Hardening a desktop linux, is it a good idea or not needed ?

Hello all,

First of all, I'm somewhat new with Linux in general, however I do have some knowledge about the CLI and how to gain root access and editing some important conf files (like rc.conf / xorg.conf or other configuration files like fstab, etcetera).
So I do have some knowledge, but it is a bit limited to be honest, but I'm learning.
Also I know something about customizing kernels (like adding virtualization and stuff), but again my knowledge is still basic.

Anyway, my question is, from a relative newbie kind of view, which security approach is relative the simplest to maintain or configure.
I have read about SELinux but I find it very difficult to get it to work right or difficult to configure.

I run a desktop computer with dualboot WIndows 7 64-bit and OpenSUSE 12.2 64-bit (Gnome3) and ext4 filesystem (no LVM).
And I run as a normal user, and only use root when absolutely needed (installs or changing configuration files, etcetera).
The installation comes with a enabled firewall when logged in and entering the desktop.

Anyway, sorry if this a difficult question to answer, and maybe a definitve answer can't be given or if you think that I'm not needing this kind of security, please tell me.
I'm not running a server, so maybe I'm already very well protected, but I'm not very sure.

Anyway, cheers and thanks for reading.
If you know some links I have to try, to read about various security subjects then you are welcome as well.

 

Whether it is needed or not can't really be said. SELinux is very difficult to learn, if you're looking for something similar but much easier I suggest Apparmor, which is the default for Ubuntu. There are profiles already made for many programs and services.

I could list out all of the things that can be done, but it seems easier to just link you to my blog.
http://www.insanitybit.com/2012/12/17/hardening-ubuntu-linux/

That is specific to Ubuntu, but most of those can be done on any Linux OS. It'll range from easy to difficult in terms of the level required, work your way up to the harder stuff and consider what is and isn't worth the time.

 

Thank you very much Hungry Man ! the link to your blog is very very much appreciated, thank you !

Ehm, SELinux is indeed a beast to master and I doubt that I would actually benefit from such a elaborate security.
I suppose if I would run a server or database server or running a website I would benefit from SELinux more.

I will absolutely look into AppArmor ! I have read some comments that AppArmor is preferable although I'm not implying in any way that it would be better. That is not my intention. But AppArmor is very interesting indeed and might just cover MY need of security.

 

Not needed. All you need is to activate your firewall.

Linux runs on the principle of elevated privilege so drive by exploits and hacks aren't a problem like in Windows. And viruses and spyware simply don't exist in the Unix world.

 

- It's "principle of least privilege." And vanilla Linux (with only UNIX DAC) does not follow it at all; in fact Windows 7 follows it more closely (by sandboxing IE and various system services).

- Exploits, both remote and local, are quite common on Linux. Plenty of pwned servers can attest to that.

- Viruses and spyware most definitely exist in the UNIX world; their methods and purposes are just somewhat different (because they're usually designed for servers, not desktops).

Please stop spreading misinformation. Linux is not a target right now, that doesn't mean it's intrinsically more secure than the competition.

Re actually hardening Linux, there are a couple things I'd recommend:

1. Browser security. Probably 90% of nasty stuff on desktops (on any OS) comes in through the browser.

If you're using Firefox or Seamonkey you should use Noscript, just because it's available. On recent versions you can enable plugins.click_to_play in about:config, but Noscript provides more coverage, even with Javascript fully enabled.

If you're using Chrome/Chromium, you should still enable click-to-play for plugins. You can make use of JS whitelisting too, but it's really nowhere near as good as in Noscript - it's by page instead of domain, so much less useful. The famous sandbox will hopefully keep direct browser exploits at bay, should you ever run into one.

If you're using Opera, you really should enable click-to-play, and probably use JS whitelisting as well. Opera unfortunately does not have much in the way of security features, either internal or third party.

Note that it's not just malware that's a problem. On Linux I think the bigger issue at the moment is cross-site scripting and the like (which Noscript helps protect against).

Finally, if you don't use the Java plugin you should probably disable it. Likewise Flash, which is getting less common as HTML5 becomes more popular.

2. Firewall and network services.

Most (but not all) Linux distros ship with no open ports, but using a software firewall is generally good policy. With OpenSUSE you're set, it has the firewall enabled (and configured sanely) by default.

There are other possible hazards. Network services like avahi do various sorts of input parsing, and are not usually critical on home networks; they can be disabled if not used (but do some research first!). NetworkManager and Wicd have had some vulnerabilities; if you have a desktop, think about using your distro's wired (or wireless) networking scripts on it instead. sshd and Samba should absolutely not be running if you don't need them. The NFS client probably shouldn't be running if you're not mounting NFS shares. Etc. Don't go into a service-disabling frenzy, but do think about what makes sense to be running given your setup.

Hope that helps...

 

It might not be needed by you learn so much by doing it.

 

What settings should you disable? Can you expand on what you disable and what not....

 

in open suse there gui tool with set profiles of apparmor just select desktop many hardning setting in yast you can go through them no need any additional software etc

just go through them if you want to harden it or else default is enough with firewall enable

http://doc.opensuse.org/documentation/html/openSUSE/opensuse-security/part.apparmor.html

http://doc.opensuse.org/documentation/html/openSUSE/opensuse-security/cha.apparmor.yast.html

i also suggest to check

Predefined Security Configurations

http://doc.opensuse.org/documentati...suse-security/cha.security.yast_security.html

 

Yes, servers (which have to have open ports unlike desktop systems). In most cases because they are not updated or are simply misconfigured, weak passwords etc. But again, we're talking about desktop systems.

 

Thanks very much !
Thanks to all others who commented as well, appreciate it very much!.
I think that I manage with apparmor and firewall.

@Gullible Jones
Thanks for the comment and I did install noscript in firefox. Sorry for the somewhat short reply on my side, but I do appreciate all comments and have read them. Also the blog from Hungry Man is a very good read about security, thanks !

About which services or daemon's I can or can't disable, well I have to delve deeper into this. I think I'd better search some info about that on the net.

 

FYI that is not an accurate statement.
There term comes from Multics, which Unix inherited this model.
http://en.wikipedia.org/wiki/Principle_of_least_privilege#History

Rest I agree with the gist of

Nowadays it comes down to the skill/experience of the person configuring Windows/*nix to make/break a systems security (especially as so many people apply settings from tweak guides without researching if they work or not).

Cheers, Nick

 

Not needed at all.
Mrk

 

i certainly would not use Linux if i had to become a scientist in order to be safe using it!

i had to do a google search the other day because i forgot the 4 letters magic word. lol

 

Opinions seems to be divided. I do agree that I need to do some reading and gaining some knowledge about security in linux and when to apply it (if at all).
I think I inherited the somewhat extensive security measures from my everday windows OS use.

I'm so used to AV, FW, BB, HIPS which are usually very present and visible in Windows OS that I kind of have a misplaced feeling of 'missing' this in Linux.
Although I know that linux has its own programs as well, but far less obtrusive or less visibly present but doing most of what it does in the background (if installed/enabled) and if it needs to do anything at all.
Anyway, got some more reading to do.

Thank you all for your opinions, I appreciate it. Doesn't matter if in favor or against, I think it makes it even more interesting and gives a better overall idea about security when presented with arguments about why yay or nay.

 

Works like this (purely IMO)...

Linux inherits from UNIX OSes, which were running on mainframes and servers back in the early days. Security on such machines was (and still is) a problem of legendary magnitude, and typically involved fending off resourceful and manipulative human attackers. As a result, UNIX security developed mostly around more generic methods - reducing attack surface, limiting the scope of damage from a compromised program, counteracting exploits directly, etc.

On Windows desktops these things were nonissues for a while, until the blackhats realized they could automate their dirty work. Thus, malware became the main problem on the desktop, and most security strategies were invented to deal with it.

Only lately it's become apparent that the malware-specific strategies are not a good bet in the long run - they have trouble keeping up with new developments in attack methods. Which is why Microsoft has been implementing more exploit mitigation strategies (MIAC, AppContainer, ASLR enhancements, etc.) Linux has had this stuff a while longer, though often underutilized; other UNIXes have had it for ages.

TLR version - Windows security products have a history of limited focus. UNIX security never really had that issue. Fortunately Microsoft has been catching up lately.

 

Hi jna99,

If you have not looked up hardening (computing) and read on Wikipedia, it is a good first step to knowing not only what it is, but getting a better handle on the topic overall.

-- Tom