Security OS.

For issues with MX that has been modified from the initial install. Example: adding packages that then cause issues.
8bit
Posts: 139
Joined: Thu Sep 19, 2019 12:00 pm

Re: Security OS.

#11 Post by 8bit »

This might give you some ideas:
https://www.qubes-os.org/

8bit

SwampRabbit
Posts: 3602
Joined: Tue Jun 14, 2016 2:02 pm

Re: Security OS.

#12 Post by SwampRabbit »

TheDarrenS wrote: Sat Dec 21, 2019 8:59 am There are many others out there. Blackbuntu, Kali, Parrot, etc etc. But, I personally would like to base it on the bug bounty area and as my partner CJ said. She thinks it could be ramped up from there for more in-depth forensic and lab tools.
There are many bug bounty scripts out there that are not added to these other distros, so it would be worth adding them imho.
The distros you mentioned are for "Red Team" / pentesting type of work, which from the sounds of it is what you are looking to make, just adding some automated bug bounty scripts.
in-depth forensic and lab tools
But this makes me think you're wanting to focus more on Blue Team type users. But the thing is a bunch of tools and useful scripts can only go so far. Especially when you're talking about attempting to maintain keeping a ton of packages updated.

I think it's a noble endeavor, but when you have big name distros putting in a ton of time and expertise, I think it would be better to contribute back to those distros. It would take a lot of work to try and push into that space and make it worthwhile for users over the current offerings.
NEW USERS START HERE FAQS, MX Manual, and How to Break Your System - Don't use Ubuntu PPAs! Always post your Quick System Info (QSI) when asking for help.

TheDarrenS
Posts: 22
Joined: Sat Dec 07, 2019 4:46 am

Re: Security OS.

#13 Post by TheDarrenS »

SwampRabbit wrote: Sat Dec 21, 2019 2:09 pm But this makes me think you're wanting to focus more on Blue Team type users. But the thing is a bunch of tools and useful scripts can only go so far. Especially when you're talking about attempting to maintain keeping a ton of packages updated.

I think it's a noble endeavor, but when you have big name distros putting in a ton of time and expertise, I think it would be better to contribute back to those distros. It would take a lot of work to try and push into that space and make it worthwhile for users over the current offerings.
I at first did try to offer help but as I am not a person that programs it was moot. Most places said they did not need anyone that is a CM (Community Manager), and some of them wanted people that have experience in the field.
So here is where I sit at the moment. And decided if I can not get in to help I will make one.

D.
Blessed with a blessing, Cursed with a Curse.
Dyslexia - Aspergers A.S.D

freemedia2018
Posts: 106
Joined: Thu Nov 21, 2019 3:56 pm

Re: Security OS.

#14 Post by freemedia2018 »

TheDarrenS wrote: Sun Dec 22, 2019 4:52 am Most places said they did not need anyone that is a CM (Community Manager), and some of them wanted people that have experience in the field.
for a "security" distro thats really whats needed-- knowhow. and i would rather have a community manager that has some understanding of coding, at least. since theyre going to be interacting with people and having expectations of people who have to do technical work (much of which probably wont involve coding, though.)

personally, i would prefer a community that is more like a computer club-- it lets people in who have an interest in computers, it helps them learn about free software, and nudges them towards (optionally) learning more about the tasks that would make them developers (of software, or distros) eventually. most communities arent like that-- its possible this one is, but i wish most were like that. (theres a place for projects that expect you to already have experience as well.)
we need a concept of antitrust violations for free software.

TheDarrenS
Posts: 22
Joined: Sat Dec 07, 2019 4:46 am

Re: Security OS.

#15 Post by TheDarrenS »

freemedia2018 wrote: Mon Dec 23, 2019 12:11 am
for a "security" distro thats really whats needed-- knowhow. and i would rather have a community manager that has some understanding of coding, at least. since theyre going to be interacting with people and having expectations of people who have to do technical work (much of which probably wont involve coding, though.)
I may not know anything about programming but this coming year I want to make this happen both the versions I want to make. And there is a saying "surround yourself with people that know what they are doing and have them help" Many a creator has done this.
freemedia2018 wrote: Mon Dec 23, 2019 12:11 am personally, i would prefer a community that is more like a computer club-- it lets people in who have an interest in computers, it helps them learn about free software, and nudges them towards (optionally) learning more about the tasks that would make them developers (of software, or distros) eventually. most communities arent like that-- its possible this one is, but i wish most were like that. (theres a place for projects that expect you to already have experience as well.)

What you say about a Community more like a computer club reminds me more of my days running a BBS back in the 80s and 90s, when we all shared knowledge and a little less of the "whom is better than whom" nonsense. I find that more and more these days.

D.

freemedia2018
Posts: 106
Joined: Thu Nov 21, 2019 3:56 pm

Re: Security OS.

#16 Post by freemedia2018 »

What you say about a Community more like a computer club reminds me more of my days running a BBS back in the 80s and 90s, when we all shared knowledge and a little less of the "whom is better than whom" nonsense. I find that more and more these days.
agreed, thats what we want to get back. happy christmas.

imschmeg
Posts: 533
Joined: Thu Sep 12, 2019 8:32 pm

Re: Security OS.

#17 Post by imschmeg »

@TheDarrenS

I would like to help on this, if it is still on your radar (or anyone else's).

I've been tinkering with my MX19 install to make it more secure. I've been auditing setuids, capabilities, and some kernel settings to see what can be changed to be more secure with minimal impact on users, or at least acceptable impact on users. I have also been building sandboxes.

I would not consider myself a linux security novice, but I've got a lot to learn, and am actively doing so. My view on MX and other Debian distros is that they are a bit lax in security out-of-the-box - so a more secure respin of MX seems like an excellent idea.

I am a long-time software engineer with lots of diverse programming experience: C, C++, python, shell scripts, java, many very esoteric languages... I have no qualms about learning a new programming language, either.

dolphin_oracle
Developer
Posts: 22269
Joined: Sun Dec 16, 2007 12:17 pm

Re: Security OS.

#18 Post by dolphin_oracle »

feel free to post any suggestions.
http://www.youtube.com/runwiththedolphin
lenovo ThinkPad X1 Extreme Gen 4 - MX-23
FYI: mx "test" repo is not the same thing as debian testing repo.

imschmeg
Posts: 533
Joined: Thu Sep 12, 2019 8:32 pm

Re: Security OS.

#19 Post by imschmeg »

dolphin_oracle wrote: Thu Apr 09, 2020 7:05 pm feel free to post any suggestions.
Do you mean suggestions for main-line MX? Or for a respin?

Here's one I've been thinking about recently:

MX has kernel.unprivileged_userns_clone on by default. I have read several sources advising against that, and a few in favor. There is a trade-off here: one can turn off setuid on bwrap and chrome's (brave, vivaldi, etc.) sandboxer, and leave kernel.unprivileged_userns_clone on. Or vice versa. But it certainly seems that having both setuid sandboxer execs AND allowing unprivileged user namespaces, which is the way MX is configured, is overkill at best, and probably asking for trouble.

I think it would be best to have a very small and heavily audited setuid program (like bwrap) do all user space sandboxing for everything, especially if the only sandboxing allowed from user space is forced to have namespaces without root or supplementary groups - as that seems to be the best way to prevent privilege escalation escapes from the sandbox or container.

I turned off kernel.unprivileged_userns_clone in my MX with no problems so far, and have the code for bwrap and the chrome sandboxer with the intent of examining them to see:
- if one can be used instead of both
- if the created sandboxes can be rootless and groupless
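
The combination discussed in post #19 (setuid sandbox helpers present while kernel.unprivileged_userns_clone is on) can be checked with a short audit script; this is an added example, not part of the original thread and not MX's own tooling. The helper paths, the optional ROOT argument (for auditing a mounted image) and the verdict names are assumptions.

```shell
#!/bin/sh
# Added example: report which unprivileged sandboxing paths are open.
# ROOT (first argument, optional) is a hypothetical prefix so the same
# checks can run against a mounted image instead of the live system.

# Print the value of kernel.unprivileged_userns_clone, or "absent" when
# the running kernel does not carry this Debian-specific knob.
userns_clone_state() {
    f="${1:-}/proc/sys/kernel/unprivileged_userns_clone"
    if [ -r "$f" ]; then cat "$f"; else echo absent; fi
}

# Print every candidate sandbox helper that has the setuid bit set.
# The candidate paths are assumptions; adjust them to the installed browsers.
setuid_sandboxers() {
    root="${1:-}"
    for p in /usr/bin/bwrap \
             /usr/lib/chromium/chrome-sandbox \
             /opt/google/chrome/chrome-sandbox \
             /opt/brave.com/brave/chrome-sandbox; do
        [ -u "$root$p" ] && echo "$p"
    done
    return 0
}

# Combine both facts into one verdict:
#   both        - setuid helpers AND unprivileged user namespaces
#   userns-only - helpers not setuid, user namespaces allowed
#   setuid-only - user namespaces off, at least one setuid helper
#   neither     - no unprivileged sandboxing path found
#   unknown     - knob absent, this sysctl cannot answer the question
sandbox_posture() {
    root="${1:-}"
    userns=$(userns_clone_state "$root")
    helpers=$(setuid_sandboxers "$root")
    if [ "$userns" = absent ]; then
        echo unknown
    elif [ "$userns" = 1 ] && [ -n "$helpers" ]; then
        echo both
    elif [ "$userns" = 1 ]; then
        echo userns-only
    elif [ -n "$helpers" ]; then
        echo setuid-only
    else
        echo neither
    fi
}

echo "posture: $(sandbox_posture "${1:-}")"
setuid_sandboxers "${1:-}"
```

A result of `both` corresponds to the configuration the post describes; after changing the sysctl or a helper's setuid bit, rerun to confirm the posture changed as intended.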

dolphin_oracle
Developer
Posts: 22269
Joined: Sun Dec 16, 2007 12:17 pm

Re: Security OS.

#20 Post by dolphin_oracle »

I meant for main mx.

that particular kernel default comes with debian kernels, and is toggleable with the sandbox option in mx-tweak.

there is no problem unless the app you want needs a sandbox that requires the feature. joplin is one, and there are others (brave I think is one).

I'm certainly interested in alternates.
