APT security concerns


(TNT BOM BOM) #1

I have a couple of questions regarding software inside Parrotsec:

  • There is a lot of third-party software (not from the Debian official repository) shipped inside Parrotsec; how secure is it, and how much confidence can someone put in it?

suggestion to read in our wiki:

(I tried to read something about that in the Parrotsec wiki but I didn't find anything explaining it)

  • Enhancement: add a Parrotsec onion repository. (I see only an SSL repo)

Thank you! :slight_smile:


(Lorenzo "Palinuro" Faletra) #2

usually all the software pre-installed in parrot home is secure and can be trusted

by default the only allowed repository is the official parrot repo, which is monitored and packages need our confirmation (and digital signature) before entering the repo. but debian is already very secure by default and its main packages are well verified and monitored over time by the various DD, DM and DC who maintain the packets.

we also add an additional security layer by sandboxing most of the processes, so these programs don’t have full access to the system

some critical programs are also re-compiled on our build platform.


(Lorenzo "Palinuro" Faletra) #3

an onion repo will come soon :slight_smile:


(TNT BOM BOM) #4

Edit: sorry meant to say “Not from Debian official repository”


(Lorenzo "Palinuro" Faletra) #5

oh ok, then it changes everything

we do not recommend installing things from unofficial repositories and we even discourage it.

we made some statistics about the most used unofficial repositories in parrot (by looking at support topics of people posting apt output) and we found that most of the people add the ubuntu, debian or kali repository to parrot and we made an apt hook that disables such repositories by default by setting up a very low apt pinning level to them.

the second category of people using external repos involves people using specific repos for unsupported software (i.e. latest nodejs, docker prior to its inclusion in debian, sts versions of nodejs, the repos pre-installed by the atom, vscode or steam debs etc)

we can’t really protect the users from such repositories because some of them don’t need security, they just need to develop software, play games or test things without hassle. and we don’t know what external repositories they usually configure

on a brighter note we don’t include PPA support and we don’t want to support it in the future, and our support team is properly trained to do psychological terrorism on people that use external repos and ask for help :slight_smile:
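
The pinning approach described in post #5, as an added sketch that is not Parrot's actual hook and not code from this thread: it reads one-line-style `sources.list` entries and emits an apt preferences stanza with a low priority for every repository host that is not allowlisted. The allowlisted hostname, the sample entries and the priority value are constructed assumptions, and deb822 `.sources` files are not handled.

```shell
#!/bin/sh
# Added example: pin every non-allowlisted repository host to a low priority.
# Assumptions: placeholder hostname for the official repo, and a priority
# value chosen for illustration (the thread does not state the real one).
ALLOWED_HOSTS="deb.example-official.invalid"
PIN_PRIORITY=1

# Constructed sample of one-line-style sources.list entries.
sample_sources() {
cat <<'EOF'
# official repo
deb https://deb.example-official.invalid/parrot stable main contrib non-free
deb [arch=amd64 signed-by=/usr/share/keyrings/x.gpg] https://packages.example-vendor.invalid/apt stable main
deb-src http://archive.example-distro.invalid/debian sid main
deb http://archive.example-distro.invalid/debian sid main
#deb http://disabled.example.invalid/ stable main
EOF
}

# Read sources.list lines on stdin, print each foreign host once.
foreign_hosts() {
    awk -v allowed="$ALLOWED_HOSTS" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 != "deb" && $1 != "deb-src" { next }   # comments, blanks, disabled lines
        {
            i = 2
            # skip an optional [opt=val ...] block, which may span several fields
            if ($i ~ /^\[/) { while (i <= NF && $i !~ /\]$/) i++; i++ }
            uri = $i
            if (uri !~ /^[a-z+]+:\/\//) next      # no network host (cdrom:, file:/)
            sub(/^[a-z+]+:\/\//, "", uri)         # drop scheme
            sub(/\/.*$/, "", uri)                 # drop path
            sub(/^.*@/, "", uri)                  # drop userinfo
            sub(/:.*$/, "", uri)                  # drop port
            host = tolower(uri)
            if (host != "" && !(host in ok) && !(host in seen)) { seen[host] = 1; print host }
        }'
}

# Read sources.list lines on stdin, print apt preferences stanzas on stdout.
make_pins() {
    foreign_hosts | while read -r host; do
        printf 'Package: *\nPin: origin "%s"\nPin-Priority: %s\n\n' "$host" "$PIN_PRIORITY"
    done
}

sample_sources | make_pins
```

On a real system the input would be `/etc/apt/sources.list` plus the files under `/etc/apt/sources.list.d/`, and the output would be written to a file under `/etc/apt/preferences.d/`; `apt-cache policy` then shows the resulting priority for each source.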


(Lorenzo "Palinuro" Faletra) #6

should we write a dedicated chapter on our documentation? probably yes, but i don’t have enough spare time at the moment to do it. maybe the community can do something


(Nico Paul) #7

I'm hoping to start some docs writing soon, within the next two weeks. I want to include a section that will encompass security best practices, “randoms” or misc, which is what I would say something like this falls under (such a big umbrella if you think about what this could encompass). Any important info or even subjects such as these are things I would love; if someone has ideas like this, please try and send a quick message saying you think this should be included etc. I'll be gathering a list in this time, hopefully.


#8

Great idea!