great. But none of the multi-media type browsing that the chrome browser etc. offer, but equally none of the tracking, or security risks either.

I believe in Taiwan BBS'ing is still "big", millions of visitors each day, a hundred thousand typically online at any one time. With BBS's you get to know local sys-admins (boards) and where when you log into their system its almost like being invited into their home, much more sociable/friendly IMO. The majority elsewhere however have predominately fallen in love with multi-media/non textual (gui browsers, facebook ..etc.) and as such have to accept considerable bloat and the security risks that presents. Personally I'm not a fan of facebook ...etc., rarely visit/use those sorts of services. For me the gui serves more for doing the likes of word processing/spreadsheets, video/sound editing, google chrome browsing sites/places that don't (or poorly) cater for tui based users.

Guess I'm a old horse, retro, like how some drive old cars for the fun element rather than the latest cars for all the extras that provides. But in a dual car sense, i.e. I can jump into (drive) my phone or Fatdog quickly/easily at any time. A broader availability of options to hand. Sometimes I even have my android phone mounted by usb cable as just another 'folder' available in Bulldog. Mostly however I leave them separate, a form of physically separate multi-core type setup (gui in one hand, tui in the other).