Includes Full SSD Encryption, Webcam Slider Shield and Emergency Hardware Internet "Kill Switch".
The openSUSE project is a community program sponsored by SUSE Linux and other companies. Promoting the use of Linux everywhere, this program provides free, easy access to openSUSE, a complete Linux distribution. The openSUSE project has three main goals: make openSUSE the easiest Linux for anyone to obtain and the most widely used Linux distribution; leverage open source collaboration to make openSUSE the world's most usable Linux distribution and desktop environment for new and experienced Linux users; dramatically simplify and open the development and packaging processes to make openSUSE the platform of choice for Linux developers and software vendors.
1. Security and Confidentiality
This chapter introduces basic concepts of computer security. Threats and basic mitigation techniques are described. The chapter also provides references to other chapters, guides and websites with further information.
1.1 Overview
One main characteristic of Linux is its ability to handle multiple users at the same time (multiuser) and to allow these users to simultaneously perform tasks (multitasking) on the same computer. To users, there is no difference between working with data stored locally and data stored in the network.
Due to the multiuser capability, data from different users has to be stored separately to guarantee security and privacy. Also important is the ability to keep data available in spite of a lost or damaged data medium, for example a hard disk.
This chapter is primarily focused on confidentiality and privacy. But a comprehensive security concept includes a regularly updated, workable, and tested backup. Without a backup, restoring data after it has been tampered with or after a hardware failure is very hard.
Use a defense-in-depth approach to security: Assume that no single threat mitigation can fully protect your systems and data, but multiple layers of defense will make an attack much harder. Components of a defense-in-depth strategy can be the following:
1. Hashing passwords (for example with PBKDF2, bcrypt, or scrypt) and salting them
2. Encrypting data (for example with AES)
3. Logging, monitoring, and intrusion detection
4. Firewall
5. Antivirus scanner
6. Defined and documented emergency procedures
7. Backups
8. Physical security
9. Audits, security scans, and intrusion tests
openSUSE Leap includes software that addresses the requirements of the list above. The following sections provide starting points for securing your system.
1.2 Passwords
On a Linux system, only hashes of passwords are stored. A hash is a one-way function: computing the hash of a password is easy, but computing the original secret from its hash is designed to be very hard.
The hashes are stored in the file /etc/shadow, which cannot be read by normal users. Because recovering passwords from their hashes is possible with powerful computers, hashed passwords should not be visible to regular users.
The National Institute of Standards and Technology (NIST) publishes a guideline for passwords, which is available at https://pages.nist.gov/800-63-3/sp800-63b.html#sec5.
For details about how to set a password policy, see Section 9.3, “Password Settings”. For general information about authentication on Linux, see Part I, “Authentication”.
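As an added example (not part of the openSUSE guide), the following script classifies the hash algorithm of each entry in /etc/shadow-format text, so an administrator can spot accounts that still use legacy algorithms or have no password at all. The sample entries and their hash material are constructed placeholders.

```python
# Added example (not from the openSUSE guide): classify the password hashes in
# /etc/shadow-style entries so an administrator can spot accounts that still
# use weak or legacy algorithms, or have no password at all. Input is constructed.
import re

# Hash-field prefix -> (algorithm name, still considered adequate today)
HASH_ALGORITHMS = {
    "$y$": ("yescrypt", True), "$7$": ("scrypt", True),
    "$6$": ("sha512crypt", True), "$5$": ("sha256crypt", True),
    "$2b$": ("bcrypt", True), "$2y$": ("bcrypt", True), "$2a$": ("bcrypt", True),
    "$1$": ("md5crypt", False),
}

def classify_hash(field: str) -> tuple:
    """Return (algorithm, status) for one shadow password field;
    status is one of locked, empty, strong, weak, unknown."""
    if field == "*" or field.startswith("!"):
        return ("none", "locked")          # password login disabled
    if field == "":
        return ("none", "empty")           # no password required: serious
    for prefix, (name, adequate) in HASH_ALGORITHMS.items():
        if field.startswith(prefix):
            return (name, "strong" if adequate else "weak")
    if re.fullmatch(r"[./0-9A-Za-z]{13}", field):
        return ("descrypt", "weak")        # legacy 13-character DES crypt
    return ("unknown", "unknown")

def audit_shadow(text: str) -> list:
    """Parse shadow-format text into (user, algorithm, status) triples."""
    results = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 2 or line.startswith("#"):
            continue                       # blank, comment or malformed line
        results.append((fields[0],) + classify_hash(fields[1]))
    return results

# Constructed sample entries; the hash material is placeholder text, not real.
SAMPLE_SHADOW = """\
root:$6$saltsalt$placeholderhash:19000:0:99999:7:::
alice:$y$j9T$saltsalt$placeholderhash:19000:0:99999:7:::
bob:$1$salt$placeholderhash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
legacy:ab4cXy/zQ1w2.:19000:0:99999:7:::
nopass::19000:0:99999:7:::
"""

if __name__ == "__main__":
    for user, algo, status in audit_shadow(SAMPLE_SHADOW):
        print(f"{user:8} {algo:12} {status}")
```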
1.3 System Integrity
If it is possible to physically access a computer, the firmware and boot process can be manipulated to gain access as soon as an authorized person boots the machine. While not all computers can be locked into inaccessible rooms, your first step should be physically locking the server room.
Consider taking the following additional measures:
Configure your system so it cannot be booted from a removable device, either by removing the drives entirely or by setting a UEFI password and configuring the UEFI to allow booting from a hard disk only.
To make the boot procedure more tamper-resistant, enable the UEFI secure boot feature. For more information about Secure Boot, see Book “Reference”, Chapter 14 “UEFI (Unified Extensible Firmware Interface)”.
Linux systems are started by a boot loader that usually allows passing additional options to the booted kernel. You can prevent others from using such parameters during boot by setting an additional password for the boot loader. This is crucial to system security. Not only does the kernel itself run with root permissions, but it is also the first authority to grant root permissions at system start-up.
For more information about setting a password in the boot loader, see Book “Reference”, Chapter 12 “The Boot Loader GRUB 2”, Section 12.2.6 “Setting a Boot Password”.
Enable hard disk encryption. For more information, see Chapter 12, Encrypting Partitions and Files.
Use AIDE to detect any changes in your system configuration. For more information, see Chapter 14, Intrusion Detection with AIDE.
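As an added example (not part of the openSUSE guide), this script checks two of the measures above from data the system already exposes: the UEFI SecureBoot variable as presented by the kernel's efivarfs, and a GRUB 2 superuser password in grub.cfg. The inputs here are constructed; on a live system they would be read from /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c and /boot/grub2/grub.cfg.

```python
# Added example (not from the openSUSE guide): verify two boot-hardening measures
# using data the kernel and GRUB already expose. On a live system the inputs come
# from /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c
# (read as bytes) and /boot/grub2/grub.cfg; here both are constructed.
import re

def secure_boot_enabled(efivar_blob: bytes) -> bool:
    """efivarfs prepends a 4-byte attribute word to the variable data; for
    SecureBoot the data is a single byte, 1 = enabled, 0 = disabled."""
    if len(efivar_blob) < 5:
        raise ValueError("expected 4 attribute bytes plus 1 data byte")
    return efivar_blob[4] == 1

def grub_password_configured(grub_cfg: str) -> bool:
    """True only if grub.cfg declares superusers and every one of them has a
    password_pbkdf2 line, so boot entries cannot be edited without credentials."""
    m = re.search(r'^\s*set\s+superusers="?([^"\n]+)"?\s*$', grub_cfg, re.M)
    if not m:
        return False
    users = set(u for u in re.split(r"[\s,;|&]+", m.group(1)) if u)
    protected = set(re.findall(
        r"^\s*password_pbkdf2\s+(\S+)\s+grub\.pbkdf2\.sha512\.\d+\.", grub_cfg, re.M))
    return bool(users) and users <= protected

# Constructed inputs. Attribute word 0x06 = BOOTSERVICE_ACCESS | RUNTIME_ACCESS.
SB_ENABLED = bytes([0x06, 0x00, 0x00, 0x00, 0x01])
SB_DISABLED = bytes([0x06, 0x00, 0x00, 0x00, 0x00])
GRUB_HARDENED = """
set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.PLACEHOLDER_SALT.PLACEHOLDER_HASH
"""
GRUB_UNPROTECTED = 'set superusers="root"\n'   # declared, but no password line

if __name__ == "__main__":
    print("Secure Boot:", "enabled" if secure_boot_enabled(SB_ENABLED) else "disabled")
    print("GRUB password configured:", grub_password_configured(GRUB_HARDENED))
```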
1.4 File Access
Because of the "everything is a file" approach in Linux, file permissions are important for controlling access to most resources. This means that by using file permissions, you can define access to regular files and directories as well as hardware devices. By default, most hardware devices are only accessible for root. However, some devices, for example serial ports, can be accessible for normal users.
As a general rule, always work with the most restrictive privileges possible for a given task. For example, it is definitely not necessary to be root to read or write e-mail. If the mail program has a bug, this bug could be exploited for an attack that acts with exactly the permissions of the program at the time of the attack. By following the above rule, you minimize the possible damage.
For details, see Section 11.1, “Traditional File Permissions” and Section 11.2, “Advantages of ACLs”.
AppArmor and SELinux allow you to set constraints for applications and users. For details, see Part IV, “Confining Privileges with AppArmor” and Part V, “SELinux”.
If there is a chance that hard disks could be accessed outside of the installed operating system, for example by booting a live system or removing the hardware, encrypt the data. openSUSE Leap allows you to encrypt partitions containing data and the operating system. For details, see Chapter 12, Encrypting Partitions and Files.
1.5 Networking
Securing network services is a crucial task. Aim to secure as many layers of the OSI model as possible.
All communication should be authenticated and encrypted with up-to-date cryptographic algorithms on the transport or application layer. Use a Virtual Private Network (VPN) as an additional secure layer on physical networks.
openSUSE Leap provides many options for securing your network:
Use openssl to create X.509 certificates. These certificates can be used for encryption and authentication of many services. You can set up your own certificate authority (CA) and use it as a source of trust in your network. For details, see man openssl.
Usually, at least parts of networks are exposed to the public Internet. Reduce attack surfaces by closing ports with firewall rules and by uninstalling, or at least disabling, services that are not required. For details, see Chapter 17, Masquerading and Firewalls.
Use OpenVPN to secure communication channels over insecure physical networks. For details, see Chapter 18, Configuring a VPN Server.
Use strong authentication for network services. For details, see Part I, “Authentication”.
1.6 Software Vulnerabilities
Software vulnerabilities are issues in software that can be exploited to obtain unauthorized access or misuse systems. Vulnerabilities are especially critical if they affect remote services, such as HTTP servers. Computer systems are very complex, so they always contain some vulnerabilities.
When such issues become known, they must usually be fixed in the software by software developers. The resulting update must then be installed by system administrators in a timely and safe manner on affected systems.
Vulnerabilities are usually announced on centralized databases, for example the National Vulnerability Database, which is maintained by the US government. You can subscribe to feeds to stay informed about newly discovered vulnerabilities. In some cases the problems induced by the bugs can be mitigated until a software update is provided. Vulnerabilities are assigned a Common Vulnerabilities and Exposures (CVE) number and a Common Vulnerability Scoring System (CVSS) score. The score helps identify the severity of vulnerabilities.
SUSE provides a feed of security advisories. It is available at https://www.suse.com/en-us/support/update/. There is also a list of security updates by CVE number available at https://www.suse.com/en-us/security/cve/.
In general, administrators should be prepared for severe vulnerabilities in their systems. This includes hardening all computers as far as possible. We also recommend having predefined procedures in place for quickly installing updates for severe vulnerabilities.
To reduce the damage of possible attacks, use restrictive file permissions. See Section 11.1, “Traditional File Permissions”. SUSE provides a guide to hardening openSUSE Leap.
Other useful links:
http://lists.opensuse.org/opensuse-security-announce/, mailing list with openSUSE security announcements
https://nvd.nist.gov/home, the National Vulnerability Database
https://cve.mitre.org/, MITRE's CVE database
https://www.bsi.bund.de/DE/Service/Aktuell/Cert_Bund_Meldungen/cert_bund_meldungen_node.html, German Federal Office for Information Security vulnerability feed
https://www.first.org/cvss/, information about the Common Vulnerability Scoring System
1.7 Malware
Malware is software that is intended to interrupt the normal functioning of a computer or steal data. This includes viruses, worms, ransomware, and rootkits. Sometimes malware uses software vulnerabilities to attack a computer. However, in many cases it is accidentally executed by a user, especially when installing third-party software from unknown sources. openSUSE Leap provides an extensive list of programs (packages) in its download repositories. This reduces the need to download third-party software. All packages provided by SUSE are signed. The package manager of openSUSE Leap checks the signatures of packages after the download to verify their integrity.
The command rpm --checksig RPM_FILE shows whether the checksum and the signature of a package are correct. You can find the signing key on the first DVD of openSUSE Leap and on most key servers worldwide.
You can use the ClamAV antivirus software to detect malware on your system. ClamAV can be integrated into several services, for example mail servers and HTTP proxies. This can be used to filter malware before it reaches the user.
Restrictive user privileges can reduce the risk of accidental code execution.
1.8 Important Security Tips
The following tips are a quick summary of the sections above:
Stay informed about the latest security issues. Get and install the updated packages recommended by security announcements as quickly as possible.
Avoid using root privileges whenever possible. Set restrictive file permissions.
Only use encrypted protocols for network communication.
Disable any network services you do not absolutely require.
Conduct regular security audits. For example, scan your network for open ports.
Monitor the integrity of files on your systems with AIDE (Advanced Intrusion Detection Environment).
Take proper care when installing any third-party software.
Check all your backups regularly.
Check your log files, for example with logwatch.
Configure the firewall to block all ports that are not explicitly whitelisted.
Design your security measures to be redundant.
Use encryption where possible, for example for hard disks of mobile computers.
1.9 Reporting Security Issues
If you discover a security-related problem, first check the available update packages. If no update is available, write an e-mail to <[email protected]>. Include a detailed description of the problem and the version number of the package concerned. We encourage you to encrypt e-mails with GPG.
You can find a current version of the SUSE GPG key at https://www.suse.com/support/security/contact/.
PRIVACY IS THE CORNERSTONE OF SECURITY
Our security-focused laptops include a free webcam slider shield and an anti-spy screen filter guard for added privacy and protection, with the AMT (Active Management Technology) chip disabled or permanently disabled, making the Intel Management Engine (IME) inaccessible and ultimately unexploitable by hackers or government agencies.
REFURBISHED WITH SIX MONTHS FREE WARRANTY
1. This second-user product has been fully tested and cleaned internally and externally to the highest possible standard.
2. Due to this nature, our products may show some signs of use such as small scuffs or scratches to the outer casing.
3. Fully packaged and wrapped by ComputerPrivacy.store (original packaging not included).
Includes: Intel® Core™ i5 Processor and matte LCD display. Intel HD 400 Graphics, Bluetooth, DVD-RW, Card Reader, Display Port, FireWire, USB 2.0 Ports, Webcam, WiFi, Tested Battery.
GDPR privacy principle 6 states that “personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.”
Your potential to own a laptop computer with hardened privacy and up-to-date security has always been our top priority, but it has never been more important to us than it is now, when more people are working from home. We want you to know that we are going above and beyond to ensure the safety of our customers, our employees and our products, while adhering to all Health Service Executive (HSE) guidelines and local directives regarding SARS-COVID-19.
Processor: 2.26 GHz Core i5-430M
Screen Size: 14.1 inches
Max Screen Resolution: 1366x768
RAM: 4 GB DDR3
Hard Drive: 120 GB SSD
Graphics Coprocessor: Intel Integrated Graphics
Number of USB 2.0 Ports: 4
Item Model Number: ThinkPad T410
Item Weight: 2.3 kg
Product Dimensions: 13.2 x 9.4 x 1.3 inches
Item Dimensions L x W x H: 13.2 x 9.4 x 1.3 inches
Flash Memory Size: 128 GB
Hard Drive Interface: Solid State
Batteries: 1 lithium-ion battery required (included)
OpenSUSE on Lenovo ThinkPad T410 with Data Security + Hardened Privacy
- Brand: Lenovo
- Product Code: Lenovo ThinkPad T410
- Availability: MADE-TO-ORDER
- Price in reward points: 100