Hi everyone; I hope someone can answer a simple question for me. When I install plain Debian, I just install the base system (and the bootloader), and then I add the desktop, software, and packages after reboot. This gives me a smaller system with only the software and packages that I want or need.
My question is, is there any type of security compromise by doing this? I know that iptables is in the base system, and I add UFW too. Still, I wonder if I'm missing something.
Here's a quick rundown of how I do an install if it will be of any help.
I start off with a netinstall of the unofficial release of Debian stable with firmware included. I use the stable branch, because the installer for testing doesn't offer one of the steps that I need.
1. When the installer reaches the point to add a desktop, I click on "Go back"...the "Go back" feature isn't in the Testing installer. Anyway, this shows an installation failure of course, but I click on "Continue" and click to install grub. I install grub...and I'm done with the installation.
2. Upon restart, all I get is the full-screen command-line prompt. I log in and get started building.
3. The first thing I do is limit systemd's journal (nano /etc/systemd/journald.conf) by uncommenting #SystemMaxUse= and adding a limit ... so that it becomes SystemMaxUse=50M
4. Edit my sources.list (nano /etc/apt/sources.list). The main Jessie repo is missing contrib and non-free when I install this way. If I want to change Stable to Testing, I do that at this point too. Then update and upgrade or dist-upgrade if changing to Testing.
5. I add my desktop (usually adding --no-install-recommends to keep it even smaller).
6. I add Lightdm.
7. I add a few more basic things if needed depending on the desktop.
8. Reboot and add the remaining things from the now functioning desktop.
So, with that basic outline, can anyone think of any reason why a system like this wouldn't be as secure as a normal install?
Thanks!
Last edited by nobody1 (2016-05-28 17:06:53)
Offline
I have not heard of anything added in the "prepackaged" installs over the netinstalls that involves security. The only thing that stands out is that your sources.list file should have:
deb http://security.debian.org/ jessie/updates main
with the option contrib and non-free additional line as well. I could be off the mark, but I believe as long as you're pulling from those repos as well, you should be on par with a full install. Again, there are others who would know far more than me, so I defer to their judgement, but that's my insight.
"I have not failed, I have found 10,000 ways that will not work" -Edison
Offline
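Added example, not part of any post in this thread: a shell function that checks a sources.list for the jessie/updates security entry mentioned above and notes which `deb` entries lack contrib or non-free. The function name `audit_sources` and the sample file (including its mirror URL) are constructed for illustration.

```shell
#!/bin/sh
# audit_sources FILE SUITE
# Prints a "note:" line for each "deb" entry lacking contrib or non-free and a
# "MISSING:" line when no SUITE/updates entry from security.debian.org exists.
# Exit status: 0 if the security entry is present, 1 if not.
audit_sources() {
    awk -v suite="$2" '
        $1 != "deb" { next }      # skips comments, blank lines and deb-src
        {
            i = 2
            if ($i ~ /^\[/) {     # step over options such as [arch=amd64]
                while (i < NF && $i !~ /\]$/) i++
                i++
            }
            uri = $i; dist = $(i + 1); comps = " "
            for (j = i + 2; j <= NF; j++) comps = comps $j " "
            if ((uri ~ /security\.debian\.org/) && (dist == (suite "/updates")))
                sec = 1
            if (index(comps, " contrib ") == 0)
                printf "note: line %d: %s lacks contrib\n", NR, dist
            if (index(comps, " non-free ") == 0)
                printf "note: line %d: %s lacks non-free\n", NR, dist
        }
        END {
            if (!sec) printf "MISSING: %s/updates from security.debian.org\n", suite
            exit (sec ? 0 : 1)
        }
    ' "$1"
}

# Constructed sample mirroring the layout described in the thread:
# the first entry has only main, the other two carry all three components.
sample=$(mktemp)
cat > "$sample" <<'EOF'
deb http://ftp.debian.org/debian/ jessie main
deb http://security.debian.org/ jessie/updates main contrib non-free
deb http://ftp.debian.org/debian/ jessie-updates main contrib non-free
EOF
audit_sources "$sample" jessie || echo "security repository not configured"
rm -f "$sample"
```

On a real system the call would be `audit_sources /etc/apt/sources.list jessie`; files under /etc/apt/sources.list.d/ need to be checked separately.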
I have not heard of anything added in the "prepackaged" installs over the netinstalls that involves security. The only thing that stands out is that your sources.list file should have:
deb http://security.debian.org/ jessie/updates main
with the option contrib and non-free additional line as well. I could be off the mark, but I believe as long as you're pulling from those repos as well, you should be on par with a full install. Again, there are others who would know far more than me, so I defer to their judgement, but that's my insight.
Thanks...yes, I didn't mean to give the impression that the security repo wasn't included. It's there with main, contrib, and non-free. There's also a third repo "previously known as volatile" jessie-updates. It also includes contrib and non-free.
It's the first repo in the list (that I referred to as the "main" repo) that only has main for some reason. I have to add contrib and non-free to it. The other two already have them added.
If I remember correctly, when I would actually let the installer install a desktop, I didn't have to add contrib and non-free to the first repo in the list...but it's been a while, and I could be wrong about that.
Thanks again for your input; that makes me feel better!
Offline
Thanks again for your input; that makes me feel better!
No problem, but let's monitor this thread to see if anyone responds with any other mentions on this. I'm curious as to whether there is anything "slipped in" that the netinstall doesn't cover. For security concerns though, I'd think that little should be removed.
"I have not failed, I have found 10,000 ways that will not work" -Edison
Offline
In my opinion, installing from a minimal base as you have done should actually improve security at least a tiny little bit as Debian has a habit of enabling services automatically to "help" you in contrast to (for example) OpenBSD, which would never do any such thing.
If security is a concern then I would strongly recommend sticking with Debian stable rather than testing (which has limited support from the Debian Security team [1]) or unstable (which is not covered by the Security team but instead draws updates directly from upstream [2]) -- the new features introduced by the new package versions will always carry the risk of introducing new vulnerabilities into the system.
For securing your Debian system further, see https://www.debian.org/doc/manuals/secu … ian-howto/
[1] https://www.debian.org/security/faq#testing
[2] https://www.debian.org/security/faq#unstable
Offline
For securing your Debian system further, see https://www.debian.org/doc/manuals/secu … ian-howto/
Thanks for the link...not sure how I've never seen that before.
It's not so much that I'm overly concerned about security, it's just a nagging thing with me wondering if some underlying piece of system security may be left out with the type of install that I do.
I've used Testing for a couple of years now, but it's more to just play around with. I use Stable for my main computer to do anything important on.
Thanks again for the link and your input; I really appreciate it!
Offline
I also just asked this on the Debian forums, so we'll see what information we may receive there also.
Offline
From the Debian forum...in reference to security.
As long as the desktop you do install comes from the Debian repositories there
would not be any difference
Sounds good.
Offline
From the Debian forum...in reference to security.
As long as the desktop you do install comes from the Debian repositories there
would not be any difference
Sounds good.
Hip hip hooray for 'ol Stable. Slow n' steady wins the race.
"I have not failed, I have found 10,000 ways that will not work" -Edison
Offline
A default Debian installation is not secure in any special way. You need to configure it: iptables, users, ACLs, selinux,...
Offline
They say that security is slightly improved when the system is smaller (for example, missing compilers are a plus).