#76
I'm considering writing my own seccomp profiles for programs like Pidgin and XChat.
XChat doesn't update anymore so I don't really lose anything by recompiling it. Pidgin might be a pain. XChat needs virtually no file system access so the AppArmor profile is very strong. But... I do love that seccomp sandbox lol and it doesn't get patches. Where do you feel it's lacking?
__________________
#77
Arch Linux, Google Chrome with Web of Trust and Adblock.
Enabled SELinux. I wonder what else can be done?
__________________
Windows 8 with ESET Nod32 AV and Malwarebytes PRO
Arch Linux with grsec + pax, clamav, Cinnamon desktop
Main web browser: Google Chrome with Adblock (fanboy ultimate list subscription) and web of trust
#78
Quote:
I like rkhunter to check for rootkits and lynis to check system configuration. They're both by the same company.
#79
Set up SELinux profiles for various services and programs.
__________________
#80
Which is better btw, SELinux or AppArmor?
__________________
Windows 8 with ESET Nod32 AV and Malwarebytes PRO
Arch Linux with grsec + pax, clamav, Cinnamon desktop
Main web browser: Google Chrome with Adblock (fanboy ultimate list subscription) and web of trust
#81
That's hard to say. SELinux is more powerful but AppArmor is a million times easier to use. Bypasses that'll work for AppArmor (like giving mount rights along with other rights) won't work for SELinux, and you can get ridiculously fine-grained access control on SELinux.
AppArmor is better, in my opinion, because anyone can write a profile. I'd rather have 100 processes running in the potentially weaker AppArmor than have just 10 running in the potentially stronger SELinux.
__________________
#82
Network
DDWRT Router running recommended build - Remote Access disabled
DDWRT firewall turned on
OpenDNS with DNSCrypt
Realtime Protection
No AV running.
All ports closed - no need for a firewall.

System Hardening -- Ubuntu 12.04
Kernel 3.4.X
Optimized for i5 CPUs
Pax + Grsecurity, custom kernel with custom settings.
As few programs installed as possible.
BIOS Password
AppArmor Enabled - Profiles for all programs and various services

Browser -- Chrome Beta
Seccomp Sandbox + Default Sandbox + AppArmor
Block 3rd Party Cookies
Built in malware protection
Default PDF reader -- no Adobe necessary
Adblock Plus with DNT
HTTPS Everywhere
Javascript whitelist by TLD
Cookie whitelist by HTTPS
A "private" profile with more aggressive privacy/ data settings.

Chrome Privacy Profile
No cookies/ no data sent to Google
Block form validation
ScriptNo with strict settings
__________________
#83
Heh slightly similar to mine (Random list):
Tomato Toastman WRT54G (IPv6 build, firewall, no remote access)
Hardened Gentoo ~amd64
Hardened Sources (always latest ~arch) completely minimal and thoroughly revised, GRSec + PAX on custom (too many to list, max possible security)
Hardened toolchain
Sysctl network hardening, grsec.lock = 1
Minimal compiled programs
OpenBox WM
ZSH + urxvtd
Tor + Sasl for IRC
IPv6 tempaddress
Truecrypt containers
Immutable history files
No root tty logins
Fstab hardening
Iptables default deny
SSH key only auth
Most services running as their own isolated user/group

Browsers (No flash / Java)

Chromium 9999:
Incognito
Adblock, (easylist, easyprivacy)
Privoxy
Seccomp Sandbox
--disk-cache-dir=/tmp
Javascript whitelist
Clear cookies on close
No tracking

Firefox:
Noscript
Adblock Plus
Privoxy
Block third party cookies
Clear all data on close
No tracking
about:config tweaks

It's all pretty pointless, but doesn't affect usability a single bit so why not. Used to use RBAC but disabled it (PITA for desktop maintenance). Everything is mprotected with full ASLR/hardening and all programs compiled with fully hardened gcc. I'd like to try AppArmor for per-program restrictions, it's available in the kernel, and tools in an overlay but afaik only Ubuntu has full support for it. I like a set and forget machine though.

Last edited by Gentoo64 : June 14th, 2012 at 07:08 PM.
#84
Yeah I should really get around to using Gentoo but I really like Unity and I don't think it works with it.
__________________
#85
Network
DDWRT Router running recommended build - Remote Access disabled
DDWRT firewall turned on
OpenDNS with DNSCrypt
All ports closed - no Avahi, Cups, or dnsmasq
GUFW inbound/ outbound firewall enabled

System Hardening -- Ubuntu 12.04
Kernel 3.4.X
Pax + Grsecurity, custom kernel with custom settings
Removed many default programs and dependencies
BIOS Password
AppArmor Enabled - Profiles for all programs and various services
Open Source GPU Drivers

Browser -- Chrome Dev
Seccomp Sandbox + Default Sandbox + AppArmor + GPU Sandbox
Block 3rd Party Cookies
Built in malware protection
Default PDF reader
Adblock Plus with DNT
HTTPS Everywhere
Javascript whitelist by TLD
Cookie whitelist by HTTPS
A "private" profile with more aggressive privacy/ data settings.

Chrome Privacy Profile
No cookies/ 'Privacy' boxes unchecked
Block form validation
Incognito Only
__________________
#86
Finally added GUFW outbound protection. I'm working on hardening the network aspect of the setup.
__________________