Your Linux Desktop Security Setup

Discussion in 'all things UNIX' started by BrandiCandi, Apr 3, 2012.

Thread Status:
Not open for further replies.
  1. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    I'm considering writing my own seccomp profiles for programs like Pidgin and XChat.

    Xchat doesn't update anymore so I don't really lose anything by recompiling it.

    Pidgin might be a pain.

    Xchat needs virtually no file system access so the apparmor profile is very strong. But... I do love that seccomp sandbox lol and it doesn't get patches.

    Where do you feel it's lacking?
     
  2. tancrackers

    tancrackers Registered Member

    Joined:
    May 22, 2012
    Posts:
    18
    Location:
    USA
    Archlinux, google chrome with web of trust and adblock.
    Enabled SElinux. I wonder what else can be done?
     
  3. jitte

    jitte Registered Member

    Joined:
    May 2, 2012
    Posts:
    67
    I like rkhunter to check for rootkits and lynis to check system configuration.

    They're both by the same company.
     
  4. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Set up SELinux profiles for various services and programs.
     
  5. tancrackers

    tancrackers Registered Member

    Joined:
    May 22, 2012
    Posts:
    18
    Location:
    USA
    Which is better btw, SELinux or Apparmor?
     
  6. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    That's hard to say. SELinux is more powerful but Apparmor is a million times easier to use. Bypasses that'll work for Apparmor (like giving mount rights along with other rights) won't work for SELinux and you can get ridiculously fine grained access control on SELinux.

    Apparmor is better, in my opinion, because anyone can write a profile. I'd rather have 100 processes running in the potentially weaker Apparmor than have just 10 running in the potentially stronger SELinux.
     
  7. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Network
    DDWRT Router running recommended build - Remote Access disabled
    DDWRT firewall turned on
    OpenDNS with DNSCrypt

    Realtime Protection
    No AV running.
    All ports closed - no need for a firewall.

    System Hardening -- Ubuntu 12.04 Kernel 3.4.X Optimized for i5 CPUs
    Pax + Grsecurity, custom kernel with custom settings.
    As few programs installed as possible.
    BIOS Password
    Apparmor Enabled - Profiles for all programs and various services


    Browser -- Chrome Beta
    Seccomp Sandbox + Default Sandbox + AppArmor
    Block 3rd Party Cookies
    Built in malware protection
    Default PDF reader -- no adobe necessary
    Adblock Plus with DNT
    HTTPS Everywhere
    Javascript whitelist by TLD
    Cookie whitelist by HTTPS

    A "private" profile with more aggressive privacy/ data settings.

    Chrome Privacy Profile
    No cookies/ no data sent to Google
    Block form validation
    ScriptNo with strict settings
     
  8. Gentoo64

    Gentoo64 Registered Member

    Joined:
    Jun 10, 2012
    Posts:
    12
    Location:
    UK
    Heh slightly similar to mine (Random list):

    Tomato Toastman WRT54G (IPv6 build, firewall, no remote access)

    Hardened Gentoo ~amd64

    Hardened Sources (always latest ~arch) completely minimal and thoroughly revised, GRSec + PAX on custom (too many to list, max possible security)

    Hardened toolchain

    Sysctl network hardening, grsec.lock = 1

    Minimal compiled programs

    OpenBox WM

    ZSH + urxvtd

    Tor + Sasl for IRC

    IPv6 tempaddress

    Truecrypt containers

    Immutable history files

    No root tty logins

    Fstab hardening

    Iptables default deny

    SSH key only auth

    Most services running as their own isolated user/group

    Browsers (No flash / Java)

    Chromium 9999:
    Incognito
    Adblock, (easylist, easyprivacy)
    Privoxy
    Seccomp Sandbox
    --disk-cache-dir=/tmp
    Javascript whitelist
    Clear cookies on close
    No tracking

    Firefox:
    Noscript
    Adblock Plus
    Privoxy
    Block third party cookies
    Clear all data on close
    No tracking
    about:config tweaks

    It's all pretty pointless, but doesn't affect usablility a single bit so why not. Used to use RBAC but disabled it (PITA for desktop maintenance). Everything is mprotected with full aslr/hardening and all programs compiled with fully hardened gcc. I'd like to try apparmor for per-program restrictions, it's available in the kernel, and tools in an overlay but afaik only Ubuntu has full support for it. I like a set and forget machine though.
     
    Last edited: Jun 14, 2012
  9. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Yeah I should really get around to using Gentoo but I really like Unity and I don't think it works with it.
     
  10. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Network
    DDWRT Router running recommended build - Remote Access disabled
    DDWRT firewall turned on
    OpenDNS with DNSCrypt
    All ports closed - no Avahi, Cups, or dnsmasq
    GUFW inbound/ outbound firewall enabled

    System Hardening -- Ubuntu 12.04 Kernel 3.4.X
    Pax + Grsecurity, custom kernel with custom settings
    Removed many default programs and dependencies
    BIOS Password
    Apparmor Enabled - Profiles for all programs and various services
    Open Source GPU Drivers


    Browser -- Chrome Dev
    Seccomp Sandbox + Default Sandbox + AppArmor + GPU Sandbox
    Block 3rd Party Cookies
    Built in malware protection
    Default PDF reader
    Adblock Plus with DNT
    HTTPS Everywhere
    Javascript whitelist by TLD
    Cookie whitelist by HTTPS

    A "private" profile with more aggressive privacy/ data settings.

    Chrome Privacy Profile
    No cookies/ 'Privacy' boxes unchecked
    Block form validation
    Incognito Only
     
  11. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Finally added GUFW outbound protection. I'm working on hardening the network aspect of the setup.
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.