I've been using Linux for ±3 yrs and I'm pretty used to it. I'm currently running NixOS on my laptop. My question is: what kind of hardening do I need? Firejail, AppArmor, SELinux, … all 3 of them? None of them? Thanks for the advice and have a nice day.

  • @[email protected]
    35 · 1 year ago

    Linux is fairly secure out of the box and typically does not need any sort of extra hardening for most people unless you have a specific case you are worried about or some threat model that requires it. And hardening a system is not simply about installing some package, but more about learning to set up and utilise said packages to mitigate the threats you think you are going to be dealing with. Hardening a system generally comes with tradeoffs and these are not always worth the cost involved for what you get from them. It all depends on what types of threats you think you will face - a journalist in a hostile country is going to want a far more secure system and will be more willing to compromise on other aspects to get that than some grandma that just wants to look at pictures on Facebook. Both of these will want different tradeoffs for their systems.

    Generally speaking I would start by reading up more about hardening Linux systems, and what types of things these tools are designed to do. I would start with anything related to the system you are interested in; NixOS has its own guides on general security which link to many things you might want to think about. Arch Linux also has some good guides on security that are worth a read. And there is more general stuff like The Practical Linux Hardening Guide or Red Hat's guides, though these are more server focused and might offer tips that can be too restrictive for desktop systems.

    As for AppArmor and SELinux, these are competing technologies and I don’t think you can use both at once.

    • @HerculesOP
      3 · 1 year ago

      Thanks for your answer, I will look into your links!!!

  • Krafting
    13 · 1 year ago

    You can use Lynis to scan your system for settings or weird behavior. It’s pretty useful; some stuff doesn’t have great explanations, however… so you will need to do a bit of research to know why a certain setting should be turned off or stuff like that.

    https://cisofy.com/lynis/

  • @[email protected]
    6 · 1 year ago

    You’re off to a good start. I’d recommend reading through and following this guide, it’s the best resource out there at the moment for Linux hardening/security imo.

  • BoofStroke
    2 · 1 year ago

    Start with lynis and go from there. Also lsof -ni and disable things that you don’t need.

    Lynis will help you to comply with CIS benchmarks, which are another thing you should read through.
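
The "lsof -ni and disable things that you don't need" step from the comment above, as an added example that is not part of the thread: it filters lsof output down to sockets that accept traffic from other hosts. The function names, the extra `-P` flag (numeric ports) and the sample rows are choices made for this example; the sample is constructed, not captured from a real host.

```shell
#!/usr/bin/env bash
# Added example: reduce `lsof -nP -i` output to listeners reachable from
# other hosts, i.e. the services worth reviewing and possibly disabling.

# Reads lsof output on stdin; prints "command proto address:port" per exposed socket.
exposed_listeners() {
  awk '
    NR == 1 && $1 == "COMMAND" { next }            # skip the header row
    {
      proto = $(NF-1); name = $NF; state = ""
      # TCP rows end with a state such as "(LISTEN)"; UDP rows have none.
      if (name ~ /^\(.*\)$/) { state = name; name = $(NF-1); proto = $(NF-2) }
      if (name ~ /->/) next                          # connected socket, not a listener
      if (proto == "TCP" && state != "(LISTEN)") next
      if (proto != "TCP" && proto != "UDP") next
      addr = name; sub(/:[^:]*$/, "", addr)          # strip the trailing :port
      if (addr ~ /^127\./ || addr == "[::1]") next   # loopback only, not reachable remotely
      print $1, proto, name
    }'
}

# Constructed sample of `lsof -nP -i` output (assumed laptop, not real data).
sample_lsof() {
  cat <<'EOF'
COMMAND   PID  USER  FD  TYPE DEVICE SIZE/OFF NODE NAME
sshd      812  root  3u  IPv4  20500      0t0  TCP *:22 (LISTEN)
cupsd     901  root  7u  IPv6  21000      0t0  TCP [::1]:631 (LISTEN)
cupsd     901  root  8u  IPv4  21001      0t0  TCP 127.0.0.1:631 (LISTEN)
avahi-da  700  avahi 12u IPv4  19000      0t0  UDP *:5353
firefox  2300  alice 55u IPv4  40000      0t0  TCP 192.168.1.5:51234->93.184.216.34:443 (ESTABLISHED)
EOF
}

# Demo on the sample. On a real machine, run as root to see every user's sockets:
#   lsof -nP -i | exposed_listeners
sample_lsof | exposed_listeners
```

Each line it prints is a service bound to a non-loopback address; anything listed that you do not recognise or need is a candidate to disable or to block in the firewall.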

  • @[email protected]
    1 · 1 year ago

    You could use a hardened kernel. I don’t remember exactly how to set it up, but look it up, like “NixOS hardened kernel”.

  • @[email protected]
    -2 · 1 year ago

    I am not sure. I personally don’t trust SELinux because it was developed by the NSA, though that is just me being tinfoil-hat-ish about it. I am a fan of ClamAV / ClamTk for files you think are sketchy (“alternatively obtained” games and things). I also use ufw but that is more of a thing for servers if I’m not mistaken. If you use an SSH server on your laptop, you should get fail2ban or sshguard. While the whole “Linux can’t get hacked” thing is wrong, as long as you stay updated and don’t be stupid you should be protected from automated scripts, which is all desktop users really need to worry about.

    • @Theoriginalthon
      3 · 1 year ago

      I put fail2ban on everything, and I manage to lock myself out of systems at least once a month, so I guess it’s working as intended.

      • @[email protected]
        1 · 1 year ago

        I like sshguard simply because I couldn’t get the fail2ban daemon running and sshguard started right up. I don’t know how the functionality compares but it is simple and never messes stuff up.

    • @HerculesOP
      1 · 1 year ago

      Thanks for taking the time to answer. What is the difference between ufw and systemd’s firewall?

      • @[email protected]
        3 · 1 year ago

        I’m not familiar with systemd’s but as long as you use a firewall and configure it properly you are fine.

        • @HerculesOP
          2 · 1 year ago

          I meant firewalld, I’m sorry.

          • @danielfgom
            2 · 1 year ago

            Use UFW - uncomplicated firewall. Some distros install it by default. It’s very easy to use, whereas other firewalls are super complicated.

            • @HerculesOP
              2 · 1 year ago

              I currently use firewalld. Is there a difference in terms of security?

              • @[email protected]
                6 · 1 year ago

                I don’t think so. Both UFW and firewalld are just frontends - they don’t actually do any work themselves. That is all handled by the iptables or the newer nftables kernel modules inside the kernel itself. The major difference will be in what rules they create, but both should be able to create the same rules for either of these kernel APIs. UFW is what Ubuntu uses by default I believe, and firewalld what a lot of other distros use by default.

                • @HerculesOP
                  1 · 1 year ago

                  Thanks, this was a very useful answer!!!

              • Helix 🧬
                1 · 1 year ago

                No, only the configuration syntax is different. If you know what you’re doing in configuring them, both are fine.

          • Helix 🧬
            1 · 1 year ago

            They’re pretty similar but firewalld allows more complex rules without resorting to plain iptables syntax. Try both and see what you like better.