====== SliTaz and System Security ======
===== Security Policy =====
SliTaz has given a lot of consideration to system security. Applications are tested for many months before being included in the distribution. At boot time, a minimum of services are launched by the rc scripts. For a complete list of the enabled daemons, you can look at the //RUN_DAEMONS// variable in the ///etc/rcS.conf// configuration file:
  $ cat /etc/rcS.conf | grep RUN_DAEMONS
To view the running processes, their PIDs and memory usage, you can use the //ps// command or the //htop// utility:
  $ ps
  $ htop
===== Root - The system administrator =====
In a GNU/Linux system, the root user is the system administrator. root has full rights over the system files and over the users' files. It is advisable never to log in as root directly, but to use the command //su// followed by the root password to obtain absolute rights over the system. Never log in as root and surf the internet, for example. This creates a double barrier in the case of an attack or intrusion after a download and makes it harder for a cracker to take control of your machine: they must first crack your password and then crack the root password of the system administrator.
A secured GNU/Linux system has at least two users: one to work with and another (root) to administer, configure or update the system. It's also advisable to entrust the administration of the system to one person.
===== Passwords =====
By default the SliTaz user //tux// doesn't have a password and the system administrator root comes with the password //root//. You can easily change both with the //passwd// command, run once as the user and once as root:
  $ passwd
  # passwd
===== Busybox =====
The file //busybox.conf// configures the applets and their respective rights. On the SliTaz LiveCD the commands //su//, //passwd//, //loadkmap//, //mount//, //reboot// and //halt// can be run by all users; the owner and group of these commands is root (//* = ssx root.root//). The //busybox.conf// file is readable only by root, with permissions //600//. Note that the //passwd// command will not allow users to change their own password if it is not //ssx//.
===== LightTPD web server =====
On SliTaz the LightTPD web server is enabled by default at system startup. If you don't intend to use SliTaz in a server environment, you can safely disable it by removing it from the //RUN_DAEMONS// variable in the ///etc/rcS.conf// configuration file, or stop it manually:
  # /etc/init.d/lighttpd stop
===== SSH Server =====
This small section is a complement to the Secure SHell (SSH) page. On SliTaz the Dropbear SSH server is not run by default. To enable it at system boot, add it to the //RUN_DAEMONS// variable in the configuration file ///etc/rcS.conf//. To start the server manually:
  # /etc/init.d/dropbear start
By default, Dropbear is launched with the following options:
  -w   Disallow root logins.
  -g   Disallow password logins for root.
You can add new options by editing the daemons' configuration file, ///etc/daemons.conf//. To list all options, type //dropbear -h//.
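The checks described in the sections above can be scripted. The following is an added example, not part of the SliTaz handbook or the SliTaz tools: it reads //RUN_DAEMONS// and the Dropbear options without sourcing the files, reports daemons that are not on an allowlist, and reports whether //-w// or //-g// is missing. The variable name DROPBEAR_OPTIONS, the quoted space-separated value format, the allowlist and the sample file contents are assumptions made for the example.

```sh
#!/bin/sh
# Added example: audit boot daemons and Dropbear flags without sourcing configs.
# Assumed file format (not shown on the page): VAR="space separated words".

# Print the value of variable $1 in file $2; the last assignment wins.
conf_value() {
	sed -n "s/^[[:space:]]*$1=\"\{0,1\}\([^\"#]*\)\"\{0,1\}.*/\1/p" "$2" | tail -n 1
}

# Print every daemon in RUN_DAEMONS (file $1) that is not in the allowlist $2.
unexpected_daemons() {
	for d in $(conf_value RUN_DAEMONS "$1"); do
		case " $2 " in
			*" $d "*) ;;
			*) printf '%s\n' "$d" ;;
		esac
	done
}

# Print each of -w and -g that is absent from DROPBEAR_OPTIONS (assumed name)
# in file $1. Flags are matched as separate words, as the page lists them.
missing_dropbear_flags() {
	opts=" $(conf_value DROPBEAR_OPTIONS "$1") "
	for flag in -w -g; do
		case "$opts" in
			*" $flag "*) ;;
			*) printf '%s\n' "$flag" ;;
		esac
	done
}

# Constructed sample files standing in for /etc/rcS.conf and /etc/daemons.conf.
tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/rcS.conf" <<'EOF'
# RUN_DAEMONS="old list"
RUN_DAEMONS="dbus lighttpd dropbear"
EOF
cat > "$tmp/daemons.conf" <<'EOF'
DROPBEAR_OPTIONS="-w -p 2222"
EOF

echo "Not in allowlist: $(unexpected_daemons "$tmp/rcS.conf" "dbus dropbear" | tr '\n' ' ')"
echo "Dropbear flags missing: $(missing_dropbear_flags "$tmp/daemons.conf" | tr '\n' ' ')"
```

On a real system, pass ///etc/rcS.conf// and ///etc/daemons.conf// to the functions instead of the sample files; an empty result from both means nothing unexpected was found.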
===== Pscan - Ports scanner =====
Pscan is a small utility of the Busybox project that scans the ports of your machine. You can use pscan to scan the localhost or a remote host using the name or IP address of the machine. By default, pscan tests all ports from 1 to 1024 and lists those that are open, along with their protocol and associated service (ssh, www, etc.):
  $ pscan localhost