I use Linux for quite a while and would like to gather some security advice, well known and lesser known.

Well known

Dont install random apps from the internet

This is the (old) Windows way and the result of an OS not caring about its software. Often bundled with also outsourced antivirus, or scanning all files you download.

So use official repos nearly exclusively. If there is an app not in your distros repos, try Distrobox, create a Container of any image and install it there. You can display the images available by pressing tab after -i.

distrobox-create NAME -i IMAGE-NAME

This also goes for

  • Ubuntu PPAs
  • Arch AUR
  • Opensuse Build service repos
  • Fedora COPR
  • Random external repos

Some repos are more or less controlled, so be careful!

Some “external ones” are trusted, like:

  • Fedora/Derivates: rpmfusion
  • Flathub
  • Steam Fedora Repo
  • Google Chrome Fedora Repo (dont use Chrome lol)
  • Open-h264 from Cisco

Not all Flathub repos are controlled, but here is a list

Update, update, update

Its best to enable automatic updates. If you have a slim system and install your apps as Flatpak apps (best if they are verified, look at flathub.org or directly add the verified repo), updates should never break something.

Wayland

X11 is an outdated security desaster with design flaws so big, that nobody cared to fix it. Instead, Wayland was created with way tighter (and more modern) restrictions, requiring Portals for apps to do stuff like

  • using your Camera
  • using your Microphone
  • viewing your screen or specific app Windows
  • simulating input devices
  • watching for keypresses

Only KDE and GNOME have full Wayland support for now, along with some Window Managers and RaspberryPi OS. This means

  • XFCE
  • LXQt, LXDE
  • Budgie
  • Mate
  • Cinnamon

Should be avoided until at least a year when they have full Wayland support. Wayland is not a new protocol at all, but requires Desktops to do more work. It can be expected (and hoped) that at least some effords combine, Desktops use existing Compositors etc.

Wayland is backwards compatible (X11-only apps run through xwayland, and you can also force apps to use Xwayland if they otherwise lose features).

All apps work on Wayland that dont do weird stuff that uses insecure methods. Poorly this includes screen readers and lots of Remote Desktop Software, as well as Screen recording. But things will evolve, and there are Apps that only support Wayland.

Less known

Avoid stable Distributions

Stable Distros dont get regular updates of every package that… gets an update, but they get backported security fixes.

Correct me if I am wrong, but not all security related bugs get a CVE (Common Vulnerabilities and Exposures) and thus dont get backported.

Stable Distributions are used everywhere on the internet though, so this could be debatable.

Use an “immutable” distro

Immutability is implemented in various ways, there is no standard at all

  • Android, Chromeos
  • Fedora Atomic (Silverblue, Kinoite, …)
  • Opensuse microOS (now Kalpa, Aeon)
  • VanillaOS
  • SteamOS

They are all different from each other, with Chromeos and Android being fully immutable, allowing no deviations from the OS at all, SteamOS being similar but allowing to run Flatpak apps natively.

VanillaOS and Opensuse microOS use a different form of “regular package management but atomic”, so the change does not apply to the running system but to a clone of it, being applied on reboot.

Fedora Atomic goes the “Cloud way” with an image-based system that can be downloaded, swapped out but also modified. They use OSTree for keeping track of every single package on your system and also changes, a simple rpm-ostree reset will reset your base system. It is the most secure of the customizable ones to my knowledge.

Immutable Operating systems make sure that every update works, so they can easily be done automatically and on a running system.

Also, changes to the core system through malware are not possible, at least not directly.

secure directories and dotfiles

An exception here is, if a malware would simply create a bash alias to anything. So a sudo password can easily be grabbed, or a second command executed whenever you do something with sudo.

https://madaidans-insecurities.github.io/linux.html#examples

So this means that your shell configs should only be writable by sudo, all others can only read! The same for ~/.gnupg or ~/.ssh, maybe even only readable by sudo depending on your use case.

sudo chmod 755 ~/.bashrc && sudo chown root ~/.bashrc
sudo chmod -R 700 ~/.ssh && sudo chown -R root ~/.ssh
sudo chmod -R 700 ~/.gnupg && sudo chown -R root ~/.gnupg
sudo chmod 755 ~/.zshrc && sudo chown root ~/.zshrc
sudo chmod -R 755 ~/.config/fish/ && sudo chown -R root ~/.config/fish/
sudo chmod -R 755 ~/.config/autostart && sudo chown root -R ~/.config/autostart
#sudo chmod -R 755 ~/.local/share/applications && sudo chown -R root ~/.local/share/applications

(7: read write exexecute, 5: read execute, “-R”, recursively)

This may still be incomplete, and the security is pretty flawed as long as random software can write to these directories at all, and as long as everything important is stored there.

Please report if any setting breaks something. Making the local applications directory read-only for everyone but root might be good, but will break for example KDEs GUI editor. But they put apps in ~/.local/share/applications/ons anyways for some reason.

SELinux or Apparmor

I dont know what is better, but I feel secure on Fedora with SELinux on enforcing. If any tools require you to disable it, they are poorly written.

Sandboxing

I am not nearly technical enough to explain details, but firejail is said to have many design flaws, a reason why bubblejail (using bubblewrap, which is used in Flatpak) should be preferred.

It is in early stages though.

Browser sandboxes are also not easy, Firefox Flatpak vs. Firefox native for example. Flatpaks need to replace the internal sandbox with bubblewrap. The same goes for Chromium and electron apps, and especially Chromium as a native app is said to be very secure.

For regular and especially privacy concerns, Flatpak with mostly manually hardened permissions is the best way. KDE has the permissions graphically integrated, otherwise Flatseal is nice.

Flatpak apps are always weakly isolated to make sure nothing breaks. In the future with portals for every (i.e. dynamic permissions) static permissions should be gone.

Firmware updates & Coreboot

While you may use the linux-libre Kernel and live full stallman, what Firmware does your PC use?

In most cases, especially for “Laptops with good Linux compatibility” that may be older Laptops, decommissioned Company devices, older Thinkpads… and they all probably dont get Firmware updates anymore!

My Thinkpad T495 has an outdated, bloated Lenovo Firmware. Firmware can read RAM, connect to the Internet and do anything. You cannot monitor that from the OS, you need a MITM proxy using another device.

And also, proprietary Firmware is everywhere. Only a vew people develop it, but it is there!

  • Novacustom for EU people, they partner with 3mdeb to support and ship Dasharo, a secure Coreboot Distro similar to Heads
  • System76 for US People
  • Starlabs also ships coreboot
  • 3mdeb sells PCs with Coreboot

Lots of Coreboot Distros only support old Hardware like Thinkpads up to T430. Nitrokey is a good vendor here, but keep in mind that these machines are now 11 years old. I still have one and it works great! But not for complex stuff like multiple VMs.

Secureboot

Also important to verify that your OS was not tempered with. Many Distros support it, even though they may not have an agreement with Microsoft so work out of the box, but they generate their own keys after installation.

Firmware like Dasharo or heads with integrity checks is better than Secureboot alone.


What other tips do you know?

  • Pantherina@feddit.deOP
    link
    fedilink
    arrow-up
    1
    ·
    11 months ago

    Good point about “no new security issues”. But new issues mostly also mean zero days so this is very less likely that old bugs that didnt get a CVE. But I dont know the details, what bugs Debian backports always, I just assume its not all.