Securix, together with companies like Google, IBM, Novell, Red Hat, Sony, Philips, Canonical, Facebook and more than 700 others, joined the Open Invention Network community.
OIN protects the open-source community through a patent cross-license for Linux and related open-source technologies. The license is free and available to companies, organizations, and individual developers if they agree not to assert their own patents against Linux. OIN also defends against anti-open-source patent aggression through education, reform efforts, and its own defensive patent portfolio.
More information can be found here.
Securix isn’t publicly available yet. You can see the progress in this post.
The installer is completed and I’m now primarily testing the Securix control scripts!
- added pwgen
- added securix motd
- added kernel and grub update
- added securix updating tool
- added kernel config update to 3.7.0
- added turned off ccache
- added RAID devices detection and auto configuration
- added /var/tmp/portage as tmpfs, setup noexec on /var
- added bash command logging via PROMPT_COMMAND, removed USE flag bashlogger
- added fail2ban default config and support to installer and securix scripts
- added load securix config with basic sanitization
- added new setup for limits.conf
- added usage of Securix DR site
- added print system limits in motd
- change: 32-bit systems will not be supported
- fix iptables rules-save
- fix issue with motd alerts count
- added bashrc
- added bash aliases
- added dispatch-conf setup
- added mailhub config
- added cron scripts
- added checking of Portage update GPG sign
- added NTP configuration during network setup
- added automatic portage and gentoolkit updates
- added SMART failures and temperature monitoring
- added SMART scheduled short and long self-tests
- added unhide and scrub
- fixed GCC compilation issues
- added automatic/specified bonding setup
- added sudo initial file
- added LVM monitoring
- added additional tools (network)
- added gcc-config selection
- fix run errors
- added grub fallback in case of problems with new kernel (panic, etc.)
- added grub password to avoid unauthorized single user mode
- added automatic serial terminal access detection and setup
- added genkernel configuration generator for further kernel updates
- added user auditing, bash commands logging
- added limits.conf – protection against depletion of system resources, fork bombs, etc.
- added login.defs to align with Securix environment
- added VESA framebuffer with Securix Linux Logo on boot (vga 791)
- added Securix system groups operators and services
- added terminal encoding in UTF-8
- added pvcreate force to avoid questions when LVM already exists
- fix fstab LVM misconfiguration
- fix login issue (securetty)
- fix iptables-save
- advanced partitioning (boot, swap, root, usr, home, var, opt, tmp) with options (where possible) noatime, nodev, nosuid, noexec
- Full disk encryption (LUKS)
- LVM automatically for disks >20GB
- predefined kernel setup for virtual environments (VirtualBox, KVM, VMware, …)
- rewritten yesno function
- securix user for first login
08/2011 – 16/11/2011
- environment checking, architecture, network
- functions, variables, system setup, trap errors
- hostname, root password, manual network setup, …
- partitioning (/boot, swap, /)
- stage3 and portage installation
- make.conf generator
- CHROOT script
- system installation, configuration & hardening
- kernel compiling
- grub installation and setup
- compiling system applications
- iptables script
- sysctl config
- kernel accelerated AES encryption
I would like to show you in a mind map what the Securix control script is about. It should take care of most tasks on the system. It will do most of the boring setup for you, monitor or check system status, assign roles (functions) of your server, etc. The next part of the Securix system is the Securix monitor, which collects information for the control script, the dynamic motd and the notification system, but I will introduce it later.
The Securix control script is not completed yet (roles are missing), but I will release an alpha when Securix update works and when the Securix CA starts signing packages.
Check and comment
I just want to inform you that Securix has been moved under multihosting, together with other projects in which my friends and I participate.
This also means that the domain www.securix.org is now the primary one.
Please update your bookmarks and stay tuned!
Last month I received new books purchased from Amazon.co.uk.
First one is: Hacking Exposed Linux: Linux Security Secrets and Solutions
- Paperback: 813 pages
- Publisher: McGraw-Hill Osborne; 3rd edition (1 Aug 2008)
- Language: English
- ISBN-10: 0072262575
- ISBN-13: 978-0072262575
I personally rate this book 3 out of 5 stars.
Second book is: Hardening Linux
Author: James Turnbull
- Paperback: 546 pages
- Publisher: APRESS (1 Feb 2005)
- Language: English
- ISBN-10: 1590594444
- ISBN-13: 978-1590594445
I will start reading this next week, but I suppose that this book will be much better than the previous one.
In the meantime I have to discuss the design of the Securix control script (update, install, maintenance) with some geeks on forums because I don’t want to reinvent the wheel.
I am also thinking about my own Gentoo overlay, but I’m not sure if all needed features are supported (signing packages/scripts, etc.).
I want to have everything clear before I start coding, because this script will then maintain the whole server and also try to fix common issues itself, so it should be designed well.
The Security Session conference is over. My presentation can be found here [PDF] and here [SlideShare.net].
We also plan to put videos on YouTube and prepare subtitles for them. If so, you can translate my presentation into any other language supported by the YouTube player.
I said at the conference that the Alpha version will be available +/- this summer. So let’s continue with the hard work on Securix to fulfill what I promised.
Regarding the output of checksec.sh, we are on the right track :]
I would like to invite you to the Security Session 2012 conference, held on 18 February in Brno, Czech Republic.
For more information please visit the main page http://session.security-portal.cz/ (CZ) or http://session.security-portal.cz/en/ (for English)
I just want to inform you how things look with the Securix project now.
I have spent a lot of hours on Google looking for Gentoo installers.
I’ve found Cryptogen from a guy called OozIe – http://blog.ooz.ie/search/label/cryptogen but the link to cryptogen.sh is broken and OozIe is unable to find it anymore.
The next project is Anaconda for Gentoo (from wiktor w brodlo), which can be great for further Gentoo installations, because at this moment you must set up Gentoo yourself (step by step) with the Gentoo Handbook, but most installations are exactly the same, so it is painful to do the same things again and again…
This project is just starting, but can be very useful for the next Gentoo releases.
The problem is that the Anaconda installer uses X but Securix does not, so it makes no sense to install the system via a GUI if the system itself has no X environment.
The solution is: my own script :] Securix Installer is written in bash and should ask you only for the device/disk where you want to install the system, the hostname and the password. Everything else is set up automatically (architecture, gcc options, use flags, kernel, grub, …) to get the maximum from your hardware.
The script isn’t completed yet and it will take some time of troubleshooting until I can release it publicly, but from that time we can have the first beta of Securix!
Stay tuned, more to come!
You can find the Securix sysctl.conf file on our Wiki.
All feedback is appreciated. Thx
I’ve installed DokuWiki on the Securix website, where I will post all configurations, installation setup, howtos and other related information.
If you have an improvement, don’t hesitate to update the content. [link]